AnyConnect to ASA 5505 ver 8.4 unable to ping/access Inside network
My AnyConnect VPN connect to the ASA, however I cannot access my inside network hosts (tried Split Tunnel and it didn't work either). I plan to use a Split Tunnel configuration but I thought I would get this working before I implemented that configuration. My inside hosts are on a 10.0.1.0/24 network and 10.1.0.0/16 networks. My AnyConnect hosts are using 192.168.60.0/24 addresses.
I have seen other people that appeared to have similar posts but none of those solutions have worked for me. I have also tried several NAT and ACL configurations to allow traffic form my Inside network to the ANYConnect hosts and back, but apparently I did it incorrectly. I undestand that this ver 8.4 is supposed to be easier to perform NAT and such, but I now in the router IOS it was much simpler.
My configuration is included below.
Thank you in advance for your assistance.
Jerry
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password (removed)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Generic_All_Network interface
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
: end
Hi,
Yes, I have saved the config and did a write erase and reloaded the config, no difference. I rebuilt it once a couple of weeks ago, but that was before I had gotten this far with your assistance. I'll include my ASA and switches configs after this. Here is a little background (took it form the Firewall section issue just because it gives a little insight for the network). I have 2 3560s, one as a L3 switch the other L2 with an etherchannel between them (one of the cables was bad so I am waiting on the replacement to have 2 - Gigabit channels between the switches).
I think our issue with the VPN not getting to the Inside is posibly related to my DMZ issue not getting to the internet.
I am using 2 VLANs on my switch for Guests - one is wired and the other is wireless. I am trying to keep them separate because the wireless are any guest that might be at our restaurant that is getting on WiFi. The wired is for our Private Dining Rooms that vendors may need access and I don't want the wireless being able to see the wired network in that situation.
I have ports on my 3560s that are assigned to VLAN 20 (Guest Wired) and VLAN 22 (Guest Wireless). I am not routing those addresses within the 3560s (one 3560 is setup as a L3 switch). Those VLANs are being L2 switched to the ASA via the trunk to save ports (I tried separating them and used 2 ports on the ASA and it still didn't work). The ASA is providing DCHP for those VLANs and the routing for the DMZ VLANs. I can ping each of the gateways (which are the VLANs on the ASA from devices on the 3560s - 172.26.20.1 and 172.26.22.1. I have those in my DMZ off the ASA so it can control and route the data.
The 3560 is routing for my Corp VLANs. So far I have tested the Wired VLAN 10 (10.1.10.0/24) and it is working and gets to the Internet. I have a default route (0.0.0.0 0.0.0.0) from the L3 switch to e0/1 on the ASA and e0/1 is an Inside interface.
E0/0 on the ASA is my Outside interface and gets it IP from the upstream router (will be an AT&T router/modem when I move it to the building).
So for a simple diagram:
PC (172.26.20.21/24) -----3560 (L2) ------Trunk----(VLAN 20 - DMZ/ VLAN 22 - DMZ2)---- ASA -----Outside ------- Internet (via router/modem)
I will be back at this tomorrow morning - I've been up since 4pm yesterday and it is almost 3pm.
Thank you for all of your assistance.
Jerry
Current ASA Config:
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password $$$$$$$$$$$$$$$ encrypted
passwd $$$$$$$$$$$$$$$$ encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
switchport access vlan 20
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
object network INSIDE
subnet 10.0.1.0 255.255.255.0
access-list capdmz extended permit icmp host 172.26.20.22 host 208.67.222.222
access-list capdmz extended permit icmp host 208.67.222.222 host 172.26.20.22
access-list capout extended permit icmp host 192.168.1.231 host 208.67.222.222
access-list capout extended permit icmp host 208.67.222.222 host 192.168.1.231
access-list capvpn extended permit icmp host 192.168.60.20 host 10.1.10.23
access-list capvpn extended permit icmp host 10.1.10.23 host 192.168.60.20
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list SPLIT-TUNNEL standard permit 10.0.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list capins extended permit icmp host 10.1.10.23 host 10.0.1.1
access-list capins extended permit icmp host 10.0.1.1 host 10.1.10.23
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
nat (inside,outside) after-auto source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f6d9bbacca2a5c8b5af946a8ddc12550
: end
L3 3560 connects to ASA via port f0/3 routed port 10.0.1.0/24 network
Connects to second 3560 via G0/3 & G0/4
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
hostname mx3560a
boot-start-marker
boot-end-marker
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
ip dhcp excluded-address 10.1.10.1 10.1.10.20
ip dhcp excluded-address 10.1.12.1 10.1.12.20
ip dhcp excluded-address 10.1.14.1 10.1.14.20
ip dhcp excluded-address 10.1.16.1 10.1.16.20
ip dhcp excluded-address 10.1.30.1 10.1.30.20
ip dhcp excluded-address 10.1.35.1 10.1.35.20
ip dhcp excluded-address 10.1.50.1 10.1.50.20
ip dhcp excluded-address 10.1.80.1 10.1.80.20
ip dhcp excluded-address 10.1.90.1 10.1.90.20
ip dhcp excluded-address 10.1.100.1 10.1.100.20
ip dhcp excluded-address 10.1.101.1 10.1.101.20
ip dhcp pool VLAN10
network 10.1.10.0 255.255.255.0
default-router 10.1.10.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN12
network 10.1.12.0 255.255.255.0
default-router 10.1.12.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN14
network 10.1.14.0 255.255.255.0
default-router 10.1.14.1
option 150 ip 10.1.13.1
ip dhcp pool VLAN16
network 10.1.16.0 255.255.255.0
default-router 10.1.16.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN30
network 10.1.30.0 255.255.255.0
default-router 10.1.30.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN35
network 10.1.35.0 255.255.255.0
default-router 10.1.35.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN50
network 10.1.50.0 255.255.255.0
default-router 10.1.50.1
option 43 hex f104.0a01.6564
ip dhcp pool VLAN80
network 10.1.80.0 255.255.255.0
default-router 10.1.80.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN90
network 10.1.90.0 255.255.255.0
default-router 10.1.90.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN100
network 10.1.100.0 255.255.255.0
default-router 10.1.100.1
ip dhcp pool VLAN101
network 10.1.101.0 255.255.255.0
default-router 10.1.101.1
ip dhcp pool VLAN40
dns-server 208.67.222.222 208.67.220.220
port-channel load-balance src-dst-mac
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
link state group 1 downstream
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
power inline never
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
power inline never
interface FastEthernet0/3
description Interface to MXFW E0/1
no switchport
ip address 10.0.1.2 255.255.255.0
power inline never
interface FastEthernet0/4
switchport mode access
shutdown
power inline never
interface FastEthernet0/5
switchport mode access
shutdown
power inline never
interface FastEthernet0/6
switchport mode access
shutdown
power inline never
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
power inline never
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/9
switchport mode access
shutdown
power inline never
interface FastEthernet0/10
switchport mode access
shutdown
power inline never
interface FastEthernet0/11
switchport mode access
shutdown
power inline never
interface FastEthernet0/12
switchport access vlan 40
switchport mode access
interface FastEthernet0/13
switchport access vlan 40
switchport mode access
interface FastEthernet0/14
switchport access vlan 40
switchport mode access
interface FastEthernet0/15
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/16
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 50
switchport mode access
interface FastEthernet0/18
switchport mode access
shutdown
power inline never
interface FastEthernet0/19
switchport mode access
shutdown
power inline never
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/21
switchport mode access
shutdown
power inline never
interface FastEthernet0/22
switchport mode access
shutdown
power inline never
interface FastEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/24
switchport access vlan 35
switchport mode access
power inline never
interface FastEthernet0/25
switchport mode access
shutdown
power inline never
interface FastEthernet0/26
switchport mode access
shutdown
power inline never
interface FastEthernet0/27
switchport mode access
shutdown
power inline never
interface FastEthernet0/28
switchport access vlan 40
switchport mode access
interface FastEthernet0/29
switchport access vlan 40
switchport mode access
interface FastEthernet0/30
switchport access vlan 40
switchport mode access
interface FastEthernet0/31
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/32
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/33
switchport access vlan 50
switchport mode access
interface FastEthernet0/34
switchport mode access
shutdown
power inline never
interface FastEthernet0/35
switchport mode access
shutdown
power inline never
interface FastEthernet0/36
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/37
switchport mode access
shutdown
power inline never
interface FastEthernet0/38
switchport mode access
shutdown
power inline never
interface FastEthernet0/39
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/40
switchport access vlan 90
switchport mode access
power inline never
interface FastEthernet0/41
switchport mode access
shutdown
power inline never
interface FastEthernet0/42
switchport mode access
shutdown
power inline never
interface FastEthernet0/43
switchport mode access
shutdown
power inline never
interface FastEthernet0/44
switchport access vlan 40
switchport mode access
interface FastEthernet0/45
switchport access vlan 40
switchport mode access
interface FastEthernet0/46
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/47
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/48
switchport mode access
shutdown
power inline never
interface GigabitEthernet0/1
description Interface to MXC2911 Port G0/0
no switchport
ip address 10.1.13.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface Vlan1
no ip address
shutdown
interface Vlan10
ip address 10.1.10.1 255.255.255.0
interface Vlan12
ip address 10.1.12.1 255.255.255.0
interface Vlan14
ip address 10.1.14.1 255.255.255.0
interface Vlan16
ip address 10.1.16.1 255.255.255.0
interface Vlan20
ip address 172.26.20.1 255.255.255.0
interface Vlan22
ip address 172.26.22.1 255.255.255.0
interface Vlan30
ip address 10.1.30.1 255.255.255.0
interface Vlan35
ip address 10.1.35.1 255.255.255.0
interface Vlan40
ip address 10.1.40.1 255.255.255.0
interface Vlan50
ip address 10.1.50.1 255.255.255.0
interface Vlan80
ip address 172.16.80.1 255.255.255.0
interface Vlan86
no ip address
shutdown
interface Vlan90
ip address 10.1.90.1 255.255.255.0
interface Vlan100
ip address 10.1.100.1 255.255.255.0
interface Vlan101
ip address 10.1.101.1 255.255.255.0
router eigrp 1
network 10.0.0.0
network 10.1.13.0 0.0.0.255
network 10.1.14.0 0.0.0.255
passive-interface default
no passive-interface GigabitEthernet0/1
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/3 10.0.1.1
ip route 192.168.60.0 255.255.255.0 FastEthernet0/3 10.0.1.1 2
ip http server
ip sla enable reaction-alerts
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end
L3 3560 Route Table (I added 192.168.60.0/24 instead of just using the default route just in case it wasn't routing for some reason - no change)
mx3560a#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.1.1 to network 0.0.0.0
S 192.168.60.0/24 [2/0] via 10.0.1.1, FastEthernet0/3
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.80.0 is directly connected, Vlan80
172.26.0.0/24 is subnetted, 2 subnets
C 172.26.22.0 is directly connected, Vlan22
C 172.26.20.0 is directly connected, Vlan20
10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
C 10.1.10.0/24 is directly connected, Vlan10
D 10.1.13.5/32 [90/3072] via 10.1.13.1, 4d02h, GigabitEthernet0/1
C 10.1.14.0/24 is directly connected, Vlan14
C 10.1.13.0/24 is directly connected, GigabitEthernet0/1
C 10.1.12.0/24 is directly connected, Vlan12
C 10.0.1.0/24 is directly connected, FastEthernet0/3
C 10.1.30.0/24 is directly connected, Vlan30
C 10.1.16.0/24 is directly connected, Vlan16
C 10.1.40.0/24 is directly connected, Vlan40
C 10.1.35.0/24 is directly connected, Vlan35
C 10.1.50.0/24 is directly connected, Vlan50
C 10.1.90.0/24 is directly connected, Vlan90
C 10.1.101.0/24 is directly connected, Vlan101
C 10.1.100.0/24 is directly connected, Vlan100
S* 0.0.0.0/0 [1/0] via 10.0.1.1, FastEthernet0/3
I have a C2911 for CME on G0/1 - using it only for that purpose at this time.
L2 3560 Config it connects to the ASA as a trunk on e0/5 of the ASA and port f0/3 of the switch - I am using L2 switching for the DMZ networks from the switches to the ASA and allowing the ASA to provide the DHCP and routing out of the network. DMZ networks: 172.26.20.0/24 and 172.26.22.0/24.
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
hostname mx3560b
boot-start-marker
boot-end-marker
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
no aaa new-model
system mtu routing 1500
crypto pki trustpoint TP-self-signed-3877365632
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3877365632
revocation-check none
rsakeypair TP-self-signed-3877365632
crypto pki certificate chain TP-self-signed-3877365632
certificate self-signed 01
30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383737 33363536 3332301E 170D3933 30333031 30303031
30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373733
36353633 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DF81 DA515E0B 7FC760CF 2CC98400 42DCA007 215E4DDE D0C3FBF2 D974CE85
C46A8700 6AE44C2C 79D9BD2A A9297FA0 2D9C2BE4 B3941A2F 435AC4EA 17E89DFE
34EC8E93 63BD4CDF 784E91D7 2EE0093F 06CC97FD 83CB818B 1ED624E6 F0F5DA51
1DE4B8A7 169EED2B 40575B81 BADDE052 85BA9D19 4C206DCB 00878FF3 89E74028
B3F30203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
551D1104 0C300A82 086D7833 35363062 2E301F06 03551D23 04183016 80147125
78CE8540 DB95D852 3C0BD975 5D9C6EB7 58FC301D 0603551D 0E041604 14712578
CE8540DB 95D8523C 0BD9755D 9C6EB758 FC300D06 092A8648 86F70D01 01040500
03818100 94B98410 2D9CD602 4BD16181 BCB7C515 77C8F947 7C4AF5B8 281E3131
59298655 B12FAB1D A6AAA958 8473483C E993D896 5251770B 557803C0 531DEB62
A349C057 CB473F86 DCEBF8B8 7DDE5728 048A49D0 AB18CE8C 8257C00A C2E06A63
B91F872C 5F169FF9 77DC523B AB1E3965 C6B67FCC 84AE11E9 02DD10F0 C45EAFEA 41D7FA6C
quit
port-channel load-balance src-dst-mac
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/1
switchport access vlan 50
switchport mode access
interface FastEthernet0/2
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,22
switchport mode trunk
power inline never
interface FastEthernet0/4
switchport mode access
shutdown
power inline never
interface FastEthernet0/5
shutdown
power inline never
interface FastEthernet0/6
shutdown
power inline never
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/9
shutdown
power inline never
interface FastEthernet0/10
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/11
shutdown
power inline never
interface FastEthernet0/12
switchport access vlan 40
switchport mode access
interface FastEthernet0/13
switchport access vlan 40
switchport mode access
interface FastEthernet0/14
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/15
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/16
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 10
switchport mode access
power inline never
interface FastEthernet0/18
shutdown
power inline never
interface FastEthernet0/19
shutdown
power inline never
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/21
shutdown
power inline never
interface FastEthernet0/22
shutdown
power inline never
interface FastEthernet0/23
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/24
shutdown
power inline never
interface FastEthernet0/25
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/26
shutdown
power inline never
interface FastEthernet0/27
shutdown
power inline never
interface FastEthernet0/28
switchport access vlan 40
switchport mode access
interface FastEthernet0/29
switchport access vlan 40
switchport mode access
interface FastEthernet0/30
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/31
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/32
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/33
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/34
shutdown
power inline never
interface FastEthernet0/35
shutdown
power inline never
interface FastEthernet0/36
switchport mode access
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/37
shutdown
power inline never
interface FastEthernet0/38
shutdown
power inline never
interface FastEthernet0/39
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/40
switchport access vlan 90
switchport mode access
power inline never
interface FastEthernet0/41
shutdown
power inline never
interface FastEthernet0/42
shutdown
power inline never
interface FastEthernet0/43
shutdown
power inline never
interface FastEthernet0/44
switchport access vlan 40
switchport mode access
interface FastEthernet0/45
switchport access vlan 40
switchport mode access
interface FastEthernet0/46
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/47
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/48
switchport access vlan 40
switchport mode access
shutdown
interface GigabitEthernet0/1
shutdown
interface GigabitEthernet0/2
switchport access vlan 40
switchport mode access
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface Vlan1
no ip address
ip classless
ip http server
ip http secure-server
ip sla enable reaction-alerts
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end
Similar Messages
-
ASA 5505 ver 8.4 DMZ to Outside not working
I have an ASA 5505 ver 8.4. The configuration is provided below. My INSIDE hosts are able to get to the internet via the Outside interface. The DHCP for my INSIDE hosts are handled by my L3 3560 switch. My DMZ hosts DHCP is handled by the ASA 5505. I've included packet-tracer results for both from the DMZ to the Outside address (DNS server) and a return packet tracer from the Outside interface to the DMZ host address. I see that the return is failing, however everything I have tried so far hasn't worked. Thank you in advance for any assistance.
***************************************8
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password (removed)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Generic_All_Network interface
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
: end
Packet Tracer from DMZ to Outside
mxfw# packet-tracer input dmz icmp 172.26.20.22 8 0 208.67.222.222 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac5bdb90, priority=0, domain=inspect-ip-options, deny=true
hits=22, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=dmz, output_ifc=any
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacff7ee0, priority=70, domain=inspect-icmp, deny=false
hits=8, user_data=0xad253a68, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=dmz, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac5bd768, priority=66, domain=inspect-icmp-error, deny=false
hits=8, user_data=0xac5bcd80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=dmz, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dmz,outside) source dynamic Generic_All_Network interface
Additional Information:
Dynamic translate 172.26.20.22/0 to 192.168.1.231/23136
Forward Flow based lookup yields rule:
in id=0xac63c0e8, priority=6, domain=nat, deny=false
hits=7, user_data=0xac6209f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=dmz, output_ifc=outside
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac578bf0, priority=0, domain=inspect-ip-options, deny=true
hits=7510, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7561, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Packet Tracer for return from Outside:
mxfw(config)# packet-tracer input outside icmp 207.67.222.222 0 0 172.26.20.22$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.26.20.0 255.255.255.0 dmz
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacea45d8, priority=11, domain=permit, deny=true
hits=0, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Settings of PC and PING & tracert results
C:\Users>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : MXW8DT01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Wireless LAN adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 68-94-23-20-FA-C5
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Ralink RT5390R 802.11bgn Wi-Fi Adapter
Physical Address. . . . . . . . . : 68-94-23-20-FA-C3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 08-9E-01-3D-64-39
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.26.20.22(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, October 6, 2013 3:28:48 PM
Lease Expires . . . . . . . . . . : Sunday, October 6, 2013 4:28:48 PM
Default Gateway . . . . . . . . . : 172.26.20.1
DHCP Server . . . . . . . . . . . : 172.26.20.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
208.67.220.220
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{9B004C7D-7A34-4A9C-BEDB-5212A582FAB1}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3497:208a:53e5:ebe9(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::3497:208a:53e5:ebe9%16(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
C:\Users>ping 208.67.222.222
Pinging 208.67.222.222 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 208.67.222.222:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users>tracert 208.67.222.222
Tracing route to 208.67.222.222 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 172.26.20.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.Naveen & Julio,
The version is below along with the captures. The show cap asp | include 208.67.222.222 is fairly long.
Thank you again for your assistance.
Jerry
mxfw(config)# sho ver
Cisco Adaptive Security Appliance Software Version 8.4(4)
Device Manager Version 6.4(9)
Compiled on Mon 21-May-12 10:48 by builders
System image file is "disk0:/asa844-k8.bin"
Config file at boot was "startup-config"
mxfw up 23 hours 47 mins
Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 32768MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 2c54.2df4.9c93, irq 11
1: Ext: Ethernet0/0 : address is 2c54.2df4.9c8b, irq 255
2: Ext: Ethernet0/1 : address is 2c54.2df4.9c8c, irq 255
3: Ext: Ethernet0/2 : address is 2c54.2df4.9c8d, irq 255
4: Ext: Ethernet0/3 : address is 2c54.2df4.9c8e, irq 255
5: Ext: Ethernet0/4 : address is 2c54.2df4.9c8f, irq 255
6: Ext: Ethernet0/5 : address is 2c54.2df4.9c90, irq 255
7: Ext: Ethernet0/6 : address is 2c54.2df4.9c91, irq 255
8: Ext: Ethernet0/7 : address is 2c54.2df4.9c92, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 24 perpetual
Total UC Proxy Sessions : 24 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Serial Number: JMX1617Z2B0
Running Permanent Activation Key: 0x112dd960 0x68ba556a 0x9160b8f4 0xc4f49064 0x822ae087
Configuration register is 0x1
mxfw(config)# sho cap asp | include 208.67.222.222
1: 08:14:03.444953 802.1Q vlan#2 P0 192.168.60.20.50815 > 208.67.222.222.53: udp 38
4: 08:14:04.613920 802.1Q vlan#2 P0 192.168.60.20.49379 > 208.67.222.222.53: udp 36 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
9: 08:14:05.456168 802.1Q vlan#2 P0 192.168.60.20.50815 > 208.67.222.222.53: udp 38 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
19: 08:14:07.874283 802.1Q vlan#2 P0 192.168.60.20.52778 > 208.67.222.222.53: udp 39 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
26: 08:14:09.464407 802.1Q vlan#2 P0 192.168.60.20.50815 > 208.67.222.222.53: udp 38 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
31: 08:14:09.885559 802.1Q vlan#2 P0 192.168.60.20.52778 > 208.67.222.222.53: udp 39 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
36: 08:14:11.228427 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36
37: 08:14:12.240847 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
38: 08:14:13.254533 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
44: 08:14:13.893889 802.1Q vlan#2 P0 192.168.60.20.52778 > 208.67.222.222.53: udp 39 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
51: 08:14:15.266374 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36
63: 08:14:19.274750 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36
68: 08:14:20.509312 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
69: 08:14:21.520816 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
70: 08:14:22.534548 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
76: 08:14:24.547228 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
83: 08:14:28.554826 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
89: 08:14:29.803150 802.1Q vlan#2 P0 192.168.60.20.54948 > 208.67.222.222.53: udp 38
91: 08:14:31.816089 802.1Q vlan#2 P0 192.168.60.20.54948 > 208.67.222.222.53: udp 38
102: 08:14:35.822894 802.1Q vlan#2 P0 192.168.60.20.54948 > 208.67.222.222.53: udp 38
116: 08:14:42.885604 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
118: 08:14:43.883926 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
123: 08:14:44.884491 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
127: 08:14:46.884521 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
133: 08:14:48.882721 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
135: 08:14:49.881942 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
138: 08:14:50.882858 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
140: 08:14:50.885620 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
145: 08:14:52.883590 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
149: 08:14:53.983790 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
151: 08:14:54.982981 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
156: 08:14:55.982844 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
161: 08:14:56.884811 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
180: 08:14:57.983408 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
197: 08:14:59.441017 802.1Q vlan#2 P0 192.168.60.20.55495 > 208.67.222.222.53: udp 34
198: 08:14:59.441764 802.1Q vlan#2 P0 192.168.60.20.52091 > 208.67.222.222.53: udp 42
199: 08:14:59.442756 802.1Q vlan#2 P0 192.168.60.20.52233 > 208.67.222.222.53: udp 40
200: 08:14:59.442985 802.1Q vlan#2 P0 192.168.60.20.57413 > 208.67.222.222.53: udp 40
201: 08:14:59.443794 802.1Q vlan#2 P0 192.168.60.20.65042 > 208.67.222.222.53: udp 40
202: 08:14:59.448753 802.1Q vlan#2 P0 192.168.60.20.62151 > 208.67.222.222.53: udp 34
204: 08:14:59.504978 802.1Q vlan#2 P0 192.168.60.20.60528 > 208.67.222.222.53: udp 33
206: 08:14:59.524234 802.1Q vlan#2 P0 192.168.60.20.54032 > 208.67.222.222.53: udp 34
213: 08:15:00.505161 802.1Q vlan#2 P0 192.168.60.20.60528 > 208.67.222.222.53: udp 33
214: 08:15:00.524066 802.1Q vlan#2 P0 192.168.60.20.54032 > 208.67.222.222.53: udp 34
225: 08:15:01.441124 802.1Q vlan#2 P0 192.168.60.20.55495 > 208.67.222.222.53: udp 34
229: 08:15:01.442893 802.1Q vlan#2 P0 192.168.60.20.57413 > 208.67.222.222.53: udp 40
230: 08:15:01.443168 802.1Q vlan#2 P0 192.168.60.20.52233 > 208.67.222.222.53: udp 40
235: 08:15:01.444663 802.1Q vlan#2 P0 192.168.60.20.65042 > 208.67.222.222.53: udp 40
241: 08:15:01.563584 802.1Q vlan#2 P0 192.168.60.20.49326 > 208.67.222.222.53: udp 32
242: 08:15:01.582458 802.1Q vlan#2 P0 192.168.60.20.64011 > 208.67.222.222.53: udp 33
244: 08:15:01.598983 802.1Q vlan#2 P0 192.168.60.20.55971 > 208.67.222.222.53: udp 33
246: 08:15:01.628278 802.1Q vlan#2 P0 192.168.60.20.54709 > 208.67.222.222.53: udp 37
248: 08:15:01.982920 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
254: 08:15:02.598861 802.1Q vlan#2 P0 192.168.60.20.55971 > 208.67.222.222.53: udp 33
256: 08:15:02.622785 802.1Q vlan#2 P0 192.168.60.20.54709 > 208.67.222.222.53: udp 37
266: 08:15:04.438301 802.1Q vlan#2 P0 192.168.60.20.57642 > 208.67.222.222.53: udp 34
267: 08:15:04.440040 802.1Q vlan#2 P0 192.168.60.20.49886 > 208.67.222.222.53: udp 40
268: 08:15:04.440284 802.1Q vlan#2 P0 192.168.60.20.64655 > 208.67.222.222.53: udp 40
269: 08:15:04.441078 802.1Q vlan#2 P0 192.168.60.20.57383 > 208.67.222.222.53: udp 40
279: 08:15:05.441551 802.1Q vlan#2 P0 192.168.60.20.55495 > 208.67.222.222.53: udp 34
285: 08:15:05.443168 802.1Q vlan#2 P0 192.168.60.20.52233 > 208.67.222.222.53: udp 40
286: 08:15:05.443443 802.1Q vlan#2 P0 192.168.60.20.57413 > 208.67.222.222.53: udp 40
293: 08:15:05.445396 802.1Q vlan#2 P0 192.168.60.20.65042 > 208.67.222.222.53: udp 40
314: 08:15:07.438911 802.1Q vlan#2 P0 192.168.60.20.57642 > 208.67.222.222.53: udp 34
318: 08:15:07.440040 802.1Q vlan#2 P0 192.168.60.20.49886 > 208.67.222.222.53: udp 40
322: 08:15:07.441322 802.1Q vlan#2 P0 192.168.60.20.64655 > 208.67.222.222.53: udp 40
326: 08:15:07.443412 802.1Q vlan#2 P0 192.168.60.20.57383 > 208.67.222.222.53: udp 40
335: 08:15:09.374400 802.1Q vlan#2 P0 192.168.60.20.59105 > 208.67.222.222.53: udp 38
362: 08:15:11.439399 802.1Q vlan#2 P0 192.168.60.20.57642 > 208.67.222.222.53: udp 34
363: 08:15:11.440101 802.1Q vlan#2 P0 192.168.60.20.49886 > 208.67.222.222.53: udp 40
370: 08:15:11.441627 802.1Q vlan#2 P0 192.168.60.20.64655 > 208.67.222.222.53: udp 40
374: 08:15:11.442543 802.1Q vlan#2 P0 192.168.60.20.57383 > 208.67.222.222.53: udp 40
381: 08:15:11.995279 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
382: 08:15:12.003127 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
383: 08:15:12.003356 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
384: 08:15:12.003585 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
387: 08:15:12.994989 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
388: 08:15:13.001922 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
389: 08:15:13.004455 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
390: 08:15:13.004974 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
391: 08:15:13.005660 802.1Q vlan#2 P0 192.168.60.20.59092 > 208.67.222.222.53: udp 33
392: 08:15:13.995065 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
394: 08:15:14.001922 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
396: 08:15:14.002868 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
397: 08:15:14.003082 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
400: 08:15:14.004104 802.1Q vlan#2 P0 192.168.60.20.59092 > 208.67.222.222.53: udp 33
418: 08:15:15.995416 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
422: 08:15:16.002334 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
426: 08:15:16.003570 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
427: 08:15:16.003738 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
446: 08:15:17.302062 802.1Q vlan#2 P0 192.168.60.20.63130 > 208.67.222.222.53: udp 34
451: 08:15:18.172003 802.1Q vlan#2 P0 192.168.60.20.63438 > 208.67.222.222.53: udp 39
466: 08:15:18.993829 802.1Q vlan#2 P0 192.168.60.20.62143 > 208.67.222.222.53: udp 34
467: 08:15:19.000717 802.1Q vlan#2 P0 192.168.60.20.62168 > 208.67.222.222.53: udp 40
468: 08:15:19.000945 802.1Q vlan#2 P0 192.168.60.20.53798 > 208.67.222.222.53: udp 40
469: 08:15:19.002670 802.1Q vlan#2 P0 192.168.60.20.49384 > 208.67.222.222.53: udp 40
474: 08:15:19.695703 802.1Q vlan#2 P0 192.168.60.20.60662 > 208.67.222.222.53: udp 45
478: 08:15:19.994882 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
486: 08:15:20.002120 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
490: 08:15:20.003066 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
492: 08:15:20.003539 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
500: 08:15:20.303008 802.1Q vlan#2 P0 192.168.60.20.63130 > 208.67.222.222.53: udp 34
504: 08:15:20.411660 802.1Q vlan#2 P0 192.168.60.20.55911 > 208.67.222.222.53: udp 38
510: 08:15:20.984369 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
511: 08:15:21.171850 802.1Q vlan#2 P0 192.168.60.20.63438 > 208.67.222.222.53: udp 39
525: 08:15:21.983744 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
526: 08:15:21.993555 802.1Q vlan#2 P0 192.168.60.20.62143 > 208.67.222.222.53: udp 34
530: 08:15:22.000366 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
531: 08:15:22.001602 802.1Q vlan#2 P0 192.168.60.20.62168 > 208.67.222.222.53: udp 40
532: 08:15:22.001846 802.1Q vlan#2 P0 192.168.60.20.53798 > 208.67.222.222.53: udp 40
539: 08:15:22.004150 802.1Q vlan#2 P0 192.168.60.20.49384 > 208.67.222.222.53: udp 40
547: 08:15:22.986216 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
549: 08:15:22.999444 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
565: 08:15:23.999170 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
576: 08:15:24.303252 802.1Q vlan#2 P0 192.168.60.20.63130 > 208.67.222.222.53: udp 34
584: 08:15:24.985254 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
592: 08:15:25.172186 802.1Q vlan#2 P0 192.168.60.20.63438 > 208.67.222.222.53: udp 39
604: 08:15:25.994012 802.1Q vlan#2 P0 192.168.60.20.62143 > 208.67.222.222.53: udp 34
608: 08:15:25.998926 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
610: 08:15:26.001953 802.1Q vlan#2 P0 192.168.60.20.62168 > 208.67.222.222.53: udp 40
611: 08:15:26.002441 802.1Q vlan#2 P0 192.168.60.20.53798 > 208.67.222.222.53: udp 40
618: 08:15:26.004226 802.1Q vlan#2 P0 192.168.60.20.49384 > 208.67.222.222.53: udp 40
643: 08:15:28.986582 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
657: 08:15:29.999307 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
681: 08:15:31.458914 802.1Q vlan#2 P0 192.168.60.20.63467 > 208.67.222.222.53: udp 37
685: 08:15:31.724190 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
691: 08:15:31.875671 802.1Q vlan#2 P0 192.168.60.20.54302 > 208.67.222.222.53: udp 37
700: 08:15:32.723961 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
706: 08:15:33.724877 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
712: 08:15:35.725670 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
724: 08:15:39.726814 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
732: 08:15:41.453269 802.1Q vlan#2 P0 192.168.60.20.64218 > 208.67.222.222.53: udp 34
754: 08:15:43.453315 802.1Q vlan#2 P0 192.168.60.20.64218 > 208.67.222.222.53: udp 34
764: 08:15:43.995737 802.1Q vlan#2 P0 192.168.60.20.53749 > 208.67.222.222.53: udp 34
786: 08:15:45.994760 802.1Q vlan#2 P0 192.168.60.20.53749 > 208.67.222.222.53: udp 34
795: 08:15:47.451194 802.1Q vlan#2 P0 192.168.60.20.64429 > 208.67.222.222.53: udp 34
797: 08:15:47.454276 802.1Q vlan#2 P0 192.168.60.20.64218 > 208.67.222.222.53: udp 34
806: 08:15:48.285110 802.1Q vlan#2 P0 192.168.60.20.55170 > 208.67.222.222.53: udp 39
821: 08:15:49.451209 802.1Q vlan#2 P0 192.168.60.20.64429 > 208.67.222.222.53: udp 34
826: 08:15:49.979868 802.1Q vlan#2 P0 192.168.60.20.53423 > 208.67.222.222.53: udp 38
828: 08:15:49.994058 802.1Q vlan#2 P0 192.168.60.20.53749 > 208.67.222.222.53: udp 34
830: 08:15:50.285217 802.1Q vlan#2 P0 192.168.60.20.55170 > 208.67.222.222.53: udp 39
845: 08:15:51.979777 802.1Q vlan#2 P0 192.168.60.20.53423 > 208.67.222.222.53: udp 38
856: 08:15:53.450660 802.1Q vlan#2 P0 192.168.60.20.64429 > 208.67.222.222.53: udp 34
864: 08:15:54.008330 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
865: 08:15:54.285507 802.1Q vlan#2 P0 192.168.60.20.55170 > 208.67.222.222.53: udp 39
872: 08:15:55.008437 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
876: 08:15:55.980250 802.1Q vlan#2 P0 192.168.60.20.53423 > 208.67.222.222.53: udp 38
880: 08:15:56.009185 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
886: 08:15:58.009902 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
902: 08:16:00.006957 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
908: 08:16:00.837679 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
910: 08:16:01.006377 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
914: 08:16:01.837221 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
915: 08:16:01.991724 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
916: 08:16:02.007217 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
918: 08:16:02.010161 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
923: 08:16:02.838182 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
925: 08:16:02.991007 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
931: 08:16:03.990885 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
932: 08:16:04.007842 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
938: 08:16:04.838823 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
945: 08:16:05.990610 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
957: 08:16:08.009215 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
964: 08:16:08.840425 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
970: 08:16:09.991052 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
1005: 08:16:16.981287 802.1Q vlan#2 P0 192.168.60.20.53038 > 208.67.222.222.53: udp 38
1008: 08:16:17.391352 802.1Q vlan#2 P0 192.168.60.20.49778 > 208.67.222.222.53: udp 39
1010: 08:16:18.981348 802.1Q vlan#2 P0 192.168.60.20.53038 > 208.67.222.222.53: udp 38
1015: 08:16:19.391428 802.1Q vlan#2 P0 192.168.60.20.49778 > 208.67.222.222.53: udp 39
1022: 08:16:22.982645 802.1Q vlan#2 P0 192.168.60.20.53038 > 208.67.222.222.53: udp 38
1027: 08:16:23.403650 802.1Q vlan#2 P0 192.168.60.20.49778 > 208.67.222.222.53: udp 39
1032: 08:16:24.014434 802.1Q vlan#2 P0 192.168.60.20.54274 > 208.67.222.222.53: udp 34
1059: 08:16:26.014113 802.1Q vlan#2 P0 192.168.60.20.54274 > 208.67.222.222.53: udp 34
1096: 08:16:29.956737 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1097: 08:16:30.013381 802.1Q vlan#2 P0 192.168.60.20.54274 > 208.67.222.222.53: udp 34
1099: 08:16:30.939343 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1100: 08:16:30.939572 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1101: 08:16:30.939801 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1102: 08:16:30.956081 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1106: 08:16:31.938870 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1107: 08:16:31.939099 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1108: 08:16:31.939785 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1109: 08:16:31.956890 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1112: 08:16:32.938916 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1113: 08:16:32.939145 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1116: 08:16:32.940075 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1140: 08:16:33.956401 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1148: 08:16:34.939740 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1149: 08:16:34.939999 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1150: 08:16:34.940228 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1161: 08:16:36.936810 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1162: 08:16:36.937970 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1163: 08:16:36.938244 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1168: 08:16:37.936002 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1169: 08:16:37.936948 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1170: 08:16:37.938046 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1171: 08:16:37.955883 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1175: 08:16:38.936948 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1177: 08:16:38.937817 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1179: 08:16:38.938763 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1181: 08:16:38.939709 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1185: 08:16:38.941006 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1186: 08:16:38.941220 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1195: 08:16:40.937512 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1196: 08:16:40.937741 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1199: 08:16:40.939602 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1208: 08:16:42.005874 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1216: 08:16:43.005202 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1229: 08:16:44.006026 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1237: 08:16:44.939419 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1238: 08:16:44.939908 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1245: 08:16:44.941494 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1275: 08:16:46.006011 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1321: 08:16:50.007079 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1398: 08:17:10.994073 802.1Q vlan#2 P0 192.168.60.20.63745 > 208.67.222.222.53: udp 38
1401: 08:17:12.992517 802.1Q vlan#2 P0 192.168.60.20.63745 > 208.67.222.222.53: udp 38
1426: 08:17:15.766638 802.1Q vlan#2 P0 192.168.60.20.64128 > 208.67.222.222.53: udp 39
1429: 08:17:16.992761 802.1Q vlan#2 P0 192.168.60.20.63745 > 208.67.222.222.53: udp 38
1433: 08:17:17.766729 802.1Q vlan#2 P0 192.168.60.20.64128 > 208.67.222.222.53: udp 39
1441: 08:17:21.767050 802.1Q vlan#2 P0 192.168.60.20.64128 > 208.67.222.222.53: udp 39
1452: 08:17:26.504170 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1463: 08:17:27.504032 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1465: 08:17:28.318953 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1466: 08:17:28.504887 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1468: 08:17:29.319212 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1475: 08:17:30.319746 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1479: 08:17:30.505512 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1484: 08:17:32.320356 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1493: 08:17:34.507297 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1498: 08:17:35.987299 802.1Q vlan#2 P0 192.168.60.20.50211 > 208.67.222.222.53: udp 38
1504: 08:17:36.321623 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1512: 08:17:36.986475 802.1Q vlan#2 P0 192.168.60.20.50211 > 208.67.222.222.53: udp 38
1513: 08:17:37.987406 802.1Q vlan#2 P0 192.168.60.20.50211 > 208.67.222.222.53: udp 38
1521: 08:17:39.988001 802.1Q vlan#2 P0 192.168.60.20.50211 > 208.67.222.222.53: udp 38
1940: 08:19:32.749732 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65521: udp 91
2126: 08:19:46.482335 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61347: udp 50
2169: 08:19:50.479681 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61347: udp 50
2200: 08:19:54.485921 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61347: udp 50
2235: 08:19:58.700113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57408: udp 50
2275: 08:20:02.700113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57408: udp 50
2300: 08:20:06.380931 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61124: udp 139
2303: 08:20:06.697321 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57408: udp 50
2310: 08:20:07.624113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59656: udp 184
2313: 08:20:08.222202 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63181: udp 112
2314: 08:20:08.222263 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50007: udp 70
2335: 08:20:09.764441 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51040: udp 91
2345: 08:20:10.380839 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61124: udp 139
2354: 08:20:11.624235 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59656: udp 184
2361: 08:20:12.093821 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56090: udp 131
2362: 08:20:12.202458 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63181: udp 112
2363: 08:20:12.206364 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50007: udp 70
2373: 08:20:12.696466 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51948: udp 50
2384: 08:20:14.200886 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64562: udp 112
2385: 08:20:14.205311 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63143: udp 70
2387: 08:20:14.378062 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61124: udp 139
2399: 08:20:22.627012 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50607: udp 108
2407: 08:20:23.801136 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51512: udp 195
2417: 08:20:24.940777 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62374: udp 184
2423: 08:20:25.811771 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61821: udp 91
2432: 08:20:26.646801 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60226: udp 108
2433: 08:20:26.692606 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54228: udp 50
2452: 08:20:27.801167 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51512: udp 195
2461: 08:20:28.941510 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62374: udp 184
2463: 08:20:29.230990 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52123: udp 139
2465: 08:20:29.912260 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61877: udp 65
2467: 08:20:30.000976 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57311: udp 112
2474: 08:20:30.646664 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60226: udp 108
2476: 08:20:30.689737 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54228: udp 50
2491: 08:20:31.800678 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51512: udp 195
2500: 08:20:32.938428 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62374: udp 184
2503: 08:20:33.229037 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52123: udp 139
2507: 08:20:33.444541 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51060: udp 70
2512: 08:20:33.909590 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61877: udp 65
2514: 08:20:34.001296 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57311: udp 112
2522: 08:20:34.646511 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60226: udp 108
2524: 08:20:34.690027 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54228: udp 50
2530: 08:20:35.997705 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52341: udp 112
2538: 08:20:37.228656 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52123: udp 139
2540: 08:20:37.441886 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51060: udp 70
2544: 08:20:37.909926 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61877: udp 65
2548: 08:20:38.001113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57311: udp 112
2555: 08:20:38.651318 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56407: udp 108
2561: 08:20:39.440818 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53603: udp 70
2569: 08:20:39.997857 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52341: udp 112
2575: 08:20:41.228519 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63240: udp 185
2578: 08:20:41.446708 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51060: udp 70
2589: 08:20:42.646664 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56407: udp 108
2598: 08:20:43.440666 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53603: udp 70
2604: 08:20:43.997354 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52341: udp 112
2618: 08:20:45.163275 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63149: udp 65
2619: 08:20:45.227817 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63240: udp 185
2621: 08:20:45.251924 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57764: udp 112
2626: 08:20:46.130547 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61026: udp 195
2632: 08:20:46.643567 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56407: udp 108
2638: 08:20:47.440742 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53603: udp 70
2644: 08:20:48.162879 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63149: udp 65
2646: 08:20:48.251512 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57764: udp 112
2648: 08:20:48.694986 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49312: udp 70
2652: 08:20:49.130867 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61026: udp 195
2654: 08:20:49.228625 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63240: udp 185
2663: 08:20:51.251146 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61384: udp 112
2666: 08:20:51.647091 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52622: udp 108
2667: 08:20:51.694589 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49312: udp 70
2670: 08:20:52.160193 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63149: udp 65
2674: 08:20:52.251360 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57764: udp 112
2679: 08:20:53.100306 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56042: udp 131
2680: 08:20:53.129448 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61026: udp 195
2685: 08:20:54.250765 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61384: udp 112
2687: 08:20:54.646161 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52622: udp 108
2689: 08:20:54.696726 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52496: udp 70
2691: 08:20:55.697412 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49312: udp 70
2693: 08:20:56.097971 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56042: udp 131
2700: 08:20:57.693369 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52496: udp 70
2703: 08:20:58.250109 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61384: udp 112
2705: 08:20:58.646008 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52622: udp 108
2708: 08:21:00.097819 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56042: udp 131
2713: 08:21:01.693308 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52496: udp 70
2718: 08:21:02.823626 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63251: udp 91
2719: 08:21:02.948177 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51292: udp 70
2722: 08:21:03.646023 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63250: udp 108
2729: 08:21:05.947399 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51292: udp 70
2734: 08:21:06.648678 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63250: udp 108
2743: 08:21:08.911467 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61647: udp 195
2744: 08:21:08.946865 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60298: udp 70
2748: 08:21:09.950069 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51292: udp 70
2751: 08:21:10.643521 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63250: udp 108
2754: 08:21:11.910627 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61647: udp 195
2756: 08:21:11.946530 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60298: udp 70
2767: 08:21:15.130623 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61338: udp 117
2770: 08:21:15.646527 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51375: udp 108
2774: 08:21:15.909453 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61647: udp 195
2776: 08:21:15.943844 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60298: udp 70
2783: 08:21:17.200947 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64763: udp 70
2787: 08:21:18.130104 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61338: udp 117
2790: 08:21:18.645565 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51375: udp 108
2793: 08:21:20.198033 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64763: udp 70
2799: 08:21:22.127434 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61338: udp 117
2802: 08:21:22.513309 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51759: udp 70
2803: 08:21:22.643460 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51375: udp 108
2805: 08:21:23.197652 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49516: udp 70
2811: 08:21:24.202885 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64763: udp 70
2814: 08:21:24.904906 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60682: udp 236
2817: 08:21:25.510471 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51759: udp 70
2821: 08:21:26.196797 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49516: udp 70
2825: 08:21:27.646023 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59714: udp 108
2827: 08:21:27.883941 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60682: udp 236
2833: 08:21:29.407174 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60724: udp 65
2834: 08:21:29.510273 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51759: udp 70
2838: 08:21:30.196629 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49516: udp 70
2843: 08:21:30.645703 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59714: udp 108
2844: 08:21:30.883072 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53426: udp 236
2846: 08:21:31.451636 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62205: udp 70
2848: 08:21:31.886230 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60682: udp 236
2851: 08:21:32.406946 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60724: udp 65
2858: 08:21:33.882171 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53426: udp 236
2862: 08:21:34.451209 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62205: udp 70
2864: 08:21:34.642941 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59714: udp 108
2871: 08:21:35.948116 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60127: udp 195
2872: 08:21:36.406595 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60724: udp 65
2875: 08:21:36.909331 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65140: udp 222
2877: 08:21:37.449866 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59320: udp 70
2878: 08:21:37.880005 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53426: udp 236
2883: 08:21:38.456137 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62205: udp 70
2884: 08:21:38.944699 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60127: udp 195
2886: 08:21:39.888427 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65140: udp 222
2890: 08:21:40.449485 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59320: udp 70
2893: 08:21:41.321714 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62421: udp 237
2899: 08:21:42.885528 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60796: udp 222
2900: 08:21:42.945065 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60127: udp 195
2904: 08:21:43.657345 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50140: udp 65
2906: 08:21:43.890731 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65140: udp 222
2909: 08:21:44.298278 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62421: udp 237
2912: 08:21:44.449531 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59320: udp 70
2919: 08:21:45.704828 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50687: udp 70
2920: 08:21:45.884658 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60796: udp 222
2925: 08:21:46.657497 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50140: udp 65
2928: 08:21:47.297958 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57907: udp 237
2930: 08:21:48.300582 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62421: udp 237
2934: 08:21:48.703653 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50687: udp 70
2937: 08:21:49.831789 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57908: udp 91
2938: 08:21:49.884491 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60796: udp 222
2942: 08:21:50.297714 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57907: udp 237
2943: 08:21:50.657299 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50140: udp 65
2946: 08:21:51.703119 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55290: udp 70
2950: 08:21:52.706308 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50687: udp 70
2951: 08:21:53.303741 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53899: udp 237
2952: 08:21:54.297363 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57907: udp 237
2956: 08:21:54.702402 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55290: udp 70
2960: 08:21:56.302810 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53899: udp 237
2965: 08:21:57.908095 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60934: udp 117
2968: 08:21:58.702035 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55290: udp 70
2972: 08:21:59.302428 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63799: udp 237
2975: 08:21:59.977564 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51380: udp 76
2979: 08:22:00.307631 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53899: udp 237
2984: 08:22:00.907667 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60934: udp 117
2986: 08:22:01.284164 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51226: udp 108
2990: 08:22:02.302688 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63799: udp 237
2993: 08:22:02.956646 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51380: udp 76
2995: 08:22:02.987848 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55596: udp 195
3001: 08:22:04.283783 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51226: udp 108
3004: 08:22:04.907072 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60934: udp 117
3009: 08:22:05.955822 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64295: udp 76
3010: 08:22:05.984934 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55596: udp 195
3012: 08:22:06.301864 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63799: udp 237
3016: 08:22:06.958934 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51380: udp 76
3022: 08:22:08.280640 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51226: udp 108
3029: 08:22:08.955440 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64295: udp 76
3032: 08:22:09.910627 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57632: udp 117
3033: 08:22:09.987238 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55596: udp 195
3035: 08:22:10.246538 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60678: udp 131
3042: 08:22:11.959514 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62946: udp 76
3044: 08:22:12.909758 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57632: udp 117
3046: 08:22:12.952709 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64295: udp 76
3049: 08:22:13.245653 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60678: udp 131
3056: 08:22:14.956554 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62946: udp 76
3062: 08:22:16.906996 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57632: udp 117
3065: 08:22:17.248507 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60678: udp 131
3068: 08:22:17.957820 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57216: udp 76
3071: 08:22:18.956493 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62946: udp 76
3077: 08:22:20.958004 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57216: udp 76
3083: 08:22:23.961543 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64402: udp 76
3086: 08:22:24.957271 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57216: udp 76
3089: 08:22:25.054562 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60597: udp 237
3092: 08:22:26.958675 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64402: udp 76
3096: 08:22:28.046246 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60597: udp 237
3100: 08:22:29.960353 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51515: udp 76
3102: 08:22:30.029570 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51928: udp 195
3105: 08:22:30.958049 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64402: udp 76
3108: 08:22:31.020689 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54204: udp 70
3110: 08:22:31.032819 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64172: udp 237
3113: 08:22:32.036069 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60597: udp 237
3115: 08:22:32.960002 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51515: udp 76
3117: 08:22:33.024214 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51928: udp 195
3120: 08:22:34.019850 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54204: udp 70
3122: 08:22:34.032392 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64172: udp 237
3126: 08:22:35.963649 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58593: udp 76
3127: 08:22:36.918943 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52177: udp 117
3128: 08:22:36.957302 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51515: udp 76
3131: 08:22:37.024031 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51928: udp 195
3134: 08:22:38.020155 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54204: udp 70
3137: 08:22:38.034971 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64172: udp 237
3138: 08:22:38.963451 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58593: udp 76
3141: 08:22:39.916075 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52177: udp 117
3144: 08:22:41.962337 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55848: udp 76
3147: 08:22:42.905608 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54153: udp 260
3149: 08:22:42.965037 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58593: udp 76
3153: 08:22:43.915739 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52177: udp 117
3159: 08:22:44.961498 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55848: udp 76
3162: 08:22:45.904860 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54153: udp 260
3165: 08:22:46.842790 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54154: udp 91
3169: 08:22:47.966121 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50849: udp 76
3170: 08:22:48.894881 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55040: udp 236
3171: 08:22:48.918317 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63098: udp 117
3172: 08:22:48.959026 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55848: udp 76
3177: 08:22:49.905165 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54153: udp 260
3180: 08:22:50.965282 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50849: udp 76
3182: 08:22:51.894179 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55040: udp 236
3183: 08:22:51.917417 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63098: udp 117
3188: 08:22:53.964839 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64023: udp 76
3192: 08:22:54.893157 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57213: udp 236
3193: 08:22:54.963039 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50849: udp 76
3199: 08:22:55.898970 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55040: udp 236
3200: 08:22:55.917707 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63098: udp 117
3205: 08:22:56.963954 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64023: udp 76
3207: 08:22:57.064953 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56311: udp 195
3211: 08:22:57.892760 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57213: udp 236
3219: 08:22:59.968089 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63271: udp 76
3220: 08:23:00.064877 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56311: udp 195
3223: 08:23:00.899382 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52883: udp 222
3224: 08:23:00.918241 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63492: udp 65
3225: 08:23:00.964015 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64023: udp 76
3228: 08:23:01.892562 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57213: udp 236
3233: 08:23:02.967235 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63271: udp 76
3237: 08:23:03.898650 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52883: udp 222
3240: 08:23:03.917433 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63492: udp 65
3242: 08:23:04.061871 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56311: udp 195
3248: 08:23:05.966853 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49426: udp 76
3249: 08:23:06.105661 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3250: 08:23:06.897582 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54348: udp 222
3253: 08:23:06.969966 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63271: udp 76
3254: 08:23:07.104395 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3256: 08:23:07.900817 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52883: udp 222
3258: 08:23:07.917188 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63492: udp 65
3260: 08:23:08.121102 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3262: 08:23:08.965968 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49426: udp 76
3267: 08:23:09.894790 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54348: udp 222
3269: 08:23:10.103510 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3273: 08:23:12.966594 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49426: udp 76
3276: 08:23:13.894591 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54348: udp 222
3278: 08:23:14.105325 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3283: 08:23:15.168524 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64971: udp 65
3290: 08:23:18.168692 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64971: udp 65
3297: 08:23:22.167975 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64971: udp 65
3300: 08:23:24.102426 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59518: udp 195
3304: 08:23:25.966487 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63456: udp 70
3311: 08:23:27.101526 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59518: udp 195
3317: 08:23:28.965602 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63456: udp 70
3320: 08:23:29.418755 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63330: udp 117
3326: 08:23:31.101343 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59518: udp 195
3329: 08:23:31.919706 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52792: udp 108
3330: 08:23:31.962825 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51619: udp 70
3331: 08:23:32.415872 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63330: udp 117
3337: 08:23:32.968532 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63456: udp 70
3342: 08:23:34.921384 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52792: udp 108
3343: 08:23:34.962093 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51619: udp 70
3347: 08:23:36.416161 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63330: udp 117
3355: 08:23:38.918653 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52792: udp 108
3357: 08:23:38.961681 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51619: udp 70
3362: 08:23:40.219242 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52373: udp 70
3367: 08:23:41.420983 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60196: udp 117
3368: 08:23:41.426140 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52680: udp 70
3374: 08:23:43.218341 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52373: udp 70
3378: 08:23:44.417840 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60196: udp 117
3381: 08:23:44.422967 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52680: udp 70
3391: 08:23:46.217991 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51938: udp 70
3398: 08:23:47.220706 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52373: udp 70
3403: 08:23:48.418160 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60196: udp 117
3406: 08:23:48.423058 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52680: udp 70
3411: 08:23:49.217655 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51938: udp 70
3422: 08:23:51.141533 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55883: udp 195
3433: 08:23:53.214939 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51938: udp 70
3440: 08:23:54.145637 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55883: udp 195
3441: 08:23:54.469442 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53554: udp 70
3450: 08:23:57.469061 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53554: udp 70
3455: 08:23:58.140999 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55883: udp 195
3461: 08:24:00.468695 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58757: udp 70
3464: 08:24:01.468969 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53554: udp 70
3469: 08:24:03.467810 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58757: udp 70
3480: 08:24:07.427132 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51241: udp 117
3483: 08:24:07.467733 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58757: udp 70
3487: 08:24:08.722130 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53884: udp 70
3491: 08:24:10.430275 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51241: udp 117
3496: 08:24:11.722237 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53884: udp 70
3505: 08:24:14.426064 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51241: udp 117
3507: 08:24:14.720864 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59532: udp 70
3511: 08:24:14.906035 802.1Q vlan#2 P0 208.67.222.222 > 172.26.20.22: icmp: echo reply
3515: 08:24:15.724068 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53884: udp 70
3521: 08:24:17.720498 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59532: udp 70
3523: 08:24:18.181677 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52120: udp 195
3526: 08:24:19.428612 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58045: udp 117
3528: 08:24:19.887054 802.1Q vlan#2 P0 208.67.222.222 > 172.26.20.22: icmp: echo reply
3531: 08:24:21.178304 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52120: udp 195
3535: 08:24:21.720299 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59532: udp 70
3538: 08:24:22.428231 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58045: udp 117
3540: 08:24:22.975321 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55981: udp 70
3542: 08:24:24.885620 802.1Q vlan#2 P0 208.67.222.222 > 172.26.20.22: icmp: echo reply
3544: 08:24:25.178777 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52120: udp 195
3549: 08:24:25.977915 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55981: udp 70
3550: 08:24:26.428093 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58045: udp 117
3553: 08:24:26.571671 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54072: udp 108
3557: 08:24:28.974055 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61441: udp 70
3558: 08:24:29.571351 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54072: udp 108
3560: 08:24:29.885864 802.1Q vlan#2 P0 208.67.222.222 > 172.26.20.22: icmp: echo reply
3562: 08:24:29.979273 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55981: udp 70
3564: 08:24:31.973139 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61441: udp 70
3566: 08:24:33.573639 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54072: udp 108
3572: 08:24:35.973963 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61441: udp 70
3575: 08:24:37.225574 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54778: udp 70
3578: 08:24:40.227695 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54778: udp 70
3586: 08:24:43.224780 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61415: udp 70
3588: 08:24:44.225009 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54778: udp 70
3594: 08:24:45.218357 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59345: udp 195
3599: 08:24:46.225909 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61415: udp 70
3603: 08:24:48.217472 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59345: udp 195
3605: 08:24:48.437309 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64239: udp 117
3609: 08:24:50.223697 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61415: udp 70
3612: 08:24:51.435310 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64239: udp 117
3614: 08:24:51.478262 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60625: udp 76
3616: 08:24:52.217807 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59345: udp 195
3619: 08:24:52.798359 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57029: udp 70
3622: 08:24:54.477926 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60625: udp 76
3625: 08:24:55.433113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64239: udp 117
3629: 08:24:55.798222 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57029: udp 70
3634: 08:24:57.477499 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65124: udp 76
3638: 08:24:58.483281 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60625: udp 76
3642: 08:24:59.797306 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57029: udp 70
3645: 08:25:00.438408 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50075: udp 117
3646: 08:25:00.478857 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65124: udp 76
3651: 08:25:03.435371 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50075: udp 117
3652: 08:25:03.480749 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57210: udp 76
3654: 08:25:04.474020 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65124: udp 76
3660: 08:25:06.480352 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57210: udp 76
3662: 08:25:07.435066 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50075: udp 117
3667: 08:25:09.479497 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52037: udp 76
3670: 08:25:10.487187 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57210: udp 76
3673: 08:25:12.258485 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59263: udp 195
3674: 08:25:12.478612 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52037: udp 76
mxfw(config)# sho cap capo
16 packets captured
1: 08:49:55.933347 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
2: 08:49:55.961345 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
3: 08:50:00.697122 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
4: 08:50:00.723915 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
5: 08:50:05.696283 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
6: 08:50:05.721947 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
7: 08:50:10.695474 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
8: 08:50:10.722466 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
9: 08:24:14.880508 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
10: 08:24:14.906004 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
11: 08:24:19.860780 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
12: 08:24:19.887023 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
13: 08:24:24.859971 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
14: 08:24:24.885574 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
15: 08:24:29.859147 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
16: 08:24:29.885833 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
16 packets shown
mxfw(config)# sho cap capdmz
ERROR: Capture does not exist
mxfw(config)# sho cap capd
0 packet captured
0 packet shown
mxfw(config)# -
Cisco ASA 5505 VPN connection issue ("Unable to add route")
I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)# -
ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN
Hi there, please forgive if I have missed any forum protocols as this is my first post.
I am trying to configure Anyconnect SSL VPN. I am able to connect to the VPN on a laptop, witch is able to download the anyconnect client from the ASA. I am unable to ping any of my IP's that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on anyconnect SSL VPN creation and I am following it to the T but still no ping. Any help would be very much appreciated.
Inside 192.168.1.254/24
Outside dhcp
VPN Pool 192.168.250.1-50/24
Inside LAN 192.168.1.0/24
: Saved
ASA Version 8.4(4)1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/1
nameif inside
security-level 99
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 99
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name dock.local
same-security-traffic permit inter-interface
object network inside-network-object
subnet 192.168.1.0 255.255.255.0
object network management-network-object
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_25
subnet 192.168.250.0 255.255.255.128
object-group network AllInside-networks
network-object object inside-network-object
network-object object management-network-object
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AllInside-networks interface
nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4433
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_anyconnect internal
group-policy GroupPolicy_anyconnect attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list value split_tunnel
default-domain value dock.local
username test password JAasdf434ey521ZCT encrypted privilege 15
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
address-pool vpn_pool
default-group-policy GroupPolicy_anyconnect
tunnel-group anyconnect webvpn-attributes
group-alias anyconnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:24bcba3c4124ab371297d52260135924
: end :: Saved
ASA Version 8.4(4)1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/1
nameif inside
security-level 99
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 99
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name dock.local
same-security-traffic permit inter-interface
object network inside-network-object
subnet 192.168.1.0 255.255.255.0
object network management-network-object
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_25
subnet 192.168.250.0 255.255.255.0
object-group network AllInside-networks
network-object object inside-network-object
network-object object management-network-object
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AllInside-networks interface
nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.100.2 255.255.255.255 management
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_Anyconnect_VPN internal
group-policy GroupPolicy_Anyconnect_VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value split_tunnel
default-domain value dock.local
username sander password f/J.5nLef/EqyPfy encrypted
username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
tunnel-group Anyconnect_VPN type remote-access
tunnel-group Anyconnect_VPN general-attributes
address-pool Anyconnect-pool
default-group-policy GroupPolicy_Anyconnect_VPN
tunnel-group Anyconnect_VPN webvpn-attributes
group-alias Anyconnect_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
: end: -
ASA 5505 IPSEC VPN connected but can't access to LAN
ASA : 8.2.5
ASDM: 6.4.5
LAN: 10.1.0.0/22
VPN Pool: 172.16.10.0/24
Hi, we purcahsed a new ASA 5505 and try to setup IPSEC VPN via ASDM; i just simply run the Wizards, setup vpnpool, split tunnelling,etc.
I can connect to the ASA by using cisco VPN client and internet works fine on the local PC, but it cannot access to the LAN (can't ping. can't remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile i created worked fine.
Below is my configure, do I mis-configure anything?
ASA Version 8.2(5)
hostname asatest
domain-name XXX.com
enable password 8Fw1QFqthX2n4uD3 encrypted
passwd g9NiG6oUPjkYrHNt encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.253 255.255.252.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.240
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name vff.com
access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside 10.1.1.230
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (inside) host 10.1.1.108
nt-auth-domain-controller 10.1.1.108
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.0.0 255.255.252.0 inside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntest internal
group-policy vpntest attributes
wins-server value 10.1.1.108
dns-server value 10.1.1.108
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntest_splitTunnelAcl
default-domain value XXX.com
split-tunnel-all-dns disable
backup-servers keep-client-config
address-pools value vpnpool
username admin password WeiepwREwT66BhE9 encrypted privilege 15
username user5 password yIWniWfceAUz1sUb encrypted privilege 5
username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
tunnel-group vpntest type remote-access
tunnel-group vpntest general-attributes
address-pool vpnpool
authentication-server-group AD
authentication-server-group (inside) AD
default-group-policy vpntest
strip-realm
tunnel-group vpntest ipsec-attributes
pre-shared-key BEKey123456
peer-id-validate nocheck
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
: endI change a Machine's gateway to this ASA and capture again, now we can see some reply.
All ohter PCs and switches gateway are point to another ASA, maybe that's the reason why i didn't work?
what's the recommanded way to make our LAN to have two 2 gateways(for load balance or backup router, etc)?
add two gateways to all PCs and swtichwes?
1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request -
ASA 5505 (8.3.1) DMZ to Outside access problem
We have a hub and spoke VPN setup and at one location used the DMZ port/vlan subnet to access the hub. We have since changed and want the DMZ to only access the outside interface (have base license that can only access one interface). We have taken out all the configs that allow access to inside/VPN but can not get the DMZ to access Outside/internet. I also do not see any debug info in the logs. We have read a ton but it seems that there are changes in 8.3 that are not documented well enough for us to get this going. Does anybody see what we are missing?
Full Config:
ASA Version 8.3(1)
hostname Rye5505
domain-name thedavid
enable password encrypted
passwd encrypted
names
name 192.168.72.0 Sixpines description VPN
interface Vlan1
nameif inside
security-level 100
ip address 192.168.73.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.15.200.138 255.255.255.252
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 5
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name thedavid
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 192.168.72.0
subnet 192.168.72.0 255.255.255.0
description Sixpines
object network NETWORK_OBJ_192.168.73.0_24
subnet 192.168.73.0 255.255.255.0
object network obj-192.168.73.0
subnet 192.168.73.0 255.255.255.0
object network Sixpines
subnet 192.168.72.0 255.255.255.0
object network DMZ
subnet 192.168.1.0 255.255.255.0
object-group network SixpinesInternalNetwork
network-object Sixpines 255.255.255.0
access-list DMZ_access_in extended permit ip any any inactive
access-list DMZ_access_in extended permit ip object DMZ object obj_any inactive
access-list outside_1_cryptomap extended permit ip object obj-192.168.73.0 object Sixpines
access-list dmz extended permit ip object obj_any object DMZ
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (dmz,outside) source static DMZ DMZ
object network obj_any
nat (inside,outside) dynamic interface
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 69.15.200.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.73.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 dmz
http Sixpines 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 72.54.197.28
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.73.101-192.168.73.132 inside
dhcpd dns 192.168.72.14 8.8.8.8 interface inside
dhcpd domain thedavidlawfirm interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 72.54.197.28 type ipsec-l2l
tunnel-group 72.54.197.28 ipsec-attributes
pre-shared-key
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
OUTPUT of log.....
6 Sep 29 2008 19:31:32 302015 8.8.8.8 53 192.168.1.110 59468 Built outbound UDP connection 2298 for outside:8.8.8.8/53 (8.8.8.8/53) to dmz:192.168.1.110/59468 (192.168.1.110/59468)
6 Sep 29 2008 19:31:30 302016 8.8.8.8 53 192.168.1.110 62740 Teardown UDP connection 2234 for outside:8.8.8.8/53 to dmz:192.168.1.110/62740 duration 0:02:08 bytes 110
THANKS!!!!Hello –
I know that it has been a while since you’ve posted this question. I just recently ran into the very same situation; trying to get my DMZ to access the internet.
You think that because the internet in a lower security interface, that traffic automatically flows downhill. If you have ANY ACL’s in your DMZ, then this default feature disappears.
If you want to secure your inside from the DMZ, and still get internet, you must do the following:
Second to last ACL :
Action: Deny
Source: any
Destination: inside
Service: IP
Last ACL:
Action: Permit
Source: any
Destination: any
Service: IP
ACL’s read from top to bottom, so in this case, traffic would try to find a match. If traffic was not trying to go into the inside interface, the only other available would be outside.
Thanks,
Michael -
ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's
Hello All,
I'm an ASA Newb.
I feel like I have tried everything posted and still no success.
PROBLEM: When connected to the SSL VPN I cannot ping any internal host's. I cannot ping anything on this inside?
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname MCASA01
domain-name mydomain.org
enable password xxbtzv6P4Hqevn4N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 VLAN
name 192.168.5.0 VPNPOOL
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ddns update hostname MC_DNS
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 11.11.11.202 255.255.255.252
interface Vlan3
no nameif
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mydomain.org
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
keypair digicert.key
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 00b63edadf5efa057ea49da56b179132e8
3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
quit
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 66.180.96.12 64.238.96.12 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 4000 interface inside
dhcpd domain mydomain.org interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 64.147.116.229 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNGP internal
group-policy VPNGP attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
username GaryC attributes
vpn-group-policy VPNGP
tunnel-group MCVPN type remote-access
tunnel-group MCVPN general-attributes
address-pool VPNPOOL
default-group-policy VPNGP
tunnel-group MCVPN webvpn-attributes
group-alias MCVPN enable
group-url https://11.11.11.202/MCVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
: end
My goal is to allow Remote Users to RDP(3389) through VPN.
Thank you,
Gary
Message was edited by: Gary CulwellHello Jon,
Thank you so much for your response. Clients will not be connect to a specific RDP server. I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access. So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
Would you say this would work:
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
Do you have examples?
Thank you,
Gary -
Unable to access inside network using Split tunnel RA VPN
Hi Everyone,
I configured RA Split tunnel VPN.
Connection works fine.
Inside Interface of ASA has connection to Switch IP 10.1.12.1.
When connected via RA VPN i try https://10.1.12.1 but it does not open up.
Inside Interface of ASA has IP 10.0.0.1
ASA1# $
Session Type: IKEv1 IPsec Detailed
Username : ipsec-user Index : 23
Assigned IP : 10.0.0.51 Public IP : 192.168.98.2
Protocol : IKEv1 IPsec
License : Other VPN
Encryption : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 2130969 Bytes Rx : 259008
Pkts Tx : 6562 Pkts Rx : 3682
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ipsec-group Tunnel Group : ipsec-group
Login Time : 11:10:41 MST Sun Jan 26 2014
Duration : 0h:40m:30s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKEv1 Tunnels: 1
IPsec Tunnels: 1
IKEv1:
Tunnel ID : 23.1
UDP Src Port : 62751 UDP Dst Port : 500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 83975 Seconds
D/H Group : 2
Filter Name :
Client OS : WinNT Client OS Ver: 5.0.07.0440
IPsec:
Tunnel ID : 23.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.0.0.51/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 26375 Seconds
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 2137160 Bytes Rx : 259088
Pkts Tx : 6571 Pkts Rx : 3684
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 2426 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
From ASA i can ping the switch IP
ASA1# ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1#
logs from firewall
Jan 26 2014 11:53:20: %ASA-6-302014: Teardown TCP connection 51636 for outside:10.0.0.51/50747(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:00:00 bytes 1075 TCP Reset-O (ipsec-user)
Jan 26 2014 11:53:20: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/50747 to 10.0.0.1/443 flags FIN ACK on interface outside
Why firewall logs show https connection to 10.0.0.1 instead of 10.1.12.1?
Regards
MaheshHi Jouni,
ASA1# sh ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.171 255.255.255.0 CONFIG
Vlan3 sales 10.12.12.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.171 255.255.255.0 CONFIG
Vlan3 sales 10.12.12.1 255.255.255.0 CONFIG
Connection is split tunnel.
when i check stats on vpn client all i see bypassed packets.
ASA1# sh run group-polic$
group-policy ipsec-group internal
group-policy ipsec-group attributes
dns-server value 64.59.144.19
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value ipsec-group_splitTunnelAcl
Regards
Mahesh
Message was edited by: mahesh parmar -
ASA 5505 Site to Site and Web VPN
Hello all, I need to add a site to site tunnel from a an ASA 5505 (ver 8.05) to a Sonic wall appliance. The problem is, the ASA already has remote access VPN and anyconnect VPN configured. I'm not sure if its possible to add another secured tunnel to the device. Ive already got one NAT 0 statement.
Thanks for your expert opinions!Hi,
There should be no problem adding a Site to Site VPN on the ASA even if it has Client VPN configured.
If you for example have an "inside" interface which has NAT0 configuration like
nat (inside) 0 access-list NAT0
You just add the needed ACL lines to that existing ACL for the L2L VPN.
On the basis of the information you provided I dont see any problem configuring the L2L VPN on the ASA.
- Jouni -
L2TP on Cisco ASA 5505, just doesn't work??!
This is pretty urgent, client expects me to have this up by lunch today
So, there is this Cisco ASA 5505 ver 8.4.
Most things work but now I want to setup a vpn connection...
I have done this 2 ways, first by using the "VPN Wizard" in ASDM and then 5 hours later removing everything and configuring from cli.
And it just doesn't work, client (WinXP & Win7) gets "error 792" and sometimes "error 789" (both indicating problem with phase 1, I'm pretty sure of that)
Googling on those gives a few suggestions none works.
All I get in the log on Cisco is the "Error processing payload: Payload ID: 1"
Googling on that only comes up with a few pages telling me this message is caused by an error. (Yeah, I could never have guessed...)
For the cli config, I followed this tutorial carefully (3 times actually...)
http://www.cisco.com/en/US/docs/secu...html#wp1117464
I'm using PSK for IPSec, entered same on Cisco and client - checked several times, this is not a password/PSK issue.
Ports opened on Cisco: 500, 1701, 4500
(For a try I opened all ports, no change.)
And here's the "show run":
Code:
ASA Version 8.4(2)
hostname ciscoasa
enable password <string> encrypted
passwd <string> encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address #.#.#.# 255.255.255.252
interface Vlan7
description VLAN till kontor
no forward interface Vlan2
nameif kontor
security-level 100
ip address 172.16.5.1 255.255.255.0
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
host 192.168.5.2
object network Webserver443
host 192.168.5.2
object network rdp
host 192.168.5.2
object network vpnserver
host 192.168.5.2
object service vpn-service-group
object network VPN
host 192.168.5.2
object-group service Webports tcp-udp
description Portar för webbserver
port-object eq 443
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
group-object Webports
port-object eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VPNports tcp-udp
port-object eq 1701
port-object eq 4500
port-object eq 500
object-group service RDP tcp-udp
port-object eq 3389
object-group service vpn-services tcp-udp
port-object eq 1701
port-object eq 500
access-list outside_access_in extended permit tcp any object Webserver eq www
access-list outside_access_in_1 extended permit tcp any object Webserver object-group DM_INLINE_TCP_1
access-list outside_access_in_1 remark Ãppnar för vpn
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group VPNports
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group RDP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu kontor 1500
ip local pool vpn1 10.10.10.10-10.10.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
object network Webserver
nat (inside,outside) static interface service tcp www www
object network Webserver443
nat (inside,outside) static interface service tcp https https
object network rdp
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 79.142.243.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev2 ipsec-proposal 3DES-SHA
protocol esp encryption aes-256 aes-192 aes 3des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal 3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
.... (sorry, not giving you the cert...)
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2 1
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
l2tp tunnel hello 100
dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd address 192.168.5.11-192.168.5.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
address-pools value vpn1
group-policy DfltGrpPolicy attributes
dns-server value 79.142.240.10
vpn-tunnel-protocol l2tp-ipsec
address-pools value vpn1
username test password <string> nt-encrypted
username someoneelse password <string> nt-encrypted privilege 15
username someoneelse attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
service-type admin
username someone password <string> nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group vpn1 type remote-access
tunnel-group vpn1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dd92aa6707dc63e8ed7dad47cfecdd47
: end
In Pingvino Veritas!I lmost got it working now, new problem is that the connection is immediately ended.
Logs shows that client is authenticated and assigned an ip.
From the logs, all happens during one second:
IPAA: Client assigned ip-address from local pool
IPAA: Local pool request succeeded for tunnel-group
IPAA: Freeing local pool address
L2TP Tunnel created, tunnel_id is 24
L2TP Tunnel deleted, tunnel_id =24
IPSEC: An outbound remote access SA has been deleted
IPSEC: An inbound remote access SA has been deleted
Session is being torn down. Reason: L2TP initiated
Teardown UDP connection -
ASA 5505 version 9.1(4) NAT issue
Hi,
I am using ASA 5505 version 9.1(4) and using dynamic NAT command to NAT(PAT) inside subnet 192.168.3.0/24 with outside interface 192.168.100.2/24
But unable to ping from inside host to internet or router interface 192.168.100.1 . Please suggest the show running is mentioned below.
Following is the logical diagram
192.168.100.1/24 192.168.100.2/24 192.168.3.1
Internet(ISP) ------------------->------------------ Router------------------------->(e0/0) ASA 5505 (9.1) eth0/4 ----- ---------- Host (192.168.3.22)
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ciscoasa(config)# object network Generic_All_Network
ciscoasa(config-network-object)# sub
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
ciscoasa(config-network-object)# ex
ciscoasa(config)# nat (inside,outside) source dynamic Generic_All_Network inte$
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# wr
Building configuration...
Cryptochecksum: fe5175c6 25dfd45a 117bd6e3 867486db
3211 bytes copied in 1.120 secs (3211 bytes/sec)
[OK]
ciscoasa(config)# sh run
: Saved
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
ftp mode passive
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
access-list inbound extended permit ip any any
access-list inbound extended permit icmp any4 any4
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source dynamic Generic_All_Network interface
object network inside_hosts
nat (inside,outside) dynamic interface
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:fe5175c625dfd45a117bd6e3867486db
: endyep I have already removed nat (inside,outside) source dynamic Generic_All_Network interface
Following is the latest show-running
ciscoasa(config)# sh run
: Saved
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
ftp mode passive
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit icmp any4 any4
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list capi extended permit ip host 192.168.3.22 host 192.168.100.1
access-list capi extended permit ip host 192.168.100.1 host 192.168.3.22
access-list capo extended permit ip host 192.168.100.2 any
access-list capo extended permit ip any host 192.168.100.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
object network inside_hosts
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:b5958fd342c81895465887026d1423b3
: end -
Good morning,
I'm having the following problem. I configured a ASA 5505 with VPN and a VPN Remote Access Site-to-site. Everything is working, but when I reload the ASA does not work anymore VPNs, Remote Access error 412 and the Site-to-site does not connect more to solve, I have to reset and reconfigure the ASA. This is happening dopo updating the ASA, I have version 842-k8 and asdm645-106.
Does anyone have any idea what can be?
Thank you.
Running-config:
: Saved
: Written by master at 10:34:14.839 BRDT Mon Oct 10 2011
ASA Version 8.4(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 172.16.0.140 255.255.252.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group gvt
ip address pppoe setroute
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone BRST -3
clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_172.16.0.0_22
subnet 172.16.0.0 255.255.252.0
object network NETWORK_OBJ_172.16.0.128_26
subnet 172.16.0.128 255.255.255.192
object network NETWORK_OBJ_20.0.0.0_24
subnet 20.0.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.11.0_24
subnet 172.16.11.0 255.255.255.0
object-group network obj_any
access-list 1 standard permit 172.16.0.0 255.255.252.0
access-list 1 standard permit 20.0.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.252.0 20.0.0.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 172.16.0.0 255.255.252.0 172.16.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool 172.16.0.150-172.16.0.160 mask 255.255.252.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 destination static NETWORK_OBJ_172.16.0.128_26 NETWORK_OBJ_172.16.0.128_26 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 destination static NETWORK_OBJ_20.0.0.0_24 NETWORK_OBJ_20.0.0.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 destination static NETWORK_OBJ_172.16.11.0_24 NETWORK_OBJ_172.16.11.0_24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
route outside 172.16.11.0 255.255.255.0 187.16.33.131 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.16.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 189.11.56.237
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 187.16.33.131
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group gvt request dialout pppoe
vpdn group gvt localname *******@turbonetpro
vpdn group gvt ppp authentication pap
vpdn username *******@turbonetpro password *****
dhcpd auto_config outside
dhcpd address 172.16.0.144-172.16.1.143 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy crv internal
group-policy crv attributes
dns-server value 172.16.0.253 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 1
default-domain value crvnatural.com.br
group-policy GroupPolicy_189.11.56.237 internal
group-policy GroupPolicy_189.11.56.237 attributes
vpn-filter value 1
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_187.16.33.131 internal
group-policy GroupPolicy_187.16.33.131 attributes
vpn-filter value 1
vpn-tunnel-protocol ikev1 ikev2
username master password kWH7f2vqtjMEg2Yp encrypted
tunnel-group crv type remote-access
tunnel-group crv general-attributes
default-group-policy crv
dhcp-server 172.16.0.253
tunnel-group crv ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 189.11.**.*** type ipsec-l2l
tunnel-group 189.11.**.*** general-attributes
default-group-policy GroupPolicy_189.11.**.***
tunnel-group 189.11.**.*** ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key ****
ikev2 local-authentication pre-shared-key *****
tunnel-group 187.16.33.*** type ipsec-l2l
tunnel-group 187.16.33.*** general-attributes
default-group-policy GroupPolicy_187.16.33.***
tunnel-group 187.16.33.*** ipsec-attributes
ikev1 pre-shared-key ******
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:50ed6f55182534a2429d065a26e9b45c
: endDavid,
In order to understand why LDAP is not working run a "debug ldap 255" and then try to login or run a AAA test.
Attach the output to find out the issue.
Please check this out as well, to make sure that you have the correct settings:
ASA 8.0: Configure LDAP Authentication for WebVPN Users
HTH.
Portu. -
I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.)
Post the config of your ASA and someone will be able to assist.
-
Hi
I am facing a problem with icmp in ASA 5505, i want to block the icmp from inside to outside , but outside to inside icmp should work, here the configuration.
ASA Version 8.0(5)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.17.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service OPC_Ports tcp
port-object range 3800 3900
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp range 3800 3900
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp range 3800 3900
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object tcp range 3800 3900
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_1 host 172.17.1.200 any
access-list inside_access_out extended deny icmp any host 172.17.1.200
access-list inside_access_in extended permit tcp any host 172.17.1.200 range 3800 3900
access-list inside_access_in extended deny icmp host 172.17.1.200 any
access-list inside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 host 172.17.1.200 any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_4 192.168.1.0 255.255.255.0 host 172.17.1.200
access-list outside_access_out extended deny icmp any host 172.17.1.200
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny 192.168.1.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 172.17.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:0e7c3f786320372e8e43f7e5f00fb72c
: end
with this configuration it worked fine, but after rebooting the device , port 3800-3900 ports are not working, if i enable IP then ICMP and 3800-3900 ports are working,
What i need is
inside to outside icmp deny
outside to inside icmp permit
thanks in advanceIf so then you need to have the specified settings on the inside and outside interface mapping ACL's....
outside to inside ( on outside ) interface mapped acl you can allow the entire icmp....
like
access-list inbound extended permit icmp any any
On the inside interface mapped ACL....
access-list outbound permit icmp any any echo-reply
access-list outbound permit icmp any any unreachable
access-list outbound permit icmp any any time-exceeded
access-list outbound deny icmp any any
Have the above ACL on top of your IP/TCP/UDP ACL's so that it works correctly.....
This will allow any kind of icmp requests from outside.... but from inside it allows only the return traffic required icmp messages....
Regards
Karthik -
Cisco ASA 5505 site to site IPSec VPN with RV220W issue
I have a ASA5505 connected to RV220W through IPSec VPN. When using SMB to transfer large file, the ASA5505 will show error message:
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1561
The error message from the debug crypto engine. When the message show, the speed of the transfer will slow down quickly, and even no data can be go through between ASA and the RV220W. But the IPSec SA and the IKE SA is active, and can ping the inside network in both site.
Both ASA5505 and the RV220W has been updated the latest firmware. I have surf the Google but no such related issue found.
Any suggestions on where to look would be much appreciated.
Thanks in advance
TerryHi Ted thanks for your reply and information.
The strange things happened in RV220W shows the IPSec sa is expired, but the ASA5505 IPSec and IKEv1 sa is active. Inside both site internal network can ping to other side, but cant transfer file through Windows SMB. It seems when I transfer over 4GBytes of file, it will start happening and required clear IPSec and IKEv1 sa so that the VPN tunnel will start up again.
I am already surrander for this issue......
Maybe you are looking for
-
What would happen if I reset settings on my iPod touch 5th gen
I have and iPod touch 5th gen I bought it 1 month ago but I had forgot my Apple ID and I wanted to download all my music to this ipod from the one that it purchased but I had made a new Apple ID because I had forgot this one and I remembered and I lo
-
Calling Stored Procedure with CLOB parameter
Hi, i have one procedure with IN parameter CLOB which is taking xml file and stored in one table column and this table column datatype is also CLOB. And this procedure called by .Net program but problem is when the file will come more than 32KB calli
-
Cannot edit SAP or WebService Jobs via Client (5.3)
When I try to edit or view our SAP or Web service jobs in the Client (5.3), it brings up the job details but there is no SAP or web service tabs shown and the Job name and other details of the job are blank. From the same computer, I can successfully
-
Feathering while saving for web
Hi! I made this figure: http://luniwei.com/temp/1.jpg (green one) It is relatively little I want to save it for web, but quality is very bad. Its seems to me illustrator adds feather feature: http://luniwei.com/temp/2.jpg Result picture is unclear. C
-
Consuming function of WebServices (Microsoft) in sap
Hi guru. I want call a function of a WebService of external System (not SAP). In SM59 I define an HTTP Connections to Ext. Server. Now can i implement a abap code to call this function and import the result table? My SAP release is 4.7. Regards Angel