Arp inspection not working on ASA

Folks,
I configured a transparent firewall on an ASA. I have ARP inspection enabled, with dynamic MAC learning and dynamic ARP. I am able to ping through the transparent firewall using 2 routers with the same MAC address. The firewall shows me that it is learning both MAC addresses and also forwarding packets; can someone help me understand why this is happening?

For some reason it will not take the shun command... I've tried every combination I could think of but it will always fail. I'm guessing there is a bug or that it's just not allowed in transparent mode.
You have to use the vlan before the number or it says invalid host. When I do specify the vlan 2 it takes it and then comes back with "Invalid vlan (2) shun failed".
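The observation in the first post (both routers' ARP traffic learned and forwarded) is easier to reason about with a small model of what ASA ARP inspection actually checks. The Python below is an added example, not code from the thread or from Cisco; it models the documented rule that ARP inspection compares a packet's source interface, IP and MAC only against static ARP entries (entries learned dynamically are not consulted), and that a packet matching no static entry is flooded by default or dropped under no-flood. Interface names, addresses and the shared MAC are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class ArpPacket:
    """The three fields ASA ARP inspection looks at (constructed model, not Cisco code)."""
    ingress_if: str
    sender_ip: str
    sender_mac: str

# Static ARP table: (interface, ip) -> mac, as configured with "arp <ifc> <ip> <mac>".
StaticArpTable = Dict[Tuple[str, str], str]

def inspect_arp(pkt: ArpPacket, static: StaticArpTable, no_flood: bool = False) -> str:
    """Model of transparent-mode ARP inspection (assumption based on Cisco's description):
    - interface, IP and MAC all match one static entry      -> "pass"
    - a static entry involves this IP or this MAC but differs -> "drop"
    - no static entry involves the packet at all              -> "flood", or "drop" with no-flood
    Dynamically learned ARP entries play no part in the decision."""
    if static.get((pkt.ingress_if, pkt.sender_ip)) == pkt.sender_mac:
        return "pass"
    related = [
        (ifc, ip, mac) for (ifc, ip), mac in static.items()
        if ip == pkt.sender_ip or mac == pkt.sender_mac
    ]
    if related:
        return "drop"
    return "drop" if no_flood else "flood"

def scenario() -> Dict[str, tuple]:
    """Two routers answering ARP with the same MAC, as in the post (constructed sample)."""
    shared_mac = "0000.0c07.ac01"
    r1 = ArpPacket("inside", "10.0.0.1", shared_mac)
    r2 = ArpPacket("inside", "10.0.0.2", shared_mac)
    no_static: StaticArpTable = {}                       # dynamic learning only, as configured in the post
    pinned: StaticArpTable = {("inside", "10.0.0.1"): shared_mac}  # one router pinned with a static entry
    return {
        "dynamic_only": (inspect_arp(r1, no_static), inspect_arp(r2, no_static)),
        "with_static": (inspect_arp(r1, pinned), inspect_arp(r2, pinned)),
        "no_flood": (inspect_arp(r1, no_static, no_flood=True),),
    }

if __name__ == "__main__":
    for name, verdicts in scenario().items():
        print(f"{name}: {verdicts}")
```

With no static entries, both routers' packets fall into the "no entry" case and are flooded, which is the forwarding the poster sees; only once an address is pinned with a static entry does the second router's claim on the same MAC get dropped.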

Similar Messages

  • ACL not working in ASA 8.4

An ACL has been applied on the inside interface of the ASA 8.4 but it is not working. The aim of this list is to allow only a few hosts outside access and deny the rest of the hosts outside access. The syntax of the access list is
    access-list ACL-Inside extended permit ip host 192.168.100.101 any
    access-list ACL-Inside extended permit ip host 192.168.100.108 any
    access-list ACL-Inside extended permit ip host 192.168.100.109 any
    access-list ACL-Inside extended permit ip host 192.168.100.243 any
    access-list ACL-Inside extended permit ip host 192.168.100.241 any
    access-group ACL-Inside in interface inside

Did you configure the NAT statement for the inside hosts to be mapped to a public IP? The config below will NAT 192.168.100.0-100.254 to the outside interface, and the access-list you defined only allows those hosts to go out.
    object network Inside_Net
    subnet 192.168.100.0 255.255.255.0
    nat  (inside, outside)  dynamic interface
If you already did the above config, please send us the packet capture as Mike requested.

  • Inspect not working in cisco ASA

    Hi
I have a Cisco ASA5520 box running IOS version 8.2(5)13 where the default policy map is applied globally. But I have not seen any traffic being inspected for the protocols included under the policy map. Any idea what the issue may be? All configuration seems OK to me.
    service-policy global_policy global
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
          Inspect: ftp, packet 0, drop 0, reset-drop 0
          Inspect: rsh, packet 0, drop 0, reset-drop 0
          Inspect: rtsp, packet 0, drop 0, reset-drop 0
                   tcp-proxy: bytes in buffer 0, bytes dropped 0
          Inspect: skinny , packet 0, drop 0, reset-drop 0
                   tcp-proxy: bytes in buffer 0, bytes dropped 0
          Inspect: sunrpc, packet 0, drop 0, reset-drop 0
                   tcp-proxy: bytes in buffer 0, bytes dropped 0
          Inspect: xdmcp, packet 0, drop 0, reset-drop 0
          Inspect: netbios, packet 0, drop 0, reset-drop 0
          Inspect: icmp error, packet 0, drop 0, reset-drop 0
          Inspect: tftp, packet 0, drop 0, reset-drop 0
          Inspect: icmp, packet 0, drop 0, reset-drop 0
          Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
                   tcp-proxy: bytes in buffer 0, bytes dropped 0
          Inspect: dns preset_dns_map_1, packet 0, drop 0, reset-drop 0

I'm assuming you have the service-policy global_policy global command in place, hence I can only assume that this is a bug with your present version. After all, version 8.2.5 has brought me more headaches than anything else.
Perhaps you could try downgrading to version 8.2.4, for example. This version is alright. You can't upgrade to version 8.3.X as this requires a memory upgrade, which means money $$$

  • Remote Desktop not working via ASA

    Hi Everyone,
    ASA has 2 interfaces inside and sales.
    There is ACL on interface sales that allow RDP on tcp port 3389 from sales to inside subnet 10.0.0.15.
    Interface sales is attached to switch.
    I did test from switch
    2950A#telnet 10.0.0.15 3389
    Trying 10.0.0.15, 3389 ...
    % Connection refused by remote host
    2950A#ping 10.0.0.15
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.15, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
    2950A#
    logs on firewall show
    May 18 2014 18:50:34: %ASA-6-302013: Built inbound TCP connection 313812 for sales:10.12.12.2/24066 (10.12.12.2/24066) to inside:10.0.0.15/3389 (10.0.0.15/3389)
    May 18 2014 18:50:34: %ASA-6-302014: Teardown TCP connection 313812 for sales:10.12.12.2/24066 to inside:10.0.0.15/3389 duration 0:00:00 bytes 0 TCP Reset-I
Where 10.0.0.15 is a PC, and this PC is configured to allow incoming Remote Desktop connections.
Any ideas what I can check?
Regards
Mahesh

    Hi Jennifer,
    I tested the RDP in both directions no luck.
    Sales has security level
    interface Vlan3
     nameif sales
     security-level 50
     ip address 10.12.12.1 255.255.255.0
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.255.0
Ping works fine in both directions, meaning from switch to PC and PC to switch, so this should rule out routing, right?
It seems NAT is not configured between inside and sales.
Regards
Mahesh
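The two log lines quoted in the post already carry the diagnosis: the ASA built the connection (%ASA-6-302013) and tore it down with bytes 0 and reason TCP Reset-I (%ASA-6-302014); in Cisco's message reference the -I suffix means the reset came from the inside host, so the firewall passed the SYN and 10.0.0.15 itself refused it, which is consistent with the switch's "Connection refused". The Python below is an added example (not from the thread or from Cisco) that correlates these two message IDs per connection id and labels zero-byte resets by the side they came from, so a reviewer can separate "blocked by the firewall" from "refused by the endpoint" in bulk. The two lines from the post are used as sample input; the remaining lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message formats as they appear in the post (%ASA-6-302013 build, %ASA-6-302014 teardown).
BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)

@dataclass
class Conn:
    conn_id: str
    endpoints: str = ""
    built: bool = False
    bytes_transferred: Optional[int] = None   # stays None until a teardown is seen
    reason: str = ""

def correlate(lines: List[str]) -> Dict[str, Conn]:
    """Group build and teardown messages by the ASA connection id."""
    conns: Dict[str, Conn] = {}
    for line in lines:
        m = BUILT.search(line)
        if m:
            c = conns.setdefault(m["id"], Conn(m["id"]))
            c.endpoints = f'{m["sif"]}:{m["sip"]}/{m["sport"]} -> {m["dif"]}:{m["dip"]}/{m["dport"]}'
            c.built = True
            continue
        m = TEARDOWN.search(line)
        if m:
            c = conns.setdefault(m["id"], Conn(m["id"]))
            c.bytes_transferred = int(m["bytes"])
            c.reason = m["reason"].strip()
    return conns

def classify(c: Conn) -> str:
    """'open' (no teardown yet); 'refused-by-inside' / 'refused-by-outside' for a zero-byte
    connection reset from that side (the firewall permitted it, the endpoint refused); else 'normal'."""
    if c.bytes_transferred is None:
        return "open"
    if c.bytes_transferred == 0 and c.reason.startswith("TCP Reset-"):
        return "refused-by-inside" if c.reason.endswith("-I") else "refused-by-outside"
    return "normal"

def analyze(lines: List[str]) -> Dict[str, str]:
    return {cid: classify(c) for cid, c in correlate(lines).items()}

SAMPLE_LOG = [
    # the two lines quoted in the post
    "May 18 2014 18:50:34: %ASA-6-302013: Built inbound TCP connection 313812 for sales:10.12.12.2/24066 (10.12.12.2/24066) to inside:10.0.0.15/3389 (10.0.0.15/3389)",
    "May 18 2014 18:50:34: %ASA-6-302014: Teardown TCP connection 313812 for sales:10.12.12.2/24066 to inside:10.0.0.15/3389 duration 0:00:00 bytes 0 TCP Reset-I",
    # constructed: a connection that carried data and closed normally
    "May 18 2014 18:51:02: %ASA-6-302013: Built inbound TCP connection 313813 for sales:10.12.12.2/24070 (10.12.12.2/24070) to inside:10.0.0.20/443 (10.0.0.20/443)",
    "May 18 2014 18:51:40: %ASA-6-302014: Teardown TCP connection 313813 for sales:10.12.12.2/24070 to inside:10.0.0.20/443 duration 0:00:38 bytes 5120 TCP FINs",
    # constructed: a connection with no teardown yet
    "May 18 2014 18:52:00: %ASA-6-302013: Built outbound TCP connection 313814 for inside:10.0.0.15/51000 (10.0.0.15/51000) to sales:10.12.12.2/22 (10.12.12.2/22)",
]

if __name__ == "__main__":
    conns = correlate(SAMPLE_LOG)
    for cid, verdict in analyze(SAMPLE_LOG).items():
        print(f"{cid} {conns[cid].endpoints}: {verdict}")
```

A connection the ASA itself denies never produces a 302013 build message at all (it is logged as a deny), so the presence of the build line plus a Reset-I teardown points the investigation at the destination host rather than at the ACL.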

  • Edge Inspect not working for domain.dev URL's running locally on my laptop, displays error message.

    "An error occured
    Web page not availiable".
    This, printed on a white screen, on my iphone5 (OSX and iOS all running latest updates, latest Adobe Edge Inspect, freshly downloaded) is all I see when I try to visit any of the sites I run on my laptop with Apache.
    I set up my domains as "http://foobar.dev"  (where '.dev' is the TLD on my localhost for things ... local).
    I can view any public internet sites, and they will show up on Edge Inspect on my phone, with no problem.
I've tested this with the firewall on my computer turned off... (I'm surprised that's how Edge works, but whatever).
    Any guides? tricks? help?
    Thanks.

Edge Inspect doesn't do anything different to read the website off your computer than a normal browser does. We send a URL to the connected devices and expect them to be able to load that address into the WebView/UIWebView components in the Edge Inspect app on the devices. The reason you're seeing an issue with Edge Inspect and your http://foobar.dev site is the same reason why you wouldn't/shouldn't expect to type that URL into a browser on another machine and be able to view the website... there's no external DNS server to talk to that knows where that address is actually located.
So, Edge Inspect might be doing less than you thought it was in those terms. The main focus of Edge Inspect really is:
    1. Managing the connection from your computer to multiple connected devices
    2. Translating localhost, 127.0.0.1, and <machinename>.local urls
    3. Keeping multiple devices in sync
    4. Simplifying things like cache clearing and screenshots on all your devices
    5. Providing a simple interface into weinre for remote inspection
    Definitely read more on xip.io. It's a public website, yes. We don't have anything to do with it, but it does provide a nice workflow for using virtual hosts with Edge Inspect.
    Mark

  • Certificate Revocation List not working on ASA 8.3(1)

I've configured my SSL VPN for certificate authentication, in which authentication with certificates is working fine. However, the ASA is not able to store (cache) the CRL.
Based on the debug below, the ASA downloads the CRL file but is not able to open it.
Does anyone know this situation?
Here is the debug output:
    fwlpasa01/pri/act# crypto ca crl request SSL-VPN
    CRYPTO_PKI: CRL is being polled from CDP http://10.151.1.9/certlist/certcrl.crl.
    crypto_pki_req(7ae32bf0, 24, ...)
    CRYPTO_PKI: Crypto CA req queue size = 1.
    Crypto CA thread wakes up!
    CRYPTO_PKI: http connection opened
    CRYPTO_PKI: content dump count 75----------
    CRYPTO_PKI: For function crypto_http_send
    GET /certlist/certcrl.crl HTTP/1.0
    Host: 10.151.1.9
    CRYPTO_PKI: For function crypto_http_send
    CRYPTO_PKI: content dump-------------------
    CRYPTO_PKI: HTTP response header:
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Length: 1482
    Content-Type: application/pkix-crl
    Server: Microsoft-IIS/7.5
    Set-Cookie: ASPSESSIONIDACBQATBA=IEGHHGMBOHNIGEJIEPJKCFCE; path=/
    Date: Mon, 26 Nov 2012 15:47:38 GMT
    Connection: close
    CRYPTO_PKI: CRL data2d 2d 2d 2d 2d 42 45 47 49 4e 20 58 35 30 39 20    |  -----BEGIN X509
    43 52 4c 2d 2d 2d 2d 2d 0d 0a 4d 49 49 45 44 44    |  CRL-----..MIIEDD
    43 43 41 76 51 43 41 51 45 77 44 51 59 4a 4b 6f    |  CCAvQCAQEwDQYJKo
    5a 49 68 76 63 4e 41 51 45 46 42 51 41 77 57 54    |  ZIhvcNAQEFBQAwWT
    45 53 4d 42 41 47 43 67 6d 53 4a 6f 6d 54 38 69    |  ESMBAGCgmSJomT8i
    78 6b 41 52 6b 57 41 6e 70 73 0d 0a 4d 52 4d 77    |  xkARkWAnps..MRMw
    45 51 59 4b 43 5a 49 6d 69 5a 50 79 4c 47 51 42    |  EQYKCZImiZPyLGQB
    47 52 59 44 61 57 35 30 4d 52 67 77 46 67 59 4b    |  GRYDaW50MRgwFgYK
    43 5a 49 6d 69 5a 50 79 4c 47 51 42 47 52 59 49    |  CZImiZPyLGQBGRYI
    65 6d 6c 73 62 47 39 79 5a 57 34 78 0d 0a 46 44    |  emlsbG9yZW4x..FD
    41 53 42 67 4e 56 42 41 4d 54 43 31 70 4a 54 45    |  ASBgNVBAMTC1pJTE
    78 50 55 6b 56 4f 4c 55 4e 42 46 77 30 78 4d 6a    |  xPUkVOLUNBFw0xMj
    45 78 4d 54 6b 78 4e 6a 4d 7a 4d 44 68 61 46 77    |  ExMTkxNjMzMDhaFw
    30 78 4d 6a 45 78 4d 6a 63 77 4e 44 55 7a 0d 0a    |  0xMjExMjcwNDUz..
    4d 44 68 61 4d 46 63 77 47 77 49 4b 52 66 65 4b    |  MDhaMFcwGwIKRfeK
    6b 67 41 41 41 41 41 42 67 52 63 4e 4d 54 49 78    |  kgAAAAABgRcNMTIx
    4d 44 49 35 4d 54 4d 79 4d 7a 41 77 57 6a 41 62    |  MDI5MTMyMzAwWjAb
    41 67 70 46 31 4f 55 76 41 41 41 41 41 41 47 41    |  AgpF1OUvAAAAAAGA
    0d 0a 46 77 30 78 4d 6a 45 77 4d 6a 6b 78 4d 7a    |  ..Fw0xMjEwMjkxMz
    49 7a 4d 44 42 61 4d 42 73 43 43 6a 75 71 30 79    |  IzMDBaMBsCCjuq0y
    41 41 41 41 41 41 41 58 6f 58 44 54 45 79 4d 54    |  AAAAAAAXoXDTEyMT
    41 79 4f 54 45 7a 4d 6a 49 77 4d 46 71 67 67 67    |  AyOTEzMjIwMFqggg
    49 4d 0d 0a 4d 49 49 43 43 44 41 66 42 67 4e 56    |  IM..MIICCDAfBgNV
    48 53 4d 45 47 44 41 57 67 42 52 73 73 75 79 64    |  HSMEGDAWgBRssuyd
    63 2b 6c 54 32 66 6a 75 62 39 66 70 7a 67 42 38    |  c+lT2fjub9fpzgB8
    76 45 36 59 78 54 41 51 42 67 6b 72 42 67 45 45    |  vE6YxTAQBgkrBgEE
    41 59 49 33 0d 0a 46 51 45 45 41 77 49 42 41 44    |  AYI3..FQEEAwIBAD
    41 4c 42 67 4e 56 48 52 51 45 42 41 49 43 41 31    |  ALBgNVHRQEBAICA1
    55 77 48 41 59 4a 4b 77 59 42 42 41 47 43 4e 78    |  UwHAYJKwYBBAGCNx
    55 45 42 41 38 58 44 54 45 79 4d 54 45 79 4e 6a    |  UEBA8XDTEyMTEyNj
    45 32 4e 44 4d 77 0d 0a 4f 46 6f 77 67 63 77 47    |  E2NDMw..OFowgcwG
    41 31 55 64 4c 67 53 42 78 44 43 42 77 54 43 42    |  A1UdLgSBxDCBwTCB
    76 71 43 42 75 36 43 42 75 49 61 42 74 57 78 6b    |  vqCBu6CBuIaBtWxk
    59 58 41 36 4c 79 38 76 51 30 34 39 57 6b 6c 4d    |  YXA6Ly8vQ049WklM
    54 45 39 53 52 55 34 74 0d 0a 51 30 45 73 51 30    |  TE9SRU4t..Q0EsQ0
    34 39 63 33 5a 73 63 47 46 6b 62 54 4d 78 4c 45    |  49c3ZscGFkbTMxLE
    4e 4f 50 55 4e 45 55 43 78 44 54 6a 31 51 64 57    |  NOPUNEUCxDTj1QdW
    4a 73 61 57 4d 6c 4d 6a 42 4c 5a 58 6b 6c 4d 6a    |  JsaWMlMjBLZXklMj
    42 54 5a 58 4a 32 61 57 4e 6c 0d 0a 63 79 78 44    |  BTZXJ2aWNl..cyxD
    54 6a 31 54 5a 58 4a 32 61 57 4e 6c 63 79 78 44    |  Tj1TZXJ2aWNlcyxD
    54 6a 31 44 62 32 35 6d 61 57 64 31 63 6d 46 30    |  Tj1Db25maWd1cmF0
    61 57 39 75 4c 45 52 44 50 58 70 70 62 47 78 76    |  aW9uLERDPXppbGxv
    63 6d 56 75 4c 45 52 44 50 57 6c 75 0d 0a 64 43    |  cmVuLERDPWlu..dC
    78 45 51 7a 31 36 62 44 39 6b 5a 57 78 30 59 56    |  xEQz16bD9kZWx0YV
    4a 6c 64 6d 39 6a 59 58 52 70 62 32 35 4d 61 58    |  Jldm9jYXRpb25MaX
    4e 30 50 32 4a 68 63 32 55 2f 62 32 4a 71 5a 57    |  N0P2Jhc2U/b2JqZW
    4e 30 51 32 78 68 63 33 4d 39 59 31 4a 4d 0d 0a    |  N0Q2xhc3M9Y1JM..
    52 47 6c 7a 64 48 4a 70 59 6e 56 30 61 57 39 75    |  RGlzdHJpYnV0aW9u
    55 47 39 70 62 6e 51 77 67 64 67 47 43 53 73 47    |  UG9pbnQwgdgGCSsG
    41 51 51 42 67 6a 63 56 44 67 53 42 79 6a 43 42    |  AQQBgjcVDgSByjCB
    78 7a 43 42 78 4b 43 42 77 61 43 42 76 6f 61 42    |  xzCBxKCBwaCBvoaB
    0d 0a 75 32 78 6b 59 58 41 36 4c 79 38 76 51 30    |  ..u2xkYXA6Ly8vQ0
    34 39 57 6b 6c 4d 54 45 39 53 52 55 34 74 51 30    |  49WklMTE9SRU4tQ0
    45 73 51 30 34 39 63 33 5a 73 63 47 46 6b 62 54    |  EsQ049c3ZscGFkbT
    4d 78 4c 45 4e 4f 50 55 4e 45 55 43 78 44 54 6a    |  MxLENOPUNEUCxDTj
    31 51 0d 0a 64 57 4a 73 61 57 4d 6c 4d 6a 42 4c    |  1Q..dWJsaWMlMjBL
    5a 58 6b 6c 4d 6a 42 54 5a 58 4a 32 61 57 4e 6c    |  ZXklMjBTZXJ2aWNl
    63 79 78 44 54 6a 31 54 5a 58 4a 32 61 57 4e 6c    |  cyxDTj1TZXJ2aWNl
    63 79 78 44 54 6a 31 44 62 32 35 6d 61 57 64 31    |  cyxDTj1Db25maWd1
    63 6d 46 30 0d 0a 61 57 39 75 4c 45 52 44 50 58    |  cmF0..aW9uLERDPX
    70 70 62 47 78 76 63 6d 56 75 4c 45 52 44 50 57    |  ppbGxvcmVuLERDPW
    6c 75 64 43 78 45 51 7a 31 36 62 44 39 6a 5a 58    |  ludCxEQz16bD9jZX
    4a 30 61 57 5a 70 59 32 46 30 5a 56 4a 6c 64 6d    |  J0aWZpY2F0ZVJldm
    39 6a 59 58 52 70 0d 0a 62 32 35 4d 61 58 4e 30    |  9jYXRp..b25MaXN0
    50 32 4a 68 63 32 55 2f 62 32 4a 71 5a 57 4e 30    |  P2Jhc2U/b2JqZWN0
    51 32 78 68 63 33 4d 39 59 31 4a 4d 52 47 6c 7a    |  Q2xhc3M9Y1JMRGlz
    64 48 4a 70 59 6e 56 30 61 57 39 75 55 47 39 70    |  dHJpYnV0aW9uUG9p
    62 6e 51 77 44 51 59 4a 0d 0a 4b 6f 5a 49 68 76    |  bnQwDQYJ..KoZIhv
    63 4e 41 51 45 46 42 51 41 44 67 67 45 42 41 4a    |  cNAQEFBQADggEBAJ
    51 6f 2f 78 73 4e 79 34 67 34 31 66 69 45 2b 67    |  Qo/xsNy4g41fiE+g
    46 4d 31 39 62 65 59 2b 52 77 36 74 4c 61 42 52    |  FM19beY+Rw6tLaBR
    34 33 58 64 45 7a 46 4d 63 61 0d 0a 72 55 74 2f    |  43XdEzFMca..rUt/
    70 39 33 73 63 4c 38 63 45 4a 54 48 6d 42 54 33    |  p93scL8cEJTHmBT3
    73 33 79 30 50 42 55 59 6d 35 52 58 36 6f 4c 42    |  s3y0PBUYm5RX6oLB
    41 41 74 4f 42 63 5a 4b 62 33 76 77 58 47 33 2f    |  AAtOBcZKb3vwXG3/
    34 72 65 71 72 6a 39 47 42 61 49 42 0d 0a 30 2b    |  4reqrj9GBaIB..0+
    4f 34 66 37 43 67 4f 78 42 38 47 6d 44 32 69 42    |  O4f7CgOxB8GmD2iB
    31 70 79 56 55 7a 76 52 72 44 37 65 30 69 6a 31    |  1pyVUzvRrD7e0ij1
    35 63 76 6e 58 46 63 6f 75 31 34 50 45 53 6c 6f    |  5cvnXFcou14PESlo
    30 2b 34 75 6b 4e 6d 42 4a 44 57 74 67 6c 0d 0a    |  0+4ukNmBJDWtgl..
    45 47 46 65 6f 4e 30 78 37 2f 63 52 59 53 70 71    |  EGFeoN0x7/cRYSpq
    52 44 48 71 56 59 39 75 34 69 63 44 49 7a 31 4c    |  RDHqVY9u4icDIz1L
    75 78 5a 72 69 35 76 69 63 41 59 4b 62 44 69 4b    |  uxZri5vicAYKbDiK
    30 4b 77 69 64 39 59 71 4b 43 63 76 2f 73 4c 37    |  0Kwid9YqKCcv/sL7
    0d 0a 32 77 2b 53 7a 46 46 75 72 73 54 6c 70 2f    |  ..2w+SzFFursTlp/
    36 74 4c 4d 41 72 6c 30 37 49 4f 65 52 63 51 38    |  6tLMArl07IOeRcQ8
    4c 2b 6a 71 69 6e 44 30 6f 6f 62 53 5a 78 49 30    |  L+jqinD0oobSZxI0
    6b 42 64 54 47 6a 6c 38 68 44 42 77 6d 6a 74 63    |  kBdTGjl8hDBwmjtc
    33 63 0d 0a 6b 39 68 53 58 78 42 65 65 4d 74 74    |  3c..k9hSXxBeeMtt
    53 72 33 48 6f 4c 42 63 6c 76 4d 75 78 64 77 72    |  Sr3HoLBclvMuxdwr
    41 6f 52 49 48 61 64 4f 4b 52 35 54 70 52 34 3d    |  AoRIHadOKR5TpR4=
    0d 0a 2d 2d 2d 2d 2d 45 4e 44 20 58 35 30 39 20    |  ..-----END X509
    43 52 4c 2d 2d 2d 2d 2d 0d 0a                      |  CRL-----..
    CRYPTO_PKI: transaction HTTPGetCRL completedCrypto CA thread sleeps!
    CRYPTO_PKI: Failed to retrieve CRL for trustpoint: SSL-VPN.
      Retrying with next CRL DP...

    Hello everyone!
I've got the issue solved. The issue was in the CA CDP. I published the new HTTP CDP, and it's working fine.
Windows CA
- At Server Manager -> right click on the Certificate Authority object name -> click Properties, then Extensions
- Create an extension to generate the following URL
http://winca.pmmagalhaes.com.br/CertEnroll/WINCA.crl
- Then Apply -> OK
- Under Windows PKI, right click the Certificate Authority object name, then Refresh
ASA
Under the retrieval policy, set to static and then put in the URL above.
It's done
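The hex dump in the debug shows why the ASA could download the file but not open it: the body starts with 2d 2d 2d 2d 2d 42 45 47 49 4e, i.e. "-----BEGIN X509 CRL-----", so the CDP served a PEM (base64 text) CRL, while the Content-Type application/pkix-crl (RFC 2585) and the ASA's parser expect binary DER, which begins with the ASN.1 SEQUENCE tag 0x30. The Python below is an added example, not code from the thread or from Cisco: it classifies a fetched CRL body as DER or PEM, converts PEM to DER with the standard library, and reads the outer DER length so a retrieval script can confirm the object is complete before handing it to a parser. The sample body is a constructed 7-byte placeholder SEQUENCE, not a real CRL.

```python
import base64
import re
from typing import Tuple

# Armor exactly as it appears in the post's hex dump ("-----BEGIN X509 CRL-----").
PEM_CRL = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END X509 CRL-----"
)

def crl_encoding(data: bytes) -> str:
    """'der' if the body starts with the ASN.1 SEQUENCE tag 0x30, 'pem' if it carries
    the X509 CRL armor, otherwise 'unknown'."""
    if data[:1] == b"\x30":
        return "der"
    if PEM_CRL.search(data):
        return "pem"
    return "unknown"

def pem_to_der(data: bytes) -> bytes:
    """Strip the armor, drop the CRLF line breaks seen in the dump, and base64-decode."""
    m = PEM_CRL.search(data)
    if not m:
        raise ValueError("no X509 CRL PEM armor found")
    body = b"".join(m["body"].split())
    der = base64.b64decode(body, validate=True)
    if der[:1] != b"\x30":
        raise ValueError("decoded body does not start with a DER SEQUENCE")
    return der

def der_total_length(der: bytes) -> int:
    """Total size (tag + length field + content) of the outer DER element, handling
    both short-form and long-form length encodings."""
    if der[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F                      # long form: n following bytes hold the length
    content_len = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content_len

def normalize_crl(data: bytes) -> Tuple[str, bytes]:
    """Return (original_encoding, der_bytes); raise if the body is not a complete DER object."""
    enc = crl_encoding(data)
    if enc == "unknown":
        raise ValueError("unrecognised CRL encoding")
    der = data if enc == "der" else pem_to_der(data)
    if der_total_length(der) != len(der):
        raise ValueError("truncated or padded DER object")
    return enc, der

# Constructed sample: a placeholder SEQUENCE (30 05 02 01 01 05 00) in PEM armor, not a real CRL.
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\r\nMAUCAQEFAA==\r\n-----END X509 CRL-----\r\n"

if __name__ == "__main__":
    enc, der = normalize_crl(SAMPLE_PEM)
    print(enc, der.hex(), der_total_length(der))
```

The length check is the part worth keeping in any CRL fetcher: Content-Length only says how many bytes the web server sent, while the DER header says how many bytes the object claims to have, and the two disagreeing is the cleanest signal that a proxy or a misconfigured CDP altered the file.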

  • TACACS not working in ASA 8.0(3)

We have quite a few ASAs with similar TACACS and crypto configs, but yesterday we had an issue with a PIX and we swapped the PIX with an ASA 8.0(3). The tunnel is up and running but we are not able to log in using TACACS even after the configs, and I found a bug on cisco.com which asks us to use the command "crypto map set reverse-route"
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk08454
Even after configuring it right, I am not able to log in using TACACS. Can someone tell me how to use this command, or any other way?
Thanks in advance

We have a tunnel established with the remote ASA and here are the related configs; let me know if you need anything. Thanks for replying though.
    local device configs:
    aaa-server protocol tacacs+
    aaa-server host < ip>
    aaa authentication ssh console
    aaa authentication http console
    access-list extended permit ip any
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map 20 match address
    crypto map 20 set peer x.x.x.x
    crypto map 20 set transform-set ESP-3DES-MD5
    crypto map 20 set reverse-route
    crypto map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 20
    crypto isakmp policy 65535
    remote ASA
    access-list remark MobileAL
    access-list extended permit ip any ip add subnet
    crypto map 1925 match address outside_1925_cryptomap
    crypto map 1925 set peer
    crypto map 1925 set transform-set ESP-3DES-MD5
    crypto map 1925 set security-association lifetime seconds 86400
    crypto map 1925 set nat-t-disable
    crypto map 1925 set reverse-route

  • TACACS Authentication not working with ASA

I have an ACS 4.1 Windows server running TACACS. It is working on all devices within the enterprise except for one new ASA at a remote site. There is no NAT going on or anything, and the ASA can ping the ACS box and the ACS box can ping the ASA.
I added the configuration below, but the authentication fails and no requests come to the ACS server.
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ host 10.x.x.x
    key password
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    Any help would be greatly appreciated

Please check the shared secret key. Remember the NDG key overrides the AAA client key.
Make sure ACS has the correct IP address of the ASA in its network configuration.
Do you see any hits on ACS, failed or passed attempts? Also try increasing the TACACS timeout to 15 sec.

  • Edge inspect not working on VMware hosted iis sites.

    I use a Mac, and run Windows 7 on VMware Fusion (latest). I'm running a website in iis from .net 2010. Everything runs fine and displays in every browser.
    Even when I'm in Chrome/Safari on the Mac, I can view the site by going to the Windows IP address. However, when I'm running Edge Inspect it doesn't display the iis hosted site. It shows everything else.
    Does edge inspect support tunnelling through to a virtual host on a virtual machine?
    Hope this makes sense.

    Hi Mark,
This is a scenario I don't think we've ever specifically tested. We know we can get to locally hosted web pages with Edge Inspect, and we know we can also get to virtual host sites as well if you make use of xip.io or Charles Proxy
http://blogs.adobe.com/edgeinspect/2012/06/19/shadow-xip-io-virtual-hosts-workflow-simplified/
    http://blogs.adobe.com/edgeinspect/2012/05/16/shadow-charles-proxy-virtual-hosts-workflow/
    You don't quite explicitly say it, but I'm guessing you've tried using the IP address in Chrome and Edge Inspect can't get to that, correct? Could you give xip.io a shot and see if that helps at all?
    Meanwhile I'll try checking with the team to see if anyone knows whether or not we can support your scenario.

  • Route inside does not work on ASA 8.2(3), ASA cannot ping inside hosts

    Hi Guys,
I have a problem on one of our ASAs, which seems to be acting strangely.
I have copied the routes below onto the ASA, and am able to ping only 10.126.0.32.
    route inside 10.126.0.10 255.225.255.255 10.20.3.1
    route inside 10.126.0.30 255.225.255.255 10.20.3.1
    route inside 10.126.0.31 255.225.255.255 10.20.3.1
    route inside 10.126.0.32 255.225.255.255 10.20.3.1
    route inside 10.126.0.140 255.225.255.255 10.20.3.1
    route inside 10.126.0.141 255.225.255.255 10.20.3.1
    route inside 10.126.0.142 255.225.255.255 10.20.3.1
When I saved the configuration and checked the ASA's running configuration again, none of the above routes existed.
    MYASA(config)# route inside 10.126.0.10 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.30 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.31 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.32 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.140 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.141 255.225.255.255 10.20.3.1
    MYASA(config)# route inside 10.126.0.142 255.225.255.255 10.20.3.1
    MYASA(config)# end
    MYASA# show run | in route inside
    route inside 10.0.0.0 255.0.0.0 10.20.3.1 1
    route inside 10.96.0.0 255.224.0.0 10.20.3.1 1
    route inside 10.96.0.10 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.30 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.31 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.32 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.140 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.141 255.225.255.255 10.20.3.1 1
    route inside 10.96.0.142 255.225.255.255 10.20.3.1 1
    route inside 10.100.1.61 255.255.255.255 10.20.3.1 1
    route inside 10.101.20.112 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.113 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.114 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.115 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.201 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.202 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.204 255.255.255.255 10.0.0.254 1
    route inside 10.101.20.205 255.255.255.255 10.0.0.254 1
    route inside 10.101.22.22 255.255.255.255 10.20.3.1 1
    route inside 10.101.24.100 255.255.255.255 10.0.0.254 1
    route inside 10.101.24.101 255.255.255.255 10.0.0.254 1
    route inside 10.101.25.0 255.255.255.0 10.20.3.1 1
    route inside 10.126.0.32 255.255.255.255 10.20.3.1 1
    route inside 67.215.65.132 255.255.255.255 10.20.3.1 1
    route inside 192.168.1.3 255.255.255.255 10.0.0.254 1
    route inside 192.168.1.4 255.255.255.255 10.0.0.254 1
    route inside 192.168.151.0 255.255.255.0 10.20.3.1 1
    route inside 192.168.151.48 255.255.255.240 10.0.0.254 1
    route inside 205.210.235.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.236.0 255.255.255.0 10.20.3.1 1
    route inside 205.210.237.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.238.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.239.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.240.0 255.255.255.0 10.0.0.254 1
    route inside 205.210.241.0 255.255.255.0 10.0.0.254 1
    MYASA#
Is it maybe a bug on the ASA?
    Thanks
    Rizwan Rafeek

    Hi Vibhor,
Well, the problem is resolved by Cisco Tech Support; it boiled down to a bug.
"route inside 10.126.0.32 255.225.255.255 10.20.3.1": this route already existed, and yet only one route shows up out of the 7 copied, which is a bug.
    Thanks for your reply.
    Regards
    Rizwan Rafeek.
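Whatever TAC concluded, the show run output in the post is worth reading against the mask that was typed: 255.225.255.255 is not a legal netmask (225 is binary 11100001, so the 1 bits are not contiguous), and AND-ing 10.126.0.10 with it gives 10.96.0.10, which is exactly the form in which the seven routes appear in the running configuration. The Python below is an added example, not code from the thread or from Cisco; it validates masks in route commands and computes the network address a device would store, generalised to any "route <ifc> <dest> <mask> <gw>" line rather than the single case above. The sample commands are taken from the post.

```python
import ipaddress
from typing import List, Tuple

def is_contiguous_mask(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed only by 0 bits, the only legal form."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = (~m) & 0xFFFFFFFF
    # A contiguous mask's complement is 2**n - 1, so adding 1 clears every set bit.
    return (host_bits & (host_bits + 1)) == 0

def stored_network(dest: str, mask: str) -> str:
    """Network address produced by AND-ing dest with mask, which is how a route is stored."""
    net = int(ipaddress.IPv4Address(dest)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(net))

def check_routes(cmds: List[str]) -> List[Tuple[str, str, bool, str]]:
    """Parse 'route <ifc> <dest> <mask> <gw>' commands and report
    (dest, mask, mask_is_valid, network_as_stored) for each."""
    findings = []
    for cmd in cmds:
        parts = cmd.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        _, _ifc, dest, mask, _gw = parts[:5]
        findings.append((dest, mask, is_contiguous_mask(mask), stored_network(dest, mask)))
    return findings

# Sample commands from the post: the first as typed, the second the route that already existed.
SAMPLE_CMDS = [
    "route inside 10.126.0.10 255.225.255.255 10.20.3.1",
    "route inside 10.126.0.32 255.255.255.255 10.20.3.1",
]

if __name__ == "__main__":
    for dest, mask, ok, net in check_routes(SAMPLE_CMDS):
        print(f"{dest} {mask}: {'ok' if ok else 'INVALID mask'} -> stored as {net}")
```

Running the mask check over a configuration before pushing it catches this class of typo at review time, where the device itself silently accepts the line and stores something other than what was intended.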

  • ACE: probe with serverfarm not working

    Hello
When I use one probe configured for port 8080 with a serverfarm which uses real servers on port 8080, everything works fine. But I wanted to create one generic probe and use it for all of my serverfarms. I hoped that this generic (TCP) probe would use the ports of each serverfarm, but it uses the default port 80. Is it possible to use one generic probe for all serverfarms which have different ports? How?
It worked in CSM, but it does not work in ACE :(
Thanks

If you do not define a port in the probe config, it should take the one defined in the serverfarm.
    Just like the CSM.
    Gilles.

  • No AutoUpdate feature working on ASA-SSM-20

    Hi!
The AutoUpdate feature is not working on the ASA-SSM-20 module.
We have configured:
    https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl
    And/Or:
    https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    And/Or:
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    And/Or:
    https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
We get these errors on the ASA-SSM-20 module:
    evError: eventId=1280563964539644086  vendor=Cisco  severity=error 
      originator:  
        hostId: sensor1 
        appName: mainApp 
        appInstanceId: 356 
      time: nov 17, 2010 08:15:45 UTC  offset=60  timeZone=GMT+01:00 
      errorMessage: AutoUpdate exception: Receive HTTP response failed [3,212]  name=errSystemError
    evError: eventId=1280563964539644079  vendor=Cisco  severity=error 
      originator:  
        hostId: sensor1 
        appName: mainApp 
        appInstanceId: 356 
      time: nov 17, 2010 08:10:02 UTC  offset=60  timeZone=GMT+01:00 
      errorMessage: http error response: 400  name=errSystemError
    Any Ideas?

I am experiencing a similar issue currently with a new SSC-5 module. I am working with TAC, however the response has been slow. I can see traffic with Wireshark for 198.133.219.25 but I never see the traffic for 198.133.219.243 that I was told to allow on the firewall. I also found it confusing that I need to create exceptions on the firewall for outbound traffic to these two IP addresses when I do not have to make any exceptions for any other outbound traffic.
    Here is what I see:
    IPS_Sensor# show stat host
    Auto Update Statistics
       lastDirectoryReadAttempt = 09:03:09 GMT-06:00 Wed Jan 19 2011
        =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
        =   Error: AutoUpdate exception: HTTP connection failed [1,110]
       lastDownloadAttempt = N/A
       lastInstallAttempt = N/A
       nextAttempt = 11:00:00 GMT-06:00 Wed Jan 19 2011 Auxilliary Processors Installed
    IPS_Sensor# show clock
    .09:24:05 GMT-06:00 Wed Jan 19 2011
    I know this thread is a few months old, but am hoping to spark an interest here.
    Thanks.

  • VPN not working after adding subinterface - ASA 5510

    Hello,
Currently I want to add a second LAN (VLAN) in a customer's network. The new network will be for a wireless infrastructure.
There is also VPN configured on the ASA: one with L2TP for Windows clients and an IPsec one for Cisco clients.
Formerly we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.
Now I want to use Eth0/2 with subinterfaces, so that we will be flexible in future when deploying more VLANs.
But now, when I turn the first subinterface Eth0/2.2 to no-shut, the VPN connections do not work any more.
Building up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this, because tracert to an internal address goes to the internet.)
Below is my config; I don't know what's wrong. I think split-tunnel is configured correctly (because it works when I delete Eth0/2.2).
TREV is the network of this location.
Company1, 2 and 3 are remote locations.
    : Saved
    ASA Version 8.2(5)
    hostname XXXXXXX
    domain-name domain.lan
    enable password XXXXXXXXXXX encrypted
    passwd XXXXXXXXXX encrypted
    names
    name 192.168.100.0 TREV
    name 192.168.200.0 COMPANY3
    name XXXXXXXX Company1
    name 192.168.1.0 Company2
    name XXXXXXXXX GCT
    name XXXXXXXX BMD
    name 192.168.110.0 Wireless
    name 192.168.201.0 COMPANY3-VPN
    name 192.168.11.0 COMPANY2-VPN
    name 192.168.101.0 TREV-VPN
    interface Ethernet0/0
    description Outside
    nameif outside
    security-level 0
    ip address XXXXX 255.255.255.248
    interface Ethernet0/1
    description Inside
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Ethernet0/2
    description Trunk Interface
    no nameif
    no security-level
    no ip address
    interface Ethernet0/2.2
    description Wireless
    vlan 110
    nameif wlan
    security-level 100
    ip address 192.168.110.1 255.255.255.0
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 192.168.100.10
    domain-name domain.lan
    dns server-group COMPANY2
    name-server 192.168.1.16
    domain-name domain.local
    dns server-group COMPANY3
    name-server 192.168.200.1
    domain-name domain.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network VPN_Networks
    network-object COMPANY3 255.255.255.0
    network-object COMPANY3-VPN 255.255.255.0
    network-object COMPANY2 255.255.255.0
    network-object COMPANY2-VPN 255.255.255.0
    network-object TREV 255.255.255.0
    network-object TREV-VPN 255.255.255.0
    object-group network DM_INLINE_NETWORK_1
    network-object COMPANY2 255.255.255.0
    network-object COMPANY3 255.255.255.0
    network-object COMPANY3-VPN 255.255.255.0
    network-object COMPANY2-VPN 255.255.255.0
    network-object Wireless 255.255.255.0
    access-list INCOMING remark *** ICMP Erlauben ***
    access-list INCOMING extended permit icmp any any echo-reply
    access-list INCOMING extended permit icmp any any time-exceeded
    access-list INCOMING extended permit icmp any any unreachable
    access-list INCOMING extended permit icmp any any parameter-problem
    access-list INCOMING extended permit icmp any any source-quench
    access-list INCOMING extended permit icmp any any echo
    access-list INCOMING remark *** Wartung Company1 ***
    access-list INCOMING remark *** Wartung BMD ***
    access-list INCOMING remark *** Mail ***
    access-list ......
    access-list Trev-nat0 remark *** NoNat ***
    access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
    access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
    access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list DefaultRAGroup_splitTunnelAcl standard permit TREV 255.255.255.0
    access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list inside_debug extended permit tcp any host 192.168.100.5
    access-list inside_debug extended permit tcp any TREV 255.255.255.0
    access-list Wireless-nat0 extended permit ip Wireless 255.255.255.0 TREV 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu wlan 1500
    ip local pool VPN-Pool 192.168.101.1-192.168.101.31 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 2 XXXXXXXXXXX
    nat (inside) 0 access-list Trev-nat0
    nat (inside) 2 192.168.100.25 255.255.255.255
    nat (inside) 2 192.168.100.250 255.255.255.255
    nat (inside) 1 TREV 255.255.255.0
    nat (wlan) 0 access-list Wireless-nat0
    static (inside,outside) tcp interface 444 192.168.100.10 444 netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.100.10 https netmask 255.255.255.255
    .... a lot of statics..............
    static (inside,outside) tcp XXXXXXXXXX pop3 192.168.100.25 pop3 netmask 255.255.255.255
    static (inside,outside) tcp XXXXXXXXXX  995 192.168.100.25 995 netmask 255.255.255.255
    access-group INCOMING in interface outside
    route outside 0.0.0.0 0.0.0.0 XXXXXXXXXX  1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.100.10
    timeout 5
    key *****
    radius-common-pw *****
    aaa-server RADIUS2 protocol radius
    aaa-server RADIUS2 (inside) host 192.168.100.10
    key *****
    radius-common-pw *****
    aaa authentication ssh console LOCAL
    http server enable 4430
    http COMPANY2 255.255.255.0 management
    http TREV 255.255.255.0 inside
    http Company1 255.255.255.224 outside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
    crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_AES_128_SHA TRANS_ESP_AES_256_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 178.188.202.78
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption des
    hash sha
    group 5
    lifetime 28800
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh bit-Studio 255.255.255.224 outside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh TREV 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcprelay server 192.168.100.10 inside
    dhcprelay enable wlan
    dhcprelay setroute wlan
    dhcprelay timeout 90
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    wins-server value 192.168.100.10
    dns-server value 192.168.100.10
    vpn-tunnel-protocol IPSec l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value domain.lan
    intercept-dhcp enable
    group-policy IPsecVPN internal
    group-policy IPsecVPN attributes
    wins-server value 192.168.100.10
    dns-server value 192.168.100.10
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value domain.lan
    username admin password XXXXXXXXXX encrypted privilege 15
    username vpntest password XXXXXXXXX nt-encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-Pool
    authentication-server-group RADIUS
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    tunnel-group XXXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXXXXXX ipsec-attributes
    pre-shared-key *****
    tunnel-group IPsecVPN type remote-access
    tunnel-group IPsecVPN general-attributes
    address-pool VPN-Pool
    authentication-server-group RADIUS
    default-group-policy IPsecVPN
    tunnel-group IPsecVPN ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f2041a5902e945a130fe25fbb8e5d368
    : end

    Hi,
    First I would go through all the NAT0/NAT Exempt rules you have for VPNs. They seem to contain useless lines where either the destination or the source network isn't correct.
    Lets look at the NAT0 ACL you have line by line
    access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
    The above access-list has the correct source network configured, yet it has its destination addresses configured with an "object-group" which contains your LAN network.
    You should probably remove the LAN network from the object-group VPN_Networks
    access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
    To my understanding the above ACL line doesn't serve any purpose, as the networks configured under VPN_Networks aren't located behind your "inside" interface (other than the one I'm asking you to remove from the object-group).
    access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
    The above ACL overlaps with the very first ACL line's configuration and needlessly makes the configuration harder to read. It also contains the Wireless network, which it shouldn't.
    I would suggest simplifying your NAT0 configuration, for example in the following way (change the names if you want, if you're going to try it out):
    object-group network TREV-LAN
      description Local networks
      network-object 192.168.100.0 255.255.255.0
    object-group network VPN-NETWORKS
      description Remote networks
      network-object 192.168.200.0 255.255.255.0
      network-object 192.168.201.0 255.255.255.0
      network-object 192.168.1.0 255.255.255.0
      network-object 192.168.11.0 255.255.255.0
      network-object 192.168.101.0 255.255.255.0
    access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
    access-list TREV-LAN-NAT0 permit ip object-group TREV-LAN object-group VPN-NETWORKS
    With the above configuration:
    You have all NAT0 in a single line of access-list configuration (not counting the remark line, as it doesn't affect anything).
    If there are changes in the VPN pools, VPN remote networks or LAN networks you can simply change them under the configured object-groups instead of touching the actual ACL. There might be situations where you should change the ACL from the above if there are some bigger changes to the network.
    So as I said, I would start with changing the above NAT configuration and then test the VPN again. If it doesn't work we will have to check some other things out.
    - Jouni
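    As an added example (not part of the thread, and not Jouni's or the poster's code): a small Python script that takes the name, object-group and Trev-nat0 lines exactly as pasted in the configuration above, expands the object-groups and checks which flows the NAT0 list actually exempts, which lines match the LAN talking to itself, and what the third line adds beyond the first two (first match wins, as on the ASA). The one assumption is that names are resolved case-insensitively, because the paste uses both Company2 and COMPANY2; on a real ASA names are case-sensitive.

```python
"""NAT exemption (nat 0 access-list) checker for the ASA 8.2 config in the post.

Added example, not code from the thread.  Expands the posted object-groups and
answers: is a src->dst flow NAT-exempt, which NAT0 lines match LAN->LAN, and
what a later line adds beyond the earlier ones.  Assumption: 'name' aliases
are matched case-insensitively (the paste mixes Company2 / COMPANY2).
"""
import ipaddress

# Copied from the posted configuration (name, object-group and NAT0 ACL lines only).
POSTED_CONFIG = """\
name 192.168.100.0 TREV
name 192.168.200.0 COMPANY3
name 192.168.1.0 Company2
name 192.168.110.0 Wireless
name 192.168.201.0 COMPANY3-VPN
name 192.168.11.0 COMPANY2-VPN
name 192.168.101.0 TREV-VPN
object-group network VPN_Networks
 network-object COMPANY3 255.255.255.0
 network-object COMPANY3-VPN 255.255.255.0
 network-object COMPANY2 255.255.255.0
 network-object COMPANY2-VPN 255.255.255.0
 network-object TREV 255.255.255.0
 network-object TREV-VPN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object COMPANY2 255.255.255.0
 network-object COMPANY3 255.255.255.0
 network-object COMPANY3-VPN 255.255.255.0
 network-object COMPANY2-VPN 255.255.255.0
 network-object Wireless 255.255.255.0
access-list Trev-nat0 remark *** NoNat ***
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
"""


def _net(addr, mask, names):
    """Resolve a 'name' alias (case-insensitive, see module docstring) and build a network."""
    return ipaddress.ip_network(f"{names.get(addr.lower(), addr)}/{mask}", strict=False)


def _operand(tokens, i, names, groups):
    """Parse one ACE address operand starting at tokens[i]; return (networks, next index)."""
    if tokens[i] == "object-group":
        return groups[tokens[i + 1]], i + 2
    if tokens[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tokens[i] == "host":
        return [_net(tokens[i + 1], "255.255.255.255", names)], i + 2
    return [_net(tokens[i], tokens[i + 1], names)], i + 2


def parse_config(text):
    """Return (names, groups, acls); acls maps ACL name -> ordered list of ACEs."""
    names, groups, acls, group = {}, {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2].lower()] = t[1]
        elif t[:2] == ["object-group", "network"]:
            group = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            group.append(_net(t[1], t[2], names))
        elif t[0] == "access-list" and t[2] == "extended" and t[4] == "ip":
            src, i = _operand(t, 5, names, groups)
            dst, _ = _operand(t, i, names, groups)
            acls.setdefault(t[1], []).append({"action": t[3], "src": src, "dst": dst, "line": line})
        else:
            group = None  # remark and other lines end an object-group block
    return names, groups, acls


def _covers(nets, target):
    return any(target.subnet_of(n) for n in nets)


def is_nat_exempt(acl, src_ip, dst_ip):
    """First matching ACE decides, as on the ASA; no match means NAT applies."""
    src, dst = (ipaddress.ip_network(ip) for ip in (src_ip, dst_ip))
    for ace in acl:
        if _covers(ace["src"], src) and _covers(ace["dst"], dst):
            return ace["action"] == "permit"
    return False


def lan_to_lan_lines(acl, lan):
    """ACEs that match the LAN talking to itself (traffic that never crosses the firewall)."""
    lan = ipaddress.ip_network(lan)
    return [a["line"] for a in acl if _covers(a["src"], lan) and _covers(a["dst"], lan)]


def new_pairs(acl, index):
    """(src, dst) networks of ACE `index` that no earlier ACE already matches."""
    earlier = acl[:index]
    return [(str(s), str(d)) for s in acl[index]["src"] for d in acl[index]["dst"]
            if not any(_covers(e["src"], s) and _covers(e["dst"], d) for e in earlier)]


NAT0 = parse_config(POSTED_CONFIG)[2]["Trev-nat0"]

if __name__ == "__main__":
    print("LAN->COMPANY3 exempt:", is_nat_exempt(NAT0, "192.168.100.10", "192.168.200.5"))
    print("LAN->Internet exempt:", is_nat_exempt(NAT0, "192.168.100.10", "8.8.8.8"))
    print("Lines matching LAN->LAN:", *lan_to_lan_lines(NAT0, "192.168.100.0/24"), sep="\n  ")
    print("Third line adds only:", new_pairs(NAT0, 2))
```

    Run against the posted lines, the first two ACEs both match 192.168.100.0/24 talking to itself (the LAN sits inside VPN_Networks), and the only flow the third ACE adds that the first two do not already cover is LAN to 192.168.110.0/24, the Wireless network Jouni says should not be there.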

  • ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working

    I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network. 
    Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either.  Any ideas what I could be missing in my configuration?  I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
    ASA Version 8.2(1)
    hostname fw
    domain-name net.com
    enable password eYKAfQL1.ZSbcTXZ encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    interface Ethernet0/0
    description Primary Outside (Internet)
    speed 10
    duplex full
    nameif outside
    security-level 0
    ip address 1.1.1.5 255.255.255.240
    ospf cost 10
    interface Ethernet0/1
    description inside
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    ospf cost 10
    interface Ethernet0/2
    description WLAN
    nameif WLAN
    security-level 100
    ip address 192.168.108.240 255.255.255.0
    ospf cost 10
    interface Ethernet0/3
    description Secondary Outside (Internet)
    speed 100
    duplex full
    nameif WAN2
    security-level 0
    ip address 2.2.2.133 255.255.255.192
    interface Management0/0
    description LAN/STATE Failover Interface
    time-range after_hours
    periodic weekdays 7:00 to 23:00
    boot system disk0:/asa821-k8.bin
    no ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup WLAN
    dns server-group DefaultDNS
    retries 3
    timeout 5
    name-server 8.8.8.8
    name-server 206.191.0.210
    name-server 4.2.2.1
    name-server 4.2.2.2
    domain-name net.com
    access-list WAN2_access_in extended permit icmp any any echo-reply
    access-list WAN2_access_in extended permit icmp any any time-exceeded
    access-list WAN2_access_in extended permit icmp any any source-quench
    access-list WAN2_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit icmp any any echo-reply
    access-list WLAN_access_in extended permit icmp any any time-exceeded
    access-list WLAN_access_in extended permit icmp any any source-quench
    access-list WLAN_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
    access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    access-list WLAN_access_in extended permit ip any any
    access-list time_based extended permit ip any any time-range after_hours
    access-list split_tunnel standard permit host 206.191.0.210
    access-list split_tunnel standard permit host 206.191.0.140
    access-list split_tunnel standard permit host 207.181.101.4
    access-list split_tunnel standard permit host 207.181.101.5
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    pager lines 20
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu WLAN 1500
    mtu WAN2 1500
    ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface WAN2
    failover
    failover lan unit secondary
    failover lan interface FO Management0/0
    failover key *****
    failover link FO Management0/0
    failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    icmp permit any WLAN
    icmp permit any WAN2
    asdm image disk0:/asdm-621.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (WAN2) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (WLAN) 1 192.168.108.0 255.255.255.0
    static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group WLAN_access_in in interface WLAN
    access-group WAN2_access_in in interface WAN2
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
    route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.108.0 255.255.255.0 WLAN
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.1.101 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
    type echo protocol ipIcmpEcho 4.2.2.2 interface outside
    num-packets 3
    timeout 1000
    frequency 3
    service resetoutside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    track 1 rtr 123 reachability
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet timeout 5
    ssh scopy enable
    ssh 2.2.2.132 255.255.255.255 outside
    ssh 69.17.141.134 255.255.255.255 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.108.0 255.255.255.0 WLAN
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.108.11-192.168.108.239 WLAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp authenticate
    ntp server 128.100.100.128
    ntp server 132.246.168.148
    ntp server 128.100.56.135
    tftp-server inside 192.168.1.100 /
    webvpn
    group-policy Wifi internal
    group-policy Wifi attributes
    wins-server none
    dns-server value 206.191.0.210 206.191.0.140
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel
    tunnel-group Wifi type remote-access
    tunnel-group Wifi general-attributes
    address-pool DHCP
    default-group-policy Wifi
    tunnel-group Wifi ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
      inspect icmp error
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
    : end
    asdm image disk0:/asdm-621.bin
    asdm location 192.168.1.245 255.255.255.255 inside
    asdm location 192.168.1.252 255.255.255.255 inside
    asdm history enable

    Hi,
    I can't see any problems right away in the configuration.
    I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
    packet-tracer input outside tcp 1.1.1.1 12345 22
    packet-tracer input outside icmp 1.1.1.1 8 0
    Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As the configuration's 1.1.1.0/28 is not actually configured on the ASA)
    Share the exact "packet-tracer" command used (without the public IP; notice that the output contains the public IP also) and the output of the command with us here.
    Also, have you made sure that there is no old translations active on the ASA?
    You can use this command to view those
    show xlate local 192.168.1.100
    You can clear the xlates with
    clear xlate local 192.168.1.100
    - Jouni
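    Added example, not from the thread and not the poster's or Jouni's code: a Python parser for packet-tracer output that reports the first phase with Result: DROP, the Config lines of that phase, and the final Action and Drop-reason. The two traces embedded in it are constructed only to show the output layout (an implicit-deny drop and an allow); they are not output from the poster's firewall and the phase list of a real trace is longer.

```python
"""Summarise Cisco ASA packet-tracer output: which phase dropped the flow and why.

Added example, not code from the thread.  The two traces below are constructed
samples of the packet-tracer layout (Phase blocks followed by a final Result
block); they are not captured from the poster's ASA.
"""

DROPPED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.100   255.255.255.255 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

ALLOWED_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp any any echo-reply
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: allow
"""


def parse_packet_tracer(text):
    """Return (phases, final): phases is a list of dicts with type/subtype/result/
    config/info; final holds the trailing Result block as key -> value."""
    phases, final = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":                 # bare 'Result:' opens the final block
            current, section = None, "final"
        elif section == "final":
            if ":" in line:
                key, value = line.split(":", 1)
                final[key.strip().lower().replace("-", "_")] = value.strip()
        elif current is None or not line:
            continue
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section in ("config", "info"):
            current[section].append(line)
        else:                                   # Type: / Subtype: / Result: of a phase
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return phases, final


def diagnose(text):
    """Verdict plus the first dropping phase and the rule lines it evaluated."""
    phases, final = parse_packet_tracer(text)
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    out = {"action": final.get("action"), "phase": None,
           "reason": final.get("drop_reason"), "config": []}
    if dropped is not None:
        out["phase"] = "/".join(x for x in (dropped["type"], dropped["subtype"]) if x)
        out["config"] = dropped["config"]
    return out


if __name__ == "__main__":
    for name, trace in (("dropped", DROPPED_TRACE), ("allowed", ALLOWED_TRACE)):
        print(name, diagnose(trace))
```

    Paste the output of the packet-tracer commands above into diagnose(); the Action line is the verdict, and the first DROP phase together with its Config lines (here the implicit deny, in other cases the access-list or NAT line that was evaluated) points at the rule to look at. If the trace allows the flow but the real traffic still fails, that is when stale xlates become the next suspect.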

  • ASA asdm not working

    hi,
    When I am trying to access the web page for ASDM from the inside interface, Internet Explorer is showing "Internet Explorer cannot display the webpage". Following is the show version and show running config. I checked with ASDM 6.2.1 and 6.4.9. Kindly suggest what could be the reason.
    CBAH# sh version
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.4(9)
    Compiled on Tue 05-May-09 22:45 by builders
    System image file is "disk0:/asa821-k8.bin"
    Config file at boot was "startup-config"
    CBAH up 15 hours 1 min
    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    0: Ext: GigabitEthernet0/0  : address is c84c.7599.4810, irq 9
    1: Ext: GigabitEthernet0/1  : address is c84c.7599.4811, irq 9
    2: Ext: GigabitEthernet0/2  : address is c84c.7599.4812, irq 9
    3: Ext: GigabitEthernet0/3  : address is c84c.7599.4813, irq 9
    4: Ext: Management0/0       : address is c84c.7599.480f, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Disabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    SSL VPN Peers                : 2
    Total VPN Peers              : 750
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    AnyConnect Essentials        : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions      : 2
    Total UC Proxy Sessions      : 2
    Botnet Traffic Filter        : Disabled
    This platform has an ASA 5520 VPN Plus license.
    Serial Number: JMX1432L0JM
    Running Activation Key: 0x042cd360 0x4c819429 0xf4927584 0x8ea0082c 0x8f3d07bf
    Configuration register is 0x1
    Configuration last modified by enable_15 at 03:19:58.868 UTC Tue Jul 3 2012
    show run
    ASA Version 8.2(1)
    hostname CBAH
    domain-name corinthia.local
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address 192.168.1.216 255.255.255.0
    interface GigabitEthernet0/1
    nameif testing
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    nameif outside
    security-level 0
    ip address 62.240.63.45 255.255.255.248
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 62.240.32.5
    name-server 62.68.42.2
    name-server 4.2.2.2
    name-server 4.2.2.3
    domain-name corinthia.local
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit ip any any
    access-list INTERNET extended permit ip 192.168.1.0 255.255.255.0 any
    access-list INTERNET extended permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    mtu testing 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 access-list INTERNET
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (testing) 1 192.168.2.0 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 62.240.63.42 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e8c7560ce2dc8a100cc77f09a2b80393
    : end
    CBAH# sh flash:
    --#--  --length--  -----date/time------  path
      124  16275456    Aug 03 2010 10:09:54  asa821-k8.bin
      125  11348300    Aug 03 2010 12:17:30  asdm-621.bin
        3  4096        Jan 01 2003 00:03:50  log
       10  4096        Jan 01 2003 00:03:58  crypto_archive
       11  4096        Jan 01 2003 00:04:30  coredumpinfo
       12  43          Jul 03 2012 03:18:45  coredumpinfo/coredump.cfg
      127  12105313    Aug 03 2010 12:14:58  csd_3.5.841-k9.pkg
      128  4096        Aug 03 2010 12:15:02  sdesktop
      135  1462        Aug 03 2010 12:15:02  sdesktop/data.xml
      129  2857568     Aug 03 2010 12:15:02  anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
      130  3203909     Aug 03 2010 12:15:04  anyconnect-win-2.4.1012-k9.pkg
      131  4832344     Aug 03 2010 12:15:06  anyconnect-macosx-i386-2.4.1012-k9.pkg
      132  5209423     Aug 03 2010 12:15:08  anyconnect-linux-2.4.1012-k9.pkg
      133  18927088    Jun 28 2012 08:09:30  asdm-649.bin

    The link should be working; I tried that again:
    https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
    To enter the license you need to do:
    activation-key <5 tuple license key>
    If the link does not work, send an e-mail to [email protected] and they will send you the license file.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC
