ASA 5505 - 2 Internet Connections, Problems with the Default Route
Hey there,
I have a problem at a customer site at the moment. The customer uses an ASA 5505 with two internet connections attached to it. On the first connection (which is the only one in use at the moment) he has some static PATs from outside to inside where he translates different services to the internal servers. He also has a site-to-site VPN terminating there and AnyConnect.
He now wants to switch the internet traffic from inside to the new internet connection, therefore changing the default route to that new ISP's gateway. The problem now is that no traffic received on the old "outside" interface is transmitted back out of that old "outside" interface. And this happens although the "same-security-traffic permit intra-interface" command is set.
Can you tell me what's wrong here? For every static PAT from outside to inside there is also a dynamic PAT from inside to outside, but the ASA seems to ignore this. I have not looked into the logs yet; I was too busy finding the problem because I had no real time window to test on the production ASA.
Can it be achieved in any way: having a default route on the ASA which leads all traffic to the second internet connection while still having connections on the first internet connection, where no explicit route can be set because connections arrive from random IPs?
Many thanks for your help in advance!
Steffen
Phillip, indeed, I have as well read many comments. It all depends on your environment, as they all differ from one another; your best bet is to have a good solid plan for the upgrade and the fallback. You do have a justification to upgrade for features needed, so I would suggest the following:
1- Do a search again in the forum for ASA code upgrades and look at comments from users that have gone through this process, and note their impact on functionality, if any. I believe this is a good resource to collect information.
2- Very important: look into the release notes for a particular version. For example, for version 8.0, look into the open CAVEATS, usually at the end of the linked page; reading the open bugs gives you clues about what has not yet been resolved for that particular code and whether it could in fact impact you in your environment. It is possible that a particular bug does not really apply to your environment because you have not yet implemented that particular configuration. Usually we all try to aim towards a GD (General Deployment) code, which is what we all understand is most stable, but that does not necessarily mean you have to be stuck on that code waiting for another GD release. In my personal experience I upgraded our firewall from 7.2 to 8.0(3) long ago and had no issues, and recently upgraded to 8.0(4) when it was first released in August this year.
Release notes
http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html
3- As a good-practice precaution:
a- Backup firewall configs in clear text as well as via TFTP.
b- Backup the running code and the ASDM version code currently running in the firewall.
c- Save the output of "show version" to have as a reference for all the feature licenses you currently have running, as well as the activation keys; good info to have to compare with after the upgrade.
d- Ensure that the code you will be using to upgrade also uses the correct ASDM version code.
I think with thorough assessment and preparation you can indeed minimize impact.
Rgds
Jorge
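An added example for Jorge's step 3c (not part of his reply): capture "show version" before and after the upgrade and diff the parts that matter, i.e. software and ASDM version, serial number, activation key and every line of the licensed-features block. The BEFORE/AFTER text below is constructed to look like 7.2(4) and 8.0(4) output; the serial number, activation key and the injected VPN-3DES-AES regression are made up for the demonstration.

```python
"""Diff two 'show version' captures from an ASA (before/after an upgrade).
Added example; the sample output below is constructed, not real device output."""
import re

BEFORE = """\
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Serial Number: JMX1234K5AB
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444 0x55555555
Configuration register is 0x1
"""

AFTER = """\
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Disabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0
AnyConnect for Mobile       : Disabled

This platform has a Base license.

Serial Number: JMX1234K5AB
Running Activation Key: 0x11111111 0x22222222 0x33333333 0x44444444 0x55555555
Configuration register is 0x1
"""


def parse_show_version(text):
    """Pull version, ASDM, serial, activation key, license tier and the
    'feature : value' lines of the licensed-features block into a dict."""
    info = {"features": {}}
    in_features = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Cisco Adaptive Security Appliance Software Version (\S+)", line)
        if m:
            info["asa_version"] = m.group(1)
            continue
        m = re.match(r"Device Manager Version (\S+)", line)
        if m:
            info["asdm_version"] = m.group(1)
            continue
        m = re.match(r"Serial Number:\s*(\S+)", line)
        if m:
            info["serial"] = m.group(1)
            continue
        m = re.match(r"Running (?:Permanent )?Activation Key:\s*(.+)", line)
        if m:
            info["activation_key"] = m.group(1).strip()
            continue
        if line.startswith("Licensed features for this platform"):
            in_features = True
            continue
        if line.startswith("This platform has"):
            in_features = False
            info["license_tier"] = line.rstrip(".")
            continue
        if in_features:
            feature, sep, value = line.partition(":")
            if sep:
                info["features"][feature.strip()] = value.strip()
    return info


def compare_versions(before, after):
    """Human-readable list of everything that differs between two captures."""
    findings = []
    for key in ("asa_version", "asdm_version", "serial", "license_tier", "activation_key"):
        if before.get(key) != after.get(key):
            findings.append(f"{key}: {before.get(key)} -> {after.get(key)}")
    for feature in sorted(set(before["features"]) | set(after["features"])):
        b = before["features"].get(feature, "<absent>")
        a = after["features"].get(feature, "<absent>")
        if a != b:
            findings.append(f"feature {feature}: {b} -> {a}")
    return findings


if __name__ == "__main__":
    for line in compare_versions(parse_show_version(BEFORE), parse_show_version(AFTER)):
        print(line)
```

The version and ASDM changes are expected after an upgrade; a feature flipping from Enabled to Disabled, or the serial or activation key changing, is the kind of line you want to see before you put the box back into production rather than after.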
Similar Messages
Internet connection problem with a linksys router
First of all I tried the solution in this topic http://discussions.apple.com/thread.jspa?messageID=1573174
It worked fine; I used the "" on the WEP key and now I got a successful connection to the router.
Does the iMac have a valid IP address ie not a 169.x.x.x style address?
But still, I can't connect to the internet...
If you have a valid IP address, in a browser try http://17.254.0.91 and report back.
Do I, under any circumstance, need an AirPort base station?
No
iFelix
Carmel advisors: skype connection problem with the...
Hi everyone, I use Skype regularly, but during this week I have had a problem whether I call or receive a call: when I call, it rings 2 times and then it cuts, showing me the message "connection problem with the device".
Thank you in advance for your help
Carmel advisors
Greetings, Carmel Advisors, and welcome to the Community!
Please start by posting back with clarifications and more detailed information:
Which device or computer are you experiencing this on? Please note the device or computer, its operating system, and which version of Skype you are using.
You ticked the "WiFi" label; does this mean you are referring to the Skype for WiFi feature?
What has changed or altered from previous weeks when Skype worked well for you?
Thanks and regards,
Elaine
Internet connection problem with MacPro, only. PC fine
I have a Netgear 600n. My notebooks, a Vista PC and a MacPro, are connected to it. There is no connection problem with the PC, but there is with the MacPro. Weekly, I have to delete the "system configuration file," or it keeps dropping the connection. I heard it had to do with Windows configuring the Netgear router. Is this true, and is there a solution? I use the PC and the Mac at the same desk, so there is no location issue.
Thanks!!
Some operators block the option to use your phone as a modem, as this will use up a lot of data. It might be worth checking your contract to see if it mentions anything about data use, or giving your operator a call to see if they have any limitations.
Please try to use the phone with a different SIM card to see if this is related to your operator after all, or if it's something else. If it doesn't work with a different SIM card either, try the following to see if the issue lies in Nokia Suite or in the phone itself:
Install Nokia Suite on a different computer or laptop and check if you can use your phone as a modem on that computer. If this works, try reinstalling Nokia Suite on your current computer and see if this makes a difference.
If this doesn't work, try connecting a different Nokia device to Nokia Suite and try to use it as a modem. If you can connect a different phone with your SIM card as a modem but connecting with your 6700 Classic fails, then please visit a local care centre where your phone can be checked for any errors.
You can find a care centre by going to your local Nokia web page and clicking on Support.
Problem with the default selection screen condition
hi guys,
I have got a problem with the default screen given by the PNP logical database; the P0000 infotype is automatically populated according to the condition given in the default screen.
Reg,
Hariharan
Don't know what you are trying to achieve.
1) When you have specified PNP in the logical database field of the program attributes, SAP will provide you with the default PNP screen, and here you can also add your own parameters if you want.
2) In the program you have to declare like
INFOTYPES: 0000,0001. "Etc
for all the infotypes you want to use in the program.
3) It is the GET PERNR event which will fill all the P0000 and P0001 internal tables (one for each infotype declared via the INFOTYPES syntax as shown above).
4) After that GET PERNR, you now have data in the P tables and you can use it for further reporting.
5) Refer to the dummy code below:
REPORT zppl_prevemployers MESSAGE-ID rp
                          LINE-SIZE 250
                          LINE-COUNT 65.
* Program logic: this report is used to download all the Previous
* Employer (IT0023) records of the selected employees.
*eject
*& Tables and Infotypes *
TABLES: pernr.
INFOTYPES: 0000,
           0001,
           0002,
           0023.
*eject
*& Constants *
CONSTANTS: c_1(1)  TYPE c VALUE '1',
           c_3(1)  TYPE c VALUE '3',
           c_i(1)  TYPE c VALUE 'I',
           c_x(1)  TYPE c VALUE 'X',
           c_eq(2) TYPE c VALUE 'EQ',
           c_pl03  LIKE p0001-werks VALUE 'PL03'.
*eject
*& Selection-Screen *
PARAMETERS: p_file LIKE rlgrap-filename DEFAULT 'C:\Temp\ABC.xls',
            p_test AS CHECKBOX DEFAULT c_x.
*eject
*& Internal tables *
* Internal table for output
DATA: BEGIN OF t_output OCCURS 0,
        pernr       LIKE pernr-pernr,
        nachn       LIKE p0002-nachn,
        vorna       LIKE p0002-vorna,
        orgeh_stext LIKE p1000-stext,
        plans_stext LIKE p1000-stext,
        begda       LIKE p0023-begda,
        endda       LIKE p0023-endda,
        land1       LIKE p0023-land1,
        arbgb       LIKE p0023-arbgb,
        ort01       LIKE p0023-ort01.
DATA: END OF t_output.
*eject
*& Variables *
DATA: o_stext LIKE p1000-stext,
      p_stext LIKE p1000-stext.
*eject
*& Initialization *
INITIALIZATION.
* Initialize selection-screen values
  PERFORM init_selction_screen.
*eject
*& AT Selection-screen *
AT SELECTION-SCREEN.
* If this is not a test run, a download file name must be entered
  IF p_test IS INITIAL.
    IF p_file IS INITIAL.
      MESSAGE e016 WITH 'Please enter file name'
                        'specifying complete path'.
    ENDIF.
  ENDIF.
*eject
*& Start-of-Selection *
START-OF-SELECTION.

GET pernr.
  CLEAR t_output.
* Read infotype 0000
  rp-provide-from-last p0000 space pn-begda pn-endda.
  CHECK pnp-sw-found EQ c_1.
* Check if employee is active
  CHECK p0000-stat2 IN pnpstat2.                  "pernr active
* Read infotype 0001
  rp-provide-from-last p0001 space pn-begda pn-endda.
  CHECK pnp-sw-found EQ c_1.
* Check if employee belongs to PL03
  CHECK p0001-werks IN pnpwerks.                  "belongs to PL03
* Check if employee belongs to the active group
  CHECK p0001-persg IN pnppersg.
* Read infotype 0002
  rp-provide-from-last p0002 space pn-begda pn-endda.
  CHECK pnp-sw-found EQ c_1.
* Read org unit text
  CALL FUNCTION 'HR_READ_FOREIGN_OBJECT_TEXT'
    EXPORTING
      otype                   = 'O'
      objid                   = p0001-orgeh
      begda                   = p0001-begda
      endda                   = p0001-endda
      reference_date          = p0001-begda
    IMPORTING
      object_text             = o_stext
    EXCEPTIONS
      nothing_found           = 1
      wrong_objecttype        = 2
      missing_costcenter_data = 3
      missing_object_id       = 4
      OTHERS                  = 5.
* Read position text
  CALL FUNCTION 'HR_READ_FOREIGN_OBJECT_TEXT'
    EXPORTING
      otype                   = 'S'
      objid                   = p0001-plans
      begda                   = p0001-begda
      endda                   = p0001-endda
      reference_date          = p0001-begda
    IMPORTING
      object_text             = p_stext
    EXCEPTIONS
      nothing_found           = 1
      wrong_objecttype        = 2
      missing_costcenter_data = 3
      missing_object_id       = 4
      OTHERS                  = 5.
* Gather all the required information related to the employee
  MOVE: pernr-pernr TO t_output-pernr,
        o_stext     TO t_output-orgeh_stext,
        p_stext     TO t_output-plans_stext,
        p0002-nachn TO t_output-nachn,
        p0002-vorna TO t_output-vorna.
* Gather previous employer details (one output line per IT0023 record)
  LOOP AT p0023.
    MOVE-CORRESPONDING p0023 TO t_output.
    APPEND t_output.
  ENDLOOP.
*eject
*& End-of-Selection *
END-OF-SELECTION.
  PERFORM print_report.
* Download the file (productive run only)
  IF NOT t_output[] IS INITIAL.
    IF p_test EQ space.
      PERFORM download_file.
    ENDIF.
  ELSE.
    WRITE: 'No records selected' COLOR col_negative.
  ENDIF.
*eject
*& Top-of-page *
TOP-OF-PAGE.
* Print header
  PERFORM print_header.
*eject
*& Form download_file
* Description: download the output table to the presentation server
FORM download_file.
  DATA: full_file_name TYPE string,
        z_akt_filesize TYPE i.
  full_file_name = p_file.
* Download table into file on presentation server
  CALL METHOD cl_gui_frontend_services=>gui_download
    EXPORTING
      filename                = full_file_name
      filetype                = 'DAT'
      no_auth_check           = c_x     "skips the download authority check
      codepage                = '1160'  "Windows-1252
    IMPORTING
      filelength              = z_akt_filesize
    CHANGING
      data_tab                = t_output[]
    EXCEPTIONS
      file_write_error        = 1
      no_batch                = 2
      gui_refuse_filetransfer = 3
      invalid_type            = 4
      no_authority            = 5
      unknown_error           = 6
      header_not_allowed      = 7
      separator_not_allowed   = 8
      filesize_not_allowed    = 9
      header_too_long         = 10
      dp_error_create         = 11
      dp_error_send           = 12
      dp_error_write          = 13
      unknown_dp_error        = 14
      access_denied           = 15
      dp_out_of_memory        = 16
      disk_full               = 17
      dp_timeout              = 18
      file_not_found          = 19
      dataprovider_exception  = 20
      control_flush_error     = 21
      not_supported_by_gui    = 22
      error_no_gui            = 23
      OTHERS                  = 24.
  IF sy-subrc NE 0.
    MESSAGE e016 WITH 'Download-Error; RC:' sy-subrc.
  ENDIF.
ENDFORM.                    " download_file
*eject
*& Form print_report
* Description: list the output table, alternating line intensity
FORM print_report.
  DATA: i       TYPE i,
        w_count TYPE i.
  SORT t_output.
* Print the report
  LOOP AT t_output.
    i = sy-tabix MOD 2.
    IF i EQ 0.
      FORMAT COLOR col_normal INTENSIFIED ON.
    ELSE.
      FORMAT COLOR col_normal INTENSIFIED OFF.
    ENDIF.
    WRITE: /1   t_output-pernr,
            10  t_output-vorna(25),
            35  t_output-nachn(25),
            61  t_output-orgeh_stext,
            102 t_output-plans_stext,
            143 t_output-begda,
            154 t_output-endda,
            168 t_output-land1,
            178 t_output-arbgb(40),
            219 t_output-ort01,
            249 space.
  ENDLOOP.
  ULINE.
  DESCRIBE TABLE t_output LINES w_count.
  SKIP 2.
  WRITE: / 'Total No of Records Downloaded: ' COLOR col_total,
           w_count.
ENDFORM.                    " print_report
*eject
*& Form print_header
* Description: column headings; positions match print_report
*              (first name at 10, last name at 35)
FORM print_header.
  SKIP 1.
  ULINE.
  FORMAT INTENSIFIED ON COLOR col_heading.
  WRITE: /1   'Pers. #',
          10  'First Name',
          35  'Last Name',
          61  'Org Unit',
          102 'Position',
          143 'Beg Date',
          154 'End Date',
          168 'Cntry Key',
          178 'Prev Employer',
          219 'City',
          249 space.
  FORMAT INTENSIFIED OFF COLOR OFF.
  ULINE.
ENDFORM.                    " print_header
*eject
*& Form init_selction_screen
* Description: preset the PNP select-options (plant, employee group,
*              employment status)
FORM init_selction_screen.
  REFRESH: pnpwerks,
           pnppersg,
           pnpstat2.
  CLEAR: pnpwerks,
         pnppersg,
         pnpstat2.
  pnpwerks-sign   = c_i.
  pnpwerks-option = c_eq.
  pnpwerks-low    = c_pl03.
  APPEND pnpwerks.
  pnppersg-sign   = c_i.
  pnppersg-option = c_eq.
  pnppersg-low    = c_1.
  APPEND pnppersg.
  pnpstat2-sign   = c_i.
  pnpstat2-option = c_eq.
  pnpstat2-low    = c_3.
  APPEND pnpstat2.
ENDFORM.                    " init_selction_screen
Whilst playing Clash of Clans I will continually lose the internet connection. This means that I lose battles, resources, gold etc and lose boost times. I have informed Supercell who blame my internet connection even though the iPhone, laptop and TV all work fine so it is obviously a technical problem with their game and probably something to do with their last updates.
As I have purchased gems I feel that I should be compensated for my loss but they will not accept responsibility nor investigate the technical issue. The loss of connection occurs constantly with the game often freezing during replays or searching for battles. This is obviously not a connection issue.
What suggestions do you have to resolve this situation?
Hi.
Thanks for the reply. I asked because I also wanted to see if others had encountered the same problem.
I have no problems with my internet connection as I run my TV, laptop and iPhone off the same connection with no problems. I believe that since the recent updates to the game this has caused the problem. The game often freezes, cancels out or returns me to the main game screen during battles or replays.
What I want to know is how do I get the game designers or owners to acknowledge my problem as at this time they keep telling me it is my internet that is a problem and not their game. How do they know this when they refuse to investigate. What can I do and who do I go to for support if they won't accept responsibility?
I am very grateful to you for replying but concerned that if this can happen to me then how many other gamers are losing out and paying for something that they are not going to receive.
Many thanks.
Having internet connection problem with a new Actiontec GT794WG
I am currently using a Westell 327w which works completely fine. Its internet light comes on a few seconds after the DSL light becomes solid. I am trying to change it to the GT794WG, because I have been using the 327w for about 4 years.
By the way, I am having a connection difficulty with my new GT794WG modem.
Although I connect all the necessary cables, such as the DSL and Ethernet cables, and turn it on, the internet light on the modem does not flash. There is no problem with the DSL light; it becomes solid after a few blinks. The only problem is the internet light. I know that it means the modem cannot connect to the internet.
I don't understand why the new modem can't connect to the internet when my old modem can.
Can anyone help me solve this problem?
Ok.
#1 For your info, there is a certain amount of time in which you can re-edit your post.
A time limit of at least 2 hours.
#2 Why do you want to replace your Westell 327w with the newer router? That is, if there is any other reason besides that you have been using it for four years.
Moving along...
#3 In the Westell 327w, go to Configuration -> VC Configuration
#4 There are different settings there, as I saw at
https://docs.google.com/viewer?url=http://www.westell.com/images/pdf/e90_6000_6100_6110_ug.pdf&embed...
on page 46 out of 146 pages.
#5 What is 0 VPI / 35 VCI set to?
#6 Notes:
a) In the manual/user guide (that docs.google.com URL) the connection type is PPPoE.
b) If 0 VPI / 35 VCI is set to Disabled, whatever is enabled, for example 0 VPI / 36 VCI.
Internet connection problems with OSX 10.10.3
Does anyone else have very bad Internet connection problems after downloading OS X 10.10.3? Does anyone have a solution? P.S. What do you think of Photos, after Aperture?
1, No problems here with internet on 10.10.3
2, No solution
3, I think that Photos is a toy. Apple has basically neutered both Aperture and iPhoto with their efforts to make their desktop solution match the iOS solution.
I am currently looking for a non-Apple solution for my photographic needs since Photos in no way, shape or form is able to fill my needs.
Connection problems with the C4780
Hello
The problem I have seems to be very simple, but I have failed to resolve it. I don't really know how to, since it's my first time working with wireless printers (it's my first one).
I have another shared printer in my network, but that one is connected directly to my computer and then shared (simple, right).
The problem here is that when I try to configure the wireless printer to connect to my PC, the wizard tells me that the printer is in another network (192.168.0.1) and my computers are in the 10.0.0.0 range.
I don't know why the printer is not taking that range of IP (the 10.0.0.0), since every device I connect to the network gets an address in that range, making them all be in the same network.
I have tried to run the wizard, but every time I get the same error. I need to get this done because I'm replacing the old printer with this one, which is newer.
Thanks
Chris
Indeed that is what is going on, but the issue here is that whenever I connect a device it gets the IP from the ISP router, and I don't really know why the printer is not getting the same here as well.
I can't turn off the ISP router since that is the one where I get the internet from; the Linksys just acts more as a switch, since all of the computers can't connect directly to the ISP router.
So turning it off and using only the Linksys is not an option,
but thanks for the idea though.
Oh, and another weird thing is that I can't get access to the Linksys router through 192.168.1.1, which I know is the default address for logging in to Linksys routers.
My operating system is Windows 7 Home Premium. The application works fine for things such as playing music and downloading app updates and music. However, when I attempted to make the connection between the iTunes Store and the current version of iTunes, the iTunes window began to freeze, then an error message showed that there was a problem with the application that caused it to shut down. Any ideas on how to resolve this?
Hey *9,
Thanks for the question. If I understand correctly, iTunes unexpectedly quit. I would recommend that you read this article, it may be able to help you isolate or resolve the issue.
iTunes for Windows Vista, Windows 7, or Windows 8: Fix unexpected quits or launch issues - Apple Support
Thanks for using Apple Support Communities.
Have a great day,
Mario
Internet connectivity issues with SA 520W router
Hi,
We have configured a Cisco Small Business Pro (SA 520W) in a small office and all computers are connected via Wi-Fi. We are facing the following problems:
1. The computer is connected to the network with 100% signal available, but there is no internet. Repairing the network from the computer, or sometimes rebooting the computer, fixes this problem. What causes the internet connectivity problem?
2. Sometimes the computer is connected to the internet and everything works fine, but suddenly there is no internet. Maybe the internet comes back again after 2 minutes, etc. Strange behavior.
3. Sometimes there is no internet connection even after trying all possible tuning, but the internet connection comes alive again if we reboot the router.
All these problems appear randomly on different computers. Can anyone tell what the reason for all these problems is and how we can fix it?
Thanks.
Sajjad
I have had a similar problem for a few days; for a long time I had no issues with the wireless router.
I have five static IP addresses. I am using 1 static IP for the router and the others for internal use.
I thought it was my internet provider's technical issue.
The internet is working through the provider's gateway router but not through the Cisco SA520W.
Sometimes it works, sometimes it won't resolve host names; the internal LAN works perfectly, but internet drops packets and it is very slow.
If we set up the router dynamically, it works, but not for the static IP address.
My old configuration is not saved; I reset to factory defaults and even then it did not work.
I do have a 24-port Cisco switch; when I log in there is no GUI console, just a blank blue screen with text boxes.
I would appreciate it if someone can guide me.
I believe we need to update the firmware on both devices. I appreciate the help.
Thanks
Ravi
Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL
Hi all.
we have following IPSec configuration:
ASA Site 1:
Cisco Adaptive Security Appliance Software Version 9.1(1)
crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PropAES256
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
crypto map CMVPN 5 match address SITE_2
crypto map CMVPN 5 set peer IP_SITE2
crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
crypto map CMVPN interface OUTSIDE
route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
tunnel-group IP_SITE2 type ipsec-l2l
tunnel-group IP_SITE2 general-attributes
 default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
ASA Site 2:
Cisco Adaptive Security Appliance Software Version 9.1(4)
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
crypto map CMVPN 10 match address SITE_1
crypto map CMVPN 10 set peer IP_SITE1
crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
crypto map CMVPN 10 set reverse-route
crypto map CMVPN interface OUTSIDE
tunnel-group IP_SITE1 type ipsec-l2l
tunnel-group IP_SITE1 general-attributes
 default-group-policy VPN_S2S_WAN
tunnel-group IP_SITE1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
We are not able to reach 172.27.99.x IPs from 172.22.20.x.
It seems that phase 2 for this subnet is missing... as long as we try to reach any IP in 172.22.20.x from 172.27.99.x.
We are using a similar configuration on many sites and it works correctly, except on sites with a DSL line.
We can exclude a problem with NAT, ACL or routing. The connection works fine as long as "we open all phase 2 manually". After the tunnel re-opens (idle timeout) the problem comes back.
Thanks in advance for your help.
Regards.
Jan
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (3)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (3)SHA1
Bytes Tx : 423634 Bytes Rx : 450526
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 1h:50m:45s
IKEv2 Tunnels: 1
IPsec Tunnels: 3
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 79756 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22156 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607648 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 312546 Bytes Rx : 361444
Pkts Tx : 3745 Pkts Rx : 3785
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22165 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607952 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 50014 Bytes Rx : 44621
Pkts Tx : 496 Pkts Rx : 503
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 22324 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607941 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 61074 Bytes Rx : 44461
Pkts Tx : 402 Pkts Rx : 437
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 6648 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
.... after a ping from 172.27.99.x to any IP in 172.22.20.x:
ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
Session Type: LAN-to-LAN Detailed
Connection : IP ASA Site 2
Index : 3058 IP Addr : IP ASA Site 2
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (4)AES256
Hashing : IKEv2: (1)SHA512 IPsec: (4)SHA1
Bytes Tx : 784455 Bytes Rx : 1808965
Login Time : 19:59:35 HKT Tue Apr 29 2014
Duration : 2h:10m:48s
IKEv2 Tunnels: 1
IPsec Tunnels: 4
IKEv2:
Tunnel ID : 3058.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 78553 Seconds
PRF : SHA512 D/H Group : 5
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3058.2
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20953 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4606335 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 652492 Bytes Rx : 1705136
Pkts Tx : 7419 Pkts Rx : 7611
IPsec:
Tunnel ID : 3058.3
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.97.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 20962 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607942 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 60128 Bytes Rx : 52359
Pkts Tx : 587 Pkts Rx : 594
IPsec:
Tunnel ID : 3058.4
Local Addr : 172.27.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 21121 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607931 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 70949 Bytes Rx : 50684
Pkts Tx : 475 Pkts Rx : 514
IPsec:
Tunnel ID : 3058.5
Local Addr : 172.22.0.0/255.255.0.0/0/0
Remote Addr : 172.27.99.0/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28767 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 25 Minutes Idle TO Left : 24 Minutes
Bytes Tx : 961 Bytes Rx : 871
Pkts Tx : 17 Pkts Rx : 14
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 7852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Hi,
on 212 I see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
 pre-shared-key
When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji.
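An added check for Jan's post above (not part of the thread): reconcile the crypto ACL with the IPsec SAs that "show vpn-sessiondb detail l2l" actually lists, and verify that the peer's crypto ACL is an exact mirror of ours. The ACL lines and the Local/Remote Addr lines below are copied, abridged, from the post; the session output is cut down to the lines the parser needs.

```python
"""Reconcile an ASA LAN-to-LAN crypto ACL against established IPsec SAs and
against the peer's ACL.  Added example; sample text is abridged from the post."""
import ipaddress
import re

SITE1_ACL = """\
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
"""
SITE2_ACL = """\
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
"""
SESSIONDB_BEFORE = """\
IPsec Tunnels: 3
IPsec:
  Tunnel ID    : 3058.2
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
IPsec:
  Tunnel ID    : 3058.3
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.97.0/255.255.255.0/0/0
IPsec:
  Tunnel ID    : 3058.4
  Local Addr   : 172.27.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
"""
SESSIONDB_AFTER = SESSIONDB_BEFORE + """\
IPsec:
  Tunnel ID    : 3058.5
  Local Addr   : 172.22.0.0/255.255.0.0/0/0
  Remote Addr  : 172.27.99.0/255.255.255.0/0/0
"""

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)$")
SA_ADDR_RE = re.compile(
    r"^(?P<side>Local|Remote) Addr\s*:\s*(?P<addr>[\d.]+)/(?P<mask>[\d.]+)/\d+/\d+$")


def _net(addr, mask):
    """'172.28.60.0' + '255.255.254.0' -> '172.28.60.0/23' (CIDR string)."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_crypto_acl(text):
    """(local, remote) network pairs from the 'permit ip' lines of a crypto ACL."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            pairs.add((_net(m["src"], m["smask"]), _net(m["dst"], m["dmask"])))
    return pairs


def parse_ipsec_sas(text):
    """(local, remote) pairs for every IPsec SA in 'show vpn-sessiondb detail l2l'."""
    sas, local = set(), None
    for line in text.splitlines():
        m = SA_ADDR_RE.match(line.strip())
        if not m:
            continue
        net = _net(m["addr"], m["mask"])
        if m["side"] == "Local":
            local = net
        elif local is not None:
            sas.add((local, net))
            local = None
    return sas


def missing_sas(acl_pairs, sas):
    """Crypto-ACL entries that have no established phase 2 SA yet."""
    return sorted(acl_pairs - sas)


def mirror_gaps(our_pairs, peer_pairs):
    """Entries on either side that the other side does not mirror (src/dst swapped)."""
    ours_mirrored = {(d, s) for s, d in our_pairs}
    peer_mirrored = {(d, s) for s, d in peer_pairs}
    return sorted(our_pairs - peer_mirrored), sorted(peer_pairs - ours_mirrored)


if __name__ == "__main__":
    ours, peer = parse_crypto_acl(SITE1_ACL), parse_crypto_acl(SITE2_ACL)
    print("mirror gaps (ours, peer):", mirror_gaps(ours, peer))
    print("no SA before ping:", missing_sas(ours, parse_ipsec_sas(SESSIONDB_BEFORE)))
    print("no SA after ping: ", missing_sas(ours, parse_ipsec_sas(SESSIONDB_AFTER)))
```

On the posted data the two ACLs mirror each other exactly, which is consistent with Jan ruling out the ACL; two of the five proxy pairs have no SA in the first capture, and the 172.22.0.0/16 to 172.27.99.0/24 SA only appears after traffic from 172.27.99.x triggers it. Since an IKEv2 child SA is negotiated per ACL entry on demand, an entry with no SA is not itself a fault; the check is worth running after the idle timeout to see which pairs fail to come back.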
ASA 5505 L2TP client connect problem
I am trying to connect MS L2TP clients to an ASA 5505 and am unsuccessful. I have tried the ASDM VPN Wizard as well as the CLI and am missing something. I have attached my current config. My client hits the interface and logs an error 713048 Error processing payload: Payload ID: 1. I know I am missing something simple, but I just can't see it. HELP!!!! Please
The ASA configuration needs to have the following configured:
- The preshared key needs to match the one configured in the Windows client setup.
- The authentication needs to match what you have configured on the client, PAP or CHAP.
If CHAP is configured you need to re-add the usernames to the ASA with the mschap keyword at the end, e.g.
SV2-2(config)# username msclient password msclient mschap
- The DefaultRAGroup needs to be configured with the preshared key and point to a policy that includes vpn-tunnel-protocol IPSec l2tp-ipsec webvpn.
The complete config is below. DefaultRAGroup will be used if the preshared key is added and nothing is specified on the client.
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
HELP!! asa 5505 8.4(5) problem with port forwarding-smtp
Hi, I am having a big problem with port forwarding on my ASA. I am trying to forward SMTP through the ASA to my mail server.
My mail server IP is 10.0.0.2 and my outside interface is 80.80.80.80; the ASA is set up with PPPoE (I get internet access no problem and that seems fine).
When I run a trace I get "(ACL-Drop) - flow is denied by configured rule".
Below is my config file; any help would be appreciated.
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ISPDsl
 ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
 host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
 nat (inside,outside) dynamic interface
object network server_SMTP
 nat (inside,outside) static interface service tcp smtp smtp
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
: end
Hi Jennifer
I have removed that nat line as suggested but still no joy.
here is my current config
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_Mail
host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Server_Mail
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
: end
Also here is the packet trace and my acl.
Thanks
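The two posted configs differ in how the mail-server object is named: the first defines Server_SMTP but the ACL and the NAT block refer to server_SMTP, while the second uses Server_Mail throughout. As an added example (not part of this thread, and not a diagnosis of the drop), here is a small Python checker that parses "object network" blocks from "show running-config" text and flags the inconsistencies a reviewer would want to rule out first: ACL references to objects without an address, object names that differ only by case, and NAT rules on objects with no host/subnet. POSTED_CONFIG is a constructed excerpt of the first config.

```python
import re

# Constructed excerpt of the first posted config: defined as Server_SMTP, referenced as server_SMTP.
POSTED_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
 host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network server_SMTP
 nat (inside,outside) static interface service tcp smtp smtp
"""

def parse_objects(config):
    """Map object name -> {'addr': host/subnet line or None, 'nat': [nat lines]}."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:  # a block may be split in two, as 'show run' does for NAT
            current = objects.setdefault(m.group(1), {"addr": None, "nat": []})
        elif line.startswith(" ") and current is not None:
            sub = line.strip()
            if sub.startswith(("host ", "subnet ", "range ", "fqdn ")):
                current["addr"] = sub
            elif sub.startswith("nat "):
                current["nat"].append(sub)
        else:
            current = None  # any other top-level line ends the object block
    return objects

def lint(config):
    """Return a list of findings; an empty list means all checks passed."""
    objects, findings = parse_objects(config), []
    for line in config.splitlines():
        if line.startswith("access-list"):
            for ref in re.findall(r"\bobject (\S+)", line):
                if objects.get(ref, {}).get("addr") is None:
                    findings.append(f"ACL references object {ref} that has no host/subnet")
    for name, obj in objects.items():
        twins = sorted(n for n in objects if n.lower() == name.lower())
        if len(twins) > 1 and name == twins[0]:
            findings.append(f"object names differ only by case: {twins}")
        if obj["nat"] and obj["addr"] is None:
            findings.append(f"object {name} has a NAT rule but no host/subnet")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(POSTED_CONFIG)))
```

Running it on the excerpt yields three findings; renaming every reference to the defined spelling (as the second config does with Server_Mail) yields none.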
I have Connection Problems with the Linksys WRT400N Router!
I bought the Linksys WRT400N Dual Band Router in January 2010, and had nothing but problems with it keeping renewing the IP Address for the internet. I have Road Runner High Speed Cable Internet, and they can’t help me with this support, I tried to call Linksys about 5 times and they are no real help, all I get is pay by credit card after talking to someone for a few minutes.
The problem is I can’t connect to the internet but can only connect to my Network Printer or Home Network. It won’t renew the IP Address for the internet until I reboot the router. I had this problem connecting it wired and wirelessly. I have a Linksys WUSB600N version 2 Wireless Adapter.
Check if you have this configuration. Don't miss the MAC Address Cloning.