ASA 5505/5510 Management Interface

Hi,
Does anyone know a workaround to this limitation? (other than the "management-access" command for VPN connections)
Management access to an interface other than the one from which you entered the ASA is not supported. For example, if your management host is located on the outside interface, you can only initiate a management connection directly to the outside interface.
Thanks!

Hi,
If you need to ssh for XYZ (name) instead of real IP, you need to make a mapping on your DNS server. ASA will not do this mapping or resolution.
Thanks,
Prashant Joshi

Similar Messages

ASA 5505 Vlan1/Inside Interface Down

I did an initial setup of an ASA 5505 using the setup wizard.
The inside interface is showing down/down. It is not shutdown in the running config.
The ethernet ports say "available but not configured via nameif."
Anyone have some ideas for me to check?
ethernet0/0 is working with no problems.

Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
Brian

Rekey data left of 0KB in ASA 5505-5510 seems to make IPSec SA fail

Hello
I have a Central Office with a Cisco ASA 5510 connected to several remote locations with ASA5505
The site to site VPNs work well, but sometimes some of them fail. After some research I found that, it that situation, the IKE and IPSec SAs are working, but traffic only crosses the tunnel in one direction. As an example, if I ping a remote host, it receives the ping request and sends the ping reply, but this reply never crosses the tunnel back.
As far as I know, it seems to happen randomly, at least I couldn't find a pattern. I tried logging out the tunnel by means of the ASDM but, when the tunnel re-establishes, the same happens. The only solution is to force a reload of the ASA5505 in the remote location, and then it starts to work normally (I can't do a reload on the 5510, as it would break the connection with the rest of remote locations).
The only clue I have is that it can only affect one of the several IPSec SAs of the IKE session while the rest of SAs of that session keep on working and, when failing, the data rekey lifetime of that IPSec SA is 0 KB:
WORKING SA:
IPSec:
Session ID   : 2
Local Addr   : X.X.X.X/255.255.255.0/0/0
Remote Addr : X.X.X.X/255.255.255.0/0/0
Encryption   : 3DES                   Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 18401 Seconds
Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 3824715 K-Bytes
Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
Bytes Tx     : 22570303               Bytes Rx     : 35752322
Pkts Tx      : 490855                 Pkts Rx      : 408700
FAILING SA:
IPSec:
Session ID   : 3
Local Addr   : X.X.X.X/255.255.255.0/0/0
Remote Addr : X.X.X.X/255.255.255.0/0/0
Encryption   : 3DES                   Hashing      : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds          Rekey Left(T): 14862 Seconds
Rekey Int (D): 3825000 K-Bytes        Rekey Left(D): 0 K-Bytes
Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
Bytes Tx     : 67264                  Bytes Rx     : 0
Pkts Tx      : 1051                   Pkts Rx      : 0
This led me to notice that, even when both 5510 and 5505 have the same traffic volume lifetime settings for the SA, the Rekey Data interval of the SAs is different between 5505 and 5510 (4275000 KB for 5505 and 3825000 KB for 5510 for by default setting of 4608000 KB; I tried changing this value to 5000000 in both devices and their new intervals were also different between them). I don't know if it's something to do with my problem, but seems quite odd.
I've looked for a solution in manuals and also browsed the Internet but with no result, so I would be very grateful if someone could give me some advice.
Thanks and regards

Does the version upgrade need to be applied to the head-end firwall (5510) or the remote firewall (5505)? I may be having this same issue, but it only affects VPN connections from ASA firewalls and not from PIX firewalls, so I was thinking it would have to do with the 5505 code. Except that I see two ISAKMP SAs on the corporate side, one showing rekey. I hadn't checked the ASP table or looked to see if the data was at 0k.
The reason I ask which device needs to be running the fixed version is that our head-end firewall is already running 8.3(2) which is in the fixed version list. We are running 8.2(2)22 on our remote ASA5505 firewalls which are the only ones that are having the issue.
Thanks,
Mark

ASA 5505 ssh access question

Hi,
Currently any ip address can ssh to my asa 5505 firewall outside interface. What should I do to restrict only certain IP can? What's the command to see the current ssh management access rule?
Thanks.
Ye

I tried this and got an error. Please help.
CL-T179-12IH# ssh 162.221.204.59 255.255.255.255 outside
^
ERROR: % Invalid input detected at '^' marker.
Also when I do "show run ssh" I see below line. How to remove it?
ssh 0.0.0.0 0.0.0.0 outside
Thanks.
Ye

ASA 5515 management interface

I started to configure a new ASA 5515 to replace an 5510. When I attempted to remove the "management-only" command from the Management0/0 interface I was greeted with the following error:
"ERROR: It is not allowed to make changes to this option for management interface on this platform."
Does this mean we can't use the managment interface anymore on these newer ASAs? I was planning on using that port when we bought it. If this is the case, let this be a warning to whoever is counting the managment port as a 7th interface on the 5515!

Update: I just found out that you can't use the management interface for failover purposes either. Argggggg.
"Management interface cannot be configured for failover on this platform."

ASA 5505 Unable to assign ip to DMZ vlan interface

hi all,
I have ASA 5505 with base license.
I created 3rd vlan on it.it was created.
but i am unable to assign IP to it.
i assign ip address it takes it.
But when i do sh int ip brief it does not show any ip.
ciscoasa# sh int ip brief
Interface                  IP-Address      OK? Method Status                Prot
ocol
Ethernet0/0                unassigned      YES unset up                    up
Ethernet0/1                unassigned      YES unset up                    up
Ethernet0/2                unassigned      YES unset up                    up
Ethernet0/3                unassigned      YES unset administratively down down
Ethernet0/4                unassigned      YES unset administratively down down
Ethernet0/5                unassigned      YES unset administratively down down
Ethernet0/6                unassigned      YES unset administratively down down
Ethernet0/7                unassigned      YES unset administratively down down
Internal-Data0/0           unassigned      YES unset up                    up
Internal-Data0/1           unassigned      YES unset up                    up
Vlan1                      192.168.1.1     YES CONFIG up                    up
Vlan2                      192.168.11.2    YES CONFIG up                    up
Vlan3                      unassigned      YES manual up                    up*************************************************************
Virtual0                   127.0.0.1       YES unset up                    up
ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# ip ad
ciscoasa(config-if)# ip address 192.168.12.2 255.255.255.0
ciscoasa(config-if)# end
ciscoasa# wr mem
Building configuration...
Cryptochecksum: 808baaba ced2a226 07cfb41f 9f6ec4f8
4608 bytes copied in 1.630 secs (4608 bytes/sec)
[OK]
ciscoasa# sh int ip brief
Interface                  IP-Address      OK? Method Status                Prot
ocol
Ethernet0/0                unassigned      YES unset up                    up
Ethernet0/1                unassigned      YES unset up                    up
Ethernet0/2                unassigned      YES unset up                    up
Ethernet0/3                unassigned      YES unset administratively down down
Ethernet0/4                unassigned      YES unset administratively down down
Ethernet0/5                unassigned      YES unset administratively down down
Ethernet0/6                unassigned      YES unset administratively down down
Ethernet0/7                unassigned      YES unset administratively down down
Internal-Data0/0           unassigned      YES unset up                    up
Internal-Data0/1           unassigned      YES unset up                    up
Vlan1                      192.168.1.1     YES CONFIG up                    up
Vlan2                      192.168.11.2    YES CONFIG up                    up
Vlan3                      unassigned      YES manual up                    up
Virtual0                   127.0.0.1       YES unset up                    up
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(9)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 3 days 17 hours
Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0    : address is 001d.a24d.ed0e, irq 11
1: Ext: Ethernet0/0         : address is 001d.a24d.ed06, irq 255
2: Ext: Ethernet0/1         : address is 001d.a24d.ed07, irq 255
3: Ext: Ethernet0/2         : address is 001d.a24d.ed08, irq 255
4: Ext: Ethernet0/3         : address is 001d.a24d.ed09, irq 255
5: Ext: Ethernet0/4         : address is 001d.a24d.ed0a, irq 255
6: Ext: Ethernet0/5         : address is 001d.a24d.ed0b, irq 255
7: Ext: Ethernet0/6         : address is 001d.a24d.ed0c, irq 255
8: Ext: Ethernet0/7         : address is 001d.a24d.ed0d, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
<--- More --->
Need to know does this License support IP to 3rd vlan ?
Thanks
Mahesh

Hi Julio,
I tried to config namef if but here is result
ciscoasa# sh run int vlan 3
interface Vlan3
description DMZ to 3550 New Switch
no nameif
security-level 50
ip address 192.168.12.2 255.255.255.0
ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# name
ciscoasa(config-if)# namei
ciscoasa(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

ASA 5505 Logging Issue - Warning: Configured logging host interface conflicts with route table entry

I am getting this warning on my ASA 5505 when I try to set up logging from my off site FW to the central FW, which is a 5510. What I am trying to do is send the FW logs through the VPN Tunnel into the central 5510 to our logging server at 192.168.22.99, but allow all other traffic out the outside interface so customers can hit our web servers down there. Here is an example of my config with fake IP's. I get this error when trying to do "logging inside host 192.168.22.99". If I try to put in "logging Tunnel host 192.168.22.99" I get the "Warning:Security Level is 1" message
5505
ethe0/0
desc To LA ISP (217.34.122.1)
switchport access vlan2
ethe0/1
desc To Redwood City HQ via VPN Tunnel
switchport access vlan1
ethe0/2
desc To Internal Web Server
switchport access vlan3
VLAN1
desc Tunnel to HQ
ifinterface Tunnel
security level 1
217.34.122.3 255.255.255.248
VLAN3
desc Internal Web Server
ifinterface inside
security level 100
192.168.0.1 255.255.255.0
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0
(No access-group is performed, as I match from the crypto map instead since I have multiple sites going out of HQ - see HQ configs)
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ set peer ip 65.29.211.198
5510 at HQ
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
(again no access-group, since I have a couple other off sites)
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.34.122.3

Hi Jouni,
I have the following configs in place with fake IPs
5505
1 outside interface with security level 0 (vlan1 direct connect to isp 217.33.122.2/30) - goes to ISP
1 Tunnel interface with security level 1 (vlan 2 direct connect to isp 217.33.122.6/30) - goes to Tunnel to our 5510
1 inside interface with security level 100 (servers connected to hub, with vlan3 ip of 192.168.0.1)
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0 - acl to 5510 inside network
route outside 0.0.0.0 0.0.0.0 217.33.122.1 - route for all traffic (except for 192.168.22.0/24) to take the outside connection
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198 - route for 192.168.22.0 destined traffic to take the Tunnel connection
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ 10 set peer ip 65.29.211.198
tunnel-group 65.29.211.198 type ipsec-l2l
5510
1 outside interface with security level 0 (vlan1 direct connect to isp 65.29.211.198) - goes to isp
1 inside interface with security level 100 (vlan2 connection to corporate servers and SIP 192.168.22.0/24)
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list OUTBOUND extended permit icmp host 217.33.122.6 host 192.168.22.99 (allows Nagios monitor to ping the DE interface
access-group OUTBOUND in interface outside
nat (inside,outside) static 192.168.22.99 interface destination static 217.33.122.6
route outside 192.168.0.0 255.255.255.0 217.33.122.6
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.33.122.6
tunnel-group 217.33.122.6 type ipsec-l2l
I am mistaken on the 5510 interfaces. They do not have vlans, and the IP address is directly applied to the interfaces for outside and inside.

Firewall Cisco ASA 5505 new interface license problem

Hi
I have one ASA 5505 with a Base License
The problem is when i want to use a new named interface the system says "With current License maximum number of named interfaces allowed is 3. Name cannot be set for this interface"
And the question is if with this base license the interface cannot be used or only cannot be named?
here the output of my firewall:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0    : address is e02f.6de6.7843, irq 11
1: Ext: Ethernet0/0         : address is e02f.6de6.783b, irq 255
2: Ext: Ethernet0/1         : address is e02f.6de6.783c, irq 255
3: Ext: Ethernet0/2         : address is e02f.6de6.783d, irq 255
4: Ext: Ethernet0/3         : address is e02f.6de6.783e, irq 255
5: Ext: Ethernet0/4         : address is e02f.6de6.783f, irq 255
6: Ext: Ethernet0/5         : address is e02f.6de6.7840, irq 255
7: Ext: Ethernet0/6         : address is e02f.6de6.7841, irq 255
8: Ext: Ethernet0/7         : address is e02f.6de6.7842, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255
Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

Hi,
The ASA5505 has with Base License the limitation of 3 Vlan interface of which 1 is also limited in access (shown by the above output mentioning DMZ Restricted)
For an interface on the ASA to operate it must have a name with the command "nameif"
If you already have 3 Vlan interfaces in use then with this license you wont be able to configure 4th Vlan interface without getting a license that supports more interfaces. I guess that would be the Security Plus license.
I know that this has come as a surprise to several users that have posted here on the forums. I too think that its a needles "feature" in the ASA to limit the use of the device in such a way.
- Jouni

Need verification of management interface usage on 5510

Hi,
I seem to get conflicting information on using the Management port as a regular routed interface on the ASA5510
This is the text in question:
The management interface can be used for the traffic that passes through the firewall as well. The Security Plus License for the ASA 5510 is required in order to use the management0/0 port as a regular interface. With a base license on the 5510, the management0/0 port cannot be used as a regular interface.
I believe that I saw another post that mentioned it was part of the standard IOS if you had a later version.
Can anybody validate this, one way or the other?
Thanks,
Dave

No, you dont need a license for it,just follow this doc, it was introduced in version 7.0.1:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2028112
Thanks,
Varun Rao
Security Team,
Cisco TAC

10Mb Metro link between ASA 5505 and ASA 5510

Dear all,
I have encountered one difficult problem, I wished all expert could give my - newie some tips,
Environment
One ASA 5505 - ASA 7.2(1) and ASDM 5.2(1)
One ASA 5510 - ASA 7.2 (1) and ASDM 5.2(1)
These two firewall make site-to-site VPN connection
two ASA has three interface - the one is inside (security level is 100), the another is outside (security level is 0), the finally interface is metro (security level is also 100)
***** I didn't know why around 3 days to one week , these two ASA would hang and make all internal PC cannot access to internet, it need to uplug and replug power, and then the ASA resumed. I didn't know how to shooting this problem, is ASA version is old (7.2(1)), or other problem,
***** I didn't know how to see the log, in the matter of fact, I have already set up a syslog in the one windows server, but I see log, I found no any error log for ASA error or hang message, please everyone.

To see the error logs on ASA; telnet to the device and after authentication give command "show log". This will display a long list of log messages. Point out to the log messages that have been logged at the time when the connection went down. Without the error message or syslog message it would not be possible to figure out the problem. Following link may help you to configure ASA for syslog
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

ASA 5505 backup interface

Hello,
I have setup ASA 5505 with 2 ISP, named outside (primary) and backup, the scenario is if outside down, then backup will take over, it works now.
But it is not working when the primary connection cannot reach the gateway with the interface still up.
Is it possible when the primary connection cannot reach the gateway then backup automatically take over?
Thanks before..
My configuration is:
ASA Version 8.2(1)
hostname cisco
domain-name default_domain
enable password ********* encrypted
passwd ********* encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.10.10.10 255.255.255.0
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
ip address 172.20.10.10 255.255.255.0
interface Ethernet0/0
switchport access vlan 1
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default domain
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group backup_in in interface backup
route outside 0.0.0.0 0.0.0.0 172.10.10.1 1
route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:24af050f332deab3e38eb578f8081d05
: end

Hi Amrin,
you can configure SLA monitoring on ASA and that woudl work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun

How do I block pings from the outside to the ASA 5505 outside interface?

I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
Anyone have a clue what I'm doing wrong? I'm not the firewall guy as you can tell. :/
Thanks in advance...
Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
ASA5505(config)#icmp deny any outside
You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection

You are allowing echo-reply, thus it will reply to a ping
try this ACL:
icmp deny any echo-reply outside
From:
https://supportforums.cisco.com/thread/223769
Eric

ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address

Using an ASA 5505 for firewall and VPN. We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.
The devices complete the connection and authenticate fine, but then are unable to hit any internal resources. Split tunneling seems to be working, as they can still hit outside resources. Packet tracer shows tcp flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24). Even the NAT translation looks good in packet tracer.
I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect.) This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses. Details:
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
current_peer: [VPN CLIENT ADDRESS], username: vpnuser
dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 05BFAE20
current inbound spi : CF85B895
inbound esp sas:
spi: 0xCF85B895 (3481647253)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373998/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000FFFFD
outbound esp sas:
spi: 0x05BFAE20 (96448032)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373999/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Any ideas? The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.

I have what I believe to be a similar issue. Site to site vpn is working well. That is site b can ping and send traffic to site A but Site A can not. Site B is a 3rd party vpn router. Site A is a Cisco 5505.
It appears that when the crypto map inserts the route into the routing table it shows the route via the outside IP of the outside interface and not the IP of Site B. in the crypto map I can see the proper ip address for the peer. I can't figure out why when it inserts the route that it uses the wrong ip address

ASA 5505 configured for WebVPN connecting to Citrix Web Interface

ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
i have a ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface . The user authenticates into WebVPN OK and gets the option to click on the Citrix Link (which is i add bookmark citrix server http:// 172.30.40.5.) i enter the citrix and then for example i want to open to outlook it can not open. (when i want to open some application no application is open)).there is no alarm at asa. how i solve this issue?
thanks.

Teymur,
Can you confim that after disabling the ssl/tls on the Citrix server (secure connectivity) that you are getting exactly the same error. It is possible that it is generating a different error.
The bug where we have see the existing error was CSCtf06303 but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA.
If you have confirmed the above two notes it may be adventageous to open a TAC case as we may need to do some live additional troubleshooting.
Thanks
-Jay

ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

Hi All,
I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface or what?

Use the interface name rather than IP address to match traffic based
on which interface is the source or destination of the traffic. You must
specify the interface keyword instead of specifying the actual IP
address in the ACL when the traffic source is a device interface. For
example, you can use this option to block certain remote IP addresses
from initiating a VPN session to the ASA by blocking ISAKMP. Any
traffic originated from or destined to the ASA, itself, requires that you
use the access-group command with the control-plane keyword.

ASA 5505/5510 Management Interface

Similar Messages

Maybe you are looking for