ASA 5505 9.1 and NAT issues to single dynamic IP

Good afternoon everybody, 
a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP). 
As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog:
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
At the same time, the console connection shows these two messages:
Asa5505# ERROR: NAT unable to reserve ports.
ERROR: NAT unable to reserve ports.
I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
This is the configuration file. I have marked the lines related to network objects and the relative nat statements; I hope it helps to find out where the problem is.
Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
ASA Version 9.1(5) 
hostname Asa5505
domain-name home
enable password XXXXXX encrypted
names
interface Ethernet0/0
 description ADSLPPoE
 switchport access vlan 2
interface Ethernet0/1
 description Internal_LAN
interface Ethernet0/2
 description Management_Net 
 switchport access vlan 3
interface Ethernet0/3
 shutdown
interface Ethernet0/4
 shutdown
interface Ethernet0/5
 description Uplink
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
interface Ethernet0/6
 description Wireless-POE
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
interface Ethernet0/7
 description Webcam-POE 
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.250 255.255.255.0 
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group AliceADSL
 ip address pppoe setroute 
interface Vlan3
 no forward interface Vlan1
 nameif management
 security-level 100
 ip address 10.5.1.250 255.255.255.0 
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.4
 domain-name home
object network Exchange-HTTPS
 host 192.168.1.150
object network Exchange-SMTP
 host 192.168.1.150
object network Network_Inside
 subnet 192.168.1.0 255.255.255.0
object network Network_Management
 subnet 10.5.1.0 255.255.255.0
access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https 
access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp 
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Exchange-HTTPS
 nat (inside,outside) static interface service tcp https https 
object network Exchange-SMTP
 nat (inside,outside) static interface service tcp smtp smtp 
object network Network_Inside
 nat (inside,outside) dynamic interface
object network Network_Management
 nat (management,outside) dynamic interface
access-group Outside_ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 8080
http 10.5.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
vpdn group AliceADSL request dialout pppoe
vpdn group AliceADSL localname aliceadsl
vpdn group AliceADSL ppp authentication pap
vpdn username aliceadsl password ***** store-local
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.4 192.168.1.150 interface inside
dhcpd wins 192.168.1.4 interface inside
dhcpd enable inside
dhcpd address 10.5.1.30-10.5.1.40 management
dhcpd dns 208.67.222.222 208.67.220.220 interface management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port 10443
 anyconnect-essentials
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXX
: end
no asdm history enable
Thanks in advance for your precious help!
C.

Update, 29th of June:
Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the running configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
I tried using show xlate before, during, and after the connection drop. As expected, before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During the disconnection, the whole xlate table is completely empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If I reload the ASA using reload noconfirm every rule is restored and everything works again.
Two brief questions:
1) In my NAT statements for PAT, does it change anything if I modify them (for example) from
    nat (inside,outside) static interface service tcp https https
to
    nat (inside,outside) dynamic interface service tcp https https
? Since it seems like the dynamic PAT is restored after a connection drop, I was asking myself what happens if I change the rules this way.
2) If there isn't any other way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing"? I can't predict how many times a day the line drops and I can't be there 24/7 with my console cable connected in order to restore the nat statements ^^
Thank you for your precious help and patience!
C.
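The poster's reasoning is that, with ASDM moved to 8080 and WebVPN to 10443, TCP/443 on the outside interface is free for the static PAT, so "NAT unable to reserve ports" should not be a port clash. The script below is an added example (not part of the post or of Cisco's tooling) that makes that reasoning mechanical: it parses an ASA-style configuration text, collects the TCP ports the ASA itself binds for management (it models only `http server enable`, default 443, and a `webvpn` block that is enabled on an interface, default 443; that limited model is an assumption of the example) and reports every `nat ... static interface service tcp` rule whose mapped port collides with one of them. It also parses the two `%ASA-6-305012` teardown lines quoted above so the torn-down translations can be listed from a syslog feed. Both configuration excerpts are constructed: the first mirrors the posted config, the second is a deliberately conflicting variant.

```python
import re
from typing import Dict, List, Tuple

# TCP service names the ASA accepts in "service tcp <real> <mapped>" (well-known ports).
SERVICE_PORTS = {"smtp": 25, "http": 80, "www": 80, "https": 443,
                 "ssh": 22, "pop3": 110, "imap4": 143}

# Static PAT to the interface address, e.g. "nat (inside,outside) static interface service tcp https https".
NAT_RE = re.compile(
    r"^\s*nat \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) static interface "
    r"service tcp (?P<real_port>\S+) (?P<mapped_port>\S+)\s*$")
# "http server enable" listens on 443 unless a port is given.
HTTP_RE = re.compile(r"^http server enable(?: (?P<port>\d+))?\s*$")
# The %ASA-6-305012 teardown message quoted in the post.
TEARDOWN_RE = re.compile(
    r"%ASA-6-305012: Teardown static TCP translation from "
    r"(?P<real_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) to "
    r"(?P<mapped_if>\w+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)")


def port_of(token: str) -> int:
    """Resolve a numeric port or a service keyword to a port number."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token.lower()]


def asa_listeners(config: str) -> Dict[int, List[str]]:
    """TCP ports the ASA itself binds for management services (modelled subset, see lead-in):
    "http server enable [port]" (default 443) and a webvpn block that has an
    "enable <interface>" line, on its "port" value (default 443)."""
    listeners: Dict[int, List[str]] = {}
    in_webvpn, webvpn_port, webvpn_enabled = False, 443, False
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command
            in_webvpn = line.strip() == "webvpn"
            m = HTTP_RE.match(line)
            if m:
                listeners.setdefault(int(m.group("port") or 443), []).append("http server")
            continue
        if in_webvpn:                           # subcommand of the webvpn block
            parts = line.split()
            if parts[0] == "port":
                webvpn_port = int(parts[1])
            elif parts[0] == "enable":
                webvpn_enabled = True
    if webvpn_enabled:
        listeners.setdefault(webvpn_port, []).append("webvpn")
    return listeners


def find_interface_pat_conflicts(config: str) -> List[Tuple[int, str, str]]:
    """(mapped port, nat line, competing listeners) for every static PAT to the
    interface address whose mapped TCP port a management service already owns."""
    listeners = asa_listeners(config)
    conflicts = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            mapped = port_of(m.group("mapped_port"))
            if mapped in listeners:
                conflicts.append((mapped, line.strip(), ", ".join(listeners[mapped])))
    return conflicts


def parse_static_teardowns(syslog_lines: List[str]) -> List[Tuple[str, int, str, int]]:
    """(real ip, real port, mapped ip, mapped port) for each static PAT teardown message."""
    found = []
    for line in syslog_lines:
        m = TEARDOWN_RE.search(line)
        if m:
            found.append((m.group("real_ip"), int(m.group("real_port")),
                          m.group("mapped_ip"), int(m.group("mapped_port"))))
    return found


# Constructed excerpt mirroring the posted configuration (management ports moved off 443).
POSTED_CONFIG = """\
object network Exchange-HTTPS
 nat (inside,outside) static interface service tcp https https
object network Exchange-SMTP
 nat (inside,outside) static interface service tcp smtp smtp
http server enable 8080
webvpn
 port 10443
 anyconnect-essentials
"""

# Constructed counter-example: ASDM on its default port and WebVPN enabled on outside.
CONFLICTING_CONFIG = """\
object network Exchange-HTTPS
 nat (inside,outside) static interface service tcp https https
http server enable
webvpn
 enable outside
"""

# The two syslog lines quoted in the post.
SYSLOG = [
    "<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 "
    "to outside:79.6.105.13/25 duration 0:01:17.",
    "<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 "
    "to outside:79.6.105.13/443 duration 0:01:17.",
]

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("conflicting", CONFLICTING_CONFIG)):
        print(name, "->", find_interface_pat_conflicts(cfg) or "no port conflicts")
    for real_ip, real_port, mapped_ip, mapped_port in parse_static_teardowns(SYSLOG):
        print(f"static PAT {real_ip}:{real_port} -> {mapped_ip}:{mapped_port} torn down")
```

For the posted excerpt the checker finds no conflict, which agrees with the poster's own analysis; the counter-example shows what a genuine clash between ASDM, WebVPN and the HTTPS PAT looks like. The check is purely static: a failure that only appears when the PPPoE address is re-assigned, as described in the update, is a runtime condition that no configuration check reproduces, and the teardown parser exists so that such events can be counted and alerted on from the syslog feed rather than discovered at the console.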

Similar Messages

  • CISCO ASA 5505 bandwidth Controll and split

    Dear All,
    Below I am giving the infrastructure which I would like to set up; please help me.
    I am using a Cisco ASA 5505 VPN Firewall and a 6Mbps 1:1 dedicated internet connection.
    On the LAN side we have 3 networks: one for Internet users, one for VPN users, one for CCTV.
    I would like to split the 6Mbps bandwidth among these 3 networks, 3x2, so
    each network uses 2Mbps of bandwidth. The VPN and CCTV users use it up to 6:00 pm; after that the bandwidth will be free,
    and after 6:00 pm we need to use the VPN and CCTV line bandwidth for the Internet users.
    Cisco Adaptive Security Appliance Software Version 7.2(4)
    Device Manager Version 5.2(4)
    Compiled on Sun 06-Apr-08 13:39 by builders
    System image file is "disk0:/asa724-k8.bin"
    So please help me with a suitable configuration for my purpose / please tell me which device will support this / what I have to do for this.
    Thanks
    Lalu R.S

    There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
    You can do some crude controls with QoS - the configuration guide chapter on doing that is here.

  • Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

    Hello,
    We are currently having issues with an ASA 5505 IPsec VPN. It was configured about 7-8 months ago and has been running very well... up until the last few weeks. For some reason, the VPN tends to randomly disconnect any connected user clients a lot. Furthermore, sometimes it actually connects; however, it does not put us on the local network for some reason and we are unable to browse the file server. We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss, but we are still unable to pinpoint the problem. Sometimes users close out of the VPN client completely, reopen it several times and then it works. However it's never really been consistent enough and hasn't been the last few weeks. No configuration changes have been made to the ASA at all. Furthermore, the Cisco IPsec VPN client version is: 5.0.70
    Directly below is our current running config (modded for public).  Any help or ideas would be greatly appreciated.  Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
    : Saved
    ASA Version 8.4(2)
    hostname domainasa
    domain-name adomain.local
    enable password cTfsR84pqF5Xohw. encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 205.101.1.240 255.255.255.248
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.2.60
    domain-name adomain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network SBS_2011
    host 192.168.2.60
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.192_27
    subnet 192.168.5.192 255.255.255.224
    object network Https_Access
    host 192.168.2.90
    description Spam Hero
    object-group network DM_INLINE_NETWORK_1
    network-object object SPAM1
    network-object object SPAM2
    network-object object SPAM3
    network-object object SPAM4
    network-object object SPAM5
    network-object object SPAM6
    network-object object SPAM7
    network-object object SPAM8
    object-group service RDP tcp
    description Microsoft RDP
    port-object eq 3389
    access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
    access-list outside_access_in extended permit tcp any object SBS_2011 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in remark External RDP Access
    access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
    access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
    ip local pool VPN_Users 192.168.5.194-192.168.5.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.5.192_27 NETWORK_OBJ_192.168.5.192_27 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SBS_2011
    nat (inside,outside) static interface service tcp smtp smtp
    object network Https_Access
    nat (inside,outside) static interface service tcp https https
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.160-192.168.2.199 inside
    dhcpd dns 192.168.2.60 24.29.99.36 interface inside
    dhcpd wins 192.168.2.60 24.29.99.36 interface inside
    dhcpd domain adomain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy domain internal
    group-policy domain attributes
    wins-server value 192.168.2.60
    dns-server value 192.168.2.60
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value adomain.local
    username ben password zWCAaitV3CB.GA87 encrypted privilege 0
    username ben attributes
    vpn-group-policy domain
    username sdomain password FATqd4I1ZoqyQ/MN encrypted
    username sdomain attributes
    vpn-group-policy domain
    username adomain password V5.hvhZU4S8NwGg/ encrypted
    username adomain attributes
    vpn-group-policy domain
    service-type admin
    username jdomain password uODal3Mlensb8d.t encrypted privilege 0
    username jdomain attributes
    vpn-group-policy domain
    service-type admin
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool VPN_Users
    default-group-policy domain
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2466a5b754eebcdb0ceff051bef91d9
    : end
    no asdm history enable
    Thanks again

    Hello Belnet,
    What do the logs from the ASA show?
    Can you post them?
    Any other question? Sure. Just remember to rate all of the community answers.
    Julio

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create a Site-to-Site VPN between a Cisco ASA 5505 and a Cisco 3945 Router.
    I've tried creating the configuration with and without the ASA wizard, but either way it doesn't work.
    Please help me to find where the issue is.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate it.
    I don't have any NAT exemptions in the Cisco IOS Router. I will change the transform-set soon, but I've tried with tunnel mode and it didn't work.
    Maybe the NAT exemption is the issue. Can you advise me which exemptions should be in the Cisco IOS Router?
    Because on the Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.

  • ASA 5505 Connection Limit and TIME_WAIT Freezing Device

    My little ASA 5505 is working great and I am quite happy with the purchase now that I've solved a number of the issues we had, thank you all very much for the help.
    The next issue I have is rather annoying. The device appears to be artificially crippled and limited to 10,000 connections. This isn't a "CPU limit", it's just some fake limit in the device as far as I can tell.
    The problem we have is that we are only using around 500-600 connections and CPU usage is only like 25%, and yet the connection count is pegged at 10,000 and locks us out of our network.
    I am pretty sure this is because there are a lot of "dead" TIME_WAIT connections hanging around not being used.  In our application we only have the couple hundred connections but they do move around a bit every now and then.
    Is there any way to get the device to ignore the "dead" connections and not count them towards the artificial limit on the device, given that it's pretty clear the CPU etc. is not utilized sufficiently? These aren't real connections; we only have a couple hundred established, they do just move around a bit however.
    We are really only using 500-700 connections according to our servers, the others are just sitting in TIME_WAIT doing nothing.
    Anyone had this issue before or can offer solutions or workarounds?

    Hello,
    Have you checked the output of 'show conn' and 'show local-host' at a time when the connection count is maxed out? If the ASA is not removing idle connections, you should open a TAC case to have this investigated. Otherwise, the above commands should show you which hosts are maxing out the connections and you can take steps to remediate those problem hosts.
    -Mike

  • ASA 5505 Failure replaced and need to move the license key?

    Can someone point me in the right direction? My ASA 5505 died due to a power surge and I swapped it with a spare. I had Security Plus and a 50 user license and need to move the license keys from the failed ASA 5505 to the new one. I kept both my emails with the activation keys, but I'm not sure how I get this transferred? Thanks in advance.
    Joe

    I think this is totally unacceptable. For anyone else who uses a 5505 at home and has bought licenses and the hardware out of their own pocket, the idea here should be that you've already bought the hardware and the license. Seems obvious, right?
    Yes I can see the license being device specific if not only because that's the way you've designed your licensing activation schema; but if I've just had your product fail and bought another replacement, there should be an understanding or agreement between Cisco and the user that we can reinstate any licenses we've already bought.
    Do you really believe it's fair to make someone buy something from you twice, something that they've already bought from you? Do you actually believe that? I believe that the people in the Cisco Licensing department would agree with my viewpoint and I have a pending case with them for this issue right now. I will post my result here.
    Make your products last and perhaps I can give credence to your licensing beliefs, until then your products fail and so does your licensing logic.

  • ASA 5505 - Cannot ping outside natted interface

    Hello,
    I have a Cisco ASA 5505; the problem is that I am not able to ping the outside NATted addresses (IPs 172.88.188.123, 124 and 125) from the inside network.
    Could someone help me to resolve this? I have looked for ASA documentation through the internet and still got nothing.
    Thank you in advance
    The config is:
    : Saved
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name domain
    enable password ********** encrypted
    passwd ************ encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 172.88.188.122 255.255.255.248
    interface Vlan3
    no forward interface Vlan2
    nameif backup
    security-level 0
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain
    same-security-traffic permit intra-interface
    access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
    access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
    access-list outside_in extended permit tcp any host 172.88.188.123 eq www
    access-list outside_in extended permit icmp any any
    access-list outside_in extended permit icmp any any echo-reply
    access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
    access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
    access-list inside_out extended permit icmp any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu backup 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 1 172.88.188.128
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
    static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
    static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
    route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 1048575
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.200 inside
    dhcpd dns 8.8.8.8 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:865943aa325eb75812628fec3b1e7249
    : end

    You are looking for this. 2 options: DNS doctoring, or hairpinning (2nd part of the document). Post back if you need help setting it up.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
    Hairpinning would look like this in your scenario.
    same-security-traffic permit intra-interface
    global (inside) 1 interface
    static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
    static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
    static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
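
    The hairpinning lines above use the pre-8.3 global/static syntax, which matches the posted config but not the 9.0/9.1 syntax used elsewhere on this page. The following is an added example, not part of the answer, showing both options in 8.3+/9.x NAT syntax for the mail host 192.168.1.253 / 172.88.188.123 from the posted config (repeat for the other two static hosts). The object and policy names are assumptions.

```cisco
! Added example, not from the original answer. Object names are assumptions.
object network MAIL-REAL
 host 192.168.1.253
object network MAIL-PUB
 host 172.88.188.123
!
! Option 1: DNS doctoring. The "dns" keyword makes the ASA rewrite the A record
! in DNS replies that cross it, so inside clients resolve the public name to
! 192.168.1.253 and connect directly. Two conditions: the DNS reply must pass
! through the ASA (true here, DHCP hands out 8.8.8.8), and DNS inspection must
! be on. The posted global_policy only has "inspect icmp", so without the
! "inspect dns" below this option silently does nothing.
object network MAIL-REAL
 nat (inside,outside) static MAIL-PUB dns
policy-map global_policy
 class inspection_default
  inspect dns
!
! Option 2: hairpinning (U-turn on the inside interface). Clients keep using
! 172.88.188.123; the ASA translates the destination to 192.168.1.253 and PATs
! the source to its own inside address so the server's reply comes back through
! the ASA instead of going straight to the client (which would be dropped as an
! asymmetric connection). The server therefore logs the ASA inside IP, not the
! client IP, which matters if you read the mail server's connection logs.
same-security-traffic permit intra-interface
nat (inside,inside) source dynamic any interface destination static MAIL-PUB MAIL-REAL
!
! Verify: an inside-to-inside xlate should appear when a client connects, and
! "show nat detail" shows hit counts per rule.
show xlate
show nat detail
```

    Pick one of the two; DNS doctoring is simpler and keeps the real client IP visible to the server, hairpinning works even when the client has the public IP hard-coded.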

  • ASA 5505:Static Routing and Deny TCP connection because of bad flag

    Hi Everybody,
    I have a problem. I made a site-to-site VPN with 2 ASA 5505s. The VPN works great. And I created a redundant link in case the VPN fails.
    In fact, I use Dual ISP with route tracking. If the VPN fails, the default route changes to an ISDN router situated on the inside interface.
    When I simulated a VPN failure, the ASAs' routes switched automatically to the backup ISDN routers. If I ping hosts, it works great. But when I try a TCP connection like telnet, the ASAs deny the connections:
    %PIX|ASA-6-106015: Deny TCP (no connection) from 172.16.10.57/35066 to 172.16.18.1/23 flags tcp_flags on interface interface_name.
    the security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
    thanks!
    EDIT: On the diagram, the interface of the main ASA is 172.16.18.148...

    Check that the xlate timer is set greater than or equal to the conn timer, so as not to have connections waiting on xlates that no longer exist. To minimize the number of attempts, enable "service resetinbound". The PIX will reset the connection and make it go away. Without service resetinbound, the PIX Firewall drops packets that are denied and generates a syslog message stating that the SYN was a denied connection.
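
    As an added example (not part of the answer above), here are the checks the answer describes as typed on the ASA, followed by a third step that is my own assumption about the cause: when the backup ISDN router sits on the inside LAN and returns traffic straight to the hosts, the ASA sees only one direction of the TCP handshake, which is exactly what %ASA-6-106015 reports. The access-list and class-map names, and the /24 masks derived from the two addresses in the log line, are assumptions.

```cisco
! Added example, not from the original answer.
! Step 1: compare the xlate and conn timers; xlate must be >= conn.
show running-config timeout
! If xlate is shorter than conn, raise it (values shown are the ASA defaults).
timeout xlate 3:00:00
timeout conn 1:00:00
!
! Step 2: send a RST for denied inbound packets instead of silently dropping
! them, so the client gives up immediately instead of retransmitting.
service resetinbound
!
! Step 3 (assumption, not in the answer): if the return path via the ISDN
! router bypasses the ASA, no timer will help, because the ASA never sees the
! SYN-ACK. TCP state bypass lets the ASA forward TCP packets that have no
! matching connection. It also turns off TCP normalization and sequence
! checking for the matched traffic, so scope the ACL to the backup-path
! subnets only, never "any any".
access-list BYPASS-ISDN extended permit tcp 172.16.10.0 255.255.255.0 172.16.18.0 255.255.255.0
access-list BYPASS-ISDN extended permit tcp 172.16.18.0 255.255.255.0 172.16.10.0 255.255.255.0
class-map CM-BYPASS-ISDN
 match access-list BYPASS-ISDN
policy-map PM-BYPASS-ISDN
 class CM-BYPASS-ISDN
  set connection advanced-options tcp-state-bypass
service-policy PM-BYPASS-ISDN interface inside
!
! Confirm: the 106015 messages should stop and the telnet session should
! appear in the connection table while the VPN is down.
show logging | include 106015
show conn address 172.16.18.1
```

    Remove the bypass policy again once the routing is symmetric (for example if the ISDN router is moved behind a dedicated ASA interface), because bypassed flows get none of the ASA's TCP stateful checks.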

  • ASA 5505 Site to Site VPN issue

    I have been trying to configure a site-to-site VPN for a few days now, but I am not able to get it to connect. The only difference between the two is that one has a dynamic IP. This VPN isn't a priority, so there isn't a need to have the dynamic IP moved to a static one at this time. Here are my configs on both ASAs. Any help would be greatly appreciated. I replaced the IPs with x.x.x.x.
    ASA 1:
    Result of the command: "SHOW RUN"
    : Saved
    ASA Version 9.0(1)
    hostname ciscoasa
    enable password Yn8Esq3NcXIHL35v encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPNDHCP 10.50.50.1-10.50.50.100 mask 255.0.0.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 1,3
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    switchport trunk allowed vlan 1,3,13
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    switchport trunk allowed vlan 1,3
    switchport mode trunk
    interface Vlan1
    nameif Internal
    security-level 100
    ip address 10.0.0.1 255.0.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan1
    nameif Guest
    security-level 50
    ip address 192.168.1.1 255.255.255.0
    interface Vlan23
    nameif EP
    security-level 100
    ip address 192.168.20.254 255.255.255.0
    boot system disk0:/asa901-k8.bin
    boot system disk0:/asa844-1-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network GLE-A-Network
    subnet 10.0.0.0 255.0.0.0
    object network GLE-B-Network
    subnet 192.168.2.0 255.255.255.0
    object network Web-Server
    host 10.0.61.230
    object network obj-Guest
    subnet 192.168.1.0 255.255.255.0
    description Guest Wireless
    object network Spiceworks
    host 10.0.1.2
    object network NETWORK_OBJ_10.50.50.0_25
    subnet 10.50.50.0 255.255.255.128
    object network Remote-Desktop-Services
    host 10.0.1.2
    object network Web-Server-SSL
    host 10.0.23.1
    object service RDP
    service tcp source eq 3389 destination eq 3389
    object network RemoteDesktop
    host 10.0.61.240
    object network obj-PerryCameras-1
    host 10.0.36.1
    object network obj-PerryCameras-2
    host 10.0.36.1
    object network obj-PerryCameras-3
    host 10.0.36.1
    object network DHCP-Server
    host 10.0.1.1
    object network GLE-B-Firewall
    host X.X.X.X
    object network EP-Network
    subnet 192.168.26.0 255.255.255.0
    object network EP-Firewall
    host X.X.X.X
    object network obj-BLDGa
    subnet 192.168.33.0 255.255.255.0
    object network FTP
    host 10.0.61.230
    object-group service SpiceworksPorts tcp
    description https
    port-object eq https
    object-group service RemoteDesktopServices
    service-object tcp-udp destination eq 3389
    object-group service RDS tcp
    description Remote Desktop Services
    port-object eq 3389
    port-object eq https
    object-group service Phone1 tcp
    port-object eq 5522
    object-group service Phone udp
    port-object range 10001 20000
    port-object eq 5522
    object-group service Phones tcp-udp
    port-object range 10001 20000
    port-object eq 5222
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service PerryCameras tcp-udp
    port-object eq 180
    port-object eq 181
    port-object eq 9000
    object-group service Camera1 tcp-udp
    port-object eq 9000
    object-group service Camera2 tcp-udp
    port-object eq 881
    object-group service Camera3 tcp-udp
    port-object eq 1801
    access-list outside_cryptomap extended permit ip object GLE-A-Network object GLE-B-Network
    access-list outside_access_in extended permit tcp any4 object Web-Server eq www
    access-list outside_access_in extended permit tcp any object Web-Server-SSL eq https
    access-list outside_access_in extended permit tcp any object RemoteDesktop eq 3389
    access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-1 object-group Camera1
    access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-2 object-group Camera2
    access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-3 object-group Camera3
    access-list outside_access_in extended permit tcp any4 object FTP eq ftp
    access-list guest_in extended permit udp any4 host 208.67.222.222 eq domain
    access-list guest_in extended permit udp any4 host 208.67.220.220 eq domain
    access-list guest_in extended deny udp any4 any4 eq domain
    access-list guest_in extended permit ip any4 any4
    access-list EP_access_in extended permit object-group TCPUDP any4 any4 eq domain
    access-list EP_access_in extended permit ip any4 any4
    access-list outside_cryptomap_1 extended permit ip object GLE-A-Network object EP-Network
    pager lines 24
    logging enable
    logging asdm informational
    mtu Internal 1500
    mtu outside 1500
    mtu Guest 1500
    mtu EP 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-702.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Internal,outside) source static any any destination static NETWORK_OBJ_10.50.50.0_25 NETWORK_OBJ_10.50.50.0_25 no-proxy-arp route-lookup
    nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static GLE-B-Network GLE-B-Network no-proxy-arp route-lookup
    nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup
    nat (EP,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup
    object network obj_any
    nat (Internal,outside) dynamic interface
    object network Web-Server
    nat (Internal,outside) static interface service tcp www www
    object network obj-Guest
    nat (Guest,outside) dynamic interface
    object network Spiceworks
    nat (Internal,outside) static interface service tcp 8080 8080
    object network Web-Server-SSL
    nat (Internal,outside) static interface service tcp https https
    object network RemoteDesktop
    nat (Internal,outside) static interface service tcp 3389 3389
    object network obj-PerryCameras-1
    nat (Internal,outside) static interface service tcp 9000 9000
    object network obj-PerryCameras-2
    nat (any,outside) static interface service tcp 881 881
    object network obj-PerryCameras-3
    nat (Internal,outside) static interface service tcp 1801 1801
    object network FTP
    nat (Internal,outside) static interface service tcp ftp ftp
    access-group outside_access_in in interface outside
    access-group guest_in in interface Guest
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 1:00:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server PolicyServer protocol radius
    aaa-server PolicyServer (Internal) host 10.0.1.1
    timeout 5
    key *****
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 Internal
    http authentication-certificate Internal
    snmp-server host Internal 10.200.200.11 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer X.X.X.X
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 2 match address outside_cryptomap_1
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer X.X.X.X
    crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    crl configure
    crypto ca trustpoint ASDM_TrustPoint2
    crl configure
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable Internal
    crypto ikev2 enable outside
    crypto ikev1 enable Internal
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.5-192.168.1.229 Guest
    dhcpd dns 208.67.222.222 208.67.220.220 interface Guest
    dhcprelay server 10.0.1.1 Internal
    dhcprelay enable Guest
    dhcprelay setroute Guest
    dhcprelay timeout 60
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    dynamic-filter enable interface Internal
    dynamic-filter enable interface outside
    dynamic-filter enable interface Guest
    dynamic-filter drop blacklist
    ntp server 10.0.1.1 source Internal prefer
    webvpn
    anyconnect-essentials
    group-policy GroupPolicy_X.X.X.X internal
    group-policy GroupPolicy_X.X.X.X attributes
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    group-policy GroupPolicy_X.X.X.X internal
    group-policy GroupPolicy_X.X.X.X attributes
    vpn-tunnel-protocol ikev1 ikev2
    group-policy VPNUSER internal
    group-policy VPNUSER attributes
    dns-server value 10.0.1.1 192.168.2.230
    vpn-tunnel-protocol ikev1
    username admin password kSXIy6qd1ZTBFL9/ encrypted
    username danpoynter password XEQ0M75K1B1E6VtM encrypted privilege 0
    username danpoynter attributes
    vpn-group-policy VPNUSER
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X general-attributes
    default-group-policy GroupPolicy_X.X.X.X
    tunnel-group X.X.X.X ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X general-attributes
    default-group-policy GroupPolicy_X.X.X.X
    tunnel-group X.X.X.X ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:b29f5ff3b9db58467b0eb509bc068c2f
    : end
    ASA 2:
    Result of the command: "SHOW RUN"
    : Saved
    ASA Version 9.0(1)
    hostname ciscoasa
    enable password TYEBBb7SkpIC3BiW encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool remotevpnusers 192.168.12.25-192.168.12.55 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 4
    interface Ethernet0/2
    switchport access vlan 3
    switchport trunk allowed vlan 3-4
    interface Ethernet0/3
    switchport access vlan 20
    interface Ethernet0/4
    switchport access vlan 21
    interface Ethernet0/5
    switchport access vlan 22
    interface Ethernet0/6
    switchport access vlan 4
    switchport trunk allowed vlan 3-4,20-22
    switchport mode trunk
    interface Ethernet0/7
    interface Vlan1
    nameif Management
    security-level 100
    ip address 192.168.31.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.240
    interface Vlan3
    description EP Guest Network
    no forward interface Vlan4
    nameif Guest
    security-level 50
    ip address 192.168.27.1 255.255.255.0
    interface Vlan4
    nameif Internal
    security-level 100
    ip address 192.168.26.254 255.255.255.0
    interface Vlan20
    description BLDG-A Subnet
    nameif BLDG-A
    security-level 100
    ip address 192.168.20.254 255.255.255.0
    interface Vlan21
    nameif BLDG-B
    security-level 100
    ip address 192.168.21.254 255.255.255.0
    interface Vlan22
    nameif BLDG-C
    security-level 100
    ip address 192.168.22.254 255.255.255.0
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_192.168.12.0_26
    subnet 192.168.12.0 255.255.255.192
    object network NETWORK_OBJ_192.168.26.0_24
    subnet 192.168.26.0 255.255.255.0
    object network obj-KeoweeCameras
    host 192.168.26.10
    description Keowee Street Cameras
    object network Inside
    subnet 192.168.26.0 255.255.255.0
    description Inside Network Route
    object network Guest
    subnet 192.168.27.0 255.255.255.0
    description Guest Network Route
    object network Internal
    subnet 192.168.26.0 255.255.255.0
    object network obj-HunterCameras
    host 192.168.21.20
    description Hunter Cameras
    object network obj-Spiceworks
    host 192.168.26.8
    object network Electro-Polish-Network
    subnet 192.168.26.0 255.255.255.0
    object network GLE-Firewall
    host x.x.x.x
    object network GLE-Network
    subnet 10.0.0.0 255.0.0.0
    object network BLDG-A
    subnet 192.168.20.0 255.255.255.0
    object network BLDG-B
    subnet 192.168.21.0 255.255.255.0
    object network BLDG-C
    subnet 192.168.22.0 255.255.255.0
    object network DCG-Server01
    host 192.168.26.9
    object network NETWORK_OBJ_192.168.21.0_24
    subnet 192.168.21.0 255.255.255.0
    object network VPN-POOL
    subnet 192.168.12.0 255.255.255.0
    object network EP-VPN-Network
    subnet 192.168.26.0 255.255.255.0
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service CameraSystem tcp-udp
    port-object eq 18004
    port-object eq 26635
    port-object eq 76
    access-list electroremote_splitTunnelAcl standard permit 192.168.26.0 255.255.255.0
    access-list electroremote_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list electroremote_splitTunnelAcl standard permit 192.168.21.0 255.255.255.0
    access-list electroremote_splitTunnelAcl standard permit 192.168.22.0 255.255.255.0
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-KeoweeCameras object-group CameraSystem
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-HunterCameras object-group CameraSystem
    access-list outside_access_in extended permit tcp any4 object obj-Spiceworks eq https
    access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq https
    access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq www
    access-list Guest_access_in extended permit udp any4 host 208.67.222.222 eq domain
    access-list Guest_access_in extended permit udp any4 host 208.67.220.220 eq domain
    access-list Guest_access_in extended deny udp any4 any4 eq domain
    access-list Guest_access_in extended permit ip any4 any4
    access-list inside_access_in extended permit udp any4 host 208.67.222.222 eq domain
    access-list inside_access_in extended permit udp any4 host 208.67.220.220 eq domain
    access-list inside_access_in extended deny udp any4 any4 eq domain
    access-list inside_access_in extended permit ip any4 any4
    access-list Internal_access_in extended permit udp any4 host 208.67.222.222 eq domain
    access-list Internal_access_in extended permit udp any4 host 208.67.220.220 eq domain
    access-list Internal_access_in extended deny udp any4 any4 eq domain
    access-list Internal_access_in extended permit ip any any4
    access-list ip-qos extended permit ip 192.168.27.0 255.255.255.0 any
    access-list ip-qos extended permit ip any 192.168.27.0 255.255.255.0
    access-list electroremote_splittunnelacl standard permit 192.168.20.0 255.255.255.0
    access-list electroremote_splittunnelacl standard permit 192.168.21.0 255.255.255.0
    access-list electroremote_splittunnelacl standard permit 192.168.22.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.26.0 255.255.255.0 object GLE-Network
    pager lines 24
    logging enable
    logging asdm informational
    mtu Management 1500
    mtu outside 1500
    mtu Guest 1500
    mtu Internal 1500
    mtu BLDG-A 1500
    mtu BLDG-B 1500
    mtu BLDG-C 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-702.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (BLDG-A,outside) source static BLDG-A BLDG-A destination static VPN-POOL VPN-POOL
    nat (BLDG-B,outside) source static BLDG-B BLDG-B destination static VPN-POOL VPN-POOL
    nat (BLDG-C,outside) source static BLDG-C BLDG-C destination static VPN-POOL VPN-POOL
    nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
    nat (Internal,outside) source static Electro-Polish-Network Electro-Polish-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup
    nat (Internal,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
    nat (outside,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
    nat (Internal,outside) source static EP-VPN-Network EP-VPN-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup
    nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static GLE-Network GLE-Network no-proxy-arp route-lookup
    object network obj_any
    nat (Internal,outside) dynamic interface
    object network obj-KeoweeCameras
    nat (Internal,outside) static x.x.x.x
    object network Inside
    nat (Internal,outside) dynamic interface
    object network Guest
    nat (Guest,outside) dynamic x.x.x.x
    object network Internal
    nat (Internal,outside) dynamic interface
    object network obj-HunterCameras
    nat (BLDG-B,outside) static x.x.x.x
    object network obj-Spiceworks
    nat (Internal,outside) static x.x.x.x service tcp https https
    object network BLDG-A
    nat (BLDG-A,outside) dynamic interface
    object network BLDG-B
    nat (BLDG-B,outside) dynamic interface
    object network BLDG-C
    nat (BLDG-C,outside) dynamic interface
    object network DCG-Server01
    nat (any,any) static x.x.x.x
    access-group inside_access_in in interface Management
    access-group outside_access_in in interface outside
    access-group Guest_access_in in interface Guest
    access-group Internal_access_in in interface Internal
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server IAS protocol radius
    aaa-server IAS (Internal) host 192.168.26.1
    timeout 5
    key *****
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.31.0 255.255.255.0 Management
    http 192.168.26.0 255.255.255.0 Internal
    http x.x.x.x 255.255.255.255 outside
    http authentication-certificate Management
    snmp-server host Internal 192.168.26.8 community ***** version 2c
    snmp-server location Building A
    snmp-server contact Dan Poynter
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer x.x.x.x
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map BLDG-B_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map BLDG-B_map interface BLDG-B
    crypto map BLDG-A_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map BLDG-A_map interface BLDG-A
    crypto ca trustpool policy
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev2 enable Internal
    crypto ikev1 enable outside
    crypto ikev1 enable Internal
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.26.0 255.255.255.0 Internal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access Internal
    dhcpd auto_config outside
    dhcpd address 192.168.27.50-192.168.27.100 Guest
    dhcpd dns 208.67.222.222 208.67.220.220 interface Guest
    dhcprelay server 192.168.26.1 Internal
    dhcprelay server 192.168.26.2 Internal
    dhcprelay enable Guest
    dhcprelay enable BLDG-A
    dhcprelay enable BLDG-B
    dhcprelay enable BLDG-C
    dhcprelay setroute Guest
    dhcprelay setroute BLDG-A
    dhcprelay setroute BLDG-B
    dhcprelay setroute BLDG-C
    dhcprelay timeout 60
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy GroupPolicy_x.x.x.x internal
    group-policy GroupPolicy_x.x.x.x attributes
    vpn-tunnel-protocol ikev1 ikev2
    group-policy electroremote internal
    group-policy electroremote attributes
    dns-server value 192.168.26.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value electroremote_splitTunnelAcl
    default-domain value electropolish.local
    username epadmin password Iu2OqCfOGoYIZ5iC encrypted privilege 15
    username epadmin attributes
    service-type nas-prompt
    tunnel-group electroremote type remote-access
    tunnel-group electroremote general-attributes
    address-pool remotevpnusers
    authentication-server-group IAS
    default-group-policy electroremote
    tunnel-group electroremote ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x general-attributes
    default-group-policy GroupPolicy_x.x.x.x
    tunnel-group x.x.x.x ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map icmp-class
    match default-inspection-traffic
    class-map inspection_default
    match default-inspection-traffic
    class-map qos
    description qos policy
    match access-list ip-qos
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map icmp_policy
    class icmp-class
    inspect icmp
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    policy-map qos
    class qos
    police output 1048500 1048576
    police input 256000 256000
    service-policy global_policy global
    service-policy icmp_policy interface outside
    service-policy qos interface Guest
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:3f2034bf1ad61529c601c097d6f60bad
    : end

    Hi,
    Are you saying that all traffic is working from the central site to the remote site when the remote site's devices are in the "inside" Vlan? All but the phones, even if they are in the "inside" Vlan?
    Are you sure you have the NAT configurations correct on the remote site for the other LAN interface?
    Are you seeing any connections from the phones when they are in the original "inside" interface of the remote ASA? Don't they usually get the Call Manager IPs from the DHCP server and then connect with TFTP to the Call Manager, after which they form a TCP/2000 port connection to the Call Manager? I'm not really familiar with Cisco Phones other than what I see on the firewalls from time to time.
    Are you sure your remote ASA and switch are configured correctly when you add the second Vlan to the switch? Can you see the phones on the remote ASA with the "show arp" command when they are powered on?
    There should not be identical security-levels on the interfaces of the remote ASA unless the phones need to connect to the other local "inside" network. Then it would be logical for the interfaces both to be security-level 100. Interface "outside" is usually set to 0.
    Guess we would need to see the configurations for the ASAs to confirm that everything is in order.
    - Jouni

  • ASA 5505 9.1(2) NAT/return traffic problems

    As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
    For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NAT'ing through the host workstation, then through the Cisco) but CAN NOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
    I've stripped down the ASA config to the basic level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
    Network is extremely basic:
    DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
                                                                      ^
                                                                     |----------------------- guest vlan (10.0.1.X)
    show running-config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 9.1(2)
    hostname border
    domain-name mydomain.com
    enable password aaa encrypted
    passwd bbb encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 1,3
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.50.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif Guest-VLAN
    security-level 10
    ip address 10.0.1.1 255.255.255.0
    boot system disk0:/asa912-k8.bin
    boot system disk0:/asa911-k8.bin
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 208.104.2.36
    domain-name domain
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 255.255.255.0
    object network Guest-WLAN
    subnet 0.0.0.0 255.255.255.0
    description Interent access for guest Wireless
    object network xbox-nat-tcp3074
    host 192.168.50.54
    object network xbox-nat-udp3074
    host 192.168.50.54
    object network xbox-nat-udp88
    host 192.168.50.54
    object service xbox-live-88
    service udp destination eq 88
    object network xbox
    host 192.168.50.54
    object network obj-inside
    subnet 192.168.50.0 255.255.255.0
    object network obj-xbox
    host 192.168.50.54
    object network plex-server
    host 192.168.50.5
    object network ubuntu-server
    host 192.168.50.5
    description Ubuntu Linux Server
    object network ntp
    host 192.168.50.5
    object network plex
    host 192.168.50.5
    object network INTERNET
    subnet 0.0.0.0 0.0.0.0
    object-group service xbox-live-3074 tcp-udp
    port-object eq 3074
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service plex-server-32400 tcp
    description Plex Media Server
    port-object eq 32400
    access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
    access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
    access-list outside_access_in extended permit tcp any any eq echo
    access-list outside_access_in remark Plex Live access
    access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Guest-VLAN 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-713.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network xbox-nat-tcp3074
    nat (inside,outside) static interface service tcp 3074 3074
    object network xbox-nat-udp3074
    nat (inside,outside) static interface service udp 3074 3074
    object network xbox-nat-udp88
    nat (inside,outside) static interface service udp 88 88
    object network plex
    nat (inside,outside) static interface service tcp 32400 32400
    object network INTERNET
    nat (inside,outside) dynamic interface
    nat (Guest-VLAN,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.50.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=border
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xxxx
      quit
    crypto ca certificate chain ASDM_TrustPoint0
    certificate xxxx
      quit
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh 192.168.50.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpn-addr-assign local reuse-delay 60
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    dhcpd address 192.168.50.5-192.168.50.132 inside
    dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
    dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
    dhcpd lease 86400 interface Guest-VLAN
    dhcpd enable Guest-VLAN
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 152.19.240.5 source outside prefer
    ssl trust-point ASDM_TrustPoint0 outside
    username xxx password xxx/ encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    service call-home
    call-home reporting anonymous
    call-home
    contact-email-addr [email protected]
    profile CiscoTAC-1
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:xxx
    : end
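
    Added example for this thread (not the poster's or Cisco's tooling): a small Python audit that reads the object NAT and management-access lines from an ASA running-config like the one above, builds the table of what each static PAT exposes on the mapped interface address, and flags two rules, or a rule and a management listener (ASDM/HTTPS on 443, SSH on 22, Telnet on 23), claiming the same interface port, a reservation the ASA refuses. `SAMPLE_CONFIG` is a constructed excerpt modelled on the config above, the function names are mine, and twice NAT beyond the `dynamic` keyword and the inbound ACL are deliberately not parsed.

```python
"""Inventory the inbound exposure created by ASA object NAT and flag port
reservations that collide.  Added example for this thread; not the poster's
tool or Cisco's.  SAMPLE_CONFIG is a constructed excerpt modelled on the
running-config in the post, not the full config."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
http server enable
http 192.168.50.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 inside
object network xbox-nat-tcp3074
 host 192.168.50.54
object network xbox-nat-udp3074
 host 192.168.50.54
object network xbox-nat-udp88
 host 192.168.50.54
object network plex
 host 192.168.50.5
object network INTERNET
 subnet 0.0.0.0 0.0.0.0
object network xbox-nat-tcp3074
 nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
 nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
 nat (inside,outside) static interface service udp 88 88
object network plex
 nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
 nat (inside,outside) dynamic interface
nat (Guest-VLAN,outside) after-auto source dynamic any interface
"""

# Ports the ASA management services occupy on every interface they are
# enabled on (assumes the default ports: ASDM/HTTPS 443, SSH 22, Telnet 23).
MGMT_PORTS = {"http": ("tcp", "443"), "ssh": ("tcp", "22"), "telnet": ("tcp", "23")}

OBJECT_RE = re.compile(r"object network (\S+)$")
ADDR_RE = re.compile(r"(host|subnet) (.+)$")
# nat (real_if,mapped_if) static <mapped> [service tcp|udp real_port mapped_port]
STATIC_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\d+) (\d+))?")
DYNAMIC_RE = re.compile(r"nat \((\S+),(\S+)\) .*\bdynamic\b")
# http|ssh|telnet <network> <mask> <interface>  (only IP-form lines, so
# 'ssh timeout 5' or 'ssh key-exchange ...' never match)
MGMT_RE = re.compile(r"(http|ssh|telnet) [\d.]+ [\d.]+ (\S+)$")


def parse_config(cfg):
    """Walk the config once, remembering which 'object network' block we are in."""
    objects, statics, dynamics, mgmt = {}, [], [], []
    http_enabled, current = False, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "http server enable":
            http_enabled = True
            continue
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            objects.setdefault(current, None)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            objects[current] = m.group(2)
            continue
        m = STATIC_RE.match(line)
        if m and current:
            real_if, mapped_if, mapped, proto, real_port, mapped_port = m.groups()
            statics.append({"object": current, "real_if": real_if, "mapped_if": mapped_if,
                            "mapped": mapped, "proto": proto or "ip",
                            "real_port": real_port or "*", "mapped_port": mapped_port or "*"})
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            dynamics.append((m.group(1), m.group(2)))
            continue
        m = MGMT_RE.match(line)
        if m:
            mgmt.append((m.group(1), m.group(2)))
    # An 'http <net> <mask> <if>' line listens only when the server is enabled.
    mgmt = [(svc, iface) for svc, iface in mgmt if svc != "http" or http_enabled]
    return objects, statics, dynamics, mgmt


def exposure_table(objects, statics):
    """(mapped_if, proto, mapped_port) -> 'real_address:real_port': what a scan of
    the mapped interface address reaches through each static PAT."""
    return {(s["mapped_if"], s["proto"], s["mapped_port"]):
            f"{objects.get(s['object'])}:{s['real_port']}" for s in statics}


def find_conflicts(statics, mgmt):
    """Two claims on one (interface, proto, port) cannot both be reserved: either
    two static PATs, or a static PAT and a management listener on that interface."""
    claims = defaultdict(list)
    for s in statics:
        claims[(s["mapped_if"], s["proto"], s["mapped_port"])].append(f"nat for {s['object']}")
    for svc, iface in mgmt:
        proto, port = MGMT_PORTS[svc]
        claims[(iface, proto, port)].append(f"{svc} server on {iface}")
    return [f"{i}/{p}/{port}: {', '.join(who)}"
            for (i, p, port), who in sorted(claims.items()) if len(who) > 1]


def audit(cfg):
    objects, statics, dynamics, mgmt = parse_config(cfg)
    return {"exposure": exposure_table(objects, statics),
            "dynamic_pat": dynamics,
            "conflicts": find_conflicts(statics, mgmt)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for (iface, proto, port), target in sorted(report["exposure"].items()):
        print(f"{iface} {proto}/{port} -> {target}")
    for real_if, mapped_if in report["dynamic_pat"]:
        print(f"dynamic PAT {real_if} -> {mapped_if} (return traffic matches the xlate)")
    print("conflicts:", report["conflicts"] or "none")
```

    On the excerpt the audit lists the four static PATs (3074 tcp/udp and 88 udp to 192.168.50.54, 32400 tcp to 192.168.50.5), the two dynamic PAT pairs and no conflicts, so the NAT lines are at least self-consistent. Return traffic for the dynamic PAT is matched against an existing xlate rather than the rule table, which is why `show xlate` and `show conn` during a failing NTP query tell you more than re-reading the rules.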

    Hi,
    Configuration seems fine.
    With regards to the ICMP, you could also add this
    class inspection_default
      inspect icmp error
    I would probably start by trying out some other software level on the ASA
    Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
    One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA, and go through the information with Wireshark.
    - Jouni

  • Double computer name on network and NAT issue with Back to My Mac

    These are the problems I am having:
    When my MacPro workstation (which on the network is named "The Beast") wakes from sleep - I get a message saying "there is already a computer on the network with the name "The Beast". Other computers on the network can now find you at "The Beast-2"" and it gives me a new name in the file sharing preferences - even though it is the only computer on the network with that name.
    Why is this happening???
    The other problem is with Back to My Mac - When I try to enable it - I get an error message saying "Turn off NAT Addressing" - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
    Here is my network setup which consists of the Modem / Router from my ISP - an Airport Extreme Base Station and one Airport Express - which is connected to my MacPro via ethernet. The MacPro does not have an airport card installed and is running OSX 10.6.8 - all other computers / devices are running 10.7.x and iOS6.
    VDSL Modem / Router (from Internet provider) with wireless turned off - (so it is not broadcasting a competing wireless signal) - connected via ethernet to my Airport Extreme Base Station.
    Here are all the settings on the AEBS and the Airport Express: - I am using Airport Utility 5.6.1 on my Mac Pro running OSX 10.6.8 - so the setup prefs are different than the newer version of Airport Utility found on 10.7.x systems - but both work fine. Although I did notice that the option to allow ethernet clients to connect to the Airport Express does not exist (or I just didn't find it) in the newer version of Airport Utility.
    Airport Extreme Base Station is set up as follows:
    Wireless Mode: Create a Wireless Network
    Wireless Settings:
    Allow this network to be extended IS CHECKED
    Radio Mode: 802.11n (b and g compatible)
    Wireless Security: WPA/WPA2 Personal
    Access Control:
    MAC Address Access Control: Not Enabled
    Internet Settings:
    Internet Connection:
    Connect Using: Ethernet
    Connection Sharing: OFF (Bridge Mode).
    TCP/IP:
    Configure IPv4: Using DHCP
    Advanced Settings:
    Logging & Statistics:
    Syslog Destination Address is blank (as in nothing appears in this field).
    Syslog Level: 5 - Notice
    Allow SNMP is CHECKED
    MobileMe:
    Back to my Mac is turned off - but if I try to turn it on I get an error message saying "Turn off NAT Addressing" - which I thought was turned off since the AEBS is in Bridge Mode. Why is this happening?
    IPv6:
    IPv6 Mode: Link-local only
    As stated - my MacPro with no wifi card -  is connected via ethernet to an Airport Express which connects wirelessly to the AEBS for network and internet access.
    Airport Express Settings:
    Airport Settings:
    Wireless Mode: Join a Wireless Network
    Allow Ethernet Clients IS CHECKED
    Wireless Security WPA/WPA2 Personal
    Internet Settings: Are grayed out (as in I can't change these settings - I assume because they are being controlled by the AEBS) and read as follows:
    Connect Using: Wireless Network
    Connection Sharing: OFF (Bridge Mode)
    TCP/IP:
    Configure IPv4: using DHCP
    All other settings are identical to the AEBS.
    All other WiFi devices in the house (MacBook Pro, iPhones, iPads, iMac, Apple TV, Nintendo Wii, etc.) are all able to connect to the network and connect to the internet - no problem.
    Thanks for any insights into what might be causing the double name on the network and why it is asking me to turn off NAT addressing - when both my Airport devices are in Bridge Mode?

    I am also having this issue... any updates on this??

  • Time Capsule, hardwired to TWO xbox 360's, and NAT issues.

    Hello All,
    I currently have an older Linksys WRT54G (version 1.0 LOL) which has been working fine for years. I recently bought my son an XBOX 360 for Christmas and we went through the issues of NAT and Call of Duty, and basically I have become quite knowledgeable on this topic. I recently added a SECOND XBOX 360, as it became apparent that one would not do with three boys in the house (Plus COD is a blast on line).
    So I created a second Live Account and got the two Xboxes running online stably with NAT wide open on both. This required abandoning the Linksys Firmware and installing "Tomato" on the WRT54G. That works GREAT. No modifications were required for the rest of the network including...
    Macbook by Wifi, Minimac Hardwired (ya ya wifi works but hardwire is better), Airport Express (used only to stream music to stereo in family room - from ANY PC/MAC running Itunes...Itunes is VERY NICE), HP printer with network adapter, 5 other PC's including a mix of VISTA, XP, XP Pro, and multiple IPHONES, A Palm Tungsten C, WII, DS and of course the two hard wired XBOXs. NO Problems. The Tomato configuration only required the modifications for the XBOXs specifically as the rest of the network settings were not changed after the firmware update.
    What am I interested in? I'd like to upgrade to a Time Capsule for several reasons. One Newer wifi, faster, two frequencies, backup space for growing Mac branch of our network, and as the internet sharing router. AND to be able to access the TC from the internet for file access anywhere! LOVE THAT FEATURE. This requires the TC to be the first device after the cable modem as far as I can tell at this point. (any input on this specific feature would be great).
    So I want to configure the TC with the input from the Cable modem as the main distribution of the internet. Then from the other NETWORK ports connect to my 20 port router for the rest of the house, as well as to the other items currently connected at the site of the current LinkSys Router (Mac Mini, Sony TV).
    Also I need to maintain the current XBOX set up with (as well as Wii) with full open NAT on both XBOXs.
    My question: Anyone here currently using the TC for hardwired connectivity for an XBOX with XBOX live running with open NAT for TWO XBOXs?
    The issues with NAT and TWO XBOXs is that you cannot simply use PORT FORWARDing or PORT Triggering to make sure that the traffic goes to the correct xbox. The XBOX uses specific communication ports and the ROUTER needs to keep the traffic flowing properly or you get disconnected or never get open NAT (must have for XBOX live and internet gaming). There are many write ups on using Port Forwarding for one XBOX and setting the second one in the DMZ, but this does not work all the time.
    The "Tomato" firmware on the LINKSYS allows fooling the router into giving a 'pseudo static' ip address to the XBOX's by doing MAC address based reservation of an IP number and then letting the DHCP give the xbox an IP address. The MAC address based reservation makes sure that the XBOX always gets the same IP address which for some GD reason must be in order for the traffic to be routed to the correct device. (you can of course use the same MAC address reservation for any device on the network).
    Second Question: For those using the TC AND a second WiFi Router to do WIRELESS connection to the XBOX - which device do you have configured as the main INTERNET sharing router? I have read here what appears to state that the TC is the main router and the other WiFi the secondary. Thus the ROUTING is still being done by the TC and the other wifi device is being used simply as a WiFi Access point/switch. If this is the case would the firmware on the TC allow the proper routing for TWO XBOXs on the network?
    Thank you,
    Mike

    The ports are 53, 80, 88, and 3074. Since you are trying to make two Xbox consoles use those ports and you are trying to connect to a server, what you need to do is to use Port Range Triggering. You can't use Port Range Forwarding since it will only set those ports into listening mode to the IP address you set it to. So if you use Port Range Forwarding it will only be open/available to one console (the one using the IP address).
    You need to use PORT RANGE TRIGGERING. Disable Port Range Forwarding and DMZ. You need to enable UPnP as well if your Linksys router has this option (other models don't have this option, but it is said to be enabled in the default settings according to their tech support).
    To solve the lag problem set your MTU size to 1364. This setting will work even if you have one or multiple consoles running behind the router.

  • H323 and NAT issue

    Hello all,
    I have an 1812 router, Version 12.4(15)T16, RELEASE SOFTWARE (fc2). The router is doing NAT.
    I have a LifeSize videoconference system. Calls with h323 are dropped after 30 seconds.
    I have these ip inspect rules:
    - ip inspect name SDM_LOW h323
    - ip inspect name SDM_LOW h323callsigalt
    interface FastEthernet0
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    ip access-group 102 in
    ip verify unicast reverse-path
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    ip route-cache flow
    speed 100
    full-duplex
    crypto map SDM_CMAP_1
    service-policy input sdmappfwp2p_SDM_LOW
    service-policy output sdmappfwp2p_SDM_LOW
    When I start a communication, I get:
    sh ip inspect sessions
    Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN
    Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN
    Session 85AE39B0 (192.168.200.200:60001)=>(50.59.87.241:62830) h245-media-control SIS_OPEN
    Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN
    Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING
    Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING
    Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING
    Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING
    Pre-gen session 85ADA648  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
    Pre-gen session 85AD92D0  192.168.200.200[1024:65535]=>50.59.87.241[60121:60121] h323-RTCP-video
    Pre-gen session 85ADB6F8  192.168.200.200[1024:65535]=>50.59.87.241[60123:60123] h323-RTCP-data
    Pre-gen session 85AD9008  192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio
    Pre-gen session 85AE5848  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
    Where 192.168.200.200 is local IP and 50.59.87.241 the server I try to reach.
    Any idea what is going on? Why are calls dropped after 30 seconds?
    Something with NAT?
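
    Added example (not the poster's or Cisco's code): a Python parser for the `sh ip inspect sessions` output quoted above that splits the sessions by state and by direction relative to the inside endpoint, so it is visible which H.323 media channels the inspector opened but never saw two-way traffic on. `SAMPLE_OUTPUT` is the output from the post, the local address is passed in as the post states it, and the function names are mine.

```python
"""Parse IOS 'show ip inspect sessions' output and report which H.323 media
channels never saw two-way traffic.  Added example for this thread, not the
poster's or Cisco's tooling; SAMPLE_OUTPUT is copied from the post above."""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN
Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN
Session 85AE39B0 (192.168.200.200:60001)=>(50.59.87.241:62830) h245-media-control SIS_OPEN
Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN
Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING
Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING
Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING
Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING
Pre-gen session 85ADA648  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
Pre-gen session 85AD92D0  192.168.200.200[1024:65535]=>50.59.87.241[60121:60121] h323-RTCP-video
Pre-gen session 85ADB6F8  192.168.200.200[1024:65535]=>50.59.87.241[60123:60123] h323-RTCP-data
Pre-gen session 85AD9008  192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio
Pre-gen session 85AE5848  192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
"""

# Session <id> (src:port)=>(dst:port) <channel> <SIS_state>
SESSION_RE = re.compile(
    r"Session (\w+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\S+) (SIS_\w+)")
# Pre-gen session <id>  src[lo:hi]=>dst[lo:hi] <channel>: a pinhole the
# inspector derived from the control channel that no packet has used yet.
PREGEN_RE = re.compile(
    r"Pre-gen session (\w+)\s+([\d.]+)\[(\d+):(\d+)\]=>([\d.]+)\[(\d+):(\d+)\] (\S+)")


def parse_inspect_sessions(text):
    sessions, pregen = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SESSION_RE.match(line)
        if m:
            sid, src, sport, dst, dport, proto, state = m.groups()
            sessions.append({"id": sid, "src": src, "sport": int(sport), "dst": dst,
                             "dport": int(dport), "proto": proto, "state": state})
            continue
        m = PREGEN_RE.match(line)
        if m:
            sid, src, lo, hi, dst, dlo, dhi, proto = m.groups()
            pregen.append({"id": sid, "src": src, "src_ports": (int(lo), int(hi)),
                           "dst": dst, "dst_ports": (int(dlo), int(dhi)), "proto": proto})
    return {"sessions": sessions, "pregen": pregen}


def summarize(parsed, local_ip):
    """Group channels by inspect state and by direction relative to the inside
    endpoint.  SIS_OPENING means packets were seen in one direction only."""
    by_state = Counter(s["state"] for s in parsed["sessions"])
    one_way = sorted(s["proto"] for s in parsed["sessions"] if s["state"] == "SIS_OPENING")
    direction = {s["proto"]: ("inbound" if s["dst"] == local_ip else "outbound")
                 for s in parsed["sessions"]}
    # Pinholes waiting for the inside endpoint to send its first packet.
    expected_outbound = sorted({p["proto"] for p in parsed["pregen"] if p["src"] == local_ip})
    return {"by_state": dict(by_state), "one_way": one_way,
            "direction": direction, "expected_outbound": expected_outbound}


if __name__ == "__main__":
    report = summarize(parse_inspect_sessions(SAMPLE_OUTPUT), "192.168.200.200")
    print("sessions by state:", report["by_state"])
    for channel, where in sorted(report["direction"].items()):
        print(f"  {channel:20} {where}")
    print("one-way (SIS_OPENING) channels:", report["one_way"])
    print("pinholes not yet used by the inside endpoint:", report["expected_outbound"])
```

    On this output the signalling (`h323`, `h245-media-control`) and both audio channels are SIS_OPEN, while all four video and data channels sit in SIS_OPENING with packets seen from 50.59.87.241 only, and the pre-gen pinholes towards the peer for RTCP are still unused. A UDP inspect session that never sees a reply is removed when the `ip inspect udp idle-time` expires, whose default is 30 seconds, so a summary like this is what to line up against a call that drops at a fixed interval before looking at the NAT translations for those media ports.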

    Hi Alessandro,
    configuration below:
    ip inspect tcp reassembly queue length 200
    ip inspect tcp reassembly timeout 10
    ip inspect name SDM_LOW appfw SDM_LOW
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW http
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW h323callsigalt
    ip inspect name SDM_LOW skinny
    ip inspect name SDM_LOW sip-tls
    ip inspect name SDM_LOW sip
    ip inspect name SDM_LOW esmtp max-data 50000000
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW streamworks
    WAN_INTERFACE = xxx.xxx.xxx
    interface FastEthernet0
    ip address WAN_INTERFACE.226 255.255.255.248
    ip access-group 102 in
    ip verify unicast reverse-path
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    ip route-cache flow
    speed 100
    full-duplex
    crypto map SDM_CMAP_1
    service-policy input sdmappfwp2p_SDM_LOW
    service-policy output sdmappfwp2p_SDM_LOW
    Inbound ACL
    access-list 102 remark SDM_ACL Category=3
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq www log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 443 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 558 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1023 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1024 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1503 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1718 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1719 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1720 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 4001 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 11720 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 17518 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60000 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60001 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60002 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60003 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60004 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60005 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60000 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1023 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1024 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1718 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1719 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 1720 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 5060 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 17518 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60001 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60002 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60003 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60004 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60005 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60006 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60007 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60008 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60009 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60010 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60011 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60012 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60013 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60014 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60015 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60016 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60017 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60018 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60019 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60020 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60021 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60022 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60023 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60024 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 60025 log
    access-list 102 permit udp any host WAN_INTERFACE.228 eq 3389 log
    access-list 102 permit tcp any host WAN_INTERFACE.228 eq 3389 log
    [ Some ipsec rules]
    access-list 102 permit tcp any host WAN_INTERFACE.230 eq 22
    access-list 102 permit tcp any host WAN_INTERFACE.230 eq www
    access-list 102 permit tcp any host WAN_INTERFACE.227 eq smtp
    access-list 102 permit udp any host WAN_INTERFACE.227 eq 80
    access-list 102 permit tcp any host WAN_INTERFACE.227 eq www
    access-list 102 permit tcp any host WAN_INTERFACE.227 eq ftp
    access-list 102 permit tcp any host WAN_INTERFACE.226 eq 1723
    access-list 102 permit tcp any host WAN_INTERFACE.226 eq 47
    ip nat inside source static udp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_32 extendable
    ip nat inside source static tcp LAN_INTERFACE 80 WAN_INTERFACE.228 80 route-map SDM_RMAP_15 extendable
    ip nat inside source static tcp LAN_INTERFACE 443 WAN_INTERFACE.228 443 route-map SDM_RMAP_7 extendable
    ip nat inside source static tcp LAN_INTERFACE 558 WAN_INTERFACE.228 558 route-map SDM_RMAP_47 extendable
    ip nat inside source static tcp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_77 extendable
    ip nat inside source static udp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_78 extendable
    ip nat inside source static tcp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_73 extendable
    ip nat inside source static udp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_74 extendable
    ip nat inside source static tcp LAN_INTERFACE 1503 WAN_INTERFACE.228 1503 route-map SDM_RMAP_75 extendable
    ip nat inside source static tcp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_86 extendable
    ip nat inside source static udp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_87 extendable
    ip nat inside source static tcp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_42 extendable
    ip nat inside source static udp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_43 extendable
    ip nat inside source static tcp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_28 extendable
    ip nat inside source static udp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_44 extendable
    ip nat inside source static tcp LAN_INTERFACE 4001 WAN_INTERFACE.228 4001 route-map SDM_RMAP_72 extendable
    ip nat inside source static udp LAN_INTERFACE 5060 WAN_INTERFACE.228 5060 route-map SDM_RMAP_29 extendable
    ip nat inside source static tcp LAN_INTERFACE 11720 WAN_INTERFACE.228 11720 route-map SDM_RMAP_71 extendable
    ip nat inside source static tcp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_45 extendable
    ip nat inside source static udp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_46 extendable
    ip nat inside source static tcp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_30 extendable
    ip nat inside source static tcp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_31 extendable
    ip nat inside source static udp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_33 extendable
    ip nat inside source static tcp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_66 extendable
    ip nat inside source static udp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_34 extendable
    ip nat inside source static tcp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_67 extendable
    ip nat inside source static udp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_35 extendable
    ip nat inside source static tcp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_68 extendable
    ip nat inside source static udp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_36 extendable
    ip nat inside source static tcp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_69 extendable
    ip nat inside source static udp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_37 extendable
    ip nat inside source static udp LAN_INTERFACE 60006 WAN_INTERFACE.228 60006 route-map SDM_RMAP_38 extendable
    ip nat inside source static udp LAN_INTERFACE 60007 WAN_INTERFACE.228 60007 route-map SDM_RMAP_39 extendable
    ip nat inside source static udp LAN_INTERFACE 60008 WAN_INTERFACE.228 60008 route-map SDM_RMAP_48 extendable
    ip nat inside source static udp LAN_INTERFACE 60009 WAN_INTERFACE.228 60009 route-map SDM_RMAP_49 extendable
    ip nat inside source static udp LAN_INTERFACE 60010 WAN_INTERFACE.228 60010 route-map SDM_RMAP_50 extendable
    ip nat inside source static udp LAN_INTERFACE 60011 WAN_INTERFACE.228 60011 route-map SDM_RMAP_51 extendable
    ip nat inside source static udp LAN_INTERFACE 60012 WAN_INTERFACE.228 60012 route-map SDM_RMAP_52 extendable
    ip nat inside source static udp LAN_INTERFACE 60013 WAN_INTERFACE.228 60013 route-map SDM_RMAP_53 extendable
    ip nat inside source static udp LAN_INTERFACE 60014 WAN_INTERFACE.228 60014 route-map SDM_RMAP_54 extendable
    ip nat inside source static udp LAN_INTERFACE 60015 WAN_INTERFACE.228 60015 route-map SDM_RMAP_55 extendable
    ip nat inside source static udp LAN_INTERFACE 60016 WAN_INTERFACE.228 60016 route-map SDM_RMAP_56 extendable
    ip nat inside source static udp LAN_INTERFACE 60017 WAN_INTERFACE.228 60017 route-map SDM_RMAP_57 extendable
    ip nat inside source static udp LAN_INTERFACE 60018 WAN_INTERFACE.228 60018 route-map SDM_RMAP_58 extendable
    ip nat inside source static udp LAN_INTERFACE 60019 WAN_INTERFACE.228 60019 route-map SDM_RMAP_59 extendable
    ip nat inside source static udp LAN_INTERFACE 60020 WAN_INTERFACE.228 60020 route-map SDM_RMAP_60 extendable
    ip nat inside source static udp LAN_INTERFACE 60021 WAN_INTERFACE.228 60021 route-map SDM_RMAP_61 extendable
    ip nat inside source static udp LAN_INTERFACE 60022 WAN_INTERFACE.228 60022 route-map SDM_RMAP_62 extendable
    ip nat inside source static udp LAN_INTERFACE 60023 WAN_INTERFACE.228 60023 route-map SDM_RMAP_63 extendable
    ip nat inside source static udp LAN_INTERFACE 60024 WAN_INTERFACE.228 60024 route-map SDM_RMAP_64 extendable
    ip nat inside source static udp LAN_INTERFACE 60025 WAN_INTERFACE.228 60025 route-map SDM_RMAP_65 extendable
    ip nat inside source static LAN_INTERFACE WAN_INTERFACE.228 route-map SDM_RMAP_76
    All SDM_RMAP are like this one below
    route-map SDM_RMAP_32 permit 1
    match ip address 141
    access-list 141 remark SDM_ACL Category=2
    access-list 141 deny   ip host LAN_INTERFACE 10.0.5.0 0.0.0.31
    access-list 141 deny   ip host LAN_INTERFACE 10.0.5.40 0.0.0.1
    access-list 141 permit udp host LAN_INTERFACE eq 60000 any
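One way to sanity-check a configuration like the one above is to cross-reference the static port-forward NAT entries against the inbound ACL, since each forward needs a matching permit and each permit should forward to something. The following is an added example written for this page, not code from the post or from Cisco. It parses the two line shapes used above (`ip nat inside source static ...` and `access-list 102 permit ...`), treats a 1:1 static mapping without protocol/port (the SDM_RMAP_76 line) as exposing every port of that inside host, and reports mismatches. SAMPLE_CONFIG is a constructed excerpt of the posted config plus one constructed mismatch (a udp 5061 forward with route-map SDM_RMAP_99, neither of which is on the page).

```python
"""Cross-check IOS static port forwards against the inbound interface ACL.

Added example, not code from the forum post. Reports:
  * port forwards that the inbound ACL never permits (dead NAT entries),
  * ACL permits that forward to nothing (holes with no purpose).
A 1:1 static mapping (no protocol/port) exposes every port of the inside
host, so permits to that public address count as served.
"""
import re
from typing import Dict, List, Set, Tuple

# IOS accepts well-known service names in ACLs; these are the ones used on this page.
PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "domain": 53, "pop3": 110}

PORT_NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
HOST_NAT_RE = re.compile(
    r"^ip nat inside source static (?!tcp |udp )(\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")

Flow = Tuple[str, str, int]  # (protocol, public address, public port)


def port_number(token: str) -> int:
    """Turn a numeric or named port token into an integer."""
    if token.isdigit():
        return int(token)
    if token not in PORT_NAMES:
        raise ValueError(f"unknown port name: {token}")
    return PORT_NAMES[token]


def parse_nat(config: str) -> Tuple[Dict[Flow, str], Set[str]]:
    """Return (port forwards -> 'inside:port', public addresses with 1:1 statics)."""
    forwards: Dict[Flow, str] = {}
    full_static: Set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = PORT_NAT_RE.match(line)
        if m:
            proto, inside, iport, public, pport = m.groups()
            forwards[(proto, public, port_number(pport))] = f"{inside}:{iport}"
            continue
        m = HOST_NAT_RE.match(line)
        if m:
            full_static.add(m.group(2))
    return forwards, full_static


def parse_permits(config: str, acl: str) -> Set[Flow]:
    """Collect the (proto, host, port) tuples permitted by one numbered ACL."""
    permits: Set[Flow] = set()
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group(1) == acl:
            _, proto, public, port = m.groups()
            permits.add((proto, public, port_number(port)))
    return permits


def audit(config: str, acl: str = "102") -> Dict[str, List[Flow]]:
    """Report forwards without a permit and permits that forward nowhere."""
    forwards, full_static = parse_nat(config)
    permits = parse_permits(config, acl)
    return {
        "forward_without_permit": sorted(f for f in forwards if f not in permits),
        "permit_without_forward": sorted(
            p for p in permits if p not in forwards and p[1] not in full_static),
    }


# Constructed excerpt of the posted config; the udp 5061 line is a constructed mismatch.
SAMPLE_CONFIG = """\
access-list 102 permit tcp any host WAN_INTERFACE.228 eq www log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 443 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 5060 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 3389 log
access-list 102 permit tcp any host WAN_INTERFACE.227 eq smtp
ip nat inside source static tcp LAN_INTERFACE 80 WAN_INTERFACE.228 80 route-map SDM_RMAP_15 extendable
ip nat inside source static tcp LAN_INTERFACE 443 WAN_INTERFACE.228 443 route-map SDM_RMAP_7 extendable
ip nat inside source static udp LAN_INTERFACE 5060 WAN_INTERFACE.228 5060 route-map SDM_RMAP_29 extendable
ip nat inside source static udp LAN_INTERFACE 5061 WAN_INTERFACE.228 5061 route-map SDM_RMAP_99 extendable
ip nat inside source static LAN_INTERFACE WAN_INTERFACE.228 route-map SDM_RMAP_76
"""

if __name__ == "__main__":
    for kind, flows in audit(SAMPLE_CONFIG).items():
        for proto, host, port in flows:
            print(f"{kind}: {proto} {host}:{port}")
```

On the sample, tcp 3389 to WAN_INTERFACE.228 is not flagged because the 1:1 static for that address covers it; the smtp permit to WAN_INTERFACE.227 is flagged because nothing in the excerpt forwards it.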

  • Asa 5505 transparent firewall issue

    Hi, I have a UC560 with voice and data VLANs and a 3560 layer 3 switch, and my network is working fine; the DHCP for both voice and data runs on the UC560.
    Now I add an ASA 5505 between the UC560 and the switch in transparent mode, meaning from the UC560 to the ASA 5505 outside interface and from the ASA inside interface to the switch.
    I configured VLAN 1 as inside and VLAN 2 as outside on the ASA 5505.
    In my UC560 data is VLAN 1 and my voice is VLAN 100.
    When I connect my network with the transparent mode firewall, no DHCP and no phones are working. But if I remove the ASA and connect the UC560 to the switch, everything is fine.
    Is there any way to make multiple voice and data VLANs work in ASA 5505 transparent mode?

    Hi Rojas,
    here is my problem:
    my internet and voice are all connected to the UC560, so what I am doing is connecting the firewall outside to a UC560 trunk port and then the inside to my switch.
    When I connect to my switch it gives the message "inconsistent VLAN" and the port is blocked, and my phones are not working.
    My data VLAN 1 is 192.168.123.x
    and my voice VLAN 100 is 10.1.1.x
    and the firewall IP is 192.168.123.3

  • Problem with ASA 5505

    Good morning,
    I'm having the following problem. I configured an ASA 5505 with a Remote Access VPN and a Site-to-site VPN. Everything is working, but when I reload the ASA the VPNs do not work anymore: Remote Access gives error 412 and the Site-to-site no longer connects. To solve it, I have to reset and reconfigure the ASA. This started happening after updating the ASA; I have version 842-k8 and asdm645-106.
    Does anyone have any idea what it can be?
    Thank you.
    Running-config:
    : Saved
    : Written by master at 10:34:14.839 BRDT Mon Oct 10 2011
    ASA Version 8.4(2)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 0
    ip address 172.16.0.140 255.255.252.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group gvt
    ip address pppoe setroute
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    clock timezone BRST -3
    clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_172.16.0.0_22
    subnet 172.16.0.0 255.255.252.0
    object network NETWORK_OBJ_172.16.0.128_26
    subnet 172.16.0.128 255.255.255.192
    object network NETWORK_OBJ_20.0.0.0_24
    subnet 20.0.0.0 255.255.255.0
    object network NETWORK_OBJ_172.16.11.0_24
    subnet 172.16.11.0 255.255.255.0
    object-group network obj_any
    access-list 1 standard permit 172.16.0.0 255.255.252.0
    access-list 1 standard permit 20.0.0.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.252.0 20.0.0.0 255.255.255.0
    access-list outside_cryptomap_1 extended permit ip 172.16.0.0 255.255.252.0 172.16.11.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool pool 172.16.0.150-172.16.0.160 mask 255.255.252.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645-106.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 destination static NETWORK_OBJ_172.16.0.128_26 NETWORK_OBJ_172.16.0.128_26 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 destination static NETWORK_OBJ_20.0.0.0_24 NETWORK_OBJ_20.0.0.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 destination static NETWORK_OBJ_172.16.11.0_24 NETWORK_OBJ_172.16.11.0_24 no-proxy-arp route-lookup
    nat (inside,outside) after-auto source dynamic any interface
    route outside 172.16.11.0 255.255.255.0 187.16.33.131 10
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 172.16.0.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 189.11.56.237
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 2 match address outside_cryptomap_1
    crypto map outside_map 2 set peer 187.16.33.131
    crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group gvt request dialout pppoe
    vpdn group gvt localname *******@turbonetpro
    vpdn group gvt ppp authentication pap
    vpdn username *******@turbonetpro password *****
    dhcpd auto_config outside
    dhcpd address 172.16.0.144-172.16.1.143 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy crv internal
    group-policy crv attributes
    dns-server value 172.16.0.253 8.8.8.8
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value 1
    default-domain value crvnatural.com.br
    group-policy GroupPolicy_189.11.56.237 internal
    group-policy GroupPolicy_189.11.56.237 attributes
    vpn-filter value 1
    vpn-tunnel-protocol ikev1 ikev2
    group-policy GroupPolicy_187.16.33.131 internal
    group-policy GroupPolicy_187.16.33.131 attributes
    vpn-filter value 1
    vpn-tunnel-protocol ikev1 ikev2
    username master password kWH7f2vqtjMEg2Yp encrypted
    tunnel-group crv type remote-access
    tunnel-group crv general-attributes
    default-group-policy crv
    dhcp-server 172.16.0.253
    tunnel-group crv ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 189.11.**.*** type ipsec-l2l
    tunnel-group 189.11.**.*** general-attributes
    default-group-policy GroupPolicy_189.11.**.***
    tunnel-group 189.11.**.*** ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key ****
    ikev2 local-authentication pre-shared-key *****
    tunnel-group 187.16.33.*** type ipsec-l2l
    tunnel-group 187.16.33.*** general-attributes
    default-group-policy GroupPolicy_187.16.33.***
    tunnel-group 187.16.33.*** ipsec-attributes
    ikev1 pre-shared-key ******
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:50ed6f55182534a2429d065a26e9b45c
    : end
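The running-config above has both `interface Vlan1` (nameif inside) and `interface Vlan2` (nameif outside) at `security-level 0`, and `same-security-traffic permit inter-interface` is what lets traffic pass between two interfaces at the same level; it also carries IKEv1 policies and transform sets that still include DES/3DES and MD5. The following is an added example, written for this page and not code from the post or from Cisco, that lints a config dump of this shape for those two things. Because the pasted dump is not indented, sub-commands are recognised by keyword rather than by leading spaces: a known sub-command extends the current block and any other line ends it. SAMPLE is a constructed excerpt of the posted configuration.

```python
"""Lint an un-indented ASA running-config dump for trust-boundary and IKE strength issues.

Added example, not code from the forum post. Checks:
  * two or more named interfaces sharing one security-level,
  * IKEv1 policies using DES/3DES or MD5,
  * IKEv1 transform sets using esp-des/esp-3des or esp-md5-hmac.
"""
import re
from typing import Callable, Dict, List, Optional

WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}

# Sub-commands that may follow each block header in this kind of dump.
IFACE_SUBCMDS = ("nameif ", "security-level ", "ip address ", "description ",
                 "switchport ", "pppoe ", "shutdown")
POLICY_SUBCMDS = ("authentication ", "encryption ", "hash ", "group ", "lifetime ")
IKEV1_POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$")


def _parse_blocks(config: str, header: Callable[[str], Optional[str]],
                  subcmds: tuple) -> Dict[str, Dict[str, str]]:
    """Generic block parser: block name -> {first word of sub-command: rest of line}."""
    blocks: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        name = header(line)
        if name is not None:
            current = name
            blocks[current] = {}
        elif current is not None and line.startswith(subcmds):
            key, _, value = line.partition(" ")
            blocks[current][key] = value
        else:
            current = None  # any other top-level command closes the block
    return blocks


def parse_interfaces(config: str) -> Dict[str, Dict[str, str]]:
    """interface name -> its nameif / security-level / ip lines."""
    return _parse_blocks(
        config,
        lambda l: l.split(" ", 1)[1] if l.startswith("interface ") else None,
        IFACE_SUBCMDS)


def parse_ikev1_policies(config: str) -> Dict[str, Dict[str, str]]:
    """policy number -> its authentication / encryption / hash / group / lifetime."""
    def header(line: str) -> Optional[str]:
        m = IKEV1_POLICY_RE.match(line)
        return m.group(1) if m else None
    return _parse_blocks(config, header, POLICY_SUBCMDS)


def shared_security_levels(config: str) -> Dict[str, List[str]]:
    """security-level -> sorted nameifs, for levels used by more than one named interface."""
    by_level: Dict[str, List[str]] = {}
    for attrs in parse_interfaces(config).values():
        if "nameif" in attrs and "security-level" in attrs:
            by_level.setdefault(attrs["security-level"], []).append(attrs["nameif"])
    return {lvl: sorted(names) for lvl, names in by_level.items() if len(names) > 1}


def weak_ikev1_policies(config: str) -> List[str]:
    """Policy numbers whose encryption or hash is on the weak lists."""
    return sorted(
        (pid for pid, a in parse_ikev1_policies(config).items()
         if a.get("encryption") in WEAK_CIPHERS or a.get("hash") in WEAK_HASHES),
        key=int)


def weak_transform_sets(config: str) -> List[str]:
    """Transform-set names that use esp-des/esp-3des or esp-md5-hmac."""
    weak = []
    for raw in config.splitlines():
        m = TRANSFORM_RE.match(raw.strip())
        if m:
            name, cipher, integrity = m.groups()
            if cipher.replace("esp-", "", 1) in WEAK_CIPHERS or "md5" in integrity:
                weak.append(name)
    return weak


def audit(config: str) -> List[str]:
    """Human-readable findings from all three checks."""
    findings = []
    for lvl, names in shared_security_levels(config).items():
        findings.append(f"interfaces {', '.join(names)} share security-level {lvl}: "
                        "no implicit trust boundary between them")
    for pid in weak_ikev1_policies(config):
        findings.append(f"crypto ikev1 policy {pid} uses a weak cipher or hash")
    for name in weak_transform_sets(config):
        findings.append(f"transform-set {name} uses a weak cipher or hash")
    return findings


# Constructed excerpt of the posted running-config (un-indented, as pasted).
SAMPLE = """\
interface Vlan1
nameif inside
security-level 0
ip address 172.16.0.140 255.255.252.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group gvt
ip address pppoe setroute
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the full dump above it reports the inside/outside level-0 pair and the DES/3DES policies 100 through 150 plus the DES and MD5 transform sets, which are the entries a reviewer would want removed from the proposal lists before looking further at the reload problem.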

    David,
    In order to understand why LDAP is not working, run a "debug ldap 255" and then try to log in or run an AAA test.
    Attach the output to find out the issue.
    Please check this out as well, to make sure that you have the correct settings:
    ASA 8.0: Configure LDAP Authentication for WebVPN Users
    HTH.
    Portu.
