ASA 5505 to allow 2nd network segment through mpls
I have been having a heck of a time trying to configure my 5505 to allow the second segment on my network to use the internet.
Office 1 has a fiber internet connection, and all traffic flows fine.
Office 2 had gotten its internet from AT&T, via a network-based firewall injecting a default route into the MPLS cloud.
Both offices communicate with each other through the MPLS.
When we added the fiber to Office 1, we had the MPLS people change the default internet route to the inside address of the 5505 and things worked fine.
When AT&T attempted to remove the NBF default route and inject the 5505's address as default, things didn't go so well.
AT&T claims that it is within my NAT commands on the 5505, but won't tell me anything else. I assume that they are correct, and I assume that I am not good enough with the 5505 ASDM to tell it what to do.
Office 1 uses 10.10.30.xx addresses and Office 2 uses 10.10.10.xx. The 5505 inside interface is 10.10.30.2; the internal interfaces of the MPLS are 10.10.30.1 and 10.10.10.1.
I don't know what other information you would need, but am stuck here at Office 1 until I can get this working.
Thanks
Hi,
Ok, so IF I have not understood anything wrong (which is still possible), it would seem to me that the network mask of the ASA is at least one reason that will cause problems for the WI LAN if they try to use the Internet through the ASA5505 on the PA site.
This is what I would presume will happen when a host on the WI LAN initiates a connection to the Internet:
1. WI PC 10.10.10.10 sends a TCP SYN to initiate/open a TCP connection with a Web server on the Internet
2. The TCP SYN gets forwarded to the default gateway of the PC, which is 10.10.10.1
3. The TCP SYN packet traverses the ISP MPLS network all the way to the PA Site
4. The PA Site 3900 has a default route, probably towards PA ASA 10.10.30.2
5. TCP SYN gets forwarded from the PA 3900 to the PA ASA according to the above mentioned default route on the PA 3900
6. TCP SYN arrives on the ASA and gets forwarded to the Internet
7. TCP SYN,ACK from the Web server arrives on the ASA
8. ASA will ARP for the MAC address of the WI PC IP address of 10.10.10.10 because it thinks that the host is directly connected to the ASA's "inside" interface, because of the "inside" interface's large /16 network mask, which contains addresses between 10.10.0.0 - 10.10.255.255
9. The ARP request sent from the ASA never receives a reply since the WI PC isn't directly connected
10. PA ASA will never be able to forward the traffic to the WI PC which is trying to open the connection to the Internet because of the above mentioned problem. Therefore the TCP connection from WI PC never succeeds and times out.
Now you might ask why the connections between the PA and WI LAN work. To my understanding, that is because the traffic from the PA hosts first gets forwarded to the PA 3900, so they have a working route to the WI LAN. In the same way the WI LAN has a working route towards the PA LAN, since the ASA isn't involved in any way.
The PA Internet connection naturally works as the 10.10.30.0/24 hosts are directly connected to the ASA, so the above mentioned ARP will not fail on their part and traffic is forwarded just fine between the PA LAN and the Internet.
So to my understanding the solution to this problem would be to change the PA ASA "inside" subnet mask from 255.255.0.0 to 255.255.255.0.
If you are unsure of this change I would suggest you do it when there is low network use (so you can revert the change). Naturally if you are on the PA LAN then you can probably access the Console connection if something were to go wrong. I can't see any configurations on the PA ASA which would imply that you configure the device remotely through the Internet.
Hope I made sense and hope this helps
Naturally ask more if needed
- Jouni
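The forwarding decision walked through in the answer above, modelled as an added Python example (not part of the original thread). It goes one step beyond the answer by also showing the case where the mask is changed but the ASA has no route back to 10.10.10.0/24; the static route via 10.10.30.1, the outside address 203.0.113.2 and the default gateway 203.0.113.1 are assumptions, since the thread does not show the ASA's route table.

```python
import ipaddress


def forward(dst, interfaces, routes):
    """Decide how a routed firewall delivers a packet addressed to dst.

    interfaces: {name: "address/prefix"} for each connected interface
    routes:     [(interface, "prefix", gateway)] static routes
    Returns (action, interface, next_hop). 'arp' means dst is treated as
    on-link and the firewall ARPs for dst itself; 'gateway' means the
    packet is handed to next_hop; 'drop' means no route matched.
    """
    dst = ipaddress.ip_address(dst)
    candidates = []
    for name, addr in interfaces.items():
        net = ipaddress.ip_interface(addr).network
        if dst in net:
            candidates.append((net.prefixlen, 1, "arp", name, str(dst)))
    for name, prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            candidates.append((net.prefixlen, 0, "gateway", name, gateway))
    if not candidates:
        return ("drop", None, None)
    # Longest prefix wins; a connected route beats a static one of equal length.
    return max(candidates)[2:]


WI_PC = "10.10.10.10"                               # Office 2 host from the answer
DEFAULT = ("outside", "0.0.0.0/0", "203.0.113.1")   # constructed default route
BACK_TO_WI = ("inside", "10.10.10.0/24", "10.10.30.1")  # assumed static route


def scenarios():
    """Return path for the SYN,ACK towards the WI PC under three configurations."""
    wide = {"inside": "10.10.30.2/16", "outside": "203.0.113.2/24"}
    narrow = {"inside": "10.10.30.2/24", "outside": "203.0.113.2/24"}
    return {
        # /16 on inside: the WI PC looks on-link, so the ASA ARPs for it and fails.
        "mask_16": forward(WI_PC, wide, [DEFAULT]),
        # /24 but no route back: the reply follows the default route to outside.
        "mask_24_no_route": forward(WI_PC, narrow, [DEFAULT]),
        # /24 plus a route via the MPLS router: the reply goes to 10.10.30.1.
        "mask_24_with_route": forward(WI_PC, narrow, [DEFAULT, BACK_TO_WI]),
        # Office 1 hosts stay on-link in every case.
        "pa_host": forward("10.10.30.50", narrow, [DEFAULT, BACK_TO_WI]),
    }


if __name__ == "__main__":
    for label, decision in scenarios().items():
        print(f"{label:20} {decision}")
```
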
Similar Messages
-
Cisco ASA 5505 Routing between internal networks
Hi,
I am new to Cisco ASA and have been configuring my new firewall, but one thing has been bothering me. I cannot get internal networks and routing between them to work as I would like. The goal is to set up four networks and control access between them with ACLs.
1. Outside
2. DMZ
3. ServerNet1
4. Inside
ASA version is 9.1 and I have been reading about two different ways of handling IP routing with this: NAT exempt, and not configuring NAT at all and letting normal IP routing handle the internal networks. No matter how I configure it, with or without NAT, I cannot get access from the inside network to DMZ or from ServerNet1 to DMZ. The strange thing is that I can access services from DMZ to Inside and ServerNet1 if the access list allows it. For instance, the DNS server is on the Inside network and DMZ works great using it.
Here is the running conf:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Hi Jouni,
Yep, Finnish would be good also =)
In front of the ASA is a DSL modem; on the trunk ports is a Hyper-V host that uses the trunk ports so that every VM has its VLAN ID defined at the VM level. Everything is working well on that end. Also there is a WLAN access point on one of the ASA ports; the WLAN AP has its management portal address on the DMZ, which I have been testing against (192.168.3.4).
If I configure Dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on DMZ, but that's not the right way to do it, so no shortcuts =)
Here is the conf now, still doesn't work:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
object-group network DEFAULT-PAT-SOURCE
description Default PAT source networks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
So I have a weird problem that I'm hoping someone has a point in the right direction I can follow... At home I have a Cisco ASA 5505 - not very complex network some BCP configs and it's providing a NAT (PAT). I have a static IP and using a few RFC 1918 segments - like I said nothing earth shattering. I have a linksys E1200 802.11N WPA2 PSK - again pretty standard. I connect laptops, iPads, iPhones, Kindles, Androids no problem. Until recently my 60" Vizio had no issues using the network (wired or wireless). Now network is failing on the TV. I see it get to the FW and I can ping trace etc... to the TV. The FW logs show resets (log is below).
Now here is the real interesting part - if I turn the tether feature on my iPhone on and connect the TV to it - it works - what's even more interesting is if I then go back to the home network it all works again no problem until I reboot the TV... HELP!
Apr 19 15:34:09 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60657 to outside:68.162.222.142/57003
Apr 19 15:34:09 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61988 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60657 (68.162.222.142/57003)
Apr 19 15:34:09 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61988 for outside:98.137.204.251/443 to inside:10.10.10.139/60657 duration 0:00:00 bytes 3689 TCP Reset-I
Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60658 to outside:68.162.222.142/53332
Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61989 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60658 (68.162.222.142/53332)
Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/37006 to outside:68.162.222.142/40015
Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61990 for outside:98.136.10.32/443 (98.136.10.32/443) to inside:10.10.10.139/37006 (68.162.222.142/40015)
Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61989 for outside:98.137.204.251/443 to inside:10.10.10.139/60658 duration 0:00:00 bytes 3689 TCP Reset-I
Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61990 for outside:98.136.10.32/443 to inside:10.10.10.139/37006 duration 0:00:00 bytes 3689 TCP FINs
Hello ras,
As you mentioned, the TV is sending a reset packet to the remote address. I recommend that you create a capture of the traffic and review the traffic at the packet level to see a possible reason for the drop.
Here is how. Then you can download it in pcap format and upload it to the forum for further analysis.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-6941209
Hope this information is helpful.
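One way to triage the log excerpt in the post above before taking a capture, as an added Python example (not part of the original thread): it joins the ASA 302013 Built and 302014 Teardown messages by connection ID and counts teardown reasons per inside host. The sample lines are copied from the post; the function names and the `inside_if` parameter are made up for this sketch.

```python
import re
from collections import Counter, defaultdict

# Sample lines copied from the post above (the 305011 lines are ignored).
SAMPLE_LOG = """\
Apr 19 15:34:09 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60657 to outside:68.162.222.142/57003
Apr 19 15:34:09 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61988 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60657 (68.162.222.142/57003)
Apr 19 15:34:09 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61988 for outside:98.137.204.251/443 to inside:10.10.10.139/60657 duration 0:00:00 bytes 3689 TCP Reset-I
Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61989 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60658 (68.162.222.142/53332)
Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61990 for outside:98.136.10.32/443 (98.136.10.32/443) to inside:10.10.10.139/37006 (68.162.222.142/40015)
Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61989 for outside:98.137.204.251/443 to inside:10.10.10.139/60658 duration 0:00:00 bytes 3689 TCP Reset-I
Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61990 for outside:98.136.10.32/443 to inside:10.10.10.139/37006 duration 0:00:00 bytes 3689 TCP FINs
"""

BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>\w+) TCP connection (?P<id>\d+) for "
    r"(?P<if1>[\w-]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \(.*?\) to "
    r"(?P<if2>[\w-]+):(?P<ip2>[\d.]+)/(?P<port2>\d+)"
)
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for .*? "
    r"duration (?P<duration>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+)"
)


def parse_connections(lines, inside_if="inside"):
    """Join Built and Teardown messages by connection ID.

    Returns one record per teardown, in log order. The local host is the
    endpoint on inside_if; a teardown with no matching Built line is kept
    with 'unknown' endpoints so that it is not silently lost.
    """
    built, records = {}, []
    for line in lines:
        m = BUILT.search(line)
        if m:
            ends = [(m["if1"], m["ip1"], m["port1"]), (m["if2"], m["ip2"], m["port2"])]
            local = next((e for e in ends if e[0] == inside_if), None)
            remote = next((e for e in ends if e[0] != inside_if), None)
            built[m["id"]] = (
                local[1] if local else "unknown",
                f"{remote[1]}:{remote[2]}" if remote else "unknown",
            )
            continue
        m = TEARDOWN.search(line)
        if m:
            local, remote = built.pop(m["id"], ("unknown", "unknown"))
            records.append({
                "id": m["id"], "local": local, "remote": remote,
                "duration": m["duration"], "bytes": int(m["bytes"]),
                "reason": m["reason"].strip(),
            })
    return records


def reasons_by_host(records):
    """Count teardown reasons per inside host."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["local"]][rec["reason"]] += 1
    return summary


def inside_resets(records):
    """Connections closed with 'TCP Reset-I', i.e. the reset came from the inside."""
    return [r for r in records if r["reason"] == "TCP Reset-I"]


if __name__ == "__main__":
    recs = parse_connections(SAMPLE_LOG.splitlines())
    for host, counts in reasons_by_host(recs).items():
        print(host, dict(counts))
    for r in inside_resets(recs):
        print("reset from inside:", r["local"], "->", r["remote"], r["duration"])
```
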
ASA 5505 9.1 and NAT issues to single dynamic IP
Good afternoon everybody,
a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP).
As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog :
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
At the same time, the console connection shows these two messages:
Asa5505# ERROR: NAT unable to reserve ports.
ERROR: NAT unable to reserve ports.
I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
This is the configuration file, I have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
ASA Version 9.1(5)
hostname Asa5505
domain-name home
enable password XXXXXX encrypted
names
interface Ethernet0/0
description ADSLPPoE
switchport access vlan 2
interface Ethernet0/1
description Internal_LAN
interface Ethernet0/2
description Management_Net
switchport access vlan 3
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
description Uplink
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
description Wireless-POE
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
description Webcam-POE
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.250 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group AliceADSL
ip address pppoe setroute
interface Vlan3
no forward interface Vlan1
nameif management
security-level 100
ip address 10.5.1.250 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.4
domain-name home
object network Exchange-HTTPS
host 192.168.1.150
object network Exchange-SMTP
host 192.168.1.150
object network Network_Inside
subnet 192.168.1.0 255.255.255.0
object network Network_Management
subnet 10.5.1.0 255.255.255.0
access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https
access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Exchange-HTTPS
nat (inside,outside) static interface service tcp https https
object network Exchange-SMTP
nat (inside,outside) static interface service tcp smtp smtp
object network Network_Inside
nat (inside,outside) dynamic interface
object network Network_Management
nat (management,outside) dynamic interface
access-group Outside_ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 8080
http 10.5.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
vpdn group AliceADSL request dialout pppoe
vpdn group AliceADSL localname aliceadsl
vpdn group AliceADSL ppp authentication pap
vpdn username aliceadsl password ***** store-local
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.4 192.168.1.150 interface inside
dhcpd wins 192.168.1.4 interface inside
dhcpd enable inside
dhcpd address 10.5.1.30-10.5.1.40 management
dhcpd dns 208.67.222.222 208.67.220.220 interface management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 10443
anyconnect-essentials
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXX
: end
no asdm history enable
Thanks in advance for your precious help !
C.
Update 29th of June:
Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the running configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
I tried using show xlate both before, during, and after the connection drop. As expected, before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, the whole xlate table is completely empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If I reload the ASA using reload noconfirm every rule is restored and everything works again.
Two brief questions :
1) in my NAT statements for PAT, does it change anything if I modify them (for example) from
nat (inside,outside) static interface service tcp https https
to
nat (inside,outside) dynamic interface service tcp https https
? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
2) if there's not any other way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing"? I can't predict how many times a day the line drops and I can't be there 24/7 with my console cable connected in order to restore the nat statements ^^
Thank you for your precious help and patience !
C.
Cisco ASA 5505 AnyConnect SSL VPN problem
Hi!
I have a small network, with ASA 5505, 8.4:
Inside network: 192.168.2.0/24
Outside: Static IP
I would like to deploy a SSL AnyConnect setup.
The state:
- I get the correct IP from my predefined VPN pool (10.10.10.0/24).
But I could not reach any resource and could not ping either. My host was given the IP 10.10.10.1, and I had a GW: 10.10.10.2. Where is this GW from?
Could you help me?
Here is my config (I omitted my PUBLIC IP, and GW):
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname valamiASA
domain-name valami.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address MY_STATIC_IP 255.255.255.248
interface Vlan12
description Vendegeknek a valamiHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
management-only
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name valami.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool valami_vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 MY_STATIC_GW 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_valami_VPN internal
group-policy GroupPolicy_valami_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value valami.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group valami_VPN type remote-access
tunnel-group valami_VPN general-attributes
address-pool valami_vpn_pool
default-group-policy GroupPolicy_valami_VPN
tunnel-group valami_VPN webvpn-attributes
group-alias valami_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d54de340bb6794d90a9ee52c69044753
: end
First of all, thanks for your link.
I know your notes, but I don't understand 1 thing:
if I check NAT exemption in the AnyConnect wizard, why should I make a NAT exemption rule?
I tried creating a rule, but it is wrong.
My steps (on ASDM):
1: create network object (10.10.10.0/24), named VPN
2: create nat rule: source any, destination VPN, protocol any
Here is my config:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname companyASA
domain-name company.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address 77.111.103.106 255.255.255.248
interface Vlan12
description Vendegeknek a companyHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name company.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object network WEBSHOP
host 192.168.2.2
object network INSIDE_HOST
host 10.100.130.5
object network VOIP_management
host 192.168.2.215
object network Dev_1
host 192.168.2.2
object network Dev_2
host 192.168.2.2
object network RDP
host 192.168.2.2
object network Mediasa
host 192.168.2.17
object network VOIP_ePhone
host 192.168.2.215
object network NETWORK_OBJ_192.168.4.0_28
subnet 192.168.4.0 255.255.255.240
object network NETWORK_OBJ_10.10.10.8_29
subnet 10.10.10.8 255.255.255.248
object network VPN
subnet 10.10.10.0 255.255.255.0
object network VPN-internet
subnet 10.10.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool company_vpn_pool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (any,any) source static any any destination static VPN VPN
nat (inside,outside) source static inside-net inside-net destination static VPN VPN
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 77.111.103.105 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_company_VPN internal
group-policy GroupPolicy_company_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelall
default-domain value company.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server none
dns-server value 62.112.192.4 195.70.35.66
vpn-tunnel-protocol ssl-client
default-domain value company.local
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group company_VPN type remote-access
tunnel-group company_VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_company_VPN
tunnel-group company_VPN webvpn-attributes
group-alias company_VPN enable
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:33ee37a3722f228f9be9b84ef43f731e
: end
Could you give me a CLI-code?
(or ASDM steps). -
Cisco ASA 5505 VPN Routing/Networking Question
I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs. I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses. I would like to install a second Cisco ASA 5505 in a remote branch office as its peer.
Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center? I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible. It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices as the Data Center, allowing it to decide where the traffic should go.
What am I missing? Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?
You can do it in several different ways.
One way is to tell the server that if it has traffic to network x then it needs to go to the ASA; all other traffic is to head for the default gateway.
In Windows this is done via the route command.
Do not forget to make it "persistent", otherwise the route will disappear when you reboot the server.
In Unix/Linux it is also the route command.
Or you can tell your "default gateway" to route that network to the ASA.
Good luck
HTH -
ASA 5505 as hw vpn client to PIX501 or ASA5505 w network extension mode
Hi!
We have been using a PIX 501 for a couple of years now to access a
local network with Cisco VPN software client. However we now need
access from another site with multiple users so I decided to buy two
ASA 5505 UL bundle to do the job. First I tried to just hook up the
new ASA at the remote site and connect to the PIX 501 with easy vpn.
It went fine. I configured the new ASA right from the box with the old
vpn profile settings and it worked right away. But as we also need the
remote site to be accessed from the main site (PIX side) I tried to
enable "network extension mode" but then the tunnel didn't work
anymore. It connects but no traffic is coming through. I set it back
to normal mode (only client) and it worked again.
Is there anything else I need to do to be able to use network
extension mode than just enabling it in ASDM?
The same thing happens when using two ASA 5505 the same way.
Software versions are:
PIX: 6.3
ASA 5505: 7.2.1 (used to be 7.2.2 but I had to downgrade because of a bug in 7.2.2 - vpnclient fails after reboot)
I also did try the latest 8.2 with very little success. Seemed a bit buggy.
Thanks,
Bjorn
Hi!
Thought I could add some info. Our Head unit is 192.168.1.1 and the connecting ASA 5505 is 192.168.10.1. When I try to ping a machine (192.168.1.201) from the remote site I get this in the ASA log:
With network extension mode
302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.10.2/512 laddr 192.168.10.2/512
With only client mode
302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.1.9/1 laddr 192.168.10.2/512
It seems to me (quite the newbie here on ASA) that the unit does not handle the gateway address correctly when using network extension mode. The PC I use to ping from is 192.168.10.2.
Any ideas from the experts ?
Regards,
B -
Cisco ASA 5505 L2TP Pass through
I am having trouble with L2TP pass through on an ASA 5505 device.
L2TP server: OSX 10.6
I can connect with any OSX system and it works fine straight away.
When connecting with a Windows computer I get a 789 error. "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."
I did not set up or configure the device to start with, and apart from this issue it's working fine, so I am hesitant about just messing around too much to try and find the problem.
I am using the ASDM 6.4 to manage the device.
Ports look to be forwarded correctly; 1701, 4500 & 500 UDP.
I'm just looking for other common issues?
Rob
Below are the commands you wanted.
Where you see: IPNOTWHATIWASEXPECTING
This is an IP I don't know, possibly an old IP address.
and
default-domain value domain-notcorrect.local
This is an old domain from years ago.
Result of the command: "show run crypto"
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes-192-sha esp-aes-192 esp-sha-hmac
crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map map-dynamic 1 set pfs group5
crypto dynamic-map map-dynamic 1 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 2 set pfs
crypto dynamic-map map-dynamic 2 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 3 set pfs
crypto dynamic-map map-dynamic 3 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 4 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer IPNOTWHATIWASEXPECTING3
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address acl-amzn
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer IPNOTWHATIWASEXPECTING IPNOTWHATIWASEXPECTING
crypto map outside_map 2 set transform-set transform-amzn
crypto map outside_map 255 ipsec-isakmp dynamic map-dynamic
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto isakmp policy 12
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 13
authentication pre-share
encryption aes-192
hash sha
group 1
lifetime 86400
crypto isakmp policy 21
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 22
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 23
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto isakmp policy 31
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 32
authentication rsa-sig
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 33
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 34
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Result of the command: "show run group-policy"
group-policy evertest internal
group-policy evertest attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy petero internal
group-policy petero attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy awsfilter internal
group-policy awsfilter attributes
vpn-filter value amzn-filter
group-policy vpnpptp internal
group-policy vpnpptp attributes
dns-server value 10.100.25.252
vpn-tunnel-protocol l2tp-ipsec
group-policy vanheelm internal
group-policy vanheelm attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy ciscoVPNuser internal
group-policy ciscoVPNuser attributes
dns-server value 10.100.25.10
vpn-idle-timeout 720
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy chauhanv2 internal
group-policy chauhanv2 attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy oterop internal
group-policy oterop attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy Oterop internal
group-policy Oterop attributes
dns-server value 10.100.25.252
vpn-idle-timeout 30
group-policy chauhanv internal
group-policy chauhanv attributes
dns-server value 10.100.25.252
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy bnixon2 internal
group-policy bnixon2 attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
Result of the command: "show run tunnel-group"
tunnel-group ciscoVPNuser type remote-access
tunnel-group ciscoVPNuser general-attributes
address-pool vpnippool
default-group-policy ciscoVPNuser
tunnel-group ciscoVPNuser ipsec-attributes
pre-shared-key *****
tunnel-group petero type remote-access
tunnel-group petero general-attributes
address-pool vpnippool
default-group-policy petero
tunnel-group petero ipsec-attributes
pre-shared-key *****
tunnel-group oterop type remote-access
tunnel-group oterop general-attributes
address-pool vpnippool
default-group-policy oterop
tunnel-group oterop ipsec-attributes
pre-shared-key *****
tunnel-group vanheelm type remote-access
tunnel-group vanheelm general-attributes
address-pool vpnippool
default-group-policy vanheelm
tunnel-group vanheelm ipsec-attributes
pre-shared-key *****
tunnel-group chauhanv type remote-access
tunnel-group chauhanv general-attributes
default-group-policy chauhanv
tunnel-group Oterop type remote-access
tunnel-group Oterop general-attributes
default-group-policy Oterop
tunnel-group chauhanv2 type remote-access
tunnel-group chauhanv2 general-attributes
address-pool vpnippool
default-group-policy chauhanv2
tunnel-group chauhanv2 ipsec-attributes
pre-shared-key *****
tunnel-group bnixon2 type remote-access
tunnel-group bnixon2 general-attributes
address-pool vpnippool
default-group-policy bnixon2
tunnel-group bnixon2 ipsec-attributes
pre-shared-key *****
tunnel-group vpnpptp type remote-access
tunnel-group vpnpptp general-attributes
address-pool vpnippool
default-group-policy vpnpptp
tunnel-group IPNOTWHATIWASEXPECTING4 type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING4 ipsec-attributes
pre-shared-key *****
tunnel-group evertest type remote-access
tunnel-group evertest general-attributes
address-pool vpnippool
default-group-policy evertest
tunnel-group evertest ipsec-attributes
pre-shared-key *****
tunnel-group evertest ppp-attributes
authentication ms-chap-v2
tunnel-group IPNOTWHATIWASEXPECTING3 type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING3 ipsec-attributes
pre-shared-key *****
tunnel-group IPNOTWHATIWASEXPECTING2 type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING2 general-attributes
default-group-policy awsfilter
tunnel-group IPNOTWHATIWASEXPECTING2 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 3
tunnel-group IPNOTWHATIWASEXPECTING type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING general-attributes
default-group-policy awsfilter
tunnel-group IPNOTWHATIWASEXPECTING ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 3
Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsec"
INFO: There are presently no active sessions of the type specified
Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNAT"
INFO: There are presently no active sessions of the type specified -
Problem with nat / access rule for webserver in inside network asa 5505 7.2
Hello,
I have trouble setting up NAT and an access rule for a webserver located in the inside network.
I have an ASA 5505 version 7.2 and it has two active interfaces, inside 192.168.123.0 and outside x.x.x.213.
The webserver has IP 192.168.123.11 and it needs to be accessed from outside, IP x.x.x.213.
I have created a static NAT rule with PAT (as an appendix) and access rules from the outside network to the inside interface IP 192.168.123.11 (tcp 80) but no luck.
What am I doing wrong?
Command:
packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=188.x.x.213, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
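Added example, not part of the original thread: a Python parser for the packet-tracer output quoted above that reports which phase dropped the packet, whether the drop came from an implicit rule, and whether any UN-NAT phase ran. The function names are this example's own, and the sample is the thread's output, abridged.

```python
import re

# packet-tracer output quoted in the thread, abridged (address masked as posted).
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
# Only these labels start a field; other lines ending in ':' are continuation text.
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
MULTILINE = ("Config", "Additional Information")


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts and the final summary."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "Type": "", "Subtype": "",
                       "Result": "", "Config": [], "Additional Information": []}
            phases.append(current)
            section, in_summary = None, False
            continue
        if line == "Result:":  # a bare "Result:" opens the closing summary
            current, in_summary = None, True
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue  # preamble, e.g. the echoed command line
        m = FIELD_RE.match(line)
        if m:
            name, value = m.groups()
            if name in MULTILINE:
                section = name
                if value:
                    current[name].append(value)
            else:
                current[name], section = value, None
            continue
        if section:
            current[section].append(line)
    return phases, summary


def diagnose(phases, summary):
    """Summarise where and why the simulated packet was dropped."""
    drop = next((p for p in phases if p["Result"].upper() == "DROP"), None)
    return {
        "action": summary.get("Action", "unknown"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["Type"] if drop else None,
        # "Implicit Rule" under Config: no configured ACE matched the packet.
        "implicit_rule": bool(drop) and any(
            "implicit rule" in c.lower() for c in drop["Config"]),
        # No UN-NAT phase: the traced destination hit no static translation.
        "saw_un_nat": any(p["Type"] == "UN-NAT" for p in phases),
        "drop_reason": summary.get("Drop-reason"),
    }


if __name__ == "__main__":
    for key, value in diagnose(*parse_packet_tracer(SAMPLE)).items():
        print(f"{key}: {value}")
```

For this trace the result is a drop at phase 3 (ACCESS-LIST) by an implicit rule, with no UN-NAT phase. On pre-8.3 software such as the 7.2 in this thread, the outside access list is evaluated against the translated (public) address, so a trace aimed at the real inside address does not exercise the static rule.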
Cisco ASA 5505 Firewall Not Allowing Incoming Traffic
Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out. I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
Hey Craig,
Based on your commands I think you were using 6.3 version on PIX and now you must be moving to ASA ver 8.2.x.
On 8.4 for interface defining use below mentioned example :
int eth0/0
ip add x.x.x.x y.y.y.y
nameif outside
no shut
int eth0/1
ip add x.x.x.x y.y.y.y
nameif inside
no shut
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
You can use two global statements, as the first statement would be used as dynamic NAT and the second as PAT.
If you're still not able to reach it, paste your entire config and the version that you are using on the ASA. -
OWA not accessible after setting up vpn through ASA 5505
I have a client that is running Win2003 Server R2 with Exchange Server 2003. OWA was setup and clients could connect to their exchange mailbox from the internet with no problems.
We recently configured vpn on the ASA 5505 and now no-one can connect to OWA since that time.
Here is what I have for a configuration.
Any thoughts?
I thought OWA uses tcp port 80 by default, or 443 if you use https. Ignore the rest if this fact is wrong. Otherwise ...
In your config there is nothing to allow the www traffic in the access-list outside_access_in
access-list outside_access_in extended permit tcp any interface outside eq 80
and no static nat for this
static (inside,outside) tcp interface 80 192.168.0.254 80 netmask 255.255.255.255
I think these must have got deleted when you made the other changes? Hope this helps. -
ASA 5505 Isolated Networks with Site-to-Site VPN Access
I'm in the process of setting up an ASA 5505 for a remote site and needed some assistance determining if what I want to do is possible as well as if I need to upgrade the license from Base to Security Plus.
Remote Site ASA 5505 Interfaces:
Outside (Interface 0) - Public Internet, Static IP (Connected to Sierra Wireless AirLink Gateway)
AMI (Interface 1) (VLAN 742) - 10.40.31.129/25
SCADA (Interface 2) (VLAN 772) - 10.70.0.5/30
I need to ensure that the two internal VLANs cannot access/talk to one another and the "SCADA" network cannot access Internet, just remote subnets across a VPN tunnel.
ASA will need to have three IPsec tunnels:
Tunnel 1 to SCADA Firewall
Remote Site - 10.70.0.4/30 Subnet
Central Site - 10.101.41.0/24 Subnet
Tunnel 2 to Corporate Firewall
Remote Site - 10.40.31.129/25 Subnet
Central Site - 192.168.110.0/24 and 192.168.210.0/24 Subnet
Tunnel 3 to Partner Firewall
Remote Site - 10.40.31.129/25 Subnet
Partner Site Subnets
The ASA is running 9.1(5) and ASDM 7.1(6).
I've attached a diagram of what the connections look like between sites.
I reviewed your attached diagram and am trying to give you as much as I can.
Other gurus, please correct me if I am missing anything.
If I remember correctly, with the base license, you can set up VPN peers.
interface Ethernet0/0
nameif outside
security-level 0
ip address public ip, subnet mask
int e0/1
nameif AMI
security-level 100
ip add 10.40.31.129 255.255.255.128
int e0/2
nameif SCADA
security-level 10
ip add 10.70.0.5 255.255.255.252
route outside 0.0.0.0 0.0.0.0 public IP
tunnel-group 173.8.244.181 type ipsec-l2l
tunnel-group 173.8.244.181 ipsec-attributes
ikev1 pre-shared-key Pr3$h@r3DkEyScAdA
tunnel-group 173.8.244.189 type ipsec-l2l
tunnel-group 173.8.244.189 ipsec-attributes
ikev1 pre-shared-key Pr3$h@r3DkEyC0Rp
tunnel-group 148.80.252.60 type ipsec-l2l
tunnel-group 148.80.252.60 ipsec-attributes
ikev1 pre-shared-key Pr3$h@r3DkEypArTN3R
! enable IKEv1 on the outside interface
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 86400
crypto ipsec ikev1 transform-set kerseyami esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address SCADA
crypto map VPN 10 set peer 173.8.244.181
crypto map VPN 10 set ikev1 transform-set kerseyami
crypto map VPN 10 set security-association lifetime seconds 86400
crypto map VPN 20 match address CORP
crypto map VPN 20 set peer 173.8.244.189
crypto map VPN 20 set ikev1 transform-set kerseyami
crypto map VPN 20 set security-association lifetime seconds 86400
crypto map VPN 30 match address PARTNER-FW
crypto map VPN 30 set peer 148.80.252.60
crypto map VPN 30 set ikev1 transform-set kerseyami
crypto map VPN 30 set security-association lifetime seconds 86400
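! Interesting traffic per tunnel, using the subnets listed in the question
access-list SCADA extended permit ip 10.70.0.4 255.255.255.252 10.101.41.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.210.0 255.255.255.0
access-list PARTNER-FW extended permit ip 10.40.31.128 255.255.255.128 subnets behind your Partner-FW
! Bind the crypto map to the outside interface
crypto map VPN interface outside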
Note: on the other side of the firewalls, like the SCADA side, CORP side and Partner FW side, you need to configure the same pre-shared key, the same crypto IKE 1 and 2 policies, and the same interesting traffic in order to have this working.
Let us know how this works.
JD... -
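The requirement in the note above, that both peers define the same interesting traffic, can be checked offline before a tunnel is brought up. The following Python sketch is an added example, not part of the original reply: it parses `access-list ... extended permit ip` entries and reports selectors that are not exact mirrors on the peer. The peer ACL name `TO-REMOTE` and the peer's lines are constructed sample input.

```python
import ipaddress
import re

# One address spec in an ASA ACE: "any", "host A.B.C.D", or "A.B.C.D MASK".
_ADDR = r"(any|host\s+\S+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
_ACE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+" + _ADDR + r"\s+" + _ADDR + r"\s*$"
)


def _net(spec):
    """Convert an ACE address spec into an ip_network object."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    # strict=True raises ValueError when host bits are set, for example
    # 10.40.31.129 with mask 255.255.255.128 (the network is 10.40.31.128).
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=True)


def parse_crypto_acl(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    selectors = set()
    for line in config.splitlines():
        m = _ACE.match(line.strip())
        if m and m.group(1) == name:
            selectors.add((_net(m.group(2)), _net(m.group(3))))
    return selectors


def mirror_mismatches(local, remote):
    """Each local (src, dst) must exist on the peer as (dst, src).

    Returns (missing_on_peer, extra_on_peer), both sorted lists of tuples
    written from the peer's point of view.
    """
    expected_on_peer = {(dst, src) for src, dst in local}
    missing = sorted(expected_on_peer - remote, key=str)
    extra = sorted(remote - expected_on_peer, key=str)
    return missing, extra


# Constructed sample: remote-site ACL built from the subnets in the question.
LOCAL_CONFIG = """
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.210.0 255.255.255.0
"""

# Constructed sample: central-site ACL whose second entry uses a /24 instead
# of the /25, so the proxy identities will not match for that pair.
PEER_CONFIG = """
access-list TO-REMOTE extended permit ip 192.168.110.0 255.255.255.0 10.40.31.128 255.255.255.128
access-list TO-REMOTE extended permit ip 192.168.210.0 255.255.255.0 10.40.31.0 255.255.255.0
"""

if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_CONFIG, "CORP")
    peer = parse_crypto_acl(PEER_CONFIG, "TO-REMOTE")
    missing, extra = mirror_mismatches(local, peer)
    for src, dst in missing:
        print(f"peer is missing: permit ip {src} -> {dst}")
    for src, dst in extra:
        print(f"peer has unmatched: permit ip {src} -> {dst}")
```

The strict network parsing also catches an address such as 10.40.31.129 paired with a /25 mask, which is a host inside 10.40.31.128/25 rather than a subnet.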
How can I map SSH from an outside network range to an internal host (ASA 5505)
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
- External network range that needs SSH access: 8.8.8.0/24
- Outside interface: 10.1.10.2 (NAT'd from 7.7.7.7)
- Inside Network: 192.168.100.0/24
- Inside host to redirect external SSH to: 192.168.100.98
Hi All,
I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought.
Can anyone help with this? What commands should I enter to accomplish mapping SSH from an outside network range to an internal host?
Many thanks,
Tarran
This may or may not work depending on how your modem handles the natting. On your firewall try this -
static (inside,outside) tcp interface 22 192.168.100.98 22
then add this to your acl on the outside interface of your ASA -
access-list outside_in permit tcp 8.8.8.0 255.255.255.0 host 10.1.10.2 eq 22
if you don't have an acl applied then add this extra step -
access-group outside_in in interface outside
Jon -
ASA 5505 VPN can't access connected network
I have an ASA 5505 with ipsec VPN configured on it. I am able to connect to the ASA but I can't ping a connected network. I get a dhcp assigned address in the network I am trying to reach but can't access that network on Vlan5. Please help.
I attached the config.
I think final questions, can you have two nat statements that point to the same ACL, i.e.
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.9.0 255.255.255.0
nat (fw-civic) 0 access-list no_nat
nat (fw-civic) 1 192.168.5.0 255.255.255.0
Or do I need to create a new acl for the fw-civic interface?
Thanks -
Cisco ASA 5505 - 2 internal Networks
Hi new to ASA's,
Been trying to get the following setup working for ages but can't see what I am missing:
(Got image from another post but exactly what I want but cannot get working)
I can get ping between subnets but nothing else and Lan 2 cannot get to internet.
The resolution for this guy was the following, I believe (from his config he has ASA v8.2):
same-security-traffic permit intra-interface
access-list NONAT permit ip 192.168.50.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list NONAT permit ip 10.0.50.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
I have tried this but I have ASA v8.4 and whilst commands 1 - 3 work command 4 doesn't.
I get a message about the command being deprecated. I couldn't find a new version I could understand.
Hope nothing stupid and simple but any help greatly appreciated.
BTW, I have reset my ASA back to defaults except internet access is working and internet LAN, as I made so many changes I feared one may conflict with the other.
Many thanks for any views or help.
Hi Jumora,
Thanks for the reply.
The 192 network behind the ASA can access the internet but the 10 network past the 1841 router can't.
I have setup tcp bypass already as that got me at least remote access to the PC's on the 10 network from the 192 network.
I had the 1841 router set to use the interface on the 192 subnet as the route to the 0.0.0.0 0.0.0.0 network but I couldn't get out, but have just changed this to go to the inside interface of the ASA and can now ping 8.8.8.8 for example, but still no internet access.
Also I have found that the ASA seems to occasionally when it feels like it block pings from the 10 subnet to devices in the 192 subnet...... annoying for testing! but I can still access shares even though the ping fails.
e.g. as per above yesterday it stopped when I enabled icmp error inspection but when I switched that off it worked again. Then suddenly again today with no changes it has stopped working again, drives me nuts the inconsistency!
I couldn't find an attach option for the show tech so it has made this post massive.... apologies for that....
ASA5505# show tech
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(9)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
ASA5505 up 8 days 23 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 4403.a7a2.e7c7, irq 11
1: Ext: Ethernet0/0 : address is 4403.a7a2.e7bf, irq 255
2: Ext: Ethernet0/1 : address is 4403.a7a2.e7c0, irq 255
3: Ext: Ethernet0/2 : address is 4403.a7a2.e7c1, irq 255
4: Ext: Ethernet0/3 : address is 4403.a7a2.e7c2, irq 255
5: Ext: Ethernet0/4 : address is 4403.a7a2.e7c3, irq 255
6: Ext: Ethernet0/5 : address is 4403.a7a2.e7c4, irq 255
7: Ext: Ethernet0/6 : address is 4403.a7a2.e7c5, irq 255
8: Ext: Ethernet0/7 : address is 4403.a7a2.e7c6, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 50 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX3434343T
Running Permanent Activation Key: 0x8509ef7f 0x2cff5895 0xa4675895 0x7989798 0xc1323132
Configuration register is 0x1
Configuration last modified by enable_15 at 16:21:28.863 UTC Wed Oct 23 2013
------------------ show disk0: controller ------------------
Flash Model: SMART CF
------------------ show clock ------------------
04:43:59.822 UTC Thu Oct 24 2013
------------------ show crashinfo ------------------
No crash file found.
------------------ show module ------------------
Mod Card Type Model Serial No.
0 ASA 5505 Adaptive Security Appliance ASA5505 JMX3434343T
Mod MAC Address Range Hw Version Fw Version Sw Version
0 1255.a3a4.e3bf to 1233.a4a4.e4c4 0.1 1.0(12)13 8.4(4)1
Mod SSC Application Name Status SSC Application Version
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
------------------ show memory ------------------
Free memory: 283382600 bytes (53%)
Used memory: 253488312 bytes (47%)
Total memory: 536870912 bytes (100%)
------------------ show conn count ------------------
76 in use, 704 most used
------------------ show xlate count ------------------
80 in use, 814 most used
------------------ show vpn-sessiondb summary ------------------
No sessions to display.
------------------ show blocks ------------------
SIZE MAX LOW CNT
0 400 399 400
4 100 99 99
80 347 332 347
256 200 192 195
1550 6374 6306 6371
2048 1200 1199 1200
2560 264 264 264
4096 100 99 100
8192 100 99 100
16384 100 99 100
65536 16 15 16
CORE LIMIT ALLOC HIGH CNT FAILED
0 24576 26 26 25 0
------------------ show blocks queue history detail ------------------
History buffer memory usage: 2832 bytes (default)
History analysis time limit: 100 msec
Please see 'show blocks exhaustion snapshot' for more information
------------------ show interface ------------------
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7bf, MTU not set
IP address unassigned
8257648 packets input, 9051289473 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
6222 switch ingress policy drops
6399241 packets output, 1011134108 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c0, MTU not set
IP address unassigned
1330699 packets input, 312264395 bytes, 0 no buffer
Received 63097 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
1738131 packets output, 637935280 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 4
Interface config status is active
Interface state is active
Interface Ethernet0/2 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c1, MTU not set
IP address unassigned
5028958 packets input, 693527818 bytes, 0 no buffer
Received 28835 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1 switch ingress policy drops
7782140 packets output, 8316018900 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 5
Interface config status is active
Interface state is active
Interface Ethernet0/3 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c2, MTU not set
IP address unassigned
17048409 packets input, 21350059442 bytes, 0 no buffer
Received 75081 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
18 switch ingress policy drops
8319277 packets output, 5138543287 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active
Interface Ethernet0/4 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c3, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 7
Interface config status is not active
Interface state is active
Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c4, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 8
Interface config status is not active
Interface state is active
Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c5, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 9
Interface config status is not active
Interface state is active
Interface Ethernet0/7 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 4403.a7a2.e7c6, MTU not set
IP address unassigned
7293552 packets input, 4521902362 bytes, 0 no buffer
Received 6520 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
16232858 packets output, 21234947011 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 4403.a2a2.e2c2, MTU not set
IP address unassigned
15222257 packets input, 10134321711 bytes, 0 no buffer
Received 173531 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
15128507 packets output, 10256870512 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (512/487)
output queue (blocks free curr/low): hardware (512/450)
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Interface Internal-Data0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0000.0003.0002, MTU not set
IP address unassigned
15128465 packets input, 10256855882 bytes, 0 no buffer
Received 1967 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 switch ingress policy drops
15222217 packets output, 10134318430 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 11
Interface config status is active
Interface state is active
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 4403.a7a2.e7c7, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
4183727 packets input, 523675346 bytes
5702790 packets output, 5851485425 bytes
142576 packets dropped
1 minute input rate 22 pkts/sec, 2839 bytes/sec
1 minute output rate 30 pkts/sec, 22751 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 33 pkts/sec, 3746 bytes/sec
5 minute output rate 46 pkts/sec, 20906 bytes/sec
5 minute drop rate, 1 pkts/sec
Control Point Interface States:
Interface number is 14
Interface config status is active
Interface state is active
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 4403.a7a2.e7c7, MTU 1492
IP address 98.22.77.33, subnet mask 255.255.255.255
Traffic Statistics for "outside":
10541983 packets input, 11433817622 bytes
3793777 packets output, 526586888 bytes
13654 packets dropped
1 minute input rate 47 pkts/sec, 41657 bytes/sec
1 minute output rate 18 pkts/sec, 2802 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 80 pkts/sec, 38519 bytes/sec
5 minute output rate 29 pkts/sec, 3749 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 15
Interface config status is active
Interface state is active
Interface Virtual0 "_internal_loopback", is up, line protocol is up
Hardware is Virtual MAC address 0000.0000.0000, MTU 1500
IP address 127.0.0.1, subnet mask 255.255.255.0
Traffic Statistics for "_internal_loopback":
1 packets input, 28 bytes
1 packets output, 28 bytes
1 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 12
Interface config status is active
Interface state is active
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 12%; 1 minute: 8%; 5 minutes: 8%
Mwe 0x0869e365 0xc8689384 0x0a3458b0 0 0xc86854d8 15832/16384 Integrity Fw Timer Thread
Msi 0x08852fd6 0xc868d55c 0x0a3458b0 206 0xc8689670 15656/16384 netfs_vnode_reclaim
Mwe 0x08f4212d 0xcb2a1914 0x0a3458b0 1277 0xcbd38510 15008/16384 Unicorn Proxy Thread
Mwe 0x0825afcb 0xcbc61254 0x0a3458b0 335 0xcbc5d788 14272/16384 emweb/https
Mwe 0x08eef828 0xcbd4dd0c 0xcbd4fd7c 0 0xcbd49fd0 14888/16384 listen/telnet
Mwe 0x08aac530 0xcbdbd754 0xcbd6c9fc 102 0xcbd9def8 127432/131072 Unicorn Admin Handler
Mwe 0x08aab345 0xcbddd644 0x0a3458b0 105 0xcbdbdf28 123712/131072 Unicorn Admin Handler
Mwe 0x08cd7c6f 0xcaf358cc 0x0a49edc8 0 0xcaf31bb0 15384/16384 qos_metric_daemon
Mwe 0x08218c82 0xcb2693fc 0x0a3458b0 3 0xcb265560 13248/16384 DHCP Client
Mwe 0x08f1d929 0xcb4bb0fc 0xc8f3ece4 0 0xcb4b3300 31552/32768 DHCPC Receiver
M* 0x08a86f55 0xdcc1df2c 0x0a346144 274 0xcb34deb8 19696/32768 telnet/ci
- - - - 0 - - DATAPATH-0-455
- - - - 744377118 - - scheduler
- - - - 774156778 - - total elapsed
------------------ show kernel process ------------------
------------------ show kernel cgroup-controller detail ------------------
------------------ show traffic ------------------
inside:
received (in 422169.300 secs):
4183910 packets 523687951 bytes
9 pkts/sec 1006 bytes/sec
transmitted (in 422169.300 secs):
5702974 packets 5851550584 bytes
3 pkts/sec 13006 bytes/sec
1 minute input rate 22 pkts/sec, 2839 bytes/sec
1 minute output rate 30 pkts/sec, 22751 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 33 pkts/sec, 3746 bytes/sec
5 minute output rate 46 pkts/sec, 20906 bytes/sec
5 minute drop rate, 1 pkts/sec
outside:
received (in 422169.300 secs):
10542135 packets 11433861540 bytes
4 pkts/sec 27002 bytes/sec
transmitted (in 422169.300 secs):
3793870 packets 526596330 bytes
8 pkts/sec 1003 bytes/sec
1 minute input rate 47 pkts/sec, 41657 bytes/sec
1 minute output rate 18 pkts/sec, 2802 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 80 pkts/sec, 38519 bytes/sec
5 minute output rate 29 pkts/sec, 3749 bytes/sec
5 minute drop rate, 0 pkts/sec
_internal_loopback:
received (in 422168.950 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 422168.950 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Aggregated Traffic on Physical Interface
Ethernet0/0:
received (in 776992.730 secs):
8257731 packets 9051312645 bytes
5 pkts/sec 11002 bytes/sec
transmitted (in 776992.730 secs):
6399342 packets 1011145708 bytes
2 pkts/sec 1002 bytes/sec
1 minute input rate 26 pkts/sec, 24481 bytes/sec
1 minute output rate 20 pkts/sec, 3472 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 40 pkts/sec, 20147 bytes/sec
5 minute output rate 29 pkts/sec, 4280 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/1:
received (in 776992.730 secs):
1330771 packets 312271947 bytes
1 pkts/sec 3 bytes/sec
transmitted (in 776992.730 secs):
1738316 packets 638003030 bytes
2 pkts/sec 3 bytes/sec
1 minute input rate 4 pkts/sec, 405 bytes/sec
1 minute output rate 11 pkts/sec, 3333 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 7 pkts/sec, 735 bytes/sec
5 minute output rate 13 pkts/sec, 4410 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/2:
received (in 776993.220 secs):
5028958 packets 693527818 bytes
0 pkts/sec 2 bytes/sec
transmitted (in 776993.220 secs):
7782202 packets 8316039741 bytes
4 pkts/sec 10000 bytes/sec
1 minute input rate 1 pkts/sec, 153 bytes/sec
1 minute output rate 2 pkts/sec, 391 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 187 bytes/sec
5 minute output rate 3 pkts/sec, 1011 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/3:
received (in 776993.220 secs):
17219822 packets 21609826615 bytes
0 pkts/sec 27005 bytes/sec
transmitted (in 776993.220 secs):
8373382 packets 5142266559 bytes
5 pkts/sec 6004 bytes/sec
1 minute input rate 8384 pkts/sec, 12695156 bytes/sec
1 minute output rate 2657 pkts/sec, 203156 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 8010 pkts/sec, 12112337 bytes/sec
5 minute output rate 2525 pkts/sec, 188122 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/4:
received (in 776993.680 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 776993.680 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/5:
received (in 776993.690 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 776993.690 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/6:
received (in 776994.140 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 776994.140 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/7:
received (in 776994.140 secs):
7328915 packets 4524298170 bytes
3 pkts/sec 5004 bytes/sec
transmitted (in 776994.140 secs):
16345245 packets 21405489647 bytes
4 pkts/sec 27001 bytes/sec
1 minute input rate 2330 pkts/sec, 158045 bytes/sec
1 minute output rate 7422 pkts/sec, 11264540 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2481 pkts/sec, 168427 bytes/sec
5 minute output rate 7977 pkts/sec, 12105867 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/0:
received (in 776994.640 secs):
15222548 packets 10134365294 bytes
3 pkts/sec 13004 bytes/sec
transmitted (in 776994.640 secs):
15128813 packets 10256961010 bytes
2 pkts/sec 13001 bytes/sec
1 minute input rate 45 pkts/sec, 24860 bytes/sec
1 minute output rate 49 pkts/sec, 26647 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 73 pkts/sec, 24918 bytes/sec
5 minute output rate 75 pkts/sec, 26334 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/1:
received (in 776994.640 secs):
15128721 packets 10256943282 bytes
2 pkts/sec 13001 bytes/sec
transmitted (in 776994.640 secs):
15222455 packets 10134357062 bytes
3 pkts/sec 13004 bytes/sec
1 minute input rate 48 pkts/sec, 26530 bytes/sec
1 minute output rate 45 pkts/sec, 24826 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 75 pkts/sec, 26323 bytes/sec
5 minute output rate 73 pkts/sec, 24908 bytes/sec
5 minute drop rate, 0 pkts/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req