ASA 5505 version 9.1(4) NAT issue
Hi,
I am using ASA 5505 version 9.1(4) and using dynamic NAT command to NAT(PAT) inside subnet 192.168.3.0/24 with outside interface 192.168.100.2/24
But unable to ping from inside host to internet or router interface 192.168.100.1 . Please suggest the show running is mentioned below.
Following is the logical diagram
192.168.100.1/24 192.168.100.2/24 192.168.3.1
Internet(ISP) ------------------->------------------ Router------------------------->(e0/0) ASA 5505 (9.1) eth0/4 ----- ---------- Host (192.168.3.22)
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ciscoasa(config)# object network Generic_All_Network
ciscoasa(config-network-object)# sub
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
ciscoasa(config-network-object)# ex
ciscoasa(config)# nat (inside,outside) source dynamic Generic_All_Network inte$
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# wr
Building configuration...
Cryptochecksum: fe5175c6 25dfd45a 117bd6e3 867486db
3211 bytes copied in 1.120 secs (3211 bytes/sec)
[OK]
ciscoasa(config)# sh run
: Saved
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
ftp mode passive
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
access-list inbound extended permit ip any any
access-list inbound extended permit icmp any4 any4
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source dynamic Generic_All_Network interface
object network inside_hosts
nat (inside,outside) dynamic interface
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:fe5175c625dfd45a117bd6e3867486db
: end
yep I have already removed nat (inside,outside) source dynamic Generic_All_Network interface
Following is the latest show-running
ciscoasa(config)# sh run
: Saved
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
ftp mode passive
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit icmp any4 any4
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list capi extended permit ip host 192.168.3.22 host 192.168.100.1
access-list capi extended permit ip host 192.168.100.1 host 192.168.3.22
access-list capo extended permit ip host 192.168.100.2 any
access-list capo extended permit ip any host 192.168.100.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
object network inside_hosts
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:b5958fd342c81895465887026d1423b3
: end
Similar Messages
-
ASA 5505 version 8.2 Base License - getting more anyconnect licensing
Is it possible to increase the number of IPSec VPN peers from 10 to 25 on an ASA 5505 version 8.2 with the base license, simply by adding
L-ASA-AC-E-5505= and not having to upgrade to the security plus license?
ASA 5505
Base License: 10 sessions (25 combined IPSec and SSL VPN1 ).
Security Plus License: 25 sessions (25 combined IPSec and SSL VPN1).
Thank YouI tried reloading the ASA but to no avail. The ISP cleared their ARP cache as well.While I had the ISP online and they didn't see the printers DHCP request.
Of course this is all remote but I can see the interface state change when I have the users turn the printer off then on. When I plug the printer into the local LAN it obtains a local DHCP address and I can access it.
So I'm thinking the printers DHCP request is being blocked at the ASA or somthing else is causing the issue. I am at a loss. -
Hi All,
I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface or what?Use the interface name rather than IP address to match traffic based
on which interface is the source or destination of the traffic. You must
specify the interface keyword instead of specifying the actual IP
address in the ACL when the traffic source is a device interface. For
example, you can use this option to block certain remote IP addresses
from initiating a VPN session to the ASA by blocking ISAKMP. Any
traffic originated from or destined to the ASA, itself, requires that you
use the access-group command with the control-plane keyword. -
Configurate cisco ipsec vpn client at asa 5505 version 8.4
Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
thank you.are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
what version of vpn client ? -
ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)
Greetings all. I've searched through the forums and have found some similar situations to mine but nothing specific. I'm hoping this is an easy fix... :/
I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4). They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securly transfer digital X-Ray images. Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already. So...
The network admin on the Fortinet side assinged me 172.31.1.0/24. I have established a connection but obviously, cannot route anywhere to the other side. Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?
Thank you in advance everyone.Hello Chris,
For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.
Basically the NAT configuration will be like this:
object network Local-net
subnet 192.168.1.0 255.255.255.0
object network Translated-net
subnet 172.31.1.0 255.255.255.0
object network Fortinet-net
subnet 10.10.115.0 255.255.255.0
nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
Obviously, you can change the name of the objects.
Then in the interesting traffic, the ACL that is apply in the crypto map that defines the VPN traffi, you will need to configure it like this:
access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
Let me know if you have any doubts.
Daniel Moreno
Please rate any posts you find useful -
ASA 5510 9.1.x ACL/NAT issues
Forgoing some security concern have you tried "permit ip" instead?
Good afternoon.
I'm hoping one of you spiceheads might be able to help a fellow out. We upgraded our 5510 from 8.2 to 9.1 and now none of our NAT'd public servers are working.
we cleared out every thing and did step by step to create the new NAT connection and even though the ACL shows any4 for the private IP address, we are getting access denied.
access-list outside_access_1 extended permit tcp any4 host 10.201.0.130
We have the same config and IOS version running on our 5505 and don't have any issues.
Thoughts?
This topic first appeared in the Spiceworks Community -
Cisco ASA 5505 IPSEC, one endpoint behind NAT device
We have two Cisco ASA 5505 devices.
Both are identical, however, one of them is behind a NAT device.
We are attempting to create an IPSEC network.
Site fg:
<ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
Site be:
<ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
USG1: UDP port 500/4500 forwarded to 192.168.4.50
It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
We verified / attempted the following:
- NAT excemption on both sides for IPSEC subnets
- Mirror image crypto maps
- Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
- Toggled between static to dynamic crypto maps on ASA1
Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT excemption.
Does anyone have any idea?
195.txt contains show running-config of ASA3
212.txt contains show running-config of ASA1
log.txt contains somewhat entire log snipper of ASA1Hi,
on 212 is see
tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
pre-shared-key
When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,
Abaji. -
ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP
Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is. My guess right now is that it has something to do with dynamic PAT.
Essentially, I have a block of 5 static public IP's. I have 1 assigned to the interface and am using another for email/webmail. I have no problems accessing the internet, receving emails, etc... The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT. I would really appreciate if anyone could help shed some light as to why this is happening for me. I always thought a static nat should take precidence in the order of things.
Recap:
IP 1 -- 10.10.10.78 is assigned to outside interface. Dynamic PAT for all network objects to use this address when going out.
IP 2 -- 10.10.10.74 is assgned through static nat to email server. Email server should respond to and send out using this IP address.
Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
Thanks in advance for anyone that reads this and can lend a hand.
- Justin
Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
ASA Version 8.4(3)
hostname MYHOSTNAME
domain-name MYDOMAIN.COM
enable password msTsgJ6BvY68//T7 encrypted
passwd msTsgJ6BvY68//T7 encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.78 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any object Email eq smtp
access-list outside_access_in extended permit tcp any object Webmail eq www
access-list outside_access_in extended permit tcp any object WebmailSecure eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MYDOMAIN protocol kerberos
aaa-server MYDOMAIN (inside) host 192.168.2.8
kerberos-realm MYDOMAIN.COM
aaa-server MYDOMAIN (inside) host 192.168.2.9
kerberos-realm MYDOMAIN.COM
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (inside) host 192.168.2.8
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
aaa-server MY-LDAP (inside) host 192.168.2.9
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=MYHOSTNAME
ip-address 10.10.10.78
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e633854f
30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.8 source inside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2 ssl-client
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy-VPN-LAPTOP internal
group-policy GroupPolicy-VPN-LAPTOP attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2
group-lock value VPN-LAPTOP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group MYDOMAIN
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN-LAPTOP type remote-access
tunnel-group VPN-LAPTOP general-attributes
authentication-server-group MY-LDAP
default-group-policy GroupPolicy-VPN-LAPTOP
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN-LAPTOP webvpn-attributes
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:951faceacf912d432fc228ecfcdffd3fHi ,
As per you config :
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
Are you saying that this is not happening ?
Dan -
Problem with nat / access rule for webserver in inside network asa 5505 7.2
Hello,
i have trouble setting up nat and access rule for webserver located in inside network.
I have asa 5505 version 7.2 and it has to active interfaces, inside 192.168.123.0 and outside x.x.x.213
Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.
I have created an static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.
What am i doing wrong?Command:
packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=188.x.x.213, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
How can I map SSH from an outside network range to an internal host (ASA 5505)
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
- External network range that needs SSH access: 8.8.8.0/24
- Outside interface: 10.1.10.2 (NAT'd from 7.7.7.7)
- Inside Network: 192.168.100.0/24
- Inside host to redirect external SSH to: 192.168.100.98
Hi All,
I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought.
Can anyone help with this? What commands should I enter to accomplish mapping SSH from an outside network range to an internal host?
Many thanks,
TarranThis may or may not work depending on how your modem handles the natting. On your firewall try this -
static (inside,outside) tcp interface 22 192.168.100.98 22
then add this to your acl on the outside interface of your ASA -
access-list outside_in permit tcp 8.8.8.0 255.255.255.0 host 10.1.10.2 eq 22
if you don't have an acl applied then add this extra step -
access-group outside_in in interface outside
Jon -
Cisco ASA 5505 Configurations. Help... Beyond Frustrated
Hello All,
I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
hostname AMDASA
domain-name asa.(mydomain).com
enable password (encrypted)
passwd (encrypted)
interface Ethernet0/0
description TWCoutside
switchport access vlan 2
no shutdown
write mem
exit
interface Ethernet0/1
description Port1inside
switchport access vlan 1
no shutdown
write mem
exit
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.250 255.255.255.0
write mem
exit
interface Vlan2
nameif outside
security-level 0
ip address 24.39.245.36 255.255.255.240
write mem
exit
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
write mem
exit
ftp mode passive
write mem
clock timezone EST -5
clock summer-time EDT recurring
write mem
exit
dns server-group DefaultDNS
domain-name asa.adcmotors.com
write mem
exit
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-group acl_outside in interface outside
access-list acl_inside extended permit icmp any any object-group DefaultICMP
access-group acl_inside in interface inside
write mem
exit
write mem
That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!Hi our desperate friend .
First I would suggest to use the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler and for the SSL VPN you would need to install the client on the ASA and purchase additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you dont have it or dont have access to download it from cisco.com go to the person from which you purchased your ASA and ask him how to get it.
That said, I also think that your ASA lacks of some basic configuration as of now. If you are planning to use this in replacement for your current PIX. You would need to configure a default route and some basic NAT:
route outside 0.0.0.0 0.0.0.0 24.39.245.33
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
Now regarding the VPN Client configuration you would need to something like this:
Create an isakmp policy:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Create a couple of ACLs that we will use later:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_tun standard permit 192.168.0.0 255.255.255.0
Create a Pool for the VPN Clients to use:
ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
Create a Group Policy:
group-policy TEST internal
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tun
Create a group:
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
address-pool TestPool
authentication-server-group ABTVPN
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key cisco123
Create crypto map and do a NAT 0:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
nat (inside) 0 access-l nonat
Finally create a user that you will use to connect:
username test password test123
Then you would need to configure your VPN Client to connect with the ASA.
Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
I hope this helps. Feel free to ask if you have any questions. Also it would very usefull if you could upload the current config (show run) of the ASA in case you need to ask something else.
Have fun.
Raga -
Internet Connection Became Slow after Introduction of Cisco ASA 5505 to the Network
I configured a Cisco ASA 5505 (Version Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
in transparent firewall mode and inserted after Cisco 1700 router. However, the internet connection became very slow and users are compaining that they cannot load any pages.
My setup looks like:
Internet --> Cisco 1700 --> Cisco ASA 5505 --> LAN
The license information is:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
The flash activation key is the SAME as the running key.
My running-config looks like:
ASA Version 7.2(3)
firewall transparent
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Vlan1
nameif inside
security-level 100
no shut
interface Vlan2
nameif outside
security-level 0
no shut
interface Ethernet0/0
switchport access vlan 2
no shut
interface Ethernet0/1
no shut
interface Ethernet0/2
no shut
interface Ethernet0/3
no shut
interface Ethernet0/4
no shut
interface Ethernet0/5
no shut
interface Ethernet0/6
no shut
interface Ethernet0/7
no shut
passwd 2KFQnbNIdI.2KYOU encrypted
regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.diretube\.com"
regex domainlist3 "\.youtube\.com"
regex domainlist4 "\.vimeo\.com"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_in extended permit ip any any
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 192.168.1.254 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map type regex match-any DomainBlockList
match regex domainlist1
match regex domainlist2
match regex domainlist3
match regex domainlist4
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map type regex match-any URLBlockList
match regex urllist1
match regex urllist2
match regex urllist3
match regex urllist4
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match response header regex contenttype regex applicationheader
class-map httptraffic
match access-list inside_mpc
class-map type inspect http match-all BlockURLsClass
match request uri regex class URLBlockList
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
class AppHeaderClass
drop-connection log
match request method connect
drop-connection log
class BlockDomainsClass
reset log
class BlockURLsClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:8ab1a53df6ae3c202aee236d6080edfd
: end
Could the slow internet connection be due to license limitations? Or is there something wrong with my configuration?
Please see the configuration and help.
ThanksI have re-configured the ASA 5505 yesterday and so far it's working fine. I am not sure if the problem will re-appear later on. Anyways here is my sh tech-support
ciscoasa# sh tech-support
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 14 hours 16 mins
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001f.9ee8.ffa2, irq 11
1: Ext: Ethernet0/0 : address is 001f.9ee8.ff9a, irq 255
2: Ext: Ethernet0/1 : address is 001f.9ee8.ff9b, irq 255
3: Ext: Ethernet0/2 : address is 001f.9ee8.ff9c, irq 255
4: Ext: Ethernet0/3 : address is 001f.9ee8.ff9d, irq 255
5: Ext: Ethernet0/4 : address is 001f.9ee8.ff9e, irq 255
6: Ext: Ethernet0/5 : address is 001f.9ee8.ff9f, irq 255
<--- More --->
7: Ext: Ethernet0/6 : address is 001f.9ee8.ffa0, irq 255
8: Ext: Ethernet0/7 : address is 001f.9ee8.ffa1, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
Serial Number: JMX1211Z2N4
Running Activation Key: 0xaf0ed046 0xbcf18ebf 0x80b38508 0xba785cc0 0x05250493
Configuration register is 0x1
Configuration has not been modified since last system restart.
<--- More --->
------------------ show clock ------------------
18:32:58.254 UTC Tue Nov 26 2013
------------------ show memory ------------------
Free memory: 199837144 bytes (74%)
Used memory: 68598312 bytes (26%)
Total memory: 268435456 bytes (100%)
------------------ show conn count ------------------
1041 in use, 2469 most used
------------------ show xlate count ------------------
0 in use, 0 most used
------------------ show blocks ------------------
SIZE MAX LOW CNT
0 100 68 100
<--- More --->
4 300 299 299
80 100 92 100
256 100 94 100
1550 6174 6166 6174
2048 1124 551 612
------------------ show blocks queue history detail ------------------
History buffer memory usage: 2136 bytes (default)
------------------ show interface ------------------
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is y88acs06, BW 1000 Mbps
(Full-duplex), (1000 Mbps)
MAC address 001f.9ee8.ffa2, MTU not set
IP address unassigned
18491855 packets input, 11769262614 bytes, 0 no buffer
Received 213772 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops, 0 demux drops
18185861 packets output, 11626494317 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
<--- More --->
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/55) software (0/0)
Control Point Interface States:
Interface number is unassigned
Interface Internal-Data0/1 "", is administratively down, line protocol is up
Hardware is 88E6095, BW 1000 Mbps
(Full-duplex), (1000 Mbps)
MAC address 0000.0003.0002, MTU not set
IP address unassigned
18184216 packets input, 11625360131 bytes, 0 no buffer
Received 206655 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 switch ingress policy drops
18490057 packets output, 11768078777 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Loopback0 "_internal_loopback", is up, line protocol is up
Hardware is VirtualMAC address 0000.0000.0000, MTU 1500
IP address 127.1.0.1, subnet mask 255.255.0.0
<--- More --->
Traffic Statistics for "_internal_loopback":
1 packets input, 28 bytes
1 packets output, 28 bytes
1 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 28
Interface config status is active
Interface state is active
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.9ee8.ffa2, MTU 1500
IP address 192.168.1.254, subnet mask 255.255.255.0
Traffic Statistics for "inside":
7742275 packets input, 903584114 bytes
10645034 packets output, 10347291114 bytes
184883 packets dropped
1 minute input rate 320 pkts/sec, 35404 bytes/sec
1 minute output rate 325 pkts/sec, 313317 bytes/sec
<--- More --->
1 minute drop rate, 17 pkts/sec
5 minute input rate 399 pkts/sec, 59676 bytes/sec
5 minute output rate 483 pkts/sec, 503200 bytes/sec
5 minute drop rate, 9 pkts/sec
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.9ee8.ffa3, MTU 1500
IP address 192.168.1.254, subnet mask 255.255.255.0
Traffic Statistics for "outside":
10750090 packets input, 10432619059 bytes
7541331 packets output, 870613684 bytes
109911 packets dropped
1 minute input rate 328 pkts/sec, 313770 bytes/sec
1 minute output rate 301 pkts/sec, 32459 bytes/sec
1 minute drop rate, 2 pkts/sec
5 minute input rate 485 pkts/sec, 503789 bytes/sec
5 minute output rate 387 pkts/sec, 57681 bytes/sec
5 minute drop rate, 2 pkts/sec
Control Point Interface States:
Interface number is 2
<--- More --->
Interface config status is active
Interface state is active
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001f.9ee8.ff9a, MTU not set
IP address unassigned
10749794 packets input, 10630700889 bytes, 0 no buffer
Received 2506 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
3 switch ingress policy drops
7541070 packets output, 1028190148 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
<--- More --->
Available but not configured via nameif
MAC address 001f.9ee8.ff9b, MTU not set
IP address unassigned
7741977 packets input, 1064586806 bytes, 0 no buffer
Received 211282 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
10644663 packets output, 10543362751 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/2 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9c, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
<--- More --->
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/3 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9d, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
<--- More --->
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/4 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9e, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
<--- More --->
Interface number is unassigned
Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9f, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
<--- More --->
MAC address 001f.9ee8.ffa0, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/7 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ffa1, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
<--- More --->
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 12%; 1 minute: 11%; 5 minutes: 11%
------------------ show cpu hogging process ------------------
Process: Dispatch Unit, NUMHOG: 1, MAXHOG: 133, LASTHOG: 140
LASTHOG At: 04:45:59 UTC Nov 26 2013
PC: 8be0f7
Traceback: 8bed19 8bf553 302b87 3030a5 2fad69 7674bf 75ca16
c6251d c62a4c c62f6c 75c653 767820 797f64 769c85
<--- More --->
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Mwe 00c9bb24 01bb8700 013e3250 0 01733fc8 15616/16384 emweb/cifs
Lwe 001072ac 0176f9c4 013e32d0 0 0176d9f0 8132/8192 block_diag
Mrd 00223a67 01783d5c 013e33b0 314854 0177be18 25752/32768 Dispatch Unit
Msi 00f82847 01b07b84 013e3250 229 01b05bc0 7984/8192 y88acs06 OneSec Thread
Mwe 0011b1a5 01b09cfc 013e3250 0 01b07d88 7864/8192 Reload Control Thread
Mwe 00120606 01b1260c 013e5258 0 01b10988 7256/8192 aaa
Mwe 001486aa 01b19404 013e5ae8 0 01b15450 16020/16384 CMGR Server Process
Mwe 0014c3c5 01b1b4d4 013e3250 0 01b19570 7968/8192 CMGR Timer Process
Lwe 002227a1 01b239b4 013ee360 0 01b219f0 7524/8192 dbgtrace
Mwe 004e1ba5 01b29c34 013e3250 157 01b27d50 6436/8192 eswilp_svi_init
Mwe 01064b1d 01b4a7f4 013e3250 0 01b48890 7848/8192 Chunk Manager
Msi 008b61b6 01b52d54 013e3250 230 01b50da0 7856/8192 PIX Garbage Collector
Lsi 00ecb6ac 01b54e94 013e3250 12 01b52ec0 7552/8192 route_process
Mwe 008a5ddc 01b5dc04 0133b430 0 01b5bc40 8116/8192 IP Address Assign
Mwe 00acb779 01b60604 01346e10 0 01b5e640 8116/8192 QoS Support Module
Mwe 0091eba9 01b6275c 0133c530 0 01b60798 8116/8192 Client Update Task
Lwe 01083c8e 01b656d4 013e3250 123088 01b63770 7840/8192 Checkheaps
Mwe 00acfd7d 01b6b824 013e3250 623 01b69ad0 3476/8192 Quack process
Mwe 00b2a260 01b6dad4 013e3250 22 01b6bbf0 7364/8192 Session Manager
Mwe 00c55efd 01b78564 031d0478 4 01b74a50 14768/16384 uauth
<--- More --->
Mwe 00be3c9e 01b7aaec 0135c010 0 01b78b28 7524/8192 Uauth_Proxy
Mwe 00c52759 01b80e0c 01361770 0 01b7ee88 7712/8192 SMTP
Mwe 00c3f7b9 01b82eec 01361710 0 01b80fa8 7412/8192 Logger
Mwe 00c3fd26 01b8502c 013e3250 0 01b830c8 7492/8192 Thread Logger
Mwe 00f62272 01b9596c 013ac520 0 01b939c8 7188/8192 vpnlb_thread
Msi 00b4097c 01c598c4 013e3250 190 01c578f0 8000/8192 emweb/cifs_timer
Msi 005bd338 017a909c 013e3250 25855 017a7108 7412/8192 arp_timer
Mwe 005c76bc 01b486e4 013fba50 20643 01b46770 7348/8192 arp_forward_thread
Mwe 00c5a919 023fa5fc 013619e0 0 023f8648 7968/8192 tcp_fast
Mwe 00c5a6e5 023fc624 013619e0 0 023fa670 7968/8192 tcp_slow
Mwe 00c754d1 0240d42c 013628a0 0 0240b478 8100/8192 udp_timer
Mwe 0019cb17 01b404a4 013e3250 0 01b3e530 7984/8192 CTCP Timer process
Mwe 00efe8b3 0308c15c 013e3250 0 0308a208 7952/8192 L2TP data daemon
Mwe 00efef23 0308e194 013e3250 0 0308c230 7968/8192 L2TP mgmt daemon
Mwe 00eea02b 030c62ac 013a5c10 43 030c2338 16244/16384 ppp_timer_thread
Msi 00f62d57 030c82f4 013e3250 264 030c6360 7924/8192 vpnlb_timer_thread
Mwe 001b96e6 01b7cbbc 01b1e9c8 1 01b7ac48 7728/8192 IPsec message handler
Msi 001c9bac 01b8d4dc 013e3250 2917 01b8b548 7648/8192 CTM message handler
Mwe 00af93b8 031465b4 013e3250 0 03144640 7984/8192 ICMP event handler
Mwe 00831003 0314a724 013e3250 387 031467b0 16100/16384 IP Background
Mwe 0021b267 031a83c4 013123c0 31 03188450 123488/131072 tmatch compile thread
Mwe 009f2405 03290044 013e3250 0 0328c0c0 16072/16384 Crypto PKI RECV
Mwe 009f305a 03294144 013e3250 0 032901e0 16040/16384 Crypto CA
Mwe 0064d4fd 01b3e24c 013e3250 8 01b3c2f8 7508/8192 ESW_MRVL switch interrupt service
<--- More --->
Msi 00646f5c 032c134c 013e3250 3059378 032bf448 7184/8192 esw_stats
Lsi 008cbb80 032dc704 013e3250 3 032da730 7908/8192 uauth_urlb clean
Lwe 008afee7 034a0914 013e3250 197 0349e9b0 6636/8192 pm_timer_thread
Mwe 0052f0bf 034a35ac 013e3250 0 034a1648 7968/8192 IKE Timekeeper
Mwe 00520f6b 034a8adc 0132e2b0 0 034a4e38 15448/16384 IKE Daemon
Mwe 00bf5c78 034ac7ac 01360680 0 034aa7f8 8100/8192 RADIUS Proxy Event Daemon
Mwe 00bc32de 034ae79c 034dcbe0 0 034ac918 7208/8192 RADIUS Proxy Listener
Mwe 00bf5e0f 034b099c 013e3250 0 034aea38 7968/8192 RADIUS Proxy Time Keeper
Mwe 005aac4c 034b3154 013fb980 0 034b1250 7492/8192 Integrity FW Task
M* 008550a5 0009fefc 013e33b0 3183 034e3b20 24896/32768 ci/console
Msi 008eb694 034ed9d4 013e3250 2370 034ebc40 6176/8192 update_cpu_usage
Msi 008e6415 034f7dac 013e3250 1096 034f5eb8 6124/8192 NIC status poll
Mwe 005b63e6 03517d1c 013fbd10 1963 03515d78 7636/8192 IP Thread
Mwe 005becbe 03519e4c 013fbcb0 3 03517e98 7384/8192 ARP Thread
Mwe 004c2b36 0351befc 013fbae0 0 03519fe8 7864/8192 icmp_thread
Mwe 00c7722e 0351e06c 013e3250 0 0351c108 7848/8192 udp_thread
Mwe 00c5d126 0352008c 013fbd00 0 0351e228 7688/8192 tcp_thread
Mwe 00bc32de 03a6982c 03a5ee18 0 03a679b8 7512/8192 EAPoUDP-sock
Mwe 00266c15 03a6b614 013e3250 0 03a699e0 7032/8192 EAPoUDP
Mwe 005a6728 01b27b94 013e3250 0 01b25c30 7968/8192 Integrity Fw Timer Thread
- - - - 47686621 - - scheduler
- - - - 51253819 - - total elapsed
------------------ show failover ------------------
<--- More --->
ERROR: Command requires failover license
------------------ show traffic ------------------
inside:
received (in 51429.740 secs):
7749585 packets905087345 bytes
67 pkts/sec17013 bytes/sec
transmitted (in 51429.740 secs):
10653162 packets10355908020 bytes
40 pkts/sec201026 bytes/sec
1 minute input rate 412 pkts/sec, 51803 bytes/sec
1 minute output rate 475 pkts/sec, 522952 bytes/sec
1 minute drop rate, 24 pkts/sec
5 minute input rate 399 pkts/sec, 59676 bytes/sec
5 minute output rate 483 pkts/sec, 503200 bytes/sec
5 minute drop rate, 9 pkts/sec
outside:
received (in 51430.240 secs):
10758403 packets10441440193 bytes
42 pkts/sec203021 bytes/sec
transmitted (in 51430.240 secs):
7548339 packets872053854 bytes
<--- More --->
63 pkts/sec16037 bytes/sec
1 minute input rate 479 pkts/sec, 523680 bytes/sec
1 minute output rate 387 pkts/sec, 46796 bytes/sec
1 minute drop rate, 3 pkts/sec
5 minute input rate 485 pkts/sec, 503789 bytes/sec
5 minute output rate 387 pkts/sec, 57681 bytes/sec
5 minute drop rate, 2 pkts/sec
_internal_loopback:
received (in 51430.740 secs):
1 packets28 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51430.740 secs):
1 packets28 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Aggregated Traffic on Physical Interface
<--- More --->
Ethernet0/0:
received (in 51431.740 secs):
10758462 packets10640075825 bytes
42 pkts/sec206042 bytes/sec
transmitted (in 51431.740 secs):
7548383 packets1029818127 bytes
63 pkts/sec20023 bytes/sec
1 minute input rate 485 pkts/sec, 537048 bytes/sec
1 minute output rate 395 pkts/sec, 54546 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 485 pkts/sec, 511723 bytes/sec
5 minute output rate 387 pkts/sec, 65495 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/1:
received (in 51433.570 secs):
7749780 packets1066328930 bytes
67 pkts/sec20064 bytes/sec
transmitted (in 51433.570 secs):
10653359 packets10552787020 bytes
40 pkts/sec205006 bytes/sec
1 minute input rate 419 pkts/sec, 59621 bytes/sec
1 minute output rate 480 pkts/sec, 533950 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 399 pkts/sec, 67618 bytes/sec
<--- More --->
5 minute output rate 482 pkts/sec, 511073 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/2:
received (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/3:
received (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
<--- More --->
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/4:
received (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/5:
received (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
<--- More --->
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/6:
received (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/7:
received (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51435.010 secs):
<--- More --->
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/0:
received (in 51435.510 secs):
18513901 packets11784250044 bytes
25 pkts/sec229023 bytes/sec
transmitted (in 51435.510 secs):
18207269 packets11641332179 bytes
19 pkts/sec226078 bytes/sec
1 minute input rate 891 pkts/sec, 595715 bytes/sec
1 minute output rate 863 pkts/sec, 588935 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 885 pkts/sec, 584035 bytes/sec
5 minute output rate 870 pkts/sec, 580393 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/1:
received (in 51436.010 secs):
18207323 packets11641364184 bytes
<--- More --->
19 pkts/sec226076 bytes/sec
transmitted (in 51436.010 secs):
18513954 packets11784281987 bytes
25 pkts/sec229022 bytes/sec
1 minute input rate 855 pkts/sec, 575808 bytes/sec
1 minute output rate 884 pkts/sec, 582339 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 869 pkts/sec, 578350 bytes/sec
5 minute output rate 883 pkts/sec, 581924 bytes/sec
5 minute drop rate, 0 pkts/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 17/s 6/s
TCP Conns 8/s 2/s
UDP Conns 7/s 2/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept 0/s 0/s
HTTP Fixup 0/s 0/s
<--- More --->
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show counters ------------------
Protocol Counter Value Context
IP IN_PKTS 168960 Summary
IP OUT_PKTS 169304 Summary
IP TO_ARP 61 Summary
------------------ show history ------------------
------------------ show firewall ------------------
Firewall mode: Transparent
------------------ show running-config ------------------
<--- More --->
: Saved
ASA Version 7.2(3)
firewall transparent
hostname ciscoasa
enable password
names
interface Vlan1
nameif inside
security-level 100
interface Vlan2
nameif outside
security-level 0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
<--- More --->
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd
regex domain1 ".facebook\.com"
regex domain2 ".fb\.com"
regex domain3 ".youtube\.com"
ftp mode passive
access-list ACL_IN extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
ip address 192.168.1.254 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
<--- More --->
arp timeout 14400
access-group ACL_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map type regex match-any DomainBlockList
match regex domain1
match regex domain2
match regex domain3
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
<--- More --->
message-length maximum 512
match domain-name regex class DomainBlockList
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:bb5115ea1d14ee42e7961ef0c9aaed86
: end
<--- More --->
------------------ show startup-config errors ------------------
INFO: No configuration errors
------------------ console logs ------------------
Message #1 : Message #2 : Message #3 : Message #4 : Message #5 : Message #6 : Message #7 : Message #8 : Message #9 : Message #10 : Message #11 : Message #12 : Message #13 : Message #14 :
Total SSMs found: 0
Message #15 :
Total NICs found: 10
Message #16 : 88E6095 rev 2 Gigabit Ethernet @ index 09Message #17 : MAC: 0000.0003.0002
Message #18 : 88E6095 rev 2 Ethernet @ index 08Message #19 : MAC: 001f.9ee8.ffa1
Message #20 : 88E6095 rev 2 Ethernet @ index 07Message #21 : MAC: 001f.9ee8.ffa0
Message #22 : 88E6095 rev 2 Ethernet @ index 06Message #23 : MAC: 001f.9ee8.ff9f
Message #24 : 88E6095 rev 2 Ethernet @ index 05Message #25 : MAC: 001f.9ee8.ff9e
Message #26 : 88E6095 rev 2 Ethernet @ index 04Message #27 : MAC: 001f.9ee8.ff9d
Message #28 : 88E6095 rev 2 Ethernet @ index 03Message #29 : MAC: 001f.9ee8.ff9c
Message #30 : 88E6095 rev 2 Ethernet @ index 02Message #31 : MAC: 001f.9ee8.ff9b
Message #32 : 88E6095 rev 2 Ethernet @ index 01Message #33 : MAC: 001f.9ee8.ff9a
Message #34 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 001f.9ee8.ffa2
Message #35 :
Licensed features for this platform:
Message #36 : Maximum Physical Interfaces : 8
<--- More --->
Message #37 : VLANs : 3, DMZ Restricted
Message #38 : Inside Hosts : Unlimited
Message #39 : Failover : Disabled
Message #40 : VPN-DES : Enabled
Message #41 : VPN-3DES-AES : Enabled
Message #42 : VPN Peers : 10
Message #43 : WebVPN Peers : 2
Message #44 : Dual ISPs : Disabled
Message #45 : VLAN Trunk Ports : 0
Message #46 :
This platform has a Base license.
Message #47 :
Message #48 : Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Message #49 : Boot microcode : CNlite-MC-Boot-Cisco-1.2
Message #50 : SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
Message #51 : IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
Message #52 : --------------------------------------------------------------------------
Message #53 : . .
Message #54 : | |
Message #55 : ||| |||
Message #56 : .|| ||. .|| ||.
Message #57 : .:||| | |||:..:||| | |||:.
Message #58 : C i s c o S y s t e m s
Message #59 : --------------------------------------------------------------------------
<--- More --->
Message #60 :
Cisco Adaptive Security Appliance Software Version 7.2(3)
Message #61 :
Message #62 : ****************************** Warning *******************************
Message #63 : This product contains cryptographic features and is
Message #64 : subject to United States and local country laws
Message #65 : governing, import, export, transfer, and use.
Message #66 : Delivery of Cisco cryptographic products does not
Message #67 : imply third-party authority to import, export,
Message #68 : distribute, or use encryption. Importers, exporters,
Message #69 : distributors and users are responsible for compliance
Message #70 : with U.S. and local country laws. By using this
Message #71 : product you agree to comply with applicable laws and
Message #72 : regulations. If you are unable to comply with U.S.
Message #73 : and local laws, return the enclosed items immediately.
Message #74 :
Message #75 : A summary of U.S. laws governing Cisco cryptographic
Message #76 : products may be found at:
Message #77 : http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
Message #78 :
Message #79 : If you require further assistance please contact us by
Message #80 : sending email to [email protected].
Message #81 : ******************************* Warning *******************************
Message #82 :
<--- More --->
Message #83 : Copyright (c) 1996-2007 by Cisco Systems, Inc.
Message #84 : Restricted Rights Legend
Message #85 : Use, duplication, or disclosure by the Government is
Message #86 : subject to restrictions as set forth in subparagraph
Message #87 : (c) of the Commercial Computer Software - Restricted
Message #88 : Rights clause at FAR sec. 52.227-19 and subparagraph
Message #89 : (c) (1) (ii) of the Rights in Technical Data and Computer
Message #90 : Software clause at DFARS sec. 252.227-7013.
Message #91 : Cisco Systems, Inc.
Message #92 : 170 West Tasman Drive
Message #93 : San Jose, California 95134-1706
ciscoasa# -
ASA 5505 external interface dying
Hi,
We have an ASA 5505 ( version 9.1(2) ) that frequently stopped functioning ie the external interface refuses to pass any traffic , ASDM wont connect,etc.
The internal interface does continue to function and if we SSH into the unit and do a reload , everything springs back into life again.
What are the best steps to troubleshooting and finding a fix to this problem?
ChrisHi Amrin,
you can configure SLA monitoring on ASA and that woudl work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun -
Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues
Hey all,
I am really new to Cisco and am trying to get this Cisco ASA 5505 configured that I bought recently configured properly.
Things I have successfully been able to do:
1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
2. Create static routes to point to all of my vlans that are currently being being routed through my layer 3 SG-300
3. Install and run ASDM 7.3(2)
4. Went through the start-up wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses. So I congured my device with NAT and put in the range the first usable IP address outside of the one I configured for the direct connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy.
http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
Attached is a copy of my running-config and version. Any help with this would be greatly appreciated.Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
So your Exchange server in the 10.10.12.0/24 subnet will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well. -
ASA 5505 9.1 and NAT issues to single dynamic IP
Good afternoon everybody,
a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP).
As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog :
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
In the same time, the consolle connection shows these two messages :
Asa5505# ERROR: NAT unable to reserve ports.
ERROR: NAT unable to reserve ports.
I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
This is the configuration file, I have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
ASA Version 9.1(5)
hostname Asa5505
domain-name home
enable password XXXXXX encrypted
names
interface Ethernet0/0
description ADSLPPoE
switchport access vlan 2
interface Ethernet0/1
description Internal_LAN
interface Ethernet0/2
description Management_Net
switchport access vlan 3
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
description Uplink
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
description Wireless-POE
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
description Webcam-POE
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.250 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group AliceADSL
ip address pppoe setroute
interface Vlan3
no forward interface Vlan1
nameif management
security-level 100
ip address 10.5.1.250 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.4
domain-name home
object network Exchange-HTTPS
host 192.168.1.150
object network Exchange-SMTP
host 192.168.1.150
object network Network_Inside
subnet 192.168.1.0 255.255.255.0
object network Network_Management
subnet 10.5.1.0 255.255.255.0
access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https
access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Exchange-HTTPS
nat (inside,outside) static interface service tcp https https
object network Exchange-SMTP
nat (inside,outside) static interface service tcp smtp smtp
object network Network_Inside
nat (inside,outside) dynamic interface
object network Network_Management
nat (management,outside) dynamic interface
access-group Outside_ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 8080
http 10.5.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
vpdn group AliceADSL request dialout pppoe
vpdn group AliceADSL localname aliceadsl
vpdn group AliceADSL ppp authentication pap
vpdn username aliceadsl password ***** store-local
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.4 192.168.1.150 interface inside
dhcpd wins 192.168.1.4 interface inside
dhcpd enable inside
dhcpd address 10.5.1.30-10.5.1.40 management
dhcpd dns 208.67.222.222 208.67.220.220 interface management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 10443
anyconnect-essentials
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXX
: end
no asdm history enable
Thanks in advance for your precious help !
C.Update 29th of June :
Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the runnning configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
I tried using show xlate both before, during, and after the connection drop. As expected before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, all the xlate table is clean empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If i reload the ASA using reload noconfirm every rule is restored and everything works again.
Two brief questions :
1) in my NAT statements for PAT, does it change anything if I modify them (for example) from
nat (inside,outside) static interface service tcp https https
to
nat (inside,outside) dynamic interface service tcp https https
? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
2) if there's not any ohter way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing" ? I can't predict how many times a day the line drops and I can't be there 24/7 with my consolle cable connected in order to restore the nat statements ^^
Thank you for your precious help and patience !
C.
Maybe you are looking for
-
Nokia Lumia 1520 Overheating & Battery Drain after...
Hello, I've been experiencing an intermintent problem with my Nokia Lumia 1520 (AT&T, 16GB model) where my phone overheats and the battery drains. The problem started after I upgraded to Windows Phone 8.1 and Lumia Cyan. As of now I haven't figured o
-
Hello! I have a question about upgrading a phone on another line with my line's upgrade on Sprint, but let me provide a little information. According to Sprint, I can't switch phones from line to line until my rebates have been processed. (up to 30
-
Payload empty in creating form (wizard)
Hi I have a proces that uses objects from the business catalog in order to build a human task worklist screen. After generated the taskform the first time successfully I updated some fields in the used data objects. After the update I tried to re-gen
-
Business Rules for Business Users
Folks, There is a requirement from my clients to use Business rules by Business users, apparently it is difficult to give them jdeveloper and ask to devlop, have you come across such situation? if so what is the best way to handle such scenarios. FYI
-
Incorporating html site into iWeb
As a newcomer to iWeb I'd be very grateful for some advice on incorporating html pages. I realise I can add html snippets, but even a fairly simple addition introduces complications. When iWeb creates a completely plain page, call it xxx.html, it gen