ASA 5505 with Backup ISP
I am working with a client that currently has an ASA 5505 with two ISPs for failover using a tracked interface. I would like to configure logging so that the ASA will email us when the Primary ISP goes down and fails over to the backup. Here is what I have so far...
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 12
interface Ethernet0/2
speed 100
duplex full
interface Ethernet0/3
switchport access vlan 22
speed 100
duplex full
interface Ethernet0/4
switchport access vlan 22
interface Ethernet0/5
switchport access vlan 22
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.76.252.33 255.255.255.248
interface Vlan12
nameif backup
security-level 0
ip address 168.93.174.130 255.255.255.248
interface Vlan22
nameif Phones
security-level 100
ip address 192.168.3.1 255.255.255.0
logging enable
logging buffered warnings
logging asdm warnings
logging from-address [email protected]
logging recipient-address [email protected] level errors
route outside 0.0.0.0 0.0.0.0 DG-Commcast 128 track 1
route backup 0.0.0.0 0.0.0.0 DG-FirstCom 255
sla monitor 123
type echo protocol ipIcmpEcho 73.120.130.1 interface outside
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Let me know if you need any more info from the config; it's quite long and not sure what all is needed...
The primary interface is Outside and the backup is obviously Backup
Thanks!
Tony
Hi Tony,
As long as the event covered under 'errors' list - inaddition to the above config, you need to add..
loging mail errors
smtp-server
Check the below link for more information on ASA message logging..
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml
hth
MS
Similar Messages
-
Cisco asa 5505 with Router 881w Configuration Help
Hello all,
I'm having trouble setting up a second vlan to route to the internet. I have a Cisco ASA 5505 connected to my ISP(OUTSIDE) and a Cisco 881w (INSIDE) router in the back of my firewall. My vlan 10 with the network 192.168.5.1 255.255.255.0 works with pat, however vlan 15 that is on my 881w router does not route to the internet at all. I can only ping from 192.168.15.15 network to 192.168.5.1 I would like some advice on how can I make this set up work. Attached with this discussion is a picture of my topology.
Thanks in advance.
here are the show runs:
Cisco ASA 5505 show run:
ASA Version 8.3(1)
names
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan5
mac-address xxxx.xxxx.xxxx
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface Vlan10
nameif INSIDE
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 5
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network INTERNAL_LAN
subnet 192.168.5.0 255.255.255.0
object network PRIVATE_LAN_192
subnet 192.168.15.0 255.255.255.224
description PRIVATE_LAN_192
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended deny ip any any
pager lines 24
logging enable
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INTERNAL_LAN
nat (INSIDE,OUTSIDE) dynamic interface
object network PRIVATE_LAN_192
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
dhcpd dns 8.8.8.8 75.75.76.76
dhcpd address 192.168.5.10-192.168.5.100 INSIDE
dhcpd enable INSIDE
Router 881w show run:
Current configuration : 4912 bytes
version 12.4
no ip source-route
ip dhcp excluded-address 192.168.15.1 192.168.15.10
ip dhcp pool PRIVATE_LAN
network 192.168.15.0 255.255.255.224
interface FastEthernet0
switchport trunk allowed vlan 1,15,1002-1005
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
interface Vlan15
ip address 192.168.15.1 255.255.255.224
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
ip http authentication local
ip http secure-serverThe cable modem does not have any configuration. I cant add any to it. Its a cisco dpc3008. From vlan 10 i have no problem to get to the internet with the above configuration. My problem is just vlan 15.
-
Hello,
I have setup ASA 5505 with 2 ISP, named outside (primary) and backup, the scenario is if outside down, then backup will take over, it works now.
But it is not working when the primary connection cannot reach the gateway with the interface still up.
Is it possible when the primary connection cannot reach the gateway then backup automatically take over?
Thanks before..
My configuration is:
ASA Version 8.2(1)
hostname cisco
domain-name default_domain
enable password ********* encrypted
passwd ********* encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.10.10.10 255.255.255.0
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
ip address 172.20.10.10 255.255.255.0
interface Ethernet0/0
switchport access vlan 1
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default domain
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group backup_in in interface backup
route outside 0.0.0.0 0.0.0.0 172.10.10.1 1
route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:24af050f332deab3e38eb578f8081d05
: endHi Amrin,
you can configure SLA monitoring on ASA and that woudl work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun -
ASA 5505 - 2 Internet Connections, Problems with the Default Route
Hey there,
i have a Problem at a Customer Site at the moment. The customer uses an ASA 5505 with two internet connections attached to it. On the first connection (which is the only one in use at the moment) he has some Static-PAT's from Outside to Inside where he translates different services to the internal servers. He also has a site-2-site VPN terminating there and AnyConnect.
He now wants to switch the Internet Traffic from Inside to the new Internet Connection. Therefore changing the default route to that new ISPs Gateway. The problem now is, that no traffic recieved on the old "outside" Interface is transmitted back out of that old "outside" Interface. And this happens although the "same-security permit intra-interface" command is set.
Can you tell me what's wrong here? For every Static-PAT from outside to inside there is also a dynamic PAT from inside to outside. But the ASA seems to ignore this. I have not looked into the Logs yet, was too busy finding the problem because i had no real time window to test on the productive ASA.
Can it be achieved in any way? Having a default route on the ASA which leads any traffic to the second internet connection while still having connections on the first internet connection where no explicit route can be set? Because connections arrive from random IPs?
Many thanks for your help in advance!
SteffenPhillip, indeed , I have as well read may comments,it all depends on your environment as they all differ from one another, you best bet is to have a good solid plan for upgrade and fall back. You do have a justification to upgrade for features needed, so I would suggest the following:
1- Do a search again in forum for ASA code upgrades and look at comments from users that have gone through this process and note their impact in fuctionality if any. I believe this is good resource to collect information .
2- Very important , look into release notes for a particular version. For example version 8.0, look into open CAVEATS usually at the end of the link page, reading the open bugs gives you clues what has not yet been resolved for that particular code and if in fact could impact you in your environment, it is possible that a particular bug does not realy apply to your environment becuase you have yet not implemented that particualr configuration. Usually we all try to aim towards a GD (General Deployment) code which is what we all understand is most stable but not necesarily means you have to be stack in that code waiting for another GD release, in my personal experience I have upgraded our firewall from 7.2 to 8.0(3) long ago and had no issues, and recently upgraded to 8.0(4)when it was first release in August this year.
Release notes
http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html
3- AS a good practice precaution -
a-Backup firewall configs in clear text as well as via tftp code.
b-Backup running code and ASDM version code currently running in firewall.
c- Save the output of " show version " to have as reference for all the feature licenses you currently have running as asll as activation keys - good info to have to compare with after upgrade.
d- Ensure that the code you will be using to upgrade also uses correct ASDM version code.
I think with thorough assesment and preparation you can indeed minimize impact.
Rgds
Jorge -
ASA 5505 ISP Failover (PPPoE/DHCP)
Hello,
I have 2 WAN uplinks:
The primary is VDSL (PPPoE) - very fast, and I have a static IP + /29 subnet 'assigned' to me.
The secondary is DSL (DHCP) - slower
What I'm trying to do is setup ISP failover on my ASA 5505 with security plus licence... and the way I have it currently setup 'half-works'. If the primary goes down - the primary route is removed from the routing table and the secondary route is 'inserted'. I have the NATs setup so I have internet access and all seems well. The problem however is when the primary ISP comes online again, the ASA doesn't switch back over. It maintains the backup route until I manually switch it (by temporarily disabling the backup ISP switch port).
This is what I did to configure it:
config t
sla monitor 10
type echo protocol ipicmpecho x.x.x.x interface outside-primary
frequency 5
exit
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside-primary 0 0 x.x.x.x 1 track 1
route outside-backup 0 0 y.y.y.y 2
nat (inside,outside-primary) after-auto source dynamic any interface
nat (inside,outside-backup) after-auto source dynamic any interface
Have I missed anything? Is there a better way to set this up? I noticed in the ADSM if you edit an interface there seems to be the ability to set tracker IDs, SLA IDs, etc - but couldn't really find anything on google that helped.
Any assistance would be greatly appreciated.
Thanks!
RobertHi Robert,
you need this command:
no ip verify reverse-path interface outside_primary
Problem:
SLA monitoring does not work after the ASA is upgrade to version 8.0.
Solution:
The problem is possibly be due to the IP Reverse-Path command configured in the OUTSIDE interface. Remove the command in ASA and try to check the SLA Monitoring.
For reference:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html
https://supportforums.cisco.com/blog/150001
HTH
"Plz don't forget to choose correct answer and rate help full answer " -
ASA 5505 - Backup and restore to another device of same model and version
How can I backup the configuration of the ASA 5505 on 8.x and restore it to another ASA 5505 with same version? I have tried to save the running config to a file and then copy it to the new device and use the boot config: filename but it doesn't work. Or is there any other way to try? Thanks.
Thanks Andrew, I had tried it but I was having issues with the fact that I kept both ver 7 and ver 8 of the OS images on the flash. So it booted from the first found (ver 7) and creating confusion for me as the config file was for ver 8.
I noticed that it keeps the 192.168.1.1 IP even though in the config file it has another IP assigned. Is there other things that I need to check that do not change apart the IP address?
Thanks. -
Cisco ASA 5505 - problem with negotiating IP address from PPPoE
Hi all,
I have problem with negotiating IP address from PPPoE. There is following design: ISP providing vDSL ending on VDSL modem in bridge mode. Behind brigde modem is ASA 5505 terminting PPPoE on OUTSIDE. Everything works fine except negotiating IP address from PPPoE server.
I have configured ASA 5505 with (ASA Version 9.2(2)4) for PPPoE like this [1.]. But If i try to "show" IP address on OUTSIDE interface a get this [2.], ok strange but let's continue. If list "show vpdn pppinterface id 1" i get this [3.]. Seems that I got public IP addres what was right, but this IP address was not associated with interface OUTSIDE?
Well, if I set IP address manually like this [4.] and also set a default route everything works fine but what will happen when ISP change reservation for my IP address or default gateway.
I have tried different version of ASA OS like 8.4, 9.1 but without luck.
Can anybody help me. Thanks a lot.
Regards
Karel
[1.]
interface Vlan100
description >>VLAN pro pripojeni do internetu<<
nameif OUTSIDE
security-level 0
pppoe client vpdn group O2
ip address pppoe setroute
vpdn group O2 request dialout pppoe
vpdn group O2 localname O2
vpdn group O2 ppp authentication chap
vpdn username O2 password *****
interface Ethernet0/0
description >>uplink O2 vDSL<<
switchport access vlan 100
[2.]
ciscoasa(config-if)# show ip address vlan 100 pppoe
ciscoasa(config-if)# 0.0.0.0 255.255.255.255 on Interface: OUTSIDE
ciscoasa(config-if)# show interface vlan 100 detail
Interface Vlan2 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: >>VLAN pro pripojeni do internetu<<
MAC address f44e.05d0.6c17, MTU 1492
IP address unassigned
Traffic Statistics for "OUTSIDE":
28 packets input, 1307 bytes
31 packets output, 721 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 3 bytes/sec
1 minute output rate 0 pkts/sec, 1 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 15
Interface config status is active
Interface state is active
[3.]
ciscoasa(config-if)# show vpdn pppinterface id 1
PPP virtual interface id = 1
PPP authentication protocol is CHAP
Server ip address is 88.103.200.41
Our ip address is 85.71.188.158
Transmitted Pkts: 20, Received Pkts: 16, Error Pkts: 0
MPPE key strength is None
MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
Rcvd_Out_Of_Seq_MPPE_Pkts: 0
ciscoasa(config-if)# show vpdn session state
%No active L2TP tunnels
%No active PPTP tunnels
PPPoE Session Information (Total tunnels=1 sessions=1)
SessID TunID Intf State Last Chg
22298 2 OUTSIDE SESSION_UP 561 secs
[4.]
interface Vlan100
description >>VLAN pro pripojeni do internetu<<
nameif OUTSIDE
security-level 0
pppoe client vpdn group O2
ip address 85.71.188.158 255.255.255.255 pppoe setroute
route OUTSIDE 0.0.0.0 0.0.0.0 88.103.200.41 1You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK -
Good morning,
I'm having the following problem. I configured a ASA 5505 with VPN and a VPN Remote Access Site-to-site. Everything is working, but when I reload the ASA does not work anymore VPNs, Remote Access error 412 and the Site-to-site does not connect more to solve, I have to reset and reconfigure the ASA. This is happening dopo updating the ASA, I have version 842-k8 and asdm645-106.
Does anyone have any idea what can be?
Thank you.
Running-config:
: Saved
: Written by master at 10:34:14.839 BRDT Mon Oct 10 2011
ASA Version 8.4(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 172.16.0.140 255.255.252.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group gvt
ip address pppoe setroute
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone BRST -3
clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_172.16.0.0_22
subnet 172.16.0.0 255.255.252.0
object network NETWORK_OBJ_172.16.0.128_26
subnet 172.16.0.128 255.255.255.192
object network NETWORK_OBJ_20.0.0.0_24
subnet 20.0.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.11.0_24
subnet 172.16.11.0 255.255.255.0
object-group network obj_any
access-list 1 standard permit 172.16.0.0 255.255.252.0
access-list 1 standard permit 20.0.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.252.0 20.0.0.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 172.16.0.0 255.255.252.0 172.16.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool 172.16.0.150-172.16.0.160 mask 255.255.252.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 destination static NETWORK_OBJ_172.16.0.128_26 NETWORK_OBJ_172.16.0.128_26 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 destination static NETWORK_OBJ_20.0.0.0_24 NETWORK_OBJ_20.0.0.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 destination static NETWORK_OBJ_172.16.11.0_24 NETWORK_OBJ_172.16.11.0_24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
route outside 172.16.11.0 255.255.255.0 187.16.33.131 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.16.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 189.11.56.237
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 187.16.33.131
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group gvt request dialout pppoe
vpdn group gvt localname *******@turbonetpro
vpdn group gvt ppp authentication pap
vpdn username *******@turbonetpro password *****
dhcpd auto_config outside
dhcpd address 172.16.0.144-172.16.1.143 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy crv internal
group-policy crv attributes
dns-server value 172.16.0.253 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 1
default-domain value crvnatural.com.br
group-policy GroupPolicy_189.11.56.237 internal
group-policy GroupPolicy_189.11.56.237 attributes
vpn-filter value 1
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_187.16.33.131 internal
group-policy GroupPolicy_187.16.33.131 attributes
vpn-filter value 1
vpn-tunnel-protocol ikev1 ikev2
username master password kWH7f2vqtjMEg2Yp encrypted
tunnel-group crv type remote-access
tunnel-group crv general-attributes
default-group-policy crv
dhcp-server 172.16.0.253
tunnel-group crv ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 189.11.**.*** type ipsec-l2l
tunnel-group 189.11.**.*** general-attributes
default-group-policy GroupPolicy_189.11.**.***
tunnel-group 189.11.**.*** ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key ****
ikev2 local-authentication pre-shared-key *****
tunnel-group 187.16.33.*** type ipsec-l2l
tunnel-group 187.16.33.*** general-attributes
default-group-policy GroupPolicy_187.16.33.***
tunnel-group 187.16.33.*** ipsec-attributes
ikev1 pre-shared-key ******
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:50ed6f55182534a2429d065a26e9b45c
: endDavid,
In order to understand why LDAP is not working run a "debug ldap 255" and then try to login or run a AAA test.
Attach the output to find out the issue.
Please check this out as well, to make sure that you have the correct settings:
ASA 8.0: Configure LDAP Authentication for WebVPN Users
HTH.
Portu. -
Problem with saving config on asa 5505
I have asa 5505 with 512mb , i am trying to save ios on it but i failed many times , I have sandisk 2GB and i formatted with windows on fat but every time i see disk0 failed , any ideas what is the problem ?
ThanksI have asa 5505 with 512mb , i am trying to save ios on it but i failed many times , I have sandisk 2GB and i formatted with windows on fat but every time i see disk0 failed , any ideas what is the problem ?
Thanks -
ASA 5505 Problem with outbound PPTP-connection on non-native vlan
Hi, why am I not being able to make a PPTP connection on vlan80 (trunked to AP Cisco 1142N) compared to vlan10? And yes, I've configured the "
inspect pptp"
ASA 5505 with sec plus licenseHi mate,
I don't know how to solve your problem but I strongly reccommend you to remove your password from the first post and to update it on your ASA device -
Problem with asa 5505 routing,nating
i have the asa 5505 with asdm 6.4(5). my inside lan is 192.168.0.0/24. the outside of asa is connected on lan 10.13.74.0/24 and i need over lan 10.13.74.0/24 connect on lan 10.15.100.0/24. i puted nat rule on asa 5505 and acl rule and users from lan 10.15.100.0/24 can connect on my server, but i can't connect on from inside of asa connecet on lan 10.15.100.0/24 and 10.13.74.0/24. my configuration asa is
Result of the command: "show running-config": Saved:ASA Version 8.4(2) !hostname ciscoasaenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1 switchport access vlan 3!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.0.17 255.255.255.0 !interface Vlan2 nameif outside security-level 0 ip address 10.13.74.33 255.255.255.0 !ftp mode passiveobject network obj_any subnet 0.0.0.0 0.0.0.0object network server host 192.168.0.20object service ParagrafLex service tcp source eq 6190 destination eq 6190 object network sharepoint host 192.168.0.22access-list outside_access_in extended permit ip host 10.13.74.35 any access-list outside_access_in_1 extended permit ip any object server access-list outside_access_in_1 extended permit object ParagrafLex 10.15.100.0 255.255.255.0 object server access-list outside_access_in_1 extended permit object ParagrafLex any object server pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400!object network obj_any nat (inside,outside) dynamic interfaceobject network server nat (any,any) static 10.13.74.34access-group outside_access_in in interface outside control-planeaccess-group outside_access_in_1 in interface outsideroute inside 0.0.0.0 0.0.0.0 10.13.74.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyuser-identity default-domain LOCALhttp server enablehttp 192.168.1.0 255.255.255.0 insidehttp 10.13.74.0 255.255.255.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart warmstarttelnet timeout 5ssh timeout 5console timeout 0dhcpd auto_config outside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:791a1fa6b6fcccaa3177fed821d1f392: end
what i do that connect on lan 10.15.100.0/24. i cant ping my outside interface, puted rules on acl, i enabled sevice policy rule for icmp ,but nothing. pleas help me
thanksmy configuration asa 5505 is now
Result of the command: "show running-config"
: Saved
ASA Version 8.4(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.17 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.13.74.33 255.255.255.0
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network server
host 192.168.0.20
object service ParagrafLex
service tcp source eq 6190 destination eq 6190
object network sharepoint
host 192.168.0.22
object network uzzpro
range 10.13.74.40 10.13.74.45
object network share
host 192.168.0.22
object-group network internalnetwork
network-object 192.168.0.0 255.255.255.0
object-group network uzzpro-1
network-object object uzzpro
access-list outside_access_in extended permit ip host 10.13.74.35 any
access-list outside_access_in_1 extended permit ip any object server
access-list outside_access_in_1 extended permit object ParagrafLex 10.15.100.0 255.255.255.0 object server
access-list outside_access_in_1 extended permit object ParagrafLex any object server
access-list outside_access_in_1 extended permit ip any object share
access-list outside_access_in_1 extended permit icmp any object sharepoint echo-reply
access-list inside_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
object network server
nat (inside,outside) static 10.13.74.34
object network share
nat (any,any) static 10.13.74.39
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside control-plane
access-group outside_access_in_1 in interface outside
route inside 0.0.0.0 0.0.0.0 10.13.74.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.13.74.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cde649be1382dd8249eca185657d9de7
: end -
How to set up Split Tunneling on ASA 5505
Good Morning,
I have an ASA 5505 with security plus licensing. I need to set up split tunneling on the ASA and not sure how. I am very new to Cisco but am learning quickly. What I want to accomplish, if possible is to send all traffic to our corporate web site (static ip address) straight out to the internet and all other traffic to go though the tunnel as normal. Basically we have a remote office that is using a local ISP to provide internet service. IF our connection at the main office goes down, we want the branch office to still be able to get to our corporate website without having to unplug cables and connect their computer directly to the local ISP modem. Any help with be greatly appriciated. Thanks in advance. Below is a copy of our current config.
ASA Version 7.2(4)
hostname TESTvpn
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:953e50e9cbc02e1b264830dab4a3f2bd
: endSo I tried to use the exclude way that you suggested. Here is my new config. It is still not working. The address I put in for the excluded list was 4.2.2.2 and when I do a trace route to it from the computer, it still goes though the vpn to the main office and out the switch at the main office and not from the local isp. Any other suggestions?
hostname TESTvpn
domain-name default.domain.invalid
enable password rBtWtkaB8W1R3ub8 encrypted
passwd rBtWtkaB8W1R3ub8 encrypted
names
name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.155.0 TESTvpn
interface Vlan1
nameif inside
security-level 100
ip address 172.31.155.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Corp_Voice
security-level 100
ip address 172.30.155.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network SunVoyager
network-object host 64.70.8.160
network-object host 64.70.8.242
object-group network Corp_Networks
network-object Corp_LAN 255.0.0.0
network-object Corp_Voice 255.255.255.0
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 a
ny
access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0
any
access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
access-list VPN extended permit ip TESTvpn 255.255.255.0 any
access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
access-list TEST standard permit host 4.2.2.2
pager lines 24
logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Corp_Voice 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list data-vpn
nat (inside) 1 TESTvpn 255.255.255.0
nat (Corp_Voice) 0 access-list voice-vpn
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Corp_Voice_access_in in interface Corp_Voice
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http TESTvpn 255.255.255.0 inside
http Corp_LAN 255.0.0.0 inside
http 65.170.136.64 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 66.170.136.65
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh Corp_LAN 255.0.0.0 inside
ssh TESTvpn 255.255.255.0 inside
ssh 65.170.136.64 255.255.255.224 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 192.168.64.4 192.168.64.3
dhcpd address 172.31.155.10-172.31.155.30 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside
dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
dhcpd domain sun.ins interface Corp_Voice
dhcpd enable Corp_Voice
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy excludespecified
split-tunnel-network-list value TEST
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not
been met or due to some specific group policy, you do not have permission to us
e any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
tunnel-group 66.170.136.65 type ipsec-l2l
tunnel-group 66.170.136.65 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b3caaecf2a0dec7334633888081c367
: end -
ASA 5505 Dual WAN - Ping inactive wan from outside?
I currently have some small branch offices using ASA 5505 with Security Plus license and dual wan connections. They are configured wil an sla monitor so if the primary WAN goes down the secondary connection becomes active. This works as expected, however...
I can't ping the non-active interface from an outside source. I beleive this is by design or due to some limitation on the 5505. The problem is that I don't know if the backup WAN connection is functioning normally without forcing the ASA to make it active. We use a flaky wireless connection for the backups. The problem recently bit me because both WAN connections were offline.
I'm looking for an easy way to monitor the inactive wan interface, preferably by pinging from an outside location. Is this possible?Hello,
This wont work because the ASA receives the ping on the backup link but has the default route pointing to the outside.
You would have to add a more spefic route for your IP.
Example:
If you want to ping coming from IP 1.1.1.1
route outside 0 0 x.x.1.1 1 track 1
route backup 0 0 x.x.2.2 250
route backup 1.1.1.1 255.255.255.255 x.x.2.2
Regards,
Felipe.
Remember to rate useful posts. -
ASA 5505 Unable to assign ip to DMZ vlan interface
hi all,
I have ASA 5505 with base license.
I created 3rd vlan on it.it was created.
but i am unable to assign IP to it.
i assign ip address it takes it.
But when i do sh int ip brief it does not show any ip.
ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Prot
ocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES CONFIG up up
Vlan2 192.168.11.2 YES CONFIG up up
Vlan3 unassigned YES manual up up*************************************************************
Virtual0 127.0.0.1 YES unset up up
ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# ip ad
ciscoasa(config-if)# ip address 192.168.12.2 255.255.255.0
ciscoasa(config-if)# end
ciscoasa# wr mem
Building configuration...
Cryptochecksum: 808baaba ced2a226 07cfb41f 9f6ec4f8
4608 bytes copied in 1.630 secs (4608 bytes/sec)
[OK]
ciscoasa# sh int ip brief
Interface IP-Address OK? Method Status Prot
ocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES CONFIG up up
Vlan2 192.168.11.2 YES CONFIG up up
Vlan3 unassigned YES manual up up
Virtual0 127.0.0.1 YES unset up up
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(9)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 3 days 17 hours
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 001d.a24d.ed0e, irq 11
1: Ext: Ethernet0/0 : address is 001d.a24d.ed06, irq 255
2: Ext: Ethernet0/1 : address is 001d.a24d.ed07, irq 255
3: Ext: Ethernet0/2 : address is 001d.a24d.ed08, irq 255
4: Ext: Ethernet0/3 : address is 001d.a24d.ed09, irq 255
5: Ext: Ethernet0/4 : address is 001d.a24d.ed0a, irq 255
6: Ext: Ethernet0/5 : address is 001d.a24d.ed0b, irq 255
7: Ext: Ethernet0/6 : address is 001d.a24d.ed0c, irq 255
8: Ext: Ethernet0/7 : address is 001d.a24d.ed0d, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
<--- More --->
Need to know does this License support IP to 3rd vlan ?
Thanks
MaheshHi Julio,
I tried to config namef if but here is result
ciscoasa# sh run int vlan 3
interface Vlan3
description DMZ to 3550 New Switch
no nameif
security-level 50
ip address 192.168.12.2 255.255.255.0
ciscoasa# config t
ciscoasa(config)# int vlan 3
ciscoasa(config-if)# name
ciscoasa(config-if)# namei
ciscoasa(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured. -
Firewall Cisco ASA 5505 new interface license problem
Hi
I have one ASA 5505 with a Base License
The problem is when i want to use a new named interface the system says "With current License maximum number of named interfaces allowed is 3. Name cannot be set for this interface"
And the question is if with this base license the interface cannot be used or only cannot be named?
here the output of my firewall:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is e02f.6de6.7843, irq 11
1: Ext: Ethernet0/0 : address is e02f.6de6.783b, irq 255
2: Ext: Ethernet0/1 : address is e02f.6de6.783c, irq 255
3: Ext: Ethernet0/2 : address is e02f.6de6.783d, irq 255
4: Ext: Ethernet0/3 : address is e02f.6de6.783e, irq 255
5: Ext: Ethernet0/4 : address is e02f.6de6.783f, irq 255
6: Ext: Ethernet0/5 : address is e02f.6de6.7840, irq 255
7: Ext: Ethernet0/6 : address is e02f.6de6.7841, irq 255
8: Ext: Ethernet0/7 : address is e02f.6de6.7842, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : DisabledHi,
The ASA5505 has with Base License the limitation of 3 Vlan interface of which 1 is also limited in access (shown by the above output mentioning DMZ Restricted)
For an interface on the ASA to operate it must have a name with the command "nameif"
If you already have 3 Vlan interfaces in use then with this license you wont be able to configure 4th Vlan interface without getting a license that supports more interfaces. I guess that would be the Security Plus license.
I know that this has come as a surprise to several users that have posted here on the forums. I too think that its a needles "feature" in the ASA to limit the use of the device in such a way.
- Jouni
Maybe you are looking for
-
My iTunes wont launch even though a correct administrator password is given Why?
It seems that every time iTunes gets updated I get problems with the launch of it. For instance, if I click on the task-bar icon, a request for an administrator password to allow Apple to do its thing on my hard drive comes up and I type it in and it
-
Using a Mail rule to run an AppleScript
I've been trying to get a Mail rule to run a very simple AppleScript on 10.5.3 and it just doesn't work, period. I've tried making everything as simple as possible: 1. My Mail rule sets the background color of a message and runs the AppleScript if th
-
We are planning to implement OSB result caching feature in our project.We did the following to do a POC. 1.Created a DBAdapter to select from a table and created a BS out of that. 2.Enabled Result caching with TTL for 5 mins. 3.Invoked the BS from a
-
Hello all, I want to see which and how many transactional tables are populated with data in SAP . Is there any standard utility for it or will it be carried out through an ABAP program. If yes, then how ? Bundle of thanks, Shehryar
-
Is the Wild card search option availble in flex.