ASA 5510 cannot connect to Microsoft IAS

I'm at a total loss here. I am transitioning from a Microsoft ISA server to a Cisco ASA 5510. So far so good, until it comes to getting AAA functioning properly. I have a Microsoft IAS server that is functioning properly, however when I try to test it through the ASA's ASDM it errors out. When I run a packet trace it shows it's being blocked by the dreaded implicit ACL. The funny thing is that I can ping and traceroute to the IAS server from the ASA. I found numerous config examples for AAA using IAS, but still not working.
Could it possibly be behaving this way because my ASA and my IAS server are on two different internal networks? (172.31.1.x-ASA, 10.1.1.x-IAS)
Any help would be greatly appreciated!!

Oh no no, that is going to work; anything placed from the ASA firewall itself will work because it does not have anything that would limit the control plane.
Now, would you care to share the packet tracer output (without the detail command please), with the addresses removed and what not, to see at which point it fails?
The security level of the IAS, what is it?
Mike

Similar Messages

  • Failure - Cannot connect to Microsoft SQL Server on localhost

    Hi!
    I have a sqlserver installation on localhost and I want to connect with sqldeveloper.
    I fill connection name, username, password, hostname: localhost port: 1433
    and then click on retrieve database.
    I get the following error message: "Status: Failure - Cannot connect to Microsoft SQL Server on localhost"
    I don't know the reason. I can use another connection to another MS SQL Server and it's no problem, but can't connect to localhost.
    I have special signs in my computername, for example a "-". Is this the problem?
    How can I solve it?
    Thank you
    Andreas

    I am able to successfully connect to my local SQLEXPRESS instance using the following settings:
    Hostname: localhost
    Port: 1433/DBName;instance=SQLEXPRESS
    Even though I use this to connect, I cannot open a tcp connection to port 1433 via telnet. I believe this goes hand in hand with specifying the instance. As I understand it, there are two ways to specify the port, one is directly, the other is through a named instance (another port is used as a service to look up the correct port). SQL Server 2005 appears to prefer named instances instead of specific ports. When "instance" is specified, the port can actually be any number, the driver apparently ignores it.
    The Retrieve database (list) appears to be only for informational purposes. I have to specify the database in the Port field (DBName) regardless of what I have selected in this list.
    Hope this helps!
    PS: Retrieve database will give that error until instance is specified in my case.
    Edited by: flszen on Feb 4, 2009 1:29 PM

  • Cannot connect to microsoft services.

    I purchased a MacBook, however I cannot connect to ANYTHING Microsoft. By this I mean Remote Desktop Connection, my Hotmail email account as well as Windows shares. I get invalid password for every medium I try to use. I have been through several forums and the only thing that does actually work is a numeric password to connect to these services, but for security reasons this would not be a good way to go for me. It worked initially with 10.7.4 but after the updates were applied it was never the same. I have tried all the way to 10.8 and yet nothing. Any help with this is greatly appreciated.

    The installation steps are understandable and I've followed all steps you basically described... a couple of times... and I end up with the same error message: "Following error occurred during Microsoft Azure Backup SnapIn operation. Error details: The Microsoft Azure Recovery Services Agent cannot connect to the OBEngine service. Verify that the OBEngine service is present in the Services Control Panel and that the port 6049 is available."
    The Microsoft Azure Recovery Services Agent (obengine) service is up and running (Started/Manual).
    When the Microsoft Azure Recovery Services Agent SnapIn is closed and reopened the same message appears in the SnapIn window immediately after opening.
    Yesterday I created a new backup vault, downloaded and installed the Agent, registered the server with new credentials, scheduled a backup, clicked backup now and... oops, same error message... thus looking for ideas.
    Rob

  • Setting up a ASA 5510 cannot get SMTP to come in

    I have an ASA 5510 (ver 8.4) and I have been all over the support sites looking for what I am doing wrong. I have a sanitized cut-n-paste of the OBJECT, NAT, ACCESS-LIST and Packet Tracer output and it keeps failing on the NAT with an rpf-check. Once I get the SMTP flowing I have to open up HTTP and HTTPS to one of the servers also.
    Any help greatly appreciated!!!
    Here it is:
    RVGW# sh run object
    object network WiFi
    subnet 172.17.100.0 255.255.255.0
    description WiFi
    object network inside-net
    subnet 172.17.1.0 255.255.255.0
    object network NOSPAM
    host 172.17.1.49
    object network BH2
    host 172.17.1.60
    RVGW# sh run nat
    object network inside-net
    nat (Inside,Outside) dynamic interface
    object network NOSPAM
    nat (Inside,Outside) static 5.29.79.12
    object network BH2
    nat (Inside,Outside) static 5.29.79.11 service tcp smtp smtp
    RVGW# sh access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list Outside_access_in; 2 elements; name hash: 0xe796c137
    access-list Outside_access_in line 1 extended permit tcp any object NOSPAM eq smtp 0x49e8de7d
      access-list Outside_access_in line 1 extended permit tcp any host 172.17.1.49 eq smtp (hitcnt=3) 0x49e8de7d
    access-list Outside_access_in line 2 extended permit tcp any object BH2 eq smtp 0xddf3d54c
      access-list Outside_access_in line 2 extended permit tcp any host 172.17.1.60 eq smtp (hitcnt=2) 0xddf3d54c
    RVGW# packet-tracer input outside tcp 4.2.2.2 25 172.17.1.49 25
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.17.1.0      255.255.255.0   Inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group Outside_access_in in interface Outside
    access-list Outside_access_in extended permit tcp any object NOSPAM eq smtp
    Additional Information:
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: INSPECT
    Subtype: inspect-smtp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect esmtp _default_esmtp_map
    service-policy global_policy global
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    object network NOSPAM
    nat (Inside,Outside) static 5.29.79.12
    Additional Information:
    Result:
    input-interface: Outside
    input-status: up
    input-line-status: up
    output-interface: Inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    RVGW#

    hi
    Please use the public IP (5.29.79.12) in the packet-tracer command as the destination, not the private 172.17.1.49.
    regards,
    Mohammad
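The packet-tracer output in the post above has a regular phase structure, so a defender can parse it rather than read it by hand. The following is an added example, not code from the original thread: it parses a constructed trace modelled on the one above (addresses replaced with RFC 5737 documentation values, the object and ACL names kept) and reports the first phase that returned DROP; when that phase is a NAT rpf-check on a static object, it also points at the mapped address the inbound trace should have targeted, which is exactly the correction given in the reply.

```python
"""Parse Cisco ASA `packet-tracer` output and report where the flow was dropped.

SAMPLE is a constructed trace modelled on the output format in the post above;
the addresses are documentation values, not the poster's.
"""
import re

SAMPLE = """\
RVGW# packet-tracer input outside tcp 203.0.113.5 25 192.0.2.49 25
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.0.2.0      255.255.255.0   Inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any object NOSPAM eq smtp
Additional Information:
Phase: 3
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NOSPAM
nat (Inside,Outside) static 198.51.100.12
Additional Information:
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, summary).

    phases: list of dicts with keys phase, type, subtype, result, config, info.
    summary: the trailing Result block (action, drop_reason, input_interface, ...).
    """
    phases, summary = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":
            # A bare "Result:" (no value) starts the trailing summary block.
            cur, section = None, "summary"
            continue
        if cur is None:
            if section == "summary" and ":" in line:
                key, val = line.split(":", 1)
                summary[key.strip().lower().replace("-", "_")] = val.strip()
            continue
        m = re.match(r"(Type|Subtype|Result):\s*(.*)", line)
        if m:
            cur[m.group(1).lower()] = m.group(2).strip()
            section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info") and line:
            cur[section].append(line)
    return phases, summary


def first_drop(phases):
    """First phase whose Result is DROP, or None when the flow was allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def diagnose(text):
    """One-line explanation of where and why the trace failed."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return "allowed: all %d phases passed" % len(phases)
    note = ""
    if drop["type"] == "NAT" and drop["subtype"] == "rpf-check":
        # The reverse-path check fails when an inbound trace targets the real
        # (inside) address of a static NAT object; it must use the mapped IP.
        mapped = [m.group(1) for m in
                  (re.search(r"\bstatic\s+(\S+)", c) for c in drop["config"]) if m]
        note = "; inbound trace should target the mapped address %s" % (
            mapped[0] if mapped else "<unknown>")
    return "dropped at phase %d (%s/%s): %s%s" % (
        drop["phase"], drop["type"], drop["subtype"],
        summary.get("drop_reason", ""), note)


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```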

  • Cannot Connect to Microsoft Exchange 2003

    Hello all ,
    I just bought my new iMac. I have been trying to synchronize my internal emails (work emails) with Microsoft Exchange 2003 but was not able to do so. I was using my laptop (PowerBook) that has Leopard 10.5.8 and Mail 3.5, and it was working perfectly. Any new update that will fix this issue? Or is there a way to configure Mail to synchronize with Exchange 2003?

    What is really weird from Apple is that the iPhone is connecting to Exchange without wondering whether it's an Exchange 2003 or 2007, but Mail does....
    I connected my iPhone in a matter of minutes, but I just realized that it is a 2003 Exchange server that I'm connected with.
    So I asked my Admin whether I can connect through IMAP.
    Gilles

  • Cannot Connect to Microsoft Exchange 2007

    Hello everyone,
    I'm sure this question has been answered somewhere on here already but I can't seem to find it.  I am trying to connect to my school employee e-mail which is on Microsoft Exchange 2007.  In the mail setup wizard I have Exchange 2007 selected as account type, for my incoming server name I put owa.school.edu, my username and password and it will not connect, giving me the following error message:
         The Exchange 2007 server "owa.school.edu" is not responding. Try checking the network connection, and that the server name is correct. Otherwise the      server might be temporarily unavailable. If you continue, you might not be able to receive messages.
    Now I've used this same information on my iPhone and iPad and haven't had a problem syncing with those devices. Why will this not work with the Mail app on my MacBook? It may also be helpful to note I am running version 10.6.8 of Mac OS X.


  • I cannot connect to Microsoft SQL Server 2008

    I am getting a cannot load when I am trying to download SQL Server 2008.

    Hi,
    >>1)Can you look into the application log in the eventvwr for a detailed error message and post it here
    Where should I look into?
    Go to All Programs --> Microsoft SQL Server --> Configuration Tools --> SQL Server Configuration Manager --> SQL Server Services in the left pane --> right click SQL Server --> Start. You can also see Properties, where you can see the Log On As tab.
    On my machine I have only the default instance. Based on the instances running on your machine you can see the services running accordingly in here.
    You already told us your SQL Server service is not starting. Now you have tried again to start the services and the error would have been logged in the eventvwr.
    Start --> cmd --> eventvwr --> Windows Logs --> Application --> in the right side pane you can see the errors logged at the time when you tried to start SQL Server, on why SQL Server was not able to start.
    Please go through that and post those error messages in here. Since you are using it after a long time there is a chance you moved your master DB's mdf and ldf files to some other location. Without the master DB coming up, your instance will not come up.
    Thanks

  • Cannot connect with microsoft account

    When I want to connect to my Skype account I get a blank page and it only says ''This page contains errors''.
    I'm using the Windows XP operating system.
    Internet browser is Firefox.
    Tried to uninstall and re-install and still nothing.
    Please help; on my laptop with Vista it works fine.

    What is the version of Internet Explorer installed on your computer?
    In Internet Explorer go to Help -> About Internet Explorer.
    P.S. Please, don’t say that you are not using Internet Explorer. This is irrelevant. Skype depends on Internet Explorer.

  • Error - While creating a connection to Microsoft SQL Server from Oracle SQL Dev

    Dear All,
    While I am trying to create a connection to Microsoft SQL Server from Oracle SQL Developer, the following error occurs: "Cannot connect to Microsoft SQL Server on localhost".
    Can anyone please guide me to solve this?
    Thanks in advance,
    Rider

    Hi,
    This issue is not supported by the SharePoint on-premise team.
    In addition, as this issue is related to Power View, I suggest you create a new thread in the Power View forum, where more experts will assist you.
    https://social.technet.microsoft.com/Forums/en-US/home?forum=powerview
    Best Regards,
    Lisa Chen
    TechNet Community Support

  • Cannot connect to iTunes store from PC

    Diagnostics below- at bottom it shows last connection today, but I cannot connect.
    Microsoft Windows 7 x64 Business Edition Service Pack 1 (Build 7601)
    Gigabyte Technology Co., Ltd. P35-DS3L
    iTunes 10.5.3.3
    QuickTime 7.7.1
    FairPlay 1.13.37
    Apple Application Support 2.1.6
    iPod Updater Library 10.0d2
    CD Driver 2.2.0.1
    CD Driver DLL 2.1.1.1
    Apple Mobile Device 4.0.0.97
    Apple Mobile Device Driver 1.57.0.0
    Bonjour 3.0.0.10 (0.0)
    Gracenote SDK 1.9.5.502
    Gracenote MusicID 1.9.5.115
    Gracenote Submit 1.9.5.143
    Gracenote DSP 1.9.5.45
    iTunes Serial Number 0037A74413D62BB0
    Current user is not an administrator.
    The current local date and time is 2012-03-09 17:57:14.
    iTunes is not running in safe mode.
    WebKit accelerated compositing is enabled.
    HDCP is not supported.
    Core Media is supported.
    Video Display Information
    Advanced Micro Devices, Inc., ATI Radeon HD 4800 Series
    **** External Plug-ins Information ****
    No external plug-ins installed.
    Genius ID: f8c337699275123daabb68ba3a6a762e
    iPodService 10.5.3.3 (x64) is currently running.
    iTunesHelper 10.5.3.3 is currently running.
    Apple Mobile Device service 3.3.0.0 is currently running.
    **** Network Connectivity Tests ****
    Network Adapter Information
    Adapter Name: {CBCDA5E2-1BCC-4942-ACA8-77D393777DDB}
    Description: Realtek RTL8168B/8111B Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
    IP Address: 192.168.0.10
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.0.1
    DHCP Enabled: Yes
    DHCP Server: 192.168.0.1
    Lease Obtained: Fri Mar 09 17:50:31 2012
    Lease Expires: Fri Mar 09 18:50:31 2012
    DNS Servers: 68.113.206.10, 24.217.0.5, 71.92.29.130
    Active Connection: LAN Connection
    Connected: Yes
    Online: Yes
    Using Modem: No
    Using LAN: Yes
    Using Proxy: No
    SSL 3.0 Support: Enabled
    TLS 1.0 Support: Enabled
    Firewall Information
    Windows Firewall is off.
    Connection attempt to Apple web site was successful.
    Connection attempt to browsing iTunes Store was successful.
    Connection attempt to purchasing from iTunes Store was successful.
    Connection attempt to iPhone activation server was successful.
    Connection attempt to firmware update server was successful.
    Connection attempt to Gracenote server was successful.
    Last successful iTunes Store access was 2012-03-09 17:24:17.

    many thanks.
    Doublechecking one odd thing from the diagnostics.
    Current user is not an administrator.
    Is that true? Or does your Windows user account have full admin rights?
    If you do actually have an administrative account, the false result in the iTunes diagnostics can sometimes indicate idiosyncratic permissions trouble that has been known to interfere with Store connections.
    Let's try an experiment. I'd like to try doing a "Run as administrator" on your iTunes.
    Quit iTunes first.
    In Computer, open Local Disk C: or whichever drive you have your program files installed on.
    Open the "Program files (x86)" folder.
    Open the "iTunes" folder.
    Right-click on the iTunes.exe file and select "run as administrator".
    Run your network connectivity tests again. Do they now say "Current user is an administrator"? If so, do you also now get a proper Store connection?

  • Can Teredo for Microsoft DirectAccess work in the DMZ of an ASA 5510?

    I'd like to find some way to get Teredo to work with our DirectAccess implementation.  To do that, the external facing NIC on the DirectAccess server needs to be configured with a routable public IP address.
    We have an ASA 5510 (running 8.3 (2)) that has switches on the Internal and DMZ interfaces, but connects directly to our Internet router through the External interface.
    So, I do not have a switch that will allow me to connect our DA server directly to the edge.  Short of buying a new switch and putting it outside of the firewall, I wanted to see if there was a way to configure the ASA so that Teredo would work in the DMZ.
    Our current DMZ has 2 Barracuda devices (spam and web filters) using static NAT objects. The IPs are all 192.168.x.
    Is there some way of getting the DirectAccess external interface to work in the DMZ with a public IP address (and our ISP's gateway) without mucking everything else up?  I've read about transparency mode, but I cannot figure out if that would affect our other devices.
    Thanks in advance!
    -Brad

    Hi. I'm not 100% sure... But I think with UAG Service Pack 1 or 2 you no longer require a publicly routable address for the external interface of the UAG server. You can now add the UAG server to your existing DMZ without affecting the addressing. Then you allow the Teredo tunneling traffic to the server.
    HTH

  • Connecting ASA 5510s to a DSL modem with a static IP range

    I have DSL service with AT&T and I have a Motorola 3360 modem. We also have a /28 network of static IPs from AT&T. When I login using PPPoE on the modem it gets x.x.x.190 as its address. Our range is 177-190. I have two ASA 5510s in an active/passive failover configuration with the Ethernet port of the modem and one interface of each of the ASAs on a dumb layer 2 switch.
    I want to set up this DSL connection as a backup to our main Internet connection. I cannot figure out what setting on the DSL modem to use to make this happen. I know I cannot use PPPoE in a failover setting so I can't have the modem in bridged mode. There is some mode where it passes the 190 address to the connected device, and when I plug a PC directly into the modem and set it for DHCP it does get 190 as its address. So do I configure the ASA interface as 190 with one of the other addresses as its standby? What do I set my route on the ASA to for use of this connection? Can I then make use of these other static addresses when plugging other devices into the layer 2 switch?

    Thanks for your prompt response.  From your information, your network near the firewalls looks like this:
    Your cable modem connects to your provider without any intervention from your equipment, and you are free to assign IP addresses from your assigned block. The cable ISP knows to route traffic to your block down to the layer 2 segment attached to the cable modem.
    As you described, the Motorola 3360 DSL modem is an odd fish. I do not have personal experience with that device, but from internet searches that appears to be a model AT&T bundles with small business DSL service. The 3360 appears to have three modes:
    --router mode, where it uses a single public IP on the WAN side and issues IP addresses in the 192.168.1.x range on the LAN side. The modem performs the PPPoE function in this mode.
    --hybrid mode, where it gets a single public IP on the WAN side and then passes that through to one device connected on the LAN side. The modem performs the PPPoE function in this mode.
    --bridge mode. A device on the LAN side must perform the PPPoE function.
    Various links I found indicate folks with static IP address assignments from their ISP (usually AT&T) have difficulty getting those static IP addresses to work with the Motorola 3360 except in bridge mode.
    To your original question, I'm guessing you match the configuration you performed on the cable modem side and use two of your static IPs for the ASAs. However, it's unclear if the additional IP addresses will work with the 3360's odd behavior. If you have internet-exposed hosts (as shown in my simple drawing), try assigning some of the DSL static IPs to those hosts and test communications both ways -- host-->internet, internet-->host. If possible, test two hosts at the same time to verify the 3360 can handle multiple public IPs at the same time (one posting I found claimed it could only handle one public IP address at a time).

  • Using ASA 5510 and router for dual WAN Connections.

    Guys, need some help here:
    Context:
    1- My company has one ASA 5510 configured with site-to-site VPN, IPsec Cisco VPN and AnyConnect VPN.
    2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the NATing for internal users to go out.
    3- A second link is coming in and we will be using ISP 2 to loadbalance traffic to internet (i.e. business traffic will go via ISP1 and “other” traffic will go via ISP2).
    4- A router will be deployed in front of the ASA to terminate internet links.
    5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2).
    Questions:
    How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?
    Since I will be having 2 public IP addresses from the 2 ISPs, how do I NAT internal users to the 2 public IP addresses?
    Finally, which device should be doing the NATing? The ASA just like now or move NATing to the Router?
    Thanks
    Ndaungwe

    Hi,
    Check the below link; it gives information on transparent FW config and limitations. Based on the doc, you may need to move the VPN/AnyConnect to the router as well. From the router end you may be able to set up static routes pointing to different ISPs based on traffic needs, but this will be a complicated setup and can break things. Wait for other suggestions or, if possible, stick to the ASA to terminate both links and still route the traffic to different ISPs (saves the router cost as well).
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
    Thx
    MS

  • Cannot connect to ASDM on ASA 5505 over https

    Problem: Cannot connect to ASDM on ASA 5505 when vlan1 network is changed from the factory default.
    Hi all. I am just getting started on a new ASA 5505, working it in a test lab environment. I ran through the initial setup wizard. During that time I specified a name for Vlan1 (changed from 'inside' to 'INTR-NET'), modified the Vlan1 IP address to use DHCP, and then populated the Device Config Access table with entries corresponding to the entire Class B network here on the local intranet. I don't recall if the factory-default network was already populated, but if it wasn't I added it as 192.168.1.0/255.255.255.0
    I then saved the config, and verified that the ASA got a DHCP address using the RS-232 console. I then reconfigured the laptop I have plugged into port 0/1 with its normal address on the intranet and discovered that I couldn't reconnect to ASDM. The ASDM client times out, and a web browser opened to https://(ASA5505's dhcp addr) fails as well.
    I then used the console to add another http IP address matching the specific IP address (xxx.240.113.129/255.255.255.255) which the laptop is set for, to the list of permissible admin connections, but saw no difference.
    This issue is much the same as was reported in this prior forum posting:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&topicID=.ee6e1f8&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc16cb8/4
    EXCEPT that I was already aware the admin IP address(es) needed to be registered to enable access via SSH/Telnet/HTTPS.
    And, I did that step, but it is not working. I have tried adding various combinations of network ranges in the device config access list, including the specific subnet that the lab's dhcp server assigned to the ASA 5505 (xxx.240.112.0/255.255.254.0), but there is no difference. I can traceroute to the laptop and ping the Vlan1 interface from the laptop, but the https ASDM (and ssh connections too) are not successful. This is very frustrating.
    The device is brand new, I see that upon boot it loads asa724-k8.bin, and the software banner says Cisco Adaptive Security Appliance Software Version 7.2(4)
    Note also that, from the RS-232 console, if I reset the IP address to the static, factory default (192.168.1.1) and manually config my laptop on the same subnet, then ASDM makes the connection. Just like out of the box. But when I put it back onto our intranet and verify the DHCP lease, then ASDM is a no go.
    Can you think of what I've missed?

    Good question. Let me add that info plus related Vlan config details:
    ASA5505A# show ip
    System IP Addresses:
    Interface Name IP address Subnet mask Method
    Vlan1 INTR-NET XXX.240.112.92 255.255.254.0 DHCP
    Vlan2 VoIP 172.26.99.1 255.255.255.0 manual
    Vlan3 dmz-unused 192.168.99.1 255.255.255.0 manual
    Current IP Addresses:
    Interface Name IP address Subnet mask Method
    Vlan1 INTR-NET XXX.240.112.92 255.255.254.0 DHCP
    Vlan2 VoIP 172.26.99.1 255.255.255.0 manual
    Vlan3 dmz-unused 192.168.99.1 255.255.255.0 manual
    ASA5505A# show switch vlan
    VLAN Name Status Ports
    1 INTR-NET up Et0/1, Et0/2, Et0/3, Et0/4
    2 VoIP down Et0/5, Et0/6, Et0/7
    3 dmz-unused down Et0/0
    ASA5505A#
    ASA5505A# config t
    ASA5505A(config)# show running-config http
    http server enable
    http XXX.240.0.0 255.255.0.0 INTR-NET
    http 192.168.1.0 255.255.255.0 INTR-NET
    http XXX.240.113.129 255.255.255.255 INTR-NET
    ASA5505A(config)#
    ASA5505A(config)# show running-config ssh
    ssh 192.168.1.0 255.255.255.0 INTR-NET
    ssh XXX.240.0.0 255.255.0.0 INTR-NET
    ssh timeout 5
    SECURITY LEVEL IS 100 ON Vlan1 and Vlan2, 50 on Vlan3, and traffic is restricted from Vlan3 to Vlan1 because this is the basic license.

  • Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!

    Hi,
    I have an ASA 5510 with the configuration below. I have configured the ASA as a remote access VPN server with the Cisco VPN client; my problem now is I can connect but I can't ping.
    Config
    ciscoasa# sh run
    : Saved
    ASA Version 8.0(3)
    hostname ciscoasa
    enable password 5QB4svsHoIHxXpF/ encrypted
    names
    name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
    name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
    name xxx.xxx.xxx.xxx Mail_Server
    name xxx.xxx.xxx.xxx IncomingIP
    name xxx.xxx.xxx.xxx SAP
    name xxx.xxx.xxx.xxx WebServer
    name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
    name 192.168.2.2 isa_server_outside
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address IncomingIP 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.253 255.255.255.0
    management-only
    passwd 123
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object-group service TCP_8081 tcp
    port-object eq 8081
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 3389
    port-object eq ftp
    port-object eq www
    port-object eq https
    port-object eq smtp
    port-object eq pop3
    port-object eq 3200
    port-object eq 3300
    port-object eq 3600
    port-object eq 3299
    port-object eq 3390
    port-object eq 50000
    port-object eq 3396
    port-object eq 3397
    port-object eq 3398
    port-object eq imap4
    port-object eq 587
    port-object eq 993
    port-object eq 8000
    port-object eq 8443
    port-object eq telnet
    port-object eq 3901
    group-object TCP_8081
    port-object eq 1433
    port-object eq 3391
    port-object eq 3399
    port-object eq 8080
    port-object eq 3128
    port-object eq 3900
    port-object eq 3902
    port-object eq 7777
    port-object eq 3392
    port-object eq 3393
    port-object eq 3394
    port-object eq 3395
    port-object eq 92
    port-object eq 91
    port-object eq 3206
    port-object eq 8001
    port-object eq 8181
    port-object eq 7778
    port-object eq 8180
    port-object eq 22222
    port-object eq 11001
    port-object eq 11002
    port-object eq 1555
    port-object eq 2223
    port-object eq 2224
    object-group service RDP tcp
    port-object eq 3389
    object-group service 3901 tcp
    description 3901
    port-object eq 3901
    object-group service 50000 tcp
    description 50000
    port-object eq 50000
    object-group service Enable_Transparent_Tunneling_UDP udp
    port-object eq 4500
    access-list inside_access_in remark connection to SAP
    access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
    access-list inside_access_in remark VPN Outgoing - PPTP
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
    access-list inside_access_in remark VPN Outgoing - GRE
    access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
    access-list inside_access_in remark VPN - GRE
    access-list inside_access_in extended permit gre any any
    access-list inside_access_in remark VPN Outgoing - IKE Client
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
    access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
    access-list inside_access_in remark DNS Outgoing
    access-list inside_access_in extended permit udp any any eq domain
    access-list inside_access_in remark DNS Outgoing
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in remark Outoing Ports
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any any eq pptp
    access-list outside_access_in extended permit gre any any
    access-list outside_access_in extended permit gre any host Mail_Server
    access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
    access-list outside_access_in extended permit esp any any
    access-list outside_access_in extended permit ah any any
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
    access-list VPN standard permit 192.168.2.0 255.255.255.0
    access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 2 Mail_Server netmask 255.0.0.0
    global (outside) 1 interface
    global (inside) 2 interface
    nat (inside) 0 access-list corp_vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
    static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
    static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
    static (inside,outside) 192.168.2.0  access-list corp_vpn
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set transet esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set pfs
    crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
    crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
    crypto map cryptomap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
    dhcpd domain domain.local interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    tftp-server management 192.168.1.123 /
    group-policy mypolicy internal
    group-policy mypolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN
    username vpdn password 123
    username vpdn attributes
    vpn-group-policy mypolicy
    service-type remote-access
    tunnel-group mypolicy type remote-access
    tunnel-group mypolicy general-attributes
    address-pool POOL
    default-group-policy mypolicy
    tunnel-group mypolicy ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
    : end
    Thank you very much.

    Here is the output:
    ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (inside,outside) 192.168.2.0  access-list corp_vpn
    nat-control
      match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
        static translation to 192.168.2.0
        translate_hits = 0, untranslate_hits = 139
    Additional Information:
    NAT divert to egress interface inside
    Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any any
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (inside,outside) 192.168.2.0  access-list corp_vpn
    nat-control
      match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
        static translation to 192.168.2.0
        translate_hits = 0, untranslate_hits = 140
    Additional Information:
    Phase: 11
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
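As an added example (not code from the thread or from Cisco), a small Python parser for packet-tracer output like the one above: it splits the trace into phases and reports which phase dropped the flow and the rule it matched, so the offending ACL or NAT line can be pulled out of a long trace without reading it by eye. The sample trace is constructed and abridged from the shape of the output posted above.

```python
# Constructed, abridged excerpt in the shape of the packet-tracer output posted above.
SAMPLE_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(trace):
    """Split packet-tracer output into per-phase records and the trailing summary."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in trace.splitlines()):
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": []}
            phases.append(cur)
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            cur = None
        elif cur is None and ":" in line:
            key, val = line.split(":", 1)
            summary[key.strip()] = val.strip()
        elif cur is None:
            continue  # stray text outside any phase or summary field
        elif line in ("Config:", "Additional Information:"):
            section = line
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
        elif section == "Config:":
            cur["config"].append(line)  # the rule(s) this phase matched
    return {"phases": phases, "summary": summary}

def dropping_phase(trace):
    """First phase whose Result is DROP, or None if the flow was allowed end to end."""
    return next((p for p in parse_trace(trace)["phases"] if p.get("result") == "DROP"), None)
```

Paste the full output of `packet-tracer` in place of the sample; a `Config:` block of just `Implicit Rule` at the dropping phase, as in the post, means no explicit access-list entry matched and the interface's implicit deny fired.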
