ASA 5512-X Still no connection
I've appreciated those who have answered; I am not getting anywhere. I cannot get out to the internet from the ASA.
Thanks for your help; it didn't work, or I've missed something with modifying the ASDM. Also, can I preface that we have it going this way: Network (Modem; T1) ------ Firewall ------ Switch (unmanaged)
Just so you know, in case I missed something, below is our config after the changes. I did the NAT through the object; was that incorrect?
Result of the command: "show running-config"
: Saved
ASA Version 9.1(2)
hostname IOSASA
domain-name IOS.LOCAL
enable password LCF3phzihasrhsIb encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif Outside
security-level 0
ip address 69.61.160.* 255.255.255.248
interface GigabitEthernet0/1
speed 100
duplex full
nameif Inside
security-level 100
ip address 191.10.10.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name IOS.LOCAL
same-security-traffic permit inter-interface
object network Inside
subnet 191.10.10.0 255.255.255.0
description Inside IOS
pager lines 24
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Inside
nat (Inside,Outside) dynamic interface
route Outside 0.0.0.0 0.0.0.0 69.61.160.* 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0fb5c0e32efb6aaaada09167008f5a47
: end
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside
nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 191.10.10.10/12345 to 69.61.160.154/12345
Forward Flow based lookup yields rule:
in id=0x7fff9ffba430, priority=6, domain=nat, deny=false
hits=4, user_data=0x7fff9f7b5a70, cs_id=0x0, flags=0x0, protocol=0
src ip/id=191.10.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=Outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9eba5150, priority=0, domain=nat-per-session, deny=false
hits=32540, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f9b42a0, priority=0, domain=inspect-ip-options, deny=true
hits=83, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9eba5150, priority=0, domain=nat-per-session, deny=false
hits=32542, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9f79c1f0, priority=0, domain=inspect-ip-options, deny=true
hits=21, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 25539, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
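The packet-tracer output above says the flow is allowed at every phase, which is why the thread is stuck: the ASA's own verdict is "allow" and the problem lies elsewhere (upstream gateway, ARP, the unmanaged switch). When you are working through several such traces it helps to reduce each one to a single line. The following parser is an added example, not code from the thread; it reads the phase blocks that `packet-tracer` prints, pulls out the NAT translation and the first DROP phase, and reports the final action. The ALLOW trace is an abridged copy of the thread's own output; the DROP trace is a constructed sample (the `Drop-reason:` line is the form the ASA prints in the final Result section when a flow is denied) used only to exercise the deny path.

```python
"""Triage Cisco ASA `packet-tracer` output (added example, not from the thread)."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
TYPE_RE = re.compile(r"^Type:\s*(\S+)$")
RESULT_RE = re.compile(r"^Result:\s*(ALLOW|DROP)$")   # the trailing bare "Result:" header does not match
ACTION_RE = re.compile(r"^Action:\s*(\w+)$")
DROP_REASON_RE = re.compile(r"^Drop-reason:\s*(.+)$")
XLATE_RE = re.compile(r"translate\s+(\S+)\s+to\s+(\S+)")  # "Dynamic translate A/p to B/p"


def parse_packet_tracer(text):
    """Return a dict with phases, action, xlate, first_drop and drop_reason."""
    phases, current = [], None
    summary = {"action": None, "xlate": None, "drop_reason": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": None, "result": None}
            phases.append(current)
            continue
        m = TYPE_RE.match(line)
        if m and current and current["type"] is None:
            current["type"] = m.group(1)
            continue
        m = RESULT_RE.match(line)
        if m and current and current["result"] is None:
            current["result"] = m.group(1)
            continue
        m = XLATE_RE.search(line)
        if m:
            summary["xlate"] = (m.group(1), m.group(2))
            continue
        m = ACTION_RE.match(line)
        if m:
            summary["action"] = m.group(1)
            continue
        m = DROP_REASON_RE.match(line)
        if m:
            summary["drop_reason"] = m.group(1)
    summary["phases"] = phases
    summary["first_drop"] = next((p for p in phases if p["result"] == "DROP"), None)
    return summary


def triage(text):
    """One-line verdict for a trace: where it was dropped, or what NAT it got."""
    s = parse_packet_tracer(text)
    if s["first_drop"]:
        p = s["first_drop"]
        reason = s["drop_reason"] or "no drop-reason printed"
        return f"DROP at phase {p['phase']} ({p['type']}): {reason}"
    nat = f"; NAT {s['xlate'][0]} -> {s['xlate'][1]}" if s["xlate"] else ""
    return f"{(s['action'] or 'unknown').upper()} after {len(s['phases'])} phases{nat}"


# Abridged copy of the thread's trace (phases 3-6 omitted, so 3 phases remain).
ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside
nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 191.10.10.10/12345 to 69.61.160.154/12345

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 25539, packet dispatched to next module

Result:
input-interface: Inside
output-interface: Outside
Action: allow
"""

# Constructed sample of a denied flow (not from the thread).
DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface Inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: Inside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(triage(ALLOW_TRACE))
    print(triage(DROP_TRACE))
```

An "ALLOW" verdict with a correct NAT line, as in the thread, means the next check belongs outside the ASA: whether the default gateway in `route Outside 0.0.0.0 0.0.0.0 ...` answers ARP and ICMP from the Outside interface address.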
Similar Messages
-
Asa-5512-x no connectivity to internet
I am going from a pix-515e to asa-5512-x. I used the wizard for the initial setup. I then set the interfaces the same, objects, nat rules, routes, ACLs the same as in the 515e (except for the outside interface ACL where you use the inside address now, rather than the outside...and you have a global deny rule for all interfaces) .
I take the cables from the inside / outside interface from the 515e, plug them into the 5512x and nada...
Computers on the inside can't get out. I see egress failures on the ASDM monitor from the inside to outside. I don't see any traffic coming in on the outside interface to the inside as I do on the ASDM of the 515e.
ASA Version 9.1(5)
hostname ASA-5512-X
domain-name mydomain.com
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 98.xxx.xxx.xxx 255.255.255.224
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.0.1.242 255.255.252.0
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa915-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.42
domain-name mydomain.com
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object webserver-inside object-group web-ports
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-716.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static webserver-inside webserver-outside unidirectional
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 98.xxx.xxx.xxx 2
route inside 172.20.0.0 255.255.0.0 10.0.0.1 1
route inside 172.21.0.0 255.255.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.0.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
At a quick glance the config looks pretty clean (please do use ssh and not telnet though).
Since you replaced one box with another, have you checked that your upstream (Outside) device is reachable from the ASA itself? (i.e. can you ping your default gateway at 98.xxx.xxx.xxx 2?)
I've sometimes seen cases where we had to ask the ISP to clear their ARP cache when changing out firewalls. -
How to Configure Cisco ASA 5512 for multiple public IP interfaces
Hi
I have a new ASA 5512 that I would like to configure for multiple public IP support. My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
Here is my concept. We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access. We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections. I have installed an add on license that allows multiple outside interfaces along with a number of other features.
Outside Networks (I've changed the IPs for security purposes)
Outside1 E 0/0 : 74.55.55.210 255.255.255.240 gateway 74.55.55.222
Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
Inside1 : E 0/1 192.168.255.1 255.255.248.0
Inside2 : E 0/3 172.16.255.1 255.255.248.0
My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2. The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.
I can post my config up as needed. I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app. My ASA 5512 is at 9.1.
Thanks in advance for the suggestions/help
I have been away for a while and am just getting caught up on some posts, so my apologies for a delayed response.
I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes, using one process for each of the public address ranges, and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
To the original poster
It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
HTH
Rick -
I have a Cisco ASA 5512 working as a firewall.
We configured one ASA interface connecting to a Cisco 1700 router with a leased-line internet service without any problem.
Now we have an extra internet connection, ADSL 2MB, connected to another ASA interface.
I configure the ASA like this :
1- Enable interface 2 on the ASA and connect it to the ADSL router (interface IP 192.168.1.100, from the same ADSL router {192.168.1.1} range)
2- Create an access rule, say source (my computer IP), destination ADSL network range, action accept
3- Create a NAT rule, say source interface inside, source IP (my IP), destination interface ADSL IP 192.168.1.100, destination source router IP 192.168.1.1
4- Add a static route, say ADSL interface, source IP my IP, gateway ADSL router
These are the steps I took, but it doesn't work.
Thanks in advance
FYI, for internet access I doubt this will work, because if you configure two default routes the ASA won't distribute traffic across two interfaces; the first default route will be the one the ASA uses to send traffic. However, from your description it is not very clear which IP address you are trying to ping and exactly how you have configured the rules.
Either attach your config or paste the relevant config in the post. -
ASA 5512-X - VPN & local clients DHCP relaying (DHCP Proxy vs. DHCP Relay conflict)
Hey all,
I have ASA-5512-X serving as general firewall/router. It also serves as AnyConnect SSL VPN gateway (webvpn).
It has ~10 VLANs connected over 1 trunk port. One of the VLANs has DHCP server that shall serve all the VLANs (192.168.16.2).
I'm trying to have the ASA relay DHCP requests from all VLANs to the DHCP server and to also serve VPN clients.
However, according to bug https://tools.cisco.com/bugsearch/bug/CSCsd22469 both DHCP Proxy (webvpn) and DHCP Relay (local interfaces) can't be enabled at the same time.
As VPN clients connect to the same VLANs as local users (e.g. VLAN 2 - 192.168.2.0/24) I want to have the very same DHCP server serving both; otherwise it's gonna become a mess.
Note: if I configure DHCP Relay functionality and disable DHCP Proxy, local clients are served fine. If I configure DHCP Proxy (webvpn) and disable DHCP Relay, VPN clients are served fine. I therefore consider the setup to be correct; just the ASA limitation won't allow me to make it serve both.
Can DHCP Relay also serve VPN clients (no DHCP Proxy enabled)? Did I miss something?
Thanks!
Hi,
The only workaround for this issue is to configure the ASA itself to act as the DHCP server for VPN clients. You also have the flexibility of using a local pool and an AAA server. Why exactly do you want to use the same DHCP server for both?
AM -
I installed a new ASA 5512-X over the weekend for a client. Their backup ISP connection is DHCP based. I need to use the 'dhcp client route track' command on the interface, but it is not available. However, according to all the documentation I am looking at, and even the ASDM, it should be available.
This is the version of ASA and ASDM they are running:
Cisco Adaptive Security Appliance Software Version 8.6(1)1
Device Manager Version 6.6(1)
I did upgrade to the latest ASA software, so has this command been removed? If I do a '?' in the interface, there isn't a 'dhcp' option.
Any help would be appreciated. I really don't want to tell them they need to get a static IP address to resolve this issue.
TIA,
Dan
Looks like you are hitting bug ID CSCtq78280
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq78280
Please open a TAC case to get the fix on version 8.6.1(x). -
ASA 5512 8.6(1) failover via Management0/0
I am configuring a brand new pair of ASA 5512s running 8.6(1). Traditionally we have been using the Management port as the dedicated failover link, but that seems to not be possible on the 5512s.
ASA (config-if)# no management-only
ERROR: It is not allowed to make changes to this option for management interface on this platform.
I have not been able to find anything in the official documentation mentioning this restriction.
Does anybody know if this is indeed the case or if I am just missing something?
Thanks
Joerg Grau
Hi,
I think this is what you are looking for
Management Port Configuration Changes
The ASA 5500-X Series introduced a shared management port for firewall and IPS services. There are certain caveats to follow during migration from the ASA 5500 Series.
• The shared management port cannot be used as a data port. All through-the-box traffic arriving at the management port will be dropped implicitly. This cannot be disabled.
• The shared management port cannot be used as a part of a high availability configuration.
If the ASA management port (M0/0) on the ASA 5500 Series appliance was being used as a data port, the configuration associated with that port should be moved to one of the gigabit data ports numbered above G0/3.
Source:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps6120/guide_c07-727453.html
Though I guess you have to take into consideration when we compare the old ASA5500 Series and the new ASA5500-X that the new series actually has 2 more physical interfaces than all previous corresponding models had.
Though it still might feel a waste of a Gigabit interface in a sense.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
- Jouni -
Unable to load admin page asa 5512
Hi,
I have a new ASA 5512-X, out-of-the-box, which I am unable to open the admin web page on.
Laptop - Lenovo Windows 7 64 bit
Browsers - Firefox 28 & IE 11
Java is installed and the correct versions
ASDM on the 5512 - asdm-66114.bin
ASA Ver - asa861-2-smp-k8.bin
https is enabled and I'm using IP addresses that are allowed connectivity to the 5512
When I browse to https://192.168.1.1/admin I am presented with a certificate error as expected; I accept the certificate, then the page hangs. This happens on both Firefox and IE.
Wireshark shows the TCP 3-way handshake and the TLS/SSL negotiation, which is then immediately followed by the 5512 sending SSL data, then a FIN,PSH,ACK packet back to my PC, then a load of TCP retransmits from both my PC and the 5512.
Now, I tried a different PC (Dell), same OS, same ver of Firefox but IE ver.9, and did not have any problems being presented with the 'Run ASDM Wizard' page.
Has anyone had a similar issue? Has anyone please got any idea what config on my PC may be at fault?
Many thanks for any suggestions and help.
Cheers
Please have a look at the ssl settings on the ASA: "show run | i ssl".
You may not have strong ciphers enabled and the PC with the newer browser does not accept the default weak ciphers. I make it a habit to setup ASAs with:
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
Those are all strong ciphers. -
ASA is tearing down vpn connections aleatorily
A Cisco ASA5510 running 8.0.4 is tearing down VPN connections aleatorily. The user closes a VPN connection with the ASA by the Cisco or another client, browses a server and starts a file transfer. Aleatorily the file transfer stops; the VPN is still up, the user can still browse the server, but the transfer stops with a network connection error. Sometimes it is at the beginning of the file, sometimes in the middle or at the end of the file, and sometimes it works. We tried many users and many servers, with the same behavior. Without VPN the transfer works fine. The log messages are like this:
Oct 25 2012 20:23:50 ciscoasa : %ASA-6-302014: Teardown TCP connection 6360702 for dmz_sp:10.120.7.56/58119 to inside:172.18.1.3/8800 duration 0:00:00 bytes 9389 TCP Reset-O (vpnbmb)
Any idea about what the problem is? Could it be IPsec packets out of sequence? How do I check the IPsec sequence number? -
ASA - ASDM shows Red X Connection Disconnected.
Hi everyone,
I have ASDM connection to ASA.
On the bottom I see a red X with two computers that says
ASA Syslog connection
Status is UP
ASA Monitoring Connection disconnected????????
I still have a connection to ASDM; I need to know what it means by connection disconnected.
Thanks
Mahesh
Hi Andrew,
Many thanks for useful link.
Regards
Mahesh -
Configuring "Guest Wi-Fi" VLAN on ASA 5512
I'm attempting to set up a new VLAN on my Cisco ASA 5512 running version 8.6(1)2. This VLAN will provide access for wireless "guest" APs in my network. I have the guest VLAN set up through to my switches; I'm able to dedicate a switch port to VLAN 40 and acquire an IP address in the 10.40.10.0/24 network. Below is an excerpt of what I think is the relevant config information. I'm trying to route guest traffic out my "outside" interface.
Obviously I'm missing another command in here. Any help would be greatly appreciated. If more of the running-config is needed, please advise. Thanks in advance!
interface GigabitEthernet0/1.40
description Guest Wireless Network
vlan 40
nameif guestwireless
security-level 50
ip address 10.40.10.5 255.255.255.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1 (public IP at X.X.X.X)
access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
mtu guestwireless 1500
access-group guestwireless_access_in in interface guestwireless
dhcpd address 10.40.10.50-10.40.10.250 guestwireless
dhcpd dns 8.8.8.8 interface guestwireless
dhcpd enable guestwireless
Stripped out some config pertaining to crypto and credentials
--------------Config Below-----------------------------------
: Saved
ASA Version 8.6(1)2
hostname ASA
domain-name company.local
names
interface GigabitEthernet0/0
description ISP Interface
nameif outside
security-level 100
ip address ##.##.###.### 255.255.255.248
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
interface GigabitEthernet0/1.40
description Guest Wireless Network
vlan 40
nameif guestwireless
security-level 50
ip address 10.40.10.5 255.255.255.0
interface GigabitEthernet0/2
nameif inside-tempnet
security-level 0
ip address 172.29.0.252 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name company.local
same-security-traffic permit inter-interface
object network NETWORK_OBJ_10.100.10.0_24
subnet 10.100.10.0 255.255.255.0
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.100.10.0_24 any
access-list inside-tempnet_access_in extended permit ip 172.29.0.0 255.255.255.0 object NETWORK_OBJ_10.100.10.0_24
access-list Split_Tunnel_List standard permit 172.29.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu guestwireless 1500
mtu inside-tempnet 1500
mtu management 1500
ip local pool ClientVPN-DHCP-Pool 10.100.10.50-10.100.10.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
asdm history enable
arp timeout 14400
nat (inside-tempnet,outside) source static any any destination static NETWORK_OBJ_10.100.10.0_24 NETWORK_OBJ_10.100.10.0_24 no-proxy-arp route-lookup
nat (guestwireless,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside-tempnet_access_in in interface inside-tempnet
route outside 0.0.0.0 0.0.0.0 ##.##.###.### 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
http server enable
http 0.0.0.0 0.0.0.0 inside-tempnet
http 172.29.0.0 255.255.255.0 inside-tempnet
http redirect inside-tempnet 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
dhcpd address 10.40.10.50-10.40.10.250 guestwireless
dhcpd dns 8.8.8.8 interface guestwireless
dhcpd enable guestwireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside-tempnet
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles VPNConnect disk0:/vpnconnect.xml
anyconnect enable
tunnel-group-list enable
group-policy "GroupPolicy_VPN Connect" internal
group-policy "GroupPolicy_VPN Connect" attributes
wins-server none
dns-server value #.#.#.#
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value company.local
webvpn
anyconnect profiles value VPNConnect type user
tunnel-group "VPN Connect" type remote-access
tunnel-group "VPN Connect" general-attributes
address-pool ClientVPN-DHCP-Pool
authentication-server-group compnay.LOCAL LOCAL
default-group-policy "GroupPolicy_VPN Connect"
tunnel-group "VPN Connect" webvpn-attributes
group-alias "VPN Connect" enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
: end -
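Several of the threads above turn on management-plane settings that are easy to spot by eye in one config and easy to miss across a fleet: the reply that asks for SSH rather than Telnet, the `ssh key-exchange group dh-group1-sha1` line in the first config, the SSL cipher thread (rc4-md5 and single DES are not strong ciphers even though the ASA accepts them), the `http 0.0.0.0 0.0.0.0 inside-tempnet` line that lets any host on that interface reach ASDM, and the guest Wi-Fi config whose "outside" interface sits at security-level 100 while "inside-tempnet" sits at 0. The following linter is an added example, not code from any post on this page; it re-implements those checks as a script. Pasted configs lose their indentation, so interface blocks are tracked by sub-command keyword rather than by leading spaces. The config below is a constructed sample that combines the fragments from these threads; the addresses are placeholders, and the "outside"/"inside" name heuristic for security levels is an assumption about naming conventions, not an ASA rule.

```python
"""Lint a Cisco ASA running-config for management-plane weaknesses (added example)."""

# Sub-commands that can follow "interface X" in a running-config.
IFACE_SUBCMDS = ("nameif", "security-level", "ip address", "description",
                 "vlan", "shutdown", "no nameif", "no security-level",
                 "no ip address", "management-only", "speed", "duplex")
# ssl encryption keywords the ASA accepts that are not strong ciphers.
WEAK_SSL = {"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1"}


def lint_asa_config(config):
    """Return a list of (line_number, code, message) findings, in config order."""
    findings = []
    ifaces = {}            # nameif -> (security-level, line number of that command)
    in_iface = False       # inside an "interface ..." block
    cur_nameif = None
    for num, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            in_iface, cur_nameif = True, None
            continue
        if in_iface and line.startswith(IFACE_SUBCMDS):
            if line.startswith("nameif "):
                cur_nameif = line.split()[1]
            elif line.startswith("security-level ") and cur_nameif:
                ifaces[cur_nameif] = (int(line.split()[1]), num)
            continue
        in_iface = False   # any other top-level command ends the interface block
        words = line.split()
        # "telnet <net> <mask> <ifc>" enables cleartext management; "telnet timeout N" does not.
        if words[0] == "telnet" and len(words) == 4 and words[1] != "timeout":
            findings.append((num, "TELNET", f"telnet enabled on {words[3]}; use ssh instead"))
        elif line == "ssh key-exchange group dh-group1-sha1":
            findings.append((num, "WEAK-KEX", "SSH key exchange uses 1024-bit DH group 1"))
        elif words[0] == "http" and len(words) == 4 and words[1] == words[2] == "0.0.0.0":
            findings.append((num, "OPEN-ASDM", f"ASDM/HTTPS reachable from any host on {words[3]}"))
        elif line.startswith("ssl encryption "):
            weak = sorted(WEAK_SSL.intersection(words[2:]))
            if weak:
                findings.append((num, "WEAK-SSL", "weak TLS ciphers enabled: " + ", ".join(weak)))
    # Heuristic (assumption): names containing "outside" should be level 0, "inside" should not be 0.
    for name, (level, num) in ifaces.items():
        if "outside" in name.lower() and level != 0:
            findings.append((num, "SEC-LEVEL", f"{name} has security-level {level}; expected 0"))
        elif "inside" in name.lower() and level == 0:
            findings.append((num, "SEC-LEVEL", f"{name} has security-level 0; expected 100"))
    return findings


# Constructed sample: fragments from the threads above with placeholder addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
description ISP Interface
nameif outside
security-level 100
ip address 192.0.2.2 255.255.255.248
interface GigabitEthernet0/2
nameif inside-tempnet
security-level 0
ip address 172.29.0.252 255.255.255.0
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
http server enable
http 0.0.0.0 0.0.0.0 inside-tempnet
telnet 10.0.0.0 255.255.0.0 inside-tempnet
telnet timeout 5
ssh key-exchange group dh-group1-sha1
ssh timeout 5
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
"""

# Constructed sample with the weak settings corrected; the linter returns no findings for it.
CLEAN_CONFIG = SAMPLE_CONFIG.replace("nameif outside\nsecurity-level 100", "nameif outside\nsecurity-level 0") \
    .replace("nameif inside-tempnet\nsecurity-level 0", "nameif inside-tempnet\nsecurity-level 100") \
    .replace("http 0.0.0.0 0.0.0.0 inside-tempnet", "http 172.29.0.0 255.255.255.0 inside-tempnet") \
    .replace("telnet 10.0.0.0 255.255.0.0 inside-tempnet\n", "ssh 172.29.0.0 255.255.255.0 inside-tempnet\n") \
    .replace("dh-group1-sha1", "dh-group14-sha1") \
    .replace(" rc4-md5", "")

if __name__ == "__main__":
    for num, code, msg in lint_asa_config(SAMPLE_CONFIG):
        print(f"line {num:>3}  {code:<9} {msg}")
```

Run it over `show running-config` output saved to a file; each finding carries the line number of the offending command so it can be fixed with the matching `no` form or a narrower source network.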
I cannot update my iPad 2 to iOS 5. Updating through iTunes on a PC with Windows Vista, the error message reads "cannot connect to iPad Software Update Server." Tried resetting network settings, still not connecting. Tried updating iTunes, still not connecting.
Look at iOS Troubleshooting Wi-Fi networks and connections http://support.apple.com/kb/TS1398
Additional things to try.
Try this first. Turn Off your iPad. Then turn Off (disconnect power cord) the wireless router & then back On. Now boot your iPad. Hopefully it will see the WiFi.
Change the channel on your wireless router. Instructions at http://macintoshhowto.com/advanced/how-to-get-a-good-range-on-your-wireless-network.html
How to Quickly Fix iPad 3 Wi-Fi Reception Problems
http://osxdaily.com/2012/03/21/fix-new-ipad-3-wi-fi-reception-problems/
If none of the above suggestions work, look at this link.
iPad Wi-Fi Problems: Comprehensive List of Fixes
http://appletoolbox.com/2010/04/ipad-wi-fi-problems-comprehensive-list-of-fixes/
Cheers, Tom -
ASA 5505 configured for WebVPN connecting to Citrix Web Interface
ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (which I added as a bookmark to the Citrix server, http://172.30.40.5). I enter Citrix and then, for example, I want to open Outlook, but it cannot open (when I want to open some application, no application opens). There is no alarm on the ASA. How do I solve this issue?
Thanks.
Teymur,
Can you confirm that after disabling the SSL/TLS on the Citrix server (secure connectivity) you are getting exactly the same error? It is possible that it is generating a different error.
The bug where we have seen the existing error was CSCtf06303, but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA?
If you have confirmed the above two notes, it may be advantageous to open a TAC case, as we may need to do some live additional troubleshooting.
Thanks
-Jay -
I can't get FaceTime or iMessage to connect. I enter a valid password (tested and works for my Apple account) and it won't connect. I have checked all settings, upgraded iOS to 8.3, rebooted, changed my Apple account PW; still won't connect. My internet connection is fine: Safari works and I can access all sites. I have an iPad 2. Any help on this will be greatly appreciated. iPad 2, iOS 8.3
This is an ongoing problem as you will see by searching the forum.
Out of curiosity, do you have 2 step verification enabled? It was recently extended to include iMessage & FaceTime & I'm wondering if it might be causing some of the issues that some users are experiencing. -
I - STILL - Cannot connect to the iTunes Store
I am unable to connect to the iTunes Store. I can connect to the radio stations. I checked the SSL and TLS settings under Internet Explorer Options; I am not using a proxy or any computer-based firewall, and on my router firewall I tried opening up ports 53, 5353, 443 and 3689, and even tried putting the box in the DMZ, but to no use... I still cannot connect to the store, and frankly, it is getting ridiculous. Can anyone help? Maybe the needed ports or something...
Here is the check log... and thanks in advance.
Microsoft Windows XP Professional Service Pack 2 (Build 2600)
Dell Inc. Dimension XPS
iTunes 7.6.1.9
QuickTime 7.4.1
CD Driver 2.0.6.1
CD Driver DLL 2.0.6.2
Apple Mobile Device 1.1.4.7
Bonjour 1.0.4.12 (118.4)
iTunes Serial Number 3A48AA7B3CB9DD57
Current user is an administrator.
The current local date and time is 2008-03-08 21:11:11.
iTunes is not running in safe mode.
Video Display Information
NVIDIA GeForce 6800
External Plug-ins Information **
No external plug-ins installed.
Network Connectivity Tests **
Network Adapter Information
Adapter Name: {686274E4-CF42-4229-98AE-678EE8BF1331}
Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
IP Address: 10.10.0.10
Subnet Mask: 255.255.255.0
Default Gateway: 10.10.0.1
DHCP Enabled: No
DHCP Server: 255.255.255.255
Lease Obtained: Wed Dec 31 20:00:00 1969
Lease Expires: Wed Dec 31 20:00:00 1969
DNS Servers: 10.10.0.1
10.10.0.1
Adapter Name: {C7089E37-5C18-4224-812A-541BFED730B6}
Description: VMware Virtual Ethernet Adapter for VMnet1
IP Address: 192.168.181.1
Subnet Mask: 255.255.255.0
Default Gateway:
DHCP Enabled: No
DHCP Server: 255.255.255.255
Lease Obtained: Wed Dec 31 20:00:00 1969
Lease Expires: Wed Dec 31 20:00:00 1969
DNS Servers:
Adapter Name: {F5345F4B-2E32-4D97-BB78-741CFE4A155C}
Description: VMware Virtual Ethernet Adapter for VMnet8
IP Address: 192.168.92.1
Subnet Mask: 255.255.255.0
Default Gateway:
DHCP Enabled: No
DHCP Server: 255.255.255.255
Lease Obtained: Wed Dec 31 20:00:00 1969
Lease Expires: Wed Dec 31 20:00:00 1969
DNS Servers:
Active Connection: LAN Connection
Connected: Yes
Online: Yes
Using Modem: No
Using LAN: Yes
Using Proxy: No
SSL 3.0 Support: Enabled
TLS 1.0 Support: Enabled
Firewall Information
Windows Firewall is off.
Connection attempt to Apple web site was successful.
Connection attempt to iTunes Store was successful.
Secure connection attempt to iTunes Store was successful.
Secure connection attempt to iPhone activation server was successful.
iTunes has never successfully accessed iTunes store.
I don't think it is a firewall issue, as the connection attempts were not blocked according to the network connectivity report.
These ones have been tricky to solve.
As a first stab, one thing you could try is to create a new Windows account and see if you can connect from there.
P.S. I noticed that the date on the report is not the same as the date of your post. This may just be when you ran the report, but it is worth checking that your computer's date and time are correct.
You could also check the Advanced tab in your Internet options to see if "Check for server certificate revocation" is checked. If it is, try unchecking it.
Message was edited by: polydorus