ASA 5520 intervlan routing at low speed

Similar Messages

• Can I format the CF in a cisco 1800 router and then use it on the ASA 5520?

  Can I format Compact Flash in a cisco 1800 router and then use it on the ASA 5520?

  You don't have to format the card in the router. You can do that on your PC. Just format the CF-card as FAT32 and plug it into the ASA.
  BUT: If you just want to "upgrade" the old card with a different one, then first attach the original card from the ASA to your PC and copy all files (including the hidden ones) to your PC and then copy them back to the new card. That way you also move your licenses to the new card which are stored in hidden files and your private data like keys.

• Inter VLAN Routing with ASA 5520 and Cat 2960

  Hi there,
  I am a complete novice at networking, but I was tasked to have an ASA 5520 do inter VLAN routing (since my shop doesn't have a layer 3 router).
  As a basic setup, I am trying to have three workstations on three different VLANs communicate with each other.  The attached screenshot shows the topology.
  I am unable to ping from a PC to the ASA...therefore I can't ping to other VLANs.  Any assistance would be greatly appreciated.
  ROUTER CONFIG:
  ciscoasa#
  ciscoasa# show run
  : Saved
  ASA Version 8.3(1)
  hostname ciscoasa
  domain-name null
  enable password ###### encrypted
  passwd ###### encrypted
  names
  dns-guard
  interface GigabitEthernet0/0
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/1
  no nameif
  security-level 100
  ip address 10.10.1.1 255.255.255.0
  interface GigabitEthernet0/1.10
  vlan 10
  nameif vlan10
  security-level 100
  ip address 10.10.10.1 255.255.255.0
  interface GigabitEthernet0/1.20
  vlan 20
  nameif vlan20
  security-level 100
  ip address 10.10.20.1 255.255.255.0
  interface GigabitEthernet0/1.30
  vlan 30
  nameif vlan30
  security-level 100
  ip address 10.10.30.1 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  boot system disk0:/asa831-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name null
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list global_access extended permit icmp any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu vlan10 1500
  mtu vlan20 1500
  mtu vlan30 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  asdm image disk0:/asdm-631.bin
  no asdm history enable
  arp timeout 14400
  access-group global_access global
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.2-192.168.1.5 inside
  dhcpd enable inside
  dhcpd address 10.10.10.101-10.10.10.253 vlan10
  dhcpd enable vlan10
  dhcpd address 10.10.20.101-10.10.20.253 vlan20
  dhcpd enable vlan20
  dhcpd address 10.10.30.101-10.10.30.253 vlan30
  dhcpd enable vlan30
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DD
  CEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4ad1bba72f1f51b2a47e8cacb9d3606a
  : end
  SWITCH CONFIG
  Switch#show run
  Building configuration...
  Current configuration : 2543 bytes
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Switch
  boot-start-marker
  boot-end-marker
  no aaa new-model
  system mtu routing 1500
  ip subnet-zero
  spanning-tree mode pvst
  spanning-tree extend system-id
  no spanning-tree vlan 1
  vlan internal allocation policy ascending
  interface GigabitEthernet0/1
  description Port Configured As Trunk
  switchport trunk allowed vlan 1,10,20,30,1002-1005
  switchport mode trunk
  interface GigabitEthernet0/2
  switchport access vlan 10
  switchport mode access
  interface GigabitEthernet0/3
  switchport access vlan 20
  switchport mode access
  interface GigabitEthernet0/4
  switchport access vlan 30
  switchport mode access
  interface GigabitEthernet0/5
  interface GigabitEthernet0/6
  interface GigabitEthernet0/7
  interface GigabitEthernet0/8
  interface GigabitEthernet0/9
  interface GigabitEthernet0/10
  interface GigabitEthernet0/11
  interface GigabitEthernet0/12
  interface GigabitEthernet0/13
  interface GigabitEthernet0/14
  interface GigabitEthernet0/15
  interface GigabitEthernet0/16
  interface GigabitEthernet0/17
  interface GigabitEthernet0/18
  interface GigabitEthernet0/19
  interface GigabitEthernet0/20
  interface GigabitEthernet0/21
  interface GigabitEthernet0/22
  interface GigabitEthernet0/23
  interface GigabitEthernet0/24
  interface GigabitEthernet0/25
  interface GigabitEthernet0/26
  interface GigabitEthernet0/27
  interface GigabitEthernet0/28
  interface GigabitEthernet0/29
  interface GigabitEthernet0/30
  interface GigabitEthernet0/31
  interface GigabitEthernet0/32
  interface GigabitEthernet0/33
  interface GigabitEthernet0/34
  interface GigabitEthernet0/35
  interface GigabitEthernet0/36
  interface GigabitEthernet0/37
  interface GigabitEthernet0/38
  interface GigabitEthernet0/39
  interface GigabitEthernet0/40
  interface GigabitEthernet0/41
  interface GigabitEthernet0/42
  interface GigabitEthernet0/43
  interface GigabitEthernet0/44
  interface GigabitEthernet0/45
  interface GigabitEthernet0/46
  interface GigabitEthernet0/47
  interface GigabitEthernet0/48
  interface Vlan1
  ip address 10.10.1.2 255.255.255.0
  no ip route-cache
  interface Vlan10
  no ip address
  no ip route-cache
  interface Vlan20
  no ip address
  no ip route-cache
  interface Vlan30
  no ip address
  no ip route-cache
  ip default-gateway 10.10.1.1
  ip http server
  ip http secure-server
  control-plane
  line con 0
  line vty 5 15
  end

  ciscoasa# capture cap10 interface vlan10
  ciscoasa# capture cap20 interface vlan20
  ciscoasa# show cap cap10
  97 packets captured
     1: 17:32:32.541262 802.1Q vlan#10 P0 10.10.10.101.2461 > 10.10.10.1.8905:  ud
  p 96
     2: 17:32:36.741294 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
     3: 17:32:36.741523 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
     4: 17:32:37.539217 802.1Q vlan#10 P0 10.10.10.101.2462 > 10.10.10.1.8905:  ud
  p 98
     5: 17:32:39.104914 802.1Q vlan#10 P0 10.10.10.101.2463 > 10.12.5.64.8906:  ud
  p 95
     6: 17:32:41.738914 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
     7: 17:32:41.739143 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
     8: 17:32:42.544023 802.1Q vlan#10 P0 10.10.10.101.2464 > 10.10.10.1.8905:  ud
  p 93
     9: 17:32:46.747352 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    10: 17:32:46.747580 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    11: 17:32:47.546633 802.1Q vlan#10 P0 10.10.10.101.2465 > 10.10.10.1.8905:  ud
  p 98
    12: 17:32:51.739921 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    13: 17:32:51.740150 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    14: 17:32:52.544100 802.1Q vlan#10 P0 10.10.10.101.2466 > 10.10.10.1.8905:  ud
  p 98
    15: 17:32:56.741859 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    16: 17:32:56.742088 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    17: 17:32:57.547396 802.1Q vlan#10 P0 10.10.10.101.2467 > 10.10.10.1.8905:  ud
  p 98
    18: 17:33:01.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    19: 17:33:01.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    20: 17:33:02.547609 802.1Q vlan#10 P0 10.10.10.101.2468 > 10.10.10.1.8905:  ud
  p 97
    21: 17:33:06.742774 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    22: 17:33:06.743018 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    23: 17:33:07.543337 802.1Q vlan#10 P0 10.10.10.101.2469 > 10.10.10.1.8905:  ud
  p 93
    24: 17:33:10.375514 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
  p 50
    25: 17:33:11.114679 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
  p 50
    26: 17:33:11.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    27: 17:33:11.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    28: 17:33:11.864731 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
  p 50
    29: 17:33:12.546266 802.1Q vlan#10 P0 10.10.10.101.2470 > 10.10.10.1.8905:  ud
  p 98
    30: 17:33:16.746497 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    31: 17:33:16.746726 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    32: 17:33:17.548403 802.1Q vlan#10 P0 10.10.10.101.2471 > 10.10.10.1.8905:  ud
  p 97
    33: 17:33:21.744880 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    34: 17:33:21.745109 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    35: 17:33:22.545351 802.1Q vlan#10 P0 10.10.10.101.2472 > 10.10.10.1.8905:  ud
  p 95
    36: 17:33:23.785558 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
  p 50
    37: 17:33:24.522464 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
  p 50
    38: 17:33:25.272568 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
  p 50
    39: 17:33:26.744926 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    40: 17:33:26.745154 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    41: 17:33:27.548708 802.1Q vlan#10 P0 10.10.10.101.2473 > 10.10.10.1.8905:  ud
  p 96
    42: 17:33:31.749625 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    43: 17:33:31.749854 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    44: 17:33:32.550096 802.1Q vlan#10 P0 10.10.10.101.2474 > 10.10.10.1.8905:  ud
  p 97
    45: 17:33:36.748343 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    46: 17:33:36.748572 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    47: 17:33:37.546251 802.1Q vlan#10 P0 10.10.10.101.2475 > 10.10.10.1.8905:  ud
  p 95
    48: 17:33:41.745566 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    49: 17:33:41.745795 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    50: 17:33:42.547975 802.1Q vlan#10 P0 10.10.10.101.2476 > 10.10.10.1.8905:  ud
  p 97
    51: 17:33:46.747855 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    52: 17:33:46.748084 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    53: 17:33:47.548403 802.1Q vlan#10 P0 10.10.10.101.2477 > 10.10.10.1.8905:  ud
  p 94
    54: 17:33:51.747718 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    55: 17:33:51.747931 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    56: 17:33:52.547670 802.1Q vlan#10 P0 10.10.10.101.2478 > 10.10.10.1.8905:  ud
  p 97
    57: 17:33:54.134239 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    58: 17:33:56.750678 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    59: 17:33:56.750891 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    60: 17:33:57.563035 802.1Q vlan#10 P0 10.10.10.101.2479 > 10.10.10.1.8905:  ud
  p 97
    61: 17:33:59.245272 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    62: 17:34:01.752188 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    63: 17:34:01.752402 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    64: 17:34:01.995737 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
  dp 49
    65: 17:34:01.995813 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
  dp 34
    66: 17:34:01.995950 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
  dp 49
    67: 17:34:01.996011 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
  dp 34
    68: 17:34:01.996118 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
  udp 49
    69: 17:34:01.996179 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
  udp 34
    70: 17:34:02.551836 802.1Q vlan#10 P0 10.10.10.101.2480 > 10.10.10.1.8905:  ud
  p 98
    71: 17:34:03.011306 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
  dp 49
    72: 17:34:03.011367 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
  dp 34
    73: 17:34:03.011443 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
  dp 49
    74: 17:34:03.011489 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
  dp 34
    75: 17:34:03.011550 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
  udp 49
    76: 17:34:03.011596 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
  udp 34
    77: 17:34:04.027037 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
  dp 49
    78: 17:34:04.027082 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
  dp 34
    79: 17:34:04.027174 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
  dp 49
    80: 17:34:04.027250 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
  dp 34
    81: 17:34:04.027311 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
  udp 49
    82: 17:34:04.027357 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
  udp 34
    83: 17:34:04.745811 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    84: 17:34:06.058514 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
  dp 49
    85: 17:34:06.058605 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
  dp 34
    86: 17:34:06.058651 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
  dp 49
    87: 17:34:06.058712 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
  dp 34
    88: 17:34:06.058758 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
  udp 49
    89: 17:34:06.058819 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
  udp 34
    90: 17:34:06.750907 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    91: 17:34:06.751151 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    92: 17:34:07.552751 802.1Q vlan#10 P0 10.10.10.101.2481 > 10.10.10.1.8905:  ud
  p 96
    93: 17:34:11.752082 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    94: 17:34:11.752326 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    95: 17:34:12.553392 802.1Q vlan#10 P0 10.10.10.101.2482 > 10.10.10.1.8905:  ud
  p 96
    96: 17:34:16.755438 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
    97: 17:34:16.755682 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
    98: 17:34:17.554811 802.1Q vlan#10 P0 10.10.10.101.2483 > 10.10.10.1.8905:  ud
  p 97
    99: 17:34:21.751303 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
  100: 17:34:21.751563 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
  101: 17:34:22.552034 802.1Q vlan#10 P0 10.10.10.101.2484 > 10.10.10.1.8905:  ud
  p 95
  102: 17:34:26.753989 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
  103: 17:34:26.754218 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
  104: 17:34:27.560334 802.1Q vlan#10 P0 10.10.10.101.2485 > 10.10.10.1.8905:  ud
  p 98
  105: 17:34:31.755499 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
  quest
  106: 17:34:31.755728 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
  ply
  107: 17:34:32.563950 802.1Q vlan#10 P0 10.10.10.101.2486 > 10.10.10.1.8905:  ud
  p 95
  107 packets shown
  ciscoasa# show cap cap20
  92 packets captured
     1: 17:26:53.653378 802.1Q vlan#20 P0 10.10.20.101.1187 > 216.49.94.13.80: S 8
  20343450:820343450(0) win 65535
     2: 17:27:12.019133 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
     3: 17:27:17.214481 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
     4: 17:27:55.593688 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
  499891746:1499891746(0) win 65535
     5: 17:27:58.555284 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
  499891746:1499891746(0) win 65535
     6: 17:28:04.564790 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
  499891746:1499891746(0) win 65535
     7: 17:29:06.504856 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101
     8: 17:29:06.504917 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
  6:bb
     9: 17:29:06.505222 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
  7080594:47080594(0) win 65535
    10: 17:29:09.467032 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
  7080594:47080594(0) win 65535
    11: 17:29:15.476537 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
  7080594:47080594(0) win 65535
    12: 17:30:17.417245 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
  445997597:1445997597(0) win 65535
    13: 17:30:18.156043 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    14: 17:30:20.378688 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
  445997597:1445997597(0) win 65535
    15: 17:30:23.220356 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    16: 17:30:26.388102 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
  445997597:1445997597(0) win 65535
    17: 17:30:28.721047 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    18: 17:30:34.222507 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    19: 17:33:43.156928 802.1Q vlan#20 P0 arp who-has 10.10.20.101 tell 10.10.20.1
  01
    20: 17:33:44.187002 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101
    21: 17:33:44.187047 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
  6:bb
    22: 17:33:44.187261 802.1Q vlan#20 P0 10.10.20.101 > 10.10.20.1: icmp: echo re
  quest
    23: 17:33:44.187520 802.1Q vlan#20 P0 10.10.20.1 > 10.10.20.101: icmp: echo re
  ply
    24: 17:33:44.239016 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    25: 17:33:44.327360 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
  udp 34
    26: 17:33:44.989740 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    27: 17:33:45.150611 802.1Q vlan#20 P0 10.10.20.101.6646 > 10.10.20.255.6646:
  udp 236
    28: 17:33:45.331312 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
  udp 34
    29: 17:33:45.740943 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    30: 17:33:46.331892 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
  udp 34
    31: 17:33:46.492131 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    32: 17:33:47.243502 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    33: 17:33:47.994501 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    34: 17:33:48.335050 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
  udp 34
    35: 17:33:48.335141 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
  udp 34
    36: 17:33:48.745658 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    37: 17:33:49.496861 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    38: 17:33:50.248812 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    39: 17:33:50.249300 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    40: 17:33:50.999170 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    41: 17:33:50.999246 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    42: 17:33:51.750342 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    43: 17:33:51.750418 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    44: 17:33:52.341336 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
  udp 34
    45: 17:33:52.341474 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
  udp 34
    46: 17:33:52.501576 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    47: 17:33:52.501652 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    48: 17:33:53.254183 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 174
    49: 17:33:53.254320 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 204
    50: 17:33:54.134361 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    51: 17:33:54.755118 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 174
    52: 17:33:54.823535 802.1Q vlan#20 P0 10.120.2.198.1261 > 161.69.12.13.443: R
  250934743:250934743(0) ack 2427374744 win 0
    53: 17:33:54.823901 802.1Q vlan#20 P0 10.120.2.198.1262 > 161.69.12.13.443: R
  3313764765:3313764765(0) ack 1397588942 win 0
    54: 17:33:54.824618 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
  2860571026:2860571026(0) win 65535
    55: 17:33:56.257448 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 174
    56: 17:33:57.759833 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 174
    57: 17:33:57.779729 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
  2860571026:2860571026(0) win 65535
    58: 17:33:59.245394 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    59: 17:33:59.262178 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 186
    60: 17:34:00.263780 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 186
    61: 17:34:01.265382 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 186
    62: 17:34:02.266908 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 186
    63: 17:34:03.268540 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    64: 17:34:03.789189 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
  2860571026:2860571026(0) win 65535
    65: 17:34:04.019591 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    66: 17:34:04.745933 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
  request
    67: 17:34:04.770757 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    68: 17:34:05.521991 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    69: 17:34:06.273209 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    70: 17:34:07.024367 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    71: 17:34:07.775518 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    72: 17:34:08.526706 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 68
    73: 17:34:09.277939 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 174
    74: 17:34:09.278061 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 174
    75: 17:34:09.278702 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
  p 204
    76: 17:34:15.810489 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
  udp 31
    77: 17:34:16.809726 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
  udp 31
    78: 17:34:17.811222 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
  udp 31
    79: 17:34:19.814349 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
  udp 31
    80: 17:34:19.814380 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
  udp 31
    81: 17:34:23.820682 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
  udp 31
    82: 17:34:23.820788 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
  udp 31
    83: 17:34:30.822924 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 50
    84: 17:34:31.572892 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 50
    85: 17:34:32.324079 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
  p 50
    86: 17:34:33.083079 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
  udp 44
    87: 17:34:34.077007 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
  udp 44
    88: 17:34:35.078639 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
  udp 44
    89: 17:34:37.081584 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
  udp 44
    90: 17:34:37.081706 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
  udp 44
    91: 17:34:41.087809 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
  udp 44
    92: 17:34:41.087840 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
  udp 44
  92 packets shown

• ASA 5520 - Can not change default route.

  Hi
  My asa is sitting behind a router the next hop from the ASA to the router is 10.0.0.5 I have tried to change the default route to route DMZ 0 0 10.0.0.5  to no availability right now the default route is (S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.8.20, Outside) but even if I were to do a "no route Outside 0 0 172.16.8.20" the default route does not disappear when I do a "sh route" command. ant help would be greatly appreciated.

  I apologize for not being clear hopefully this helps. Basically the  default route should be: route DMZ 0.0.0.0 0.0.0.0 10.10.10.5, I had to  add a metric of 2 because otherwise it would conflict with the Gateway  of last resort, the interesting part is if I try to remove the current  gateway of last resort then the error I get is  %No matching route to delete and I try to add the new route I get ERROR: Cannot add route entry, conflict with existing routes.
  **"show ip address" output---
  Interface                Name                   IP address      Subnet mask     Method
  GigabitEthernet0/0       Outside               172.22.8.166    255.255.252.0   CONFIG
  GigabitEthernet0/3       DMZ                   10.10.10.16     255.255.255.0   CONFIG
  Management0/0            management      192.168.100.1   255.255.255.0   CONFIG
  GigabitEthernet1/0       Inside                 172.16.0.2      255.255.252.0   CONFIG
  GigabitEthernet1/1       VPN                    X.X.X.X          255.255.255.240 CONFIG
  Current IP Addresses:
  Interface                Name                   IP address      Subnet mask     Method
  GigabitEthernet0/0       Outside               172.22.8.166    255.255.252.0   CONFIG
  GigabitEthernet0/3       DMZ                   10.10.10.16     255.255.255.0   CONFIG
  Management0/0            management      192.168.100.1   255.255.255.0   CONFIG
  GigabitEthernet1/0       Inside                 172.16.0.2      255.255.252.0   CONFIG
  GigabitEthernet1/1       VPN                    X.X.X.X          255.255.255.240 CONFIG
  **"show running-config" output---
  !The DMZ route should be the gateway of last resort
  route DMZ 0.0.0.0 0.0.0.0 10.10.10.5 2
  route Outside 10.0.1.0 255.255.255.252 172.22.8.20 1
  route Outside 10.0.2.0 255.255.255.252 172.22.8.20 1
  route Outside 10.0.4.0 255.255.255.252 172.22.8.20 1
  route Outside 10.0.5.0 255.255.255.240 172.22.8.20 1
  route Outside 10.0.6.0 255.255.255.252 172.22.8.20 1
  route Outside 10.0.25.0 255.255.255.0 172.22.8.20 1
  route Outside 10.0.52.0 255.255.255.0 172.22.8.20 1
  route Inside 172.16.0.0 255.255.252.0 172.16.0.3 1
  route Outside 172.16.6.0 255.255.255.0 172.16.6.1 1
  route Outside 172.22.0.0 255.255.0.0 172.22.8.20 10
  route Outside 192.168.0.0 255.255.255.0 172.22.8.20 255
  route DMZ 192.168.200.0 255.255.255.0 156.108.124.66 1
  **"show route" output ---
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
         * - candidate default, U - per-user static route, o - ODR
         P - periodic downloaded static route
  Gateway of last resort is 172.22.8.20 to network 0.0.0.0
  S    172.16.6.0 255.255.255.0 [1/0] via 172.16.6.1, Outside
                                [1/0] via 172.22.8.20, Outside
  C    172.16.0.0 255.255.252.0 is directly connected, Inside
  C    172.22.8.0 255.255.252.0 is directly connected, Outside
  S    172.22.0.0 255.255.0.0 [10/0] via 172.22.8.20, Outside
  D    192.168.4.8 255.255.255.252 [90/2178816] via 172.16.0.3, 66:37:21, Inside
  D    192.168.4.9 255.255.255.255 [90/2178816] via 172.16.0.3, 66:37:21, Inside
  S    10.0.2.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
  D    10.0.0.0 255.255.255.0 [90/3072] via 172.16.0.3, 66:37:21, Inside
  C    10.10.10.0 255.255.255.0 is directly connected, DMZ
  S    10.0.1.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
  S    10.0.6.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
  S    10.0.4.0 255.255.255.252 [1/0] via 172.22.8.20, Outside
  S    10.0.5.0 255.255.255.240 [1/0] via 172.22.8.20, Outside
  S    10.0.25.0 255.255.255.0 [1/0] via 172.22.8.20, Outside
  S    10.0.52.0 255.255.255.0 [1/0] via 172.22.8.20, Outside
  S    192.168.0.0 255.255.255.0
             [255/0] via 172.22.8.20, Outside
  D    192.168.100.0 255.255.255.0 [90/3072] via 172.16.0.3, 66:37:21, Inside
  ! I have tried to remove the route below with the command "no  route Outside 0 0 172.22.8.20" but always get the error %No matching  route to delete
  S*   0.0.0.0 0.0.0.0 [1/0] via 172.22.8.20, Outside

• InterVlan Routing and an ASA5520

  Hey Guys,
  I'm having problems getting something to work. First off, let me give you the topology and the configs:
  Config R1
  Vlan Database:
  VLAN Name                             Status    Ports---- -------------------------------- --------- -------------------------------1    default                          active    Fa1/1, Fa1/2, Fa1/3, Fa1/4                                                Fa1/5, Fa1/6, Fa1/7, Fa1/8                                                Fa1/9, Fa1/1010   SERVER                           active    Fa1/1430   CLIENTS                          active    Fa1/13100  Inside                           active101  LIFESIZE                         active    Fa1/12250  Mgmt                             active    Fa1/111000 Outside                          active    Fa1/151002 fddi-default                     active1003 token-ring-default               active1004 fddinet-default                  active1005 trnet-default                    active
  Trunks:
  Port      Mode         Encapsulation  Status        Native vlanFa1/0     on           802.1q         trunking      1Port      Vlans allowed on trunkFa1/0     1-1005Port      Vlans allowed and active in management domainFa1/0     1,10,30,100-101,250,1000Port      Vlans in spanning tree forwarding state and not prunedFa1/0     1,10,30,100-101,250,1000
  Running Config:
  interface FastEthernet1/0 switchport mode trunk
  interface FastEthernet1/11 switchport access vlan 250 duplex full speed 100 spanning-tree portfast!interface FastEthernet1/12 switchport access vlan 101 duplex full speed 100 spanning-tree portfast!interface FastEthernet1/13 switchport access vlan 30 duplex full speed 100 spanning-tree portfast!interface FastEthernet1/14 switchport access vlan 10 duplex full speed 100 spanning-tree portfast!interface FastEthernet1/15 switchport access vlan 1000!interface Vlan1 no ip address!interface Vlan10 description SERVER no ip address!interface Vlan20 description DRUCKER ip address 10.11.20.254 255.255.255.0!interface Vlan30 description CLIENTS ip address 10.11.30.254 255.255.255.0!interface Vlan101 description LifeSize no ip address!interface Vlan250 description Management ip address 10.11.250.254 255.255.255.0!ip default-gateway 10.11.250.251ip forward-protocol ndip route 0.0.0.0 0.0.0.0 10.11.250.251ip route 10.0.0.0 255.0.0.0 10.11.250.251
  Config ASA:
  ASA Version 8.4(2)!hostname ciscoasaenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface GigabitEthernet0 nameif Outside security-level 0 ip address 186.89.54.20 255.255.255.248!interface GigabitEthernet1 description Trunk to SW no nameif no security-level no ip address!interface GigabitEthernet1.10 vlan 10 nameif Server security-level 100 ip address 10.11.10.251 255.255.255.0!interface GigabitEthernet1.30 vlan 30 nameif Clients security-level 100 ip address 10.11.30.251 255.255.255.0!interface GigabitEthernet1.101 vlan 101 nameif DMZ security-level 50 ip address 10.11.101.251 255.255.255.0!interface GigabitEthernet1.250 vlan 250 nameif Mgmt security-level 100 ip address 10.11.250.251 255.255.255.0!interface GigabitEthernet2 shutdown no nameif no security-level no ip address!interface GigabitEthernet3 shutdown no nameif no security-level no ip address!interface GigabitEthernet4 shutdown no nameif no security-level no ip address!interface GigabitEthernet5 nameif Martin security-level 100 ip address 10.11.15.254 255.255.255.0!ftp mode passivesame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceaccess-list global_access extended permit ip any anyaccess-list Clients_access_in extended deny ip any 10.11.101.0 255.255.255.0 inactiveaccess-list Clients_access_in extended permit ip any 10.11.10.0 255.255.255.0 inactiveaccess-list Server_access_in extended permit ip any anyaccess-list Server_access_in extended deny ip 10.11.250.0 255.255.255.0 10.11.250.0 255.255.255.0 inactiveaccess-list Mgmt_access_in extended deny icmp any 10.11.10.0 255.255.255.0 inactiveaccess-list Mgmt_access_in extended permit ip any any inactivepager lines 24logging enablelogging buffered debuggingmtu Outside 1500mtu Server 1500mtu Clients 1500mtu DMZ 1500mtu Mgmt 1500mtu Martin 1500icmp unreachable rate-limit 1 burst-size 1asdm image disk0:/asdm-702.binno asdm history enablearp timeout 14400access-group Server_access_in in interface Serveraccess-group Clients_access_in in interface Clientsaccess-group Mgmt_access_in in interface Mgmtaccess-group global_access globalroute Mgmt 10.11.0.0 255.255.0.0 10.11.250.254 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyuser-identity default-domain LOCALhttp server enablehttp 10.0.0.0 255.0.0.0 Martinhttp 10.11.250.0 255.255.255.0 Mgmtno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart warmstarttelnet timeout 5ssh timeout 5console timeout 0management-access Mgmtthreat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn!class-map global-class match default-inspection-traffic!!policy-map global-policy class global-class  inspect dns  inspect ftp  inspect http  inspect icmp  inspect icmp error  inspect rtsp  inspect sip  inspect snmp  inspect tftp!service-policy global-policy globalprompt hostname contextno call-home reporting anonymouscall-home profile CiscoTAC-1  no active  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService  destination address email [email protected]  destination transport-method http  subscribe-to-alert-group diagnostic  subscribe-to-alert-group environment  subscribe-to-alert-group inventory periodic monthly  subscribe-to-alert-group configuration periodic monthly  subscribe-to-alert-group telemetry periodic dailycrashinfo save disableCryptochecksum:e5a96d671ff3b5453c8f1de5c39f1f63: end
  Problem:
  What I'm planning is, having an InterVlan routed network that is done by the switch and only certain Networks should be protected by the ASA.
  The Networks that should not be protected will have the GW of the L3 SVI
  The protected hosts will have the GW of the ASA and send their traffic there first
  The ASA has a Trunk to the Switch receiving all L2 Vlans from there (E1)
  The ASA has an Interface called Mgmt to which it can send all the traffic back (Asymmetric Routing problem?)
  The Inside (called Mgmt, sorry for the confusion) has a default route pointing to the Switch R1
  Mgmt 10.11.0.0 255.255.0.0 10.11.250.254
  I'm stuck with the basics
  What won't work:
  From R1 i can ping Mgmt and Client Network but not Server and DMZ
  Pinging from R1 (10.11.250.254) to ASA Server (10.11.10.251) Interface gives me this Teardown but i have a global permit any any?
  %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/20 gaddr 10.11.10.251/0 laddr 10.11.10.251/0%ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:03%ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:03
  R2 (Server Host) has the ASA Gateway for its interface and it can ping it. But when i'm trying to ping another interface on the ASA that i can ping from R1, it's like it is not even reaching the ASA. I can see no traffic at all.
  Can somebody tell me what what i'm doing wrong and why? I'm kinda getting a little bit frustrated since i've been working on this from quite some time but i fail to get it working properly.
  Cheers

  I'm sorry very sorry i'm responding so late i've been very busy lately.
  This forum doesn't show the topology diagram i posted so let me try that again first:
  Now, as you can see, R2 has the GW of the ASA which is 10.11.10.251/24. R1 is the L3-Switch and doesn't have an Interface IP for the Server and DMZ but a default-gateway and default-network pointing to 10.11.250.251/24 which is the Mgmt Interface of the ASA. Additionally, it has has a Trunk Port to the ASA to pass all L2-Vlans.
  The ASA can ping all L3-Vlans of the Switch R1 e.g. 10.11.30.254/24 and the host 10.11.30.5/24
  The L3-Switch can only ping the Mgmt to which it is directly connected and in the same Network 10.11.250.0/24 but not all other Interfaces
  Pinging fom 10.11.250.254/24 (L3 Interface of R1) to 10.11.10.251/24 (Server Interface ASA) gives me this logging output:
  %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/3 gaddr 10.11.10.251/0 laddr 10.11.10.251/0%ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:05%ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:05
  And that is the major problem for me right now. I don't know what i'm doing wrong.
  Thx

• VPN clients not able to ping Remote PCs & Servers : ASA 5520

  VPN is connected successfully. But not able to ping any remote ip or fqdn from client pc. But able to ping ASA 5520 firewalls inside interface. Also some clients able to access, some clients not able to access. I new to these firewalls. I tried most of ways from internet, please any one can help asap.
  Remote ip section : 192.168.1.0/24
  VPN IP Pool : 192.168.5.0/24
  Running Config :
   ip address 192.168.1.2 255.255.255.0
  interface GigabitEthernet0/2
   shutdown
   no nameif
   no security-level
   no ip address
  interface GigabitEthernet0/3
   shutdown
   no nameif
   no security-level
   no ip address
  interface Management0/0
   shutdown
   no nameif
   no security-level
   no ip address
   management-only
  passwd z40TgSyhcLKQc3n1 encrypted
  boot system disk0:/asa722-k8.bin
  ftp mode passive
  clock timezone GST 4
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 213.42.20.20
   domain-name default.domain.invalid
  access-list outtoin extended permit tcp any host 83.111.113.114 eq 3389
  access-list outtoin extended permit tcp any host 83.111.113.113 eq https
  access-list outtoin extended permit tcp any host 83.111.113.114 eq smtp
  access-list outtoin extended permit tcp any host 83.111.113.114 eq https
  access-list outtoin extended permit tcp any host 83.111.113.114 eq www
  access-list outtoin extended permit tcp any host 83.111.113.115 eq https
  access-list outtoin extended permit tcp any host 94.56.148.98 eq 3389
  access-list outtoin extended permit tcp any host 83.111.113.117 eq ssh
  access-list fualavpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
  access-list outside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0
  92.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 1
  2.168.5.0 255.255.255.0
  access-list inet_in extended permit icmp any any time-exceeded
  access-list inet_in extended permit icmp any any unreachable
  access-list inet_in extended permit icmp any any echo-reply
  access-list inet_in extended permit icmp any any echo
  pager lines 24
  logging enable
  logging asdm informational
  logging from-address [email protected]
  logging recipient-address [email protected] level errors
  logging recipient-address [email protected] level emergencies
  logging recipient-address [email protected] level errors
  mtu outside 1500
  mtu inside 1500
  ip local pool fualapool 192.168.5.10-192.168.5.50 mask 255.255.255.0
  ip local pool VPNPool 192.168.5.51-192.168.5.150 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-522.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound outside
  nat (inside) 1 192.168.1.0 255.255.255.0
  static (inside,outside) 94.56.148.98 192.168.1.11 netmask 255.255.255.255
  static (inside,outside) 83.111.113.114 192.168.1.111 netmask 255.255.255.255
  access-group inet_in in interface outside
  route outside 0.0.0.0 0.0.0.0 83.111.113.116 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  group-policy DfltGrpPolicy attributes
   banner none
   wins-server none
   dns-server none
   dhcp-network-scope none
   vpn-access-hours none
   vpn-simultaneous-logins 10
   vpn-idle-timeout 30
   vpn-session-timeout none
   vpn-filter none
   vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
   password-storage disable
   ip-comp disable
   re-xauth disable
   group-lock none
   pfs disable
   ipsec-udp disable
   ipsec-udp-port 10000
   split-tunnel-policy tunnelall
   split-tunnel-network-list none
   default-domain none
   split-dns none
   intercept-dhcp 255.255.255.255 disable
   secure-unit-authentication disable
   user-authentication disable
   user-authentication-idle-timeout 30
   ip-phone-bypass disable
   leap-bypass disable
   nem disable
   backup-servers keep-client-config
   msie-proxy server none
   msie-proxy method no-modify
   msie-proxy except-list none
   msie-proxy local-bypass disable
   nac disable
   nac-sq-period 300
   nac-reval-period 36000
   nac-default-acl none
   address-pools none
   client-firewall none
   client-access-rule none
   webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have no
   been met or due to some specific group policy, you do not have permission to u
  e any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy fualavpn internal
  group-policy fualavpn attributes
   dns-server value 192.168.1.111 192.168.1.100
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value fualavpn_splitTunnelAcl
  username test password I7ZgrgChfw4FV2AW encrypted privilege 0
  username Mohamed password Vqmmt8cR/.Qu7LhU encrypted privilege 0
  username Moghazi password GMr7xgdqmGEQ2SVR encrypted privilege 0
  username Moghazi attributes
   password-storage enable
  username fualauaq password E6CgvoOpTKphiM2U encrypted privilege 0
  username fualauaq attributes
   password-storage enable
  username fuala password IFtijSYb7LAOV/IW encrypted privilege 15
  username Basher password Djf15nXIJXmayfjY encrypted privilege 0
  username Basher attributes
   password-storage enable
  username fualafac password VGC/7cKXW1A6eyXS encrypted privilege 0
  username fualafac attributes
   password-storage enable
  username fualaab password ONTH8opuP4RKgRXD encrypted privilege 0
  username fualaab attributes
   password-storage enable
  username fualaadh2 password mNEgLxzPBeF4SyDb encrypted privilege 0
  username fualaadh2 attributes
   password-storage enable
  username fualaain2 password LSKk6slwsVn4pxqr encrypted privilege 0
  username fualaain2 attributes
   password-storage enable
  username fualafj2 password lE4Wu7.5s7VXwCqv encrypted privilege 0
  username fualafj2 attributes
   password-storage enable
  username fualakf2 password 38oMUuwKyShs4Iid encrypted privilege 0
  username fualakf2 attributes
   password-storage enable
  username fualaklb password .3AMGUZ1NWU1zzIp encrypted privilege 0
  username fualaklb attributes
   password-storage enable
  username fualastr password RDXSdBgMaJxNLnaH encrypted privilege 0
  username fualastr attributes
   password-storage enable
  username fualauaq2 password HnjodvZocYhDKrED encrypted privilege 0
  username fualauaq2 attributes
   password-storage enable
  username fualastore password wWDVHfUu9pdM9jGj encrypted privilege 0
  username fualastore attributes
   password-storage enable
  username fualadhd password GK8k1MkMlIDluqF4 encrypted privilege 0
  username fualadhd attributes
   password-storage enable
  username fualaabi password eYL0j16kscNhhci4 encrypted privilege 0
  username fualaabi attributes
   password-storage enable
  username fualaadh password GTs/9BVCAU0TRUQE encrypted privilege 0
  username fualaadh attributes
   password-storage enable
  username fualajuh password b9QGJ1GHhR88reM1 encrypted privilege 0
  username fualajuh attributes
   password-storage enable
  username fualadah password JwVlqQNIellNgxnZ encrypted privilege 0
  username fualadah attributes
   password-storage enable
  username fualarak password UE41e9hpvcMeChqx encrypted privilege 0
  username fualarak attributes
   password-storage enable
  username fualasnk password ZwZ7fVglexrCWFUH encrypted privilege 0
  username fualasnk attributes
   password-storage enable
  username rais password HrvvrIw5tEuam/M8 encrypted privilege 0
  username rais attributes
   password-storage enable
  username fualafuj password yY2jRMPqmNGS.3zb encrypted privilege 0
  username fualafuj attributes
   password-storage enable
  username fualamaz password U1YUfQzFYrsatEzC encrypted privilege 0
  username fualamaz attributes
   password-storage enable
  username fualashj password gN4AXk/oGBTEkelQ encrypted privilege 0
  username fualashj attributes
   password-storage enable
  username fualabdz password tg.pB7RXJx2CWKWi encrypted privilege 0
  username fualabdz attributes
   password-storage enable
  username fualamam password uwLjc0cV7LENI17Y encrypted privilege 0
  username fualamam attributes
   password-storage enable
  username fualaajm password u3yLk0Pz0U1n.Q0c encrypted privilege 0
  username fualaajm attributes
   password-storage enable
  username fualagrm password mUt3A60gLJ8N5HVr encrypted privilege 0
  username fualagrm attributes
   password-storage enable
  username fualakfn password ceTa6jmvnzOFNSgF encrypted privilege 0
  username fualakfn attributes
   password-storage enable
  username Fualaain password Yyhr.dlc6/J7WvF0 encrypted privilege 0
  username Fualaain attributes
   password-storage enable
  username fualaban password RCJKLGTrh7VM2EBW encrypted privilege 0
  username John password D9xGV1o/ONPM9YNW encrypted privilege 15
  username John attributes
   password-storage disable
  username wrkshopuaq password cFKpS5e6Whp0A7TZ encrypted privilege 0
  username wrkshopuaq attributes
   password-storage enable
  username Talha password 3VoAABwXxVonLmWi encrypted privilege 0
  username Houssam password Cj/uHUqsj36xUv/R encrypted privilege 0
  username Faraj password w2qYfE3DkYvS/oPq encrypted privilege 0
  username Faraj attributes
   password-storage enable
  username gowth password HQhALLeiQXuIzptCnTv1rA== nt-encrypted privilege 15
  username Hameed password 0Kr0N1VRmLuWdoDE encrypted privilege 0
  username Hameed attributes
   password-storage enable
  username Hassan password Uy4ASuiNyEd70LCw encrypted privilege 0
  username cisco password IPVBkPI1GLlHurPD encrypted privilege 15
  username Karim password 5iOtm58EKMyvruZA encrypted privilege 0
  username Shakir password BESX2bAvlbqbDha/ encrypted privilege 0
  username Riad password iB.miiOF7qMESlCL encrypted privilege 0
  username Azeem password 0zAqiCG8dmLyRQ8f encrypted privilege 15
  username Azeem attributes
   password-storage disable
  username Osama password xu66er.7duIVaP79 encrypted privilege 0
  username Osama attributes
   password-storage enable
  username Mahmoud password bonjr0B19aOQSpud encrypted privilege 0
  username alpha password x8WO0aiHL3pVFy2E encrypted privilege 15
  username Wissam password SctmeK/qKVNLh/Vv encrypted privilege 0
  username Wissam attributes
   password-storage enable
  username Nabil password m4fMvkTgVwK/O3Ms encrypted privilege 0
  aaa authentication telnet console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  http 192.168.1.4 255.255.255.255 inside
  http 192.168.1.100 255.255.255.255 inside
  http 192.168.1.111 255.255.255.255 inside
  http 192.168.1.200 255.255.255.255 inside
  http 83.111.113.117 255.255.255.255 outside
  http 192.168.1.17 255.255.255.255 inside
  http 192.168.1.16 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  tunnel-group fualavpn type ipsec-ra
  tunnel-group fualavpn type ipsec-ra
  tunnel-group fualavpn general-attributes
   address-pool fualapool
   address-pool VPNPool
   default-group-policy fualavpn
  tunnel-group fualavpn ipsec-attributes
   pre-shared-key *
  tunnel-group fualavpn ppp-attributes
   authentication pap
   authentication ms-chap-v2
   authentication eap-proxy
  telnet 0.0.0.0 0.0.0.0 outside
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect icmp error
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:38e41e83465d37f69542355df734db35
  : end

  Hi,
  What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP
  Regards,

• ASA 5520 Upgrade From 8.2 to 9.1

  To All Pro's Out There,
  I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
  In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
  I appreciate all the help in advance.

  Hi,
  My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
  In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
  What you can basically do is
  Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
  You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
  So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
  If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
  If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
  https://supportforums.cisco.com/docs/DOC-31116
  My personal approach when starting to convert NAT configurations for the upgrade is
  Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
  Divide NAT configurations based on type   
  Dynamic NAT/PAT
  Static NAT
  Static PAT
  NAT0
  All Policy Dynamic/Static NAT/PAT
  Learn the basic configuration format for each type of NAT configuration
  Start by converting the easiest NAT configurations   
  Dynamic NAT/PAT
  Static NAT/PAT
  Next convert the NAT0 configurations
  And finally go through the Policy NAT/PAT configurations
  Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
  The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
  One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
  For example
  static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
  In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
  Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
  So to summarize
  Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
  Learn the new NAT configuration format
  Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
  Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
  Convert the configurations manually
  Lab/test the configurations on an test ASA
  During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
  Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
  Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
  Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
  Will add more later if anything comes to mind as its getting quite late here
  Hope this helps
  - Jouni

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• Multiple Public IP's on ASA 5520

  Hi,
  I have ASA 5520 with Ver 8.2.
  Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP:198.24.210.226.
  There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.
  I did Static NAT 198.24.210.226 to 192.168.1.20  and 198.24.210.227 to 192.168.1.91.
  When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.
  I checked the inside traffic, it even did not get into the firewall.
  Is this the problem with ISP's router?  How can we route all of our public IP's to the outside interface(198.24.210.226)?
  interface GigabitEthernet0/1
  nameif inside
  ip address 192.168.1.1 255.255.255.0
  security-level 100
  no shutdown
  interface GigabitEthernet0/0
  nameif outside
  ip address 198.24.210.226 255.255.255.248
  security-level 0
  no shutdown
  route outside 0.0.0.0 0.0.0.0  198.24.210.225
  nat (inside) 1 192.168.1.0 255.255.255.0
  global (outside) 1 198.24.210.226 255.255.255.255
  static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255 dns
  static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255 dns
  static (inside,outside) tcp 198.24.210.227 3389 192.168.1.20 3389 netmask 255.255.255.255 dns
  static (inside,outside) tcp 198.24.210.227 80   192.168.1.20 80   netmask 255.255.255.255 dns
  access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.226 eq 3389
  access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.226 eq 9070
  access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 3389
  access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 80
  access-group OUTSIDE-IN in interface outside

  Also,
  You seen to have an /29 public subnet. You should be able to use IP addresses from this subnet to configure NAT on your firewall. I dont think you need any specific configurations to allow the usage of the whole subnet as NAT IP addresses.
  You can naturally check the following
  show run sysopt
  Check that you DONT have the following
  sysopt noproxyarp outside
  At the moment you are not actually configuring Static NAT but rather Static PAT.
  You are only forwarding some ports from certain public IP addresses to the local IP address. If you were doing Static NAT, then you would actually be staticly binding the public IP addresses to the local IP address. So it would apply to any TCP/UDP port and you would only need to use the ACL to allow traffic.
  Though in that case you would have to replace the .226 IP address with something else as its the firewall interface IP address and it should not be assigned to be used by a single host on the LAN usually.
  If you wanted to staticly assing public IPs to both of these servers you could do
  static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
  static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255
  access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 3389
  access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 9070
  access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 3389
  access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 80
  - Jouni

• ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  This topic has been beat to death, but I did not see a real answer. Here is configuration:
  1) 2 x ASA 5520, running 8.2
  2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
  3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
  4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
  This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
  Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
  The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
  In any case, any experts out there that can answer question? TIA!

  Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
  Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
  Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
  Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
  Thanks much,
  Mike

• ASA 5520: Configuring Active/Standby High Availability

  Hi,
  I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.
  I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).
  I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
  I tried this using a crossover cable to connect the interfaces directly with the same result.
  Any ideas?
  Thanks.
  Dan

  The command Varun is right.
  Since you want to know a little bit more about this stuff, here goes a bit. Every interface will have a secondary IP and a Primary IP where the Active/Standby pair will exchange hello packes. If the hellos are not heard from mate, the the unit is delcare failed.
  In case the primary is the one that gets an interface down, it will failover to the other unit, if it is the standby that has the problem, the active unit will declare the other Unit "standby failed). You will know that everything is alright when you do a show failover and the standby pair shows "Standby Ready".
  For configuring it, just put a secondary IP on every interface to be monitored (If by any chance you dont have an available secondary IP for one of the interfaces you can avoid monitoring the given interface using the command no "monitor-interface nameif" where the nameif is the name of the interface without the secondary IP.
  Then put the commands for failover and stateful link, the stateful link will copy the connections table (among other things) to avoid downtime while passing from One unit to another, This link should have at least the same speed as the regular data interfaces.
  You can configure the failover link and the stateful link in just one interface, by just using the same name for the link, remember that this link will have a totally sepparate subnet from the ones already used in firewall.
  This is the configuration
  failover lan unit primary
  failover lan interface failover gig0/3
  failover link failover gig0/3
  failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
  failover lan unit secondary
  failover lan interface failover gig0/3
  failover link failover gig0/3
  failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
  Make sure that you can ping each other secondary/primary IP and then put the command
  failover first on the primary and then on the secondary.
  That would fine.
  Let me know if you have further doubts.
  Link for reference
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
  Mike

• Low speed

  Have very low speed - 0.225 mbs, download. On signing up I was told I will be receiving minimum of 8mbs, average of 15mbs and a maximum of 19mbs. Besides being passed from pillar to post as no-one understands why the broadband is so low I have just been informed that the maximum I can get is now 10mbs - quite a big difference? I have also been told I will be charged to have the phone line looked at even though it was only installed by BT two months previously so I will be paying twice. Is this right? I have been lied to, called a liar, transferred to every department within BT. Each member of staff has told me they can't help that I need to be transferred to a different department so after five hours on the phone I am still at square one! This has been going on for two months. Oh I was also told I would receive compensation for not receiving a service but apparently I'm suddenly not eligible for this. I can get faster broadband (more than 10mbs) for cheaper elsewhere. BT have broken the contract by not supplying me with the service that they promised. BT staff don't seem to know much as they can't even agree on the rate of broadband I should be receiving. This is not to mention how rude they have all been towards me. I am thankful that everything is recorded as this proves that I am not at fault and there are obviously training issues that need to be addressed within all departments in the company. Has anyone else had the same experience? Can any moderators respond? 

  Hello, thanks for your response.
  I can assure you that i have tried absolutely everything including replacement router, filters etc.
  The line was only installed on the 14th April, and BT only guarantee their work for a month! I paid £130 to have a line installed...
  They have admitted there is a fault in the line, but even after 6 hours of diagnostic tests still cant find the problem. These tests werent all carried out today but over the past 2 months yet they still didn't send another engineer round to check the line had been installed correctly. I was only offered this option once the "28 day" warranty on the line had expired hence I was expected to pay for it. If this information is incorrect, i have been lied to by the Technical team at BT once again.
  The end result after approx 6 hours on the phone today was that i demanded a full refund for the past 2 months of broadband that i was paying for but not receiving, which was granted after a struggle, and a cancellation of the contract due to BT breaching the contract on at least 2 counts. The first being that i was lied to by the initial sales advisor about the speed of the internet connection i was to expect and BT could not honour this and the second due to paying for a service that i was not receiving. I still have not resolved the problem with the line itself which needs to be looked at by BT regardless of which isp i decide to go with now.
  I think BT really need to look into the staff they have on the end of the phone as they have been nothing but helpless and i can imagine that they have lost BT 1000's of customers due to their lack of knowledge or training.

• Slowness on ASA 5520

  Hi Guys -
  I have a weird situation. I have an ASA 5520 that is our VPN end point for staff connecting remotely using the Cisco VPN client. ASA 5520 is connecting to one of the interfaces on the ASA 5510 (firewall). 5510 is connected to the inside network.
  Most staff members VPN in from home using a wireless connection on a LinkSys router (or a Netgear). Access Point has either WEP or WPA configured for encryption. When they try to open files on a network drive (mapped to a file server in the office) when connected thru the VPN, opening files is very slow. However when WEP or WPA encryption settings are removed from the access point, opening files on the same network drive is much faster. We've noticed this behavior for many people.
  Any ideas on how to resolve this? Of course, it is not practical for us to ask staff members to remove encryption settings from their home access points.
  Any help would be appreciated.

  The WEP/WPA encryption is only limited to traffic between the remote clients and their respective AP. Once the traffic leaves their AP towards the internet, there is absolutely no encryption! The only reason I think is happening is they are over-loading their access points because of the encryption overhead. CIFS by design was not meant to be used over the WAN, so its slow from the WAN irrespective of VPN,Wireless,WEP or WPA. These things just make it more 'slower'
  Also try to enable 'service reset ..' command on the firewall if its already not there.
  Regards
  Farrukh

• Redundant Transparant ASA between Redundant Routed Links

  Aparently the Security/Compliance team didn't review my network design before it was submitted and built, and now I have to shoe horn a firewall somewhere there was never supposed to be one.
  I have my two current DC Cores (Nexus 5548UP), that currently are Layer 3 only, with no L2 configuration at all.  I understand these aren't the best switches for this role, but the BoM was put in place and gear ordered, long before I came onboard, and the DC design had been completed.  From these two Cores, i connect directly to a vendor's clustered Fortinet FW, via a /30 from each core to each node of their cluster, and connected via eBGP, one link with a path prepend, due to the vendor not able to figure out how to load balance on their firewall.  Due to numerous vendor problems, and lack of knowlege, I cannot get them to change their design in a timely manner, to meet our timelines, and this has to be up yesterday to be PCI compliant (so our security people say) prior to go live in 1 week.  The vendor took 3 weeks just to figure out how to aggregate routes to me!.
  So I want to drop a transparent pair of firewalls inline on the two links, but due to the Active/Standby limitation of ASA's, I am not sure this will be that easy given the /30 L3 interfaces being used.  Secondly the lack of L2 between the two upstream cores may be a concern, at least from past expiriences.  I know if I was using some other vendor's clustered FW, this wouldn't be a problem, but I definately don't want to join the Dark side again, or do I have time to procure any other equipment other than the 5520's I currently have laying around.  Someone please tell me I have overlooked something simple, and the design listed below will be simple to implement!!!!
  Any ideas appreciated!

  why you don't use this design:
  connect the vendor clustered direct to nexus with a vrf instance, then route traffic to asa and then route to nexus whith other vrf istance.
  Regards
  V.

• Connection issues and low speeds

  Hi there,
  my family have been with BT now for about 3 or so years and the connection had been rather good until about late last year. According to my family it's everytime I come back home from uni the internet starts to play up as in:
  . Low speeds
  .Drops out and loses connection
  Believing it was somehow my laptop causing the issues I backed everything up and completly wiped it because BT support thought it may be a virus on my machine even the the checks came back with nothing. So I've wiped my laptop and restarted it like it was a brand new laptop...still we're having these issues so I refuse to believe it's my laptop causing the problems. I've changed the chanel on the hub so many times it just doesn't make a difference. Tried different DSL adapters tried different cables even a wired connection causes problems. I am begining to think it's because the router has had it but I am willing to try anything at this point before asking for a new router from BT. Even BT don't seem to know what the problem is all they do is reset the routers chanel every single time I ring them.
  So any advice or help would be greatly appreaciated
  Many Thanks
  Benjamin
  PS - sorry for any grammar/spelling mistakes , I've written this in a hurry before the internet drops out again...

  Hi Welcome to the community forums
  Here is a basic guide to getting help from the community members done by CL Keith Please read through the link posted http://forumhelp.dyndns.info/speed/first_steps.html
  once you have posted the information asked for then the community members can help you more
  Thank You
  This is a customer to customer self help forum the only BT presence here are the forum moderators
  If you want to say thanks for a helpful answer,please click on the Ratings star on the left-hand side If the reply answers your question then please mark as ’Mark as Accepted Solution’