ASA 5525 firewall Trace Route.
Hi,
We have an ASA 5525 firewall, and whenever I perform a traceroute passing through the firewall I am not getting any hop count after the firewall (the firewall IP is also not showing in the traceroute).
I have allowed ICMP and also configured ICMP in the policy-map global_policy.
Please help me to resolve this issue.
Regards,
Dheeraj
Hi Dheeraj,
The firewall blocks traceroute as it doesn't decrement the TTL value by default. You would need the following to enable it:
Make the Firewall Show Up in a Traceroute in ASA/PIX
ciscoasa(config)#class-map class-default
ciscoasa(config)#match any
!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy
!--- This Policy-map exists by default.
ciscoasa(config-pmap)#class class-default
!--- Add another class-map to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy
ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts for the ASA hop:
Cheers,
Naveen
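As an added example (not from this thread and not Cisco code), here is a small Python audit that reads an ASA running-config and reports the two settings from the reply above: `set connection decrement-ttl` under `class class-default` of the globally applied policy-map, and the `icmp unreachable rate-limit`. The two sample configs are constructed; real configs nest sub-commands with one leading space per level, which the parser relies on.

```python
"""Added example (not from the thread or from Cisco): audit an ASA
running-config for the two settings the reply above turns on so that the
firewall appears as a traceroute hop."""
import re
from typing import Dict, List, Optional, Tuple

# One parsed command and the sub-commands indented beneath it.
Node = Tuple[str, List["Node"]]


def parse_asa_config(text: str) -> List[Node]:
    """Build a command tree; ASA nests sub-commands by one leading space each."""
    root: List[Node] = []
    stack: List[Tuple[int, List[Node]]] = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", ":")):
            continue                      # skip comments, blank lines, ': end'
        depth = len(raw) - len(raw.lstrip(" "))
        node: Node = (raw.strip(), [])
        while stack[-1][0] >= depth:      # climb back out to the parent level
            stack.pop()
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root


def global_service_policy(tree: List[Node]) -> Optional[str]:
    """Name of the policy-map applied with 'service-policy <name> global'."""
    for cmd, _ in tree:
        m = re.fullmatch(r"service-policy (\S+) global", cmd)
        if m:
            return m.group(1)
    return None


def decrements_ttl(tree: List[Node], policy: str) -> bool:
    """True if 'set connection decrement-ttl' sits under class-default of policy."""
    for cmd, classes in tree:
        if cmd != f"policy-map {policy}":
            continue
        for cls, actions in classes:
            if cls == "class class-default":
                return any(a == "set connection decrement-ttl" for a, _ in actions)
    return False


def icmp_unreachable_limits(tree: List[Node]) -> Tuple[int, int]:
    """(rate-limit, burst-size); the ASA default of 1/1 applies when absent."""
    for cmd, _ in tree:
        m = re.fullmatch(r"icmp unreachable rate-limit (\d+) burst-size (\d+)", cmd)
        if m:
            return int(m.group(1)), int(m.group(2))
    return 1, 1


def audit_traceroute_visibility(config_text: str) -> Dict[str, object]:
    """Report whether the ASA will answer traceroute probes as a visible hop."""
    tree = parse_asa_config(config_text)
    policy = global_service_policy(tree)
    ttl = policy is not None and decrements_ttl(tree, policy)
    rate, burst = icmp_unreachable_limits(tree)
    findings: List[str] = []
    if not ttl:
        findings.append("TTL is not decremented in the global policy: the ASA stays hidden")
    if (rate, burst) == (1, 1):
        findings.append("icmp unreachable rate-limit is at the 1/1 default: the ASA hop may time out")
    return {"policy": policy, "decrement_ttl": ttl,
            "icmp_unreachable": (rate, burst), "findings": findings}


# Constructed sample: the factory-default global policy (no decrement-ttl).
DEFAULT_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
icmp unreachable rate-limit 1 burst-size 1
: end
"""

# Constructed sample: the same config after the changes from the reply above.
FIXED_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
 class class-default
  set connection decrement-ttl
service-policy global_policy global
icmp unreachable rate-limit 10 burst-size 5
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_traceroute_visibility(cfg))
```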
Similar Messages
-
Cisco ASA 5505 Firewall Not Allowing Incoming Traffic
Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out. I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
Hey Craig,
Based on your commands I think you were using version 6.3 on the PIX and now you must be moving to ASA version 8.2.x.
On 8.4, use the example below to define the interfaces:
int eth0/0
ip add x.x.x.x y.y.y.y
nameif outside
no shut
int eth0/1
ip add x.x.x.x y.y.y.y
nameif inside
no shut
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
You can use two global statements, as the first statement would be used as dynamic NAT and the second as PAT.
If you're still not able to reach it, paste your entire config and the version you are using on the ASA. -
I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is - 99.89.69.333
The internal IP address of my server is - 192.168.6.2
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for static route and RDP, but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also, I have modified the IP information so that it's not the ACTUAL IP info for my server/network etc... lol, for security reasons of course.
Also, the bolded lines are the modifications I made but that aren't working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#
Unclear what did not work. In your original post you said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you add another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389. -
VPN Problems ASA 5505 to 7206 Router MM_WAIT_MSG2
Hi
Since I swapped a PIX firewall for a Cisco ASA 5505 firewall at one of our sites, the VPN tunnel won't come up.
I'm getting this:
asaXXXXX# sho crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.150.242.23
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
asaXXXXX#
Below are the crypto-relevant settings from the ASA:
access-list outside_cryptomap_10 extended permit ip object-group Net_Inside any
access-list outside extended permit ip object-group Network_PPCUK any log debugging
access-list outside extended permit icmp any any
access-list outside extended permit ip object-group Network_QSec any log debugging
access-list inside extended permit ip object-group Net_Inside any
access-list inside extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.xxx.xxx.x 255.255.255.192 any
access-list outside_1_cryptomap extended permit ip 10.xxx.xxx.x 255.255.255.192 any
access-list vpn extended permit ip object-group Net_Inside any
access-list outside_cryptomap_11 extended permit ip 10.xxx.xxx.x 255.255.255.192 any
crypto ipsec transform-set vue2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 14400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map site-crypto-map 10 match address outside_cryptomap_11
crypto map site-crypto-map 10 set pfs
crypto map site-crypto-map 10 set peer 10.150.242.23
crypto map site-crypto-map 10 set transform-set ESP-3DES-SHA
crypto map site-crypto-map 10 set security-association lifetime seconds 14400
crypto map site-crypto-map 10 set security-association lifetime kilobytes 209715
crypto map site-crypto-map 10 set trustpoint ukpvca
crypto map site-crypto-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 14400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp am-disable
Below are the crypto map settings from the 7206 head-end router:
crypto isakmp policy 10
encr 3des
group 2
lifetime 14400
crypto isakmp identity hostname
crypto isakmp keepalive 30 3
crypto ipsec security-association lifetime kilobytes 2097152
crypto ipsec security-association lifetime seconds 14400
crypto ipsec transform-set xxx ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set xxxx esp-3des esp-sha-hmac
crypto map vue 2148 ipsec-isakmp
set peer 10.155.248.82
set transform-set vue2
set pfs group2
match address SITENAME
This 7206 router has 140 VPN tunnels running on it and the rest are all OK; only this one site is not working.
Any feedback would be much appreciated!
Thanks
CLIGuru
Hi
I've compared the configs to a known working ASA and they look identical.
I ran a debug crypto isakmp 251 and got the following:
Aug 16 14:29:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Aug 16 14:29:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:12 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:13 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:13 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:14 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:15 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:15 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
en P1 SA is complete.
Aug 16 14:29:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:37 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:38 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:38 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 16 14:29:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 16 14:29:39 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Strange, eh?! -
How to Enable logging of the ASA 5525?
I need help enabling logging on the ASA 5525 for all new rules created today from the firewall module, rules changed, rules deleted and rules disabled.
Not found in the historic level of the ID on new firewall rules.
0 or emergencies—System is unusable.
1 or alerts—Immediate action needed.
2 or critical—Critical conditions.
3 or errors—Error conditions.
4 or warnings—Warning conditions.
5 or notifications—Normal but significant conditions.
6 or informational—Informational messages.
7 or debugging—Debugging messages.
Thank you.
You cannot log only those changes, but you can log *all* changes.
The messages 111008 and 111010 are the ones to look for (as described in this post). -
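As an added example (not from this thread and not Cisco code), the following Python script pulls those two message IDs out of a syslog stream and classifies access-list commands as added, disabled (`inactive`) or removed (`no access-list`). The log lines are constructed from the documented message formats; the field layout of real messages may differ slightly by version.

```python
"""Added example (not from the thread or from Cisco): pull configuration-change
events out of ASA syslog, using message IDs 111008 and 111010 from the reply
above, and classify access-list changes as added, disabled or removed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class ConfigChange:
    msg_id: int
    user: str
    command: str
    app: Optional[str] = None        # only 111010 carries the application...
    source_ip: Optional[str] = None  # ...and the source address


# Patterns follow the documented message formats; the IP may or may not be quoted.
RE_111008 = re.compile(
    r"%ASA-\d-111008: User '([^']*)' executed the '(.*)' command\.?\s*$")
RE_111010 = re.compile(
    r"%ASA-\d-111010: User '([^']*)', running '([^']*)' from IP '?([^',]+)'?, "
    r"executed '(.*)'\s*$")


def parse_config_changes(lines: Iterable[str]) -> List[ConfigChange]:
    """Return one ConfigChange per 111008/111010 line; other messages are ignored."""
    changes: List[ConfigChange] = []
    for line in lines:
        m = RE_111008.search(line)
        if m:
            changes.append(ConfigChange(111008, m.group(1), m.group(2)))
            continue
        m = RE_111010.search(line)
        if m:
            changes.append(ConfigChange(111010, m.group(1), m.group(4),
                                        app=m.group(2), source_ip=m.group(3)))
    return changes


def classify_rule_change(command: str) -> Optional[str]:
    """Map an access-list command to added / disabled / removed, else None."""
    cmd = command.strip()
    if cmd.startswith("no access-list "):
        return "removed"
    if cmd.startswith("access-list "):
        return "disabled" if cmd.endswith(" inactive") else "added"
    return None


def rule_change_summary(changes: Iterable[ConfigChange]) -> Dict[str, int]:
    """Count access-list changes by kind; a command logged twice (once per
    message ID) for the same user is counted once."""
    seen = set()
    counts: Dict[str, int] = {"added": 0, "disabled": 0, "removed": 0}
    for ch in changes:
        kind = classify_rule_change(ch.command)
        if kind is None or (ch.user, ch.command) in seen:
            continue
        seen.add((ch.user, ch.command))
        counts[kind] += 1
    return counts


# Constructed sample log (RFC 5737 addresses); one rule added via ASDM and
# logged under both IDs, then disabled, then another rule removed.
SAMPLE_LOG = """\
Mar 10 2014 09:12:01 fw01 : %ASA-5-111008: User 'admin' executed the 'access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 3389' command.
Mar 10 2014 09:12:01 fw01 : %ASA-5-111010: User 'admin', running 'ASDM' from IP 192.0.2.25, executed 'access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 3389'
Mar 10 2014 09:13:40 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.25, executed 'access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 3389 inactive'
Mar 10 2014 09:15:05 fw01 : %ASA-5-111010: User 'ops', running 'CLI' from IP 192.0.2.31, executed 'no access-list outside_access_in extended permit tcp any host 203.0.113.11 eq www'
Mar 10 2014 09:15:06 fw01 : %ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:192.168.6.2/3389 (203.0.113.10/3389)
Mar 10 2014 09:16:00 fw01 : %ASA-5-111010: User 'ops', running 'CLI' from IP 192.0.2.31, executed 'write memory'
""".splitlines()

if __name__ == "__main__":
    found = parse_config_changes(SAMPLE_LOG)
    for ch in found:
        print(ch.msg_id, ch.user, ch.app, ch.source_ip, classify_rule_change(ch.command))
    print(rule_change_summary(found))
```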
ASA 5525, v9.1.2 - IPAA: Error freeing address ip-address, not found
Hello everybody!
The following problem:
VPN-dial-in on the ASA .
There are different VPN group policies , each with its own DHCP pool .
Authentication is performed by the AAA AD .
Everything works properly.
However, 3 users of a VPN group cannot dial in. On the firewall this error then always comes up in the log:
IPAA : Error freeing address 172.24.16.41 , not found
That address is nowhere else on the firewall, but was once assigned to a user. But this network object is deleted now.
The DHCP pool for this VPN Group goes from .33 to .63 .
I do not understand why the ASA always wants to take the .41, even if no one else is logged in via VPN.
No matter which one of the 3 users I take, the ASA always wants to assign the .41 .
For all the other users that are having no problem, it assumes a different IP from the pool.
I recreated the pool, created another pool and assigned that pool, and I rebooted the ASA. No luck.
Also did a "clear arp".
No improvement .
Ideas ?
As I said, all other VPN groups and users have no problems.
ASA 5525 , v9.1.2
Thank You!
Problem solved.
The user is only allowed to be in one of the VPN groups in Active Directory.
Those 2 problem users were in two VPN groups.
So, problem fixed. -
Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))
Hello
I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
Setup:
We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR: A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
Configuration in regards to certificate:
crypto key generate rsa label vpn.company.dk modulus 2048
crypto ca trustpoint vpn.trustpoint
keypair vpn.company.dk
fqdn none
subject-name CN=*.company.dk,C=DK
!id-usage ssl-ipsec
enrollment terminal
crl configure
crypto ca authenticate vpn.trustpoint
! <import intermediate certificate>
crypto ca enroll vpn.trustpoint
! <send CSR to CA>
crypto ca import vpn.trustpoint certificate
! <import SSL cert received back from CA>
ssl trust-point vpn.trustpoint outside
Problem:
When I try to import the certificate I receive the following error:
crypto ca import vpn.trustpoint certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name will not be included in the certificate
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
quit
ERROR: Failed to parse or verify imported certificate
Question:
- Does any one of you have any pointers in regards to what is going wrong?
- Especially in regards to fqdn and CN, I also have a question. My config
fqdn none
subject-name CN=*.company.dk,C=DK
would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
So do you have insight or pointers which might help me?
Thank you in advance
I also have a wildcard cert for my SSL VPN ASAs.
When I import the cert I use ASDM instead of the CLI...
I import the wildcard as a *.pfx file and type in the password. Works fine...
Perhaps the format is incorrect?
Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
Not sure if this helps but give ASDM a try? -
Connectivity Issue between ASA 5520 firewall and Cisco Call Manager
Recently I have installed an ASA 5520 firewall. Below are the details of my network:
ASA 5520 inside ip: 10.12.10.2/24
Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
Cisco Call Manager 3825 IP: 10.12.110.2/24
The users and the IP phones are getting IPs from the DHCP server configured on the Cisco 3560 switch.
the Default Gateway for Data user is 10.12.10.2/24 and
for the voice users is 10.12.110.2/24
Now the problem is that the users are not able to ping 10.12.110.2 (Call Manager). Please, if somebody can help in this regard, I will appreciate a prompt response on this issue.
Actually, I don't want to insert a new subnet and complicate the network. I need a simple way to solve the problem. Below are the details of the ASA 5520 config.
ASA Version 8.2(1)
name x.x.x.x Mobily
interface GigabitEthernet0/0
nameif inside
security-level 99
ip address 10.12.10.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp
service-object ip
service-object icmp
service-object udp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq telnet
access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 Inside-Network 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Mobily 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Mgmt-Network 255.255.255.0 mgmt
http Inside-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh Inside-Network 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 86.51.34.17 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_splitTunnelAcl
username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN-Users
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
: end -
DNS Resolution in Cisco ASA 5525
Hey all,
I will begin by telling you what my end goal is: I am trying to block specific websites on our Cisco ASA 5525 using FQDN. I know that this functionality for DNS resolution was not implemented until a specific version.
Current Version: Cisco ASA 5525
ASA Version: 8.6(1)
I can ping external addresses from the ASA; however, I cannot ping hostnames, e.g. "ping google.ca" does not work.
What I've done:
dns domain-lookup inside
dns domain-lookup outside
name-server x.x.x.x (Primary internal dns server)
name-server x.x.x.x (Secondary internal dns server)
name-server 8.8.8.8 (Google external dns server)
name-server 8.8.4.4 (Google external dns server)
domain-name example.com
With this config I can, however, ping hostnames of internal servers.
This is an example of me pinging an external hostname.
ciscoasa# ping google.ca
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:803::101f, timeout is 2 seconds:
No route to host 2607:f8b0:4009:803::101f
Success rate is 0 percent (0/1)
Any ideas?
Thanks!
officeasa# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:802::1012, timeout is 2 seconds:
No route to host 2607:f8b0:4009:802::1012
Success rate is 0 percent (0/1)
John, due to the sensitive nature of the show route output, is there any other information I can tell you? What exactly did you need to see from this information?
(I know without certain information you cannot help but I need to ensure security on my end)
Thanks for understanding. -
Difference between Firewall and Router
I can do VPN remote access configuration using a Cisco firewall, and I can also do it using a Cisco router with the SDM program, so what is the benefit of using the firewall, or are they all the same?
I mean, is it recommended to use the firewall? If yes, why?
Answer-
1) We can set security levels on a firewall, but a router can't.
2) We can run a firewall in multiple contexts (virtual firewalls), but a router can't.
3) We can create SSL VPN on a firewall, but a router can't.
4) Whenever a packet is inspected by a firewall and another packet comes with the same contents, the firewall doesn't check that packet, but a router checks all packets (show connections).
5) A firewall works at both L2 and L3, but a router only at L3.
6) A firewall inspects packets at L3 to L7, but a router works at L3.
7) A firewall has failover; a router can't.
8) Whenever we take a trace, the firewall does not come into the picture, but a router always shows as a hop count. -
HA between a Cisco ASA 5520 and a Cisco ASA 5525-X
Hi all!
We have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput by replacing them with a couple of Cisco ASA 5525-X. Since the software is theoretically compatible, we are not going to upgrade it right now.
We don't want to stop service, so we are thinking about switching off the backup 5520 firewall, replacing it with a 5525-X and balancing service to that one while we replace the other 5520 firewall. So the question is: has someone tried to make an active-passive cluster with both technologies, Cisco ASA and Cisco ASA-X firewalls? We were told that it should be theoretically compatible, but we'd like to know if someone has tried it before.
Best regards for all,
You cannot make a 5520 establish failover with the mate being a 5525-X.
1. The configuration guide (here) states:
The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above. -
DMZ issues in ASA 5505 Firewall
Hi, I have an ASA 5505 firewall with the ASA5505-UL-BUN-K9 license and I have a problem with DMZ. I am not able to create a DMZ. Please suggest what I need to do in order to be able to configure a DMZ. Do I need to upgrade the license? Please suggest.
Hi,
Is the currently licensed firewall something that you have had for some time, or is it a new purchase?
Just wondering, as it would seem unreasonable to have just bought something and then have to get a new license. Just wondering if you can somehow avoid spending extra money if this is a new purchase that wasn't what you were actually looking for.
You can check this link for the different options the ASA5505 has
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html
You can also check this link for all the available licensed options on the ASA5505
http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html#wp2124788
This link contains also information on the ASA models
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
So essentially you would get 20 VLAN interfaces instead of 3 and also support for trunking, which would let you use a single physical link for several VLANs (if you wanted that, that is).
Hope this helps
- Jouni -
P2P blocking on ASA 5525 with Software Version 8.6(1)2
Hello,
We have a Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all traffic from inside to outside.
Now we want to block P2P sharing (BitTorrent) to internet sites. Please help me with the configuration.
We have a DMZ setup and also an inline IPS module.
Thanks in advance.
Regards,
Sandeshc Chavan.
Hi Chavan,
You can try to block this by port.
The well-known TCP ports for BitTorrent traffic are 6881-6889 (and 6969 for the tracker port).
The config is
access-list BLOCK-P2P-TRAFFIC remark Drop BitTorrent client ports, log the hits
access-list BLOCK-P2P-TRAFFIC extended deny tcp any any range 6881 6889 log
access-list BLOCK-P2P-TRAFFIC remark Keep allowing everything else (the ACL otherwise ends in an implicit deny)
access-list BLOCK-P2P-TRAFFIC extended permit ip any any
and apply it inbound on the interface the P2P clients sit behind with the access-group command (the ASA keyword is in/out, not outbound).
For example:
access-group BLOCK-P2P-TRAFFIC in interface inside
However, blocking BitTorrent is challenging and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
Also, you can run netstat -a from the Windows cmd and check the port BitTorrent is using.
Hope this helps. -
ASA receiving two default routes to internet via OSPF
I am trying to test something for a client. If I have an ASA that receives two default routes to the internet via OSPF, will it load balance those connections? I have a feeling the answer is 'no.' If that is the case, would the ASA at least be able to use the second internet connection if the primary one becomes saturated?
TIA,
Dan
Yes, I know that the ASA cannot have default routes on multiple interfaces. Both of the default routes are coming into the ASA's outside interface. There would be two routers and the ASA in area 0 for OSPF. The routers would have the default-information originate command in their OSPF configuration to push the default route out to the ASA.
-
IDS,ASA,PIX firewall monitoring and optimizing
Dear All,
Please let me know the products from Cisco to monitor and optimize the IDS, ASA and PIX firewalls in the data centre and corporate networking environment.
I believe that VMS 2.3 can be used. I would like to know about the CS-MARS product from Cisco and its usage.
Thanking you,
Swamy
Hi,
CS-MARS is a security product that is mainly used to analyse and correlate logs and to produce/recommend mitigation actions based on the log analysis.
You need to send your syslog, SNMP or NetFlow to CS-MARS from all/selected network devices in the network to enable it to have visibility of the network activities. It has built-in signatures or rules that trigger incidents, and it allows you to create your own rules to monitor certain segments or devices. Notification is available in the form of email, SMS, pager, SNMP and syslog.
CS-MARS does not replace the function of IDS/IPS or antivirus, but is a critical complementary security product that allows you to stop any detected malicious incidents/activities from the nearest point, e.g. shutting down the switch port where a PC is detected trying to launch a network attack, virus or trojan. The concept is more or less similar to the 'Forward Defense' used by certain countries today.
http://www.cisco.com/en/US/partner/products/ps6241/products_data_sheet0900aecd80272e64.html
CS-MARS is sized by its capacity to handle received events and NetFlow logs per second. This includes the HDD capacity. You can have a single unit (Local Controller) or multiple units centrally managed by a Global Controller.
CS-MARS supports a wide range of networking and security products.
http://www.cisco.com/en/US/partner/products/ps6241/products_device_support_tables_list.html
Rgds,
AK