ASA-7-710005: UDP request discarded
Hi All,
Hope you are doing good,
Continously I am getting below error log.
Dec 07 2013 11:30:02: %ASA-7-710005: UDP request discarded from 10.109.6.1/67 to WTBB:255.255.255.255/68
Dec 07 2013 11:24:00: %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to WTBB:255.255.255.255/67
Kindly let me know the rean for such errors and how rectify the same,
Attaching the configuration file for your reference.
Regards / Ramesh M
The easiest way to do this is to set the logging level for these messages to a higher level than what you are logging. For example. You are currently logging debug (which is why your are seeing this message). If you log informational messages, you will not see this message.
Another option is to create a custom logging list, But depending on what and how much you want to log, this might not be a very good option.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_syslog.html
Please remember to rate and select a correct answer
Similar Messages
-
%ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510
Hi Friends,
I'm trying to built client to site VPN in CISCO ASA 5510 8.4(4) and getting below error while connecting cisco VPN client software. Also, I'm getting below log in ASA. Please help me to reslove.
Error in CISCO VPN Client Software:
Secure VPN Connection Terminated locally by the client.
Reason : 414 : Failed to establish a TCP connection.
Error in CISCO ASA 5510
%ASA-7-710005: TCP request discarded from <Public IP> /49276 to outside:<Outside Interface IP of my ASA> /10000
ASA Configuration:
XYZ# sh run
: Saved
ASA Version 8.4(4)
hostname XYZ
domain-name XYZ
enable password 3uLkVc9JwRA1/OXb level 3 encrypted
enable password R/x90UjisGVJVlh2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside_rim
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet0/1
duplex full
nameif XYZ_DMZ
security-level 50
ip address 172.1.1.1 255.255.255.248
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.252
interface Ethernet0/3
speed 100
duplex full
nameif inside
security-level 100
ip address 3.3.3.3 255.255.255.224
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa844-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
domain-name XYZ
object network obj-172.17.10.3
host 172.17.10.3
object network obj-10.1.134.0
subnet 10.1.134.0 255.255.255.0
object network obj-208.75.237.0
subnet 208.75.237.0 255.255.255.0
object network obj-10.7.0.0
subnet 10.7.0.0 255.255.0.0
object network obj-172.17.2.0
subnet 172.17.2.0 255.255.255.0
object network obj-172.17.3.0
subnet 172.17.3.0 255.255.255.0
object network obj-172.19.2.0
subnet 172.19.2.0 255.255.255.0
object network obj-172.19.3.0
subnet 172.19.3.0 255.255.255.0
object network obj-172.19.7.0
subnet 172.19.7.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.2.0.0
subnet 10.2.0.0 255.255.0.0
object network obj-10.3.0.0
subnet 10.3.0.0 255.255.0.0
object network obj-10.4.0.0
subnet 10.4.0.0 255.255.0.0
object network obj-10.6.0.0
subnet 10.6.0.0 255.255.0.0
object network obj-10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network obj-10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network obj-10.12.0.0
subnet 10.12.0.0 255.255.0.0
object network obj-172.19.1.0
subnet 172.19.1.0 255.255.255.0
object network obj-172.21.2.0
subnet 172.21.2.0 255.255.255.0
object network obj-172.16.2.0
subnet 172.16.2.0 255.255.255.0
object network obj-10.19.130.201
host 10.19.130.201
object network obj-172.30.2.0
subnet 172.30.2.0 255.255.255.0
object network obj-172.30.3.0
subnet 172.30.3.0 255.255.255.0
object network obj-172.30.7.0
subnet 172.30.7.0 255.255.255.0
object network obj-10.10.1.0
subnet 10.10.1.0 255.255.255.0
object network obj-10.19.130.0
subnet 10.19.130.0 255.255.255.0
object network obj-XXXXXXXX
host XXXXXXXX
object network obj-145.248.194.0
subnet 145.248.194.0 255.255.255.0
object network obj-10.1.134.100
host 10.1.134.100
object network obj-10.9.124.100
host 10.9.124.100
object network obj-10.1.134.101
host 10.1.134.101
object network obj-10.9.124.101
host 10.9.124.101
object network obj-10.1.134.102
host 10.1.134.102
object network obj-10.9.124.102
host 10.9.124.102
object network obj-115.111.99.133
host 115.111.99.133
object network obj-10.8.108.0
subnet 10.8.108.0 255.255.255.0
object network obj-115.111.99.129
host 115.111.99.129
object network obj-195.254.159.133
host 195.254.159.133
object network obj-195.254.158.136
host 195.254.158.136
object network obj-209.164.192.0
subnet 209.164.192.0 255.255.224.0
object network obj-209.164.208.19
host 209.164.208.19
object network obj-209.164.192.126
host 209.164.192.126
object network obj-10.8.100.128
subnet 10.8.100.128 255.255.255.128
object network obj-115.111.99.130
host 115.111.99.130
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-115.111.99.132
host 115.111.99.132
object network obj-10.10.1.45
host 10.10.1.45
object network obj-10.99.132.0
subnet 10.99.132.0 255.255.255.0
object-group network Serversubnet
network-object 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
object-group network XYZ_destinations
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 10.12.0.0 255.255.0.0
network-object 172.19.1.0 255.255.255.0
network-object 172.19.2.0 255.255.255.0
network-object 172.19.3.0 255.255.255.0
network-object 172.19.7.0 255.255.255.0
network-object 172.17.2.0 255.255.255.0
network-object 172.17.3.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object host 10.50.2.206
object-group network XYZ_us_admin
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
object-group network XYZ_blr_networkdevices
network-object 10.200.10.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list nonat extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
access-list Cacib extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 host XXXXXXXX
access-list coextended permit ip host XXXXXXXXhost 2.2.2.2
access-list ci extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list ci extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
access-list acl-outside extended permit ip any host 172.17.10.3
access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
access-list acl-outside extended permit tcp any any eq 10000
access-list acl-outside extended deny ip any any log
pager lines 10
logging enable
logging buffered debugging
mtu outside_rim 1500
mtu XYZ_DMZ 1500
mtu outside 1500
mtu inside 1500
ip local pool XYZ_c2s_vpn_pool 172.30.10.51-172.30.10.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
nat (inside,outside) source dynamic obj-10.8.108.0 interface
nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
object network obj-172.17.10.3
nat (XYZ_DMZ,outside) static 115.111.99.134
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
crypto dynamic-map dyn1 1 set reverse-route
crypto map vpn 1 match address XYZ
crypto map vpn 1 set peer XYZ Peer IP
crypto map vpn 1 set ikev1 transform-set vpn1
crypto map vpn 1 set security-association lifetime seconds 3600
crypto map vpn 1 set security-association lifetime kilobytes 4608000
crypto map vpn 2 match address NE
crypto map vpn 2 set peer NE_Peer IP
crypto map vpn 2 set ikev1 transform-set vpn2
crypto map vpn 2 set security-association lifetime seconds 3600
crypto map vpn 2 set security-association lifetime kilobytes 4608000
crypto map vpn 4 match address ML_VPN
crypto map vpn 4 set pfs
crypto map vpn 4 set peer ML_Peer IP
crypto map vpn 4 set ikev1 transform-set vpn4
crypto map vpn 4 set security-association lifetime seconds 3600
crypto map vpn 4 set security-association lifetime kilobytes 4608000
crypto map vpn 5 match address XYZ_global
crypto map vpn 5 set peer XYZ_globa_Peer IP
crypto map vpn 5 set ikev1 transform-set vpn5
crypto map vpn 5 set security-association lifetime seconds 3600
crypto map vpn 5 set security-association lifetime kilobytes 4608000
crypto map vpn 6 match address Da_VPN
crypto map vpn 6 set peer Da_VPN_Peer IP
crypto map vpn 6 set ikev1 transform-set vpn6
crypto map vpn 6 set security-association lifetime seconds 3600
crypto map vpn 6 set security-association lifetime kilobytes 4608000
crypto map vpn 7 match address Da_Pd_VPN
crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
crypto map vpn 7 set ikev1 transform-set vpn6
crypto map vpn 7 set security-association lifetime seconds 3600
crypto map vpn 7 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside
crypto map vpn_reliance 1 match address XYZ_rim
crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
crypto map vpn_reliance 1 set security-association lifetime seconds 3600
crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
crypto map vpn_reliance interface outside_rim
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside_rim
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28000
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.8.100.0 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy XYZ_c2s_vpn internal
username testadmin password oFJjANE3QKoA206w encrypted
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XYZ_c2s_vpn type remote-access
tunnel-group XYZ_c2s_vpn general-attributes
address-pool XYZ_c2s_vpn_pool
tunnel-group XYZ_c2s_vpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
service-policy global_policy global
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command crypto
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: end
XYZ#Thanks Javier.
But i have revised the VPN confuration. Below are the latest configs. with this latest configs. I'm getting username & password screen while connecting cisco vpn client software. once we entered the login credential. it shows "security communication channel" then it goes to "not connected" state. Can you help me to fix this.
access-list ACL-RA-SPLIT standard permit host 10.10.1.3
access-list ACL-RA-SPLIT standard permit host 10.10.1.13
access-list ACL-RA-SPLIT standard permit host 10.91.130.201
access-list nonat line 1 extended permit ip host 10.10.1.3 172.30.10.0 255.255.255.0
access-list nonat line 2 extended permit ip host 10.10.1.13 172.30.10.0 255.255.255.0
access-list nonat line 3 extended permit ip host 10.91.130.201 172.30.10.0 255.255.255.0
ip local pool CO-C2S-VPOOL 172.30.10.51-172.30.10.254 mask 255.255.255.0
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key sekretk3y
username ra-user1 password passw0rd1 priv 1
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key *********
username ******* password ******** priv 1
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
group 1
lifetime 3600 -
Hi Everyone.
On My Home ASA i checked the logs it has few logs of
Apr 16 2013 21:36:39: %ASA-7-710005: UDP request discarded from 192.168.52.7/7765 to inside:255.255.255.255/7765
where 192.168.52.7 is my PC IP.
Need to know why this message is showing up in ASA logs.
Thanks
MAheshEither way this sounds like an app not behaving correctly,
why would you want to broadcast this traffic , if you know what I mean
Try to close the applications running on your PC until you check that the traffic disappears then you will be able to determine.
In fact let's make it better ( the way we should do this is next )
Use the powerful netstat
netstat -b
netstat - ano
Then look for the process ID side each connection
Finaly go to your PC Star task manager /Services and match the PID
Regards
Remember to rate all of the helpful posts -
Site to Site tunnel: ESP request discarded
Hello. I've got a site to site tunnel configured in an ASA-5540 (8.3) and at first working fine. After several hours, the tunnel is disconnected and I this log appear without stopping:
%ASA-7-710006: ESP request discarded from "tunnel IP peer" to outside_int:"my tunnel IP"
I can't figure out why the tunnel stop working and the meaning of this message. The explanation in Cisco documents does't fix to me.
Thanks.Hi,
At HQ ASA atleast the NAT0 configuration is wrong
You have configured this
nat (inside) 5 access-list inside_nat0_outbound
This isnt NAT0 however. It would be configured with ID 5 if you had a corresponding "global" commands using ID 5 also. It would be a Dynamic Policy NAT/PAT.
The NAT0 configurations should use the ID 0
If an existing NAT0 "nat" statement/configuration already exists then you would use the existing ACL to define the traffic that doesnt need NAT
So your configuration should probably be this
nat (inside) 0 access-list inside_nat0_outbound
I can't see a different in the actual L2L VPN configurations though there are some configurations that are not visible that might affect connectivity BUT the above mentioned NAT0 configurations is clearly a problem.
Hope this helps
Please remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
ASA5505 port 3306 request discarded
ASA5505 port 3306
I have been fighting for days to open the port 3306 on my appliance, I have read carefully all the forums and no success.
I allways get the message :
7
Oct 21 2012
17:29:32
90.27.181.120
54655
212.147.49.18
3306
TCP request discarded from 90.27.181.120/54655 to outside:212.147.49.18/3306
I have attached m y configuration
thanks for any helpHello Jean,
Just checked the config, the problem is that you did not follow the object service configuration I sent you.
Mine:
object service SQL
service tcp source eq 3306
Yours:
object service SQL
service tcp destination eq 3306
Please change that and let me know,
Remember to rate all of the helpful posts, that is as important as a thanks for the community ( if you need to know how to rate a post, just let me know, I will be more than glad to let you know ) -
ASA 5510 'bounces' UDP packets. Why?
Hi. I hope to find someone who can shed a light on something that is bugging me for days now. We have an ASA (5510, running 7.2(2)) to connect our subnets to the backbone of the ISP. I received complaints about one specific connection, which I'll "draw" here:
[ remote host 192.87.x.y (A) ] -- {"Internet"} -- [ Telecity Router ] -- [ Our ASA ] -- [ switch ] -- [ fibre ] -- [ switch ] -- [ our host 82.199.c.d (B) ]
What happens is the following: I can successfully ping from A to B and back. I can also traceroute (UDP) from A to B and back. But a specific UDP packet sent by A (port 9001) to B (port 5432) is causing a problem. "Our ASA" does not route the packet to the correct interface, but sends it back to the Telecity router instead. Which in turn sends it back to "Our ASA" (since it is destined for our subnet). This goes back and forth for 60 times and then the TTL is expired.
I have no idear what is happening here. The access-lists are correctly configured (as far as I know), but even if they weren't I would expect the packets to get dropped rather than put back on the sending interface. This packet is bounced (on ethernetlevel, the IP part remains the same apart from the TTL) to the sending router.
Any pointers as to where to look for what is causing this and how to investigate this further are highly appreciated.
FrankHi Frederico. Of course I tried the packet tracer as one of the first tools :-). It showed a complete path (I used ASDM). Now I retried it (via the CLI) and something strange happens. This is a packet trace A to B with udp from port 9001 to 5431 (not 5432):
Phase: 1
Type: FLOW-LOOKUP / ALLOW / Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP / ALLOW / in my_DMZ 255.255.255.240 my_DMZ
Phase: 3
Type: ACCESS-LIST / ALLOW / access-group my_backbone_access_in in interface my_backbone
access-list my_backbone_access_in extended permit ip any my_DMZ 255.255.255.240
Phase: 4
Type: IP-OPTIONS / ALLOW
Phase: 5
Type: ACCESS-LIST / ALLOW / access-group my_DMZ_access_out out interface my_DMZ
access-list my_DMZ_access_out extended permit ip any object-group host_group
object-group network host_group
network-object host myHost
Phase: 6
Type: IP-OPTIONS / ALLOW
Phase: 7
Type: FLOW-CREATION / ALLOW / New flow created with id 7342770, packet dispatched to next module
Phase: 8
Type: ROUTE-LOOKUP / ALLOW / found next-hop myHost using egress ifc my_DMZ
adjacency Active
next-hop mac address 00bb.ccdd.eeff hits 1
Result:
input-interface: my_backbone / input-status: up / input-line-status: up
output-interface: my_DMZ / output-status: up / output-line-status: up
Action: allow
As you can see it is a complete path. But this is what happens if I try it for A/9001 to B/5432:
Phase: 1
Type: FLOW-LOOKUP / ALLOW / Found flow with id 12, using existing flow
Module information for forward flow: snp_fp_inspect_ip_options, snp_fp_adjacency, snp_fp_fragment, snp_ifc_stat
Module information for reverse flow: snp_fp_inspect_ip_options, snp_fp_adjacency, snp_fp_fragment, snp_ifc_stat
Result:
input-interface: my_backbone / input-status: up / input-line-status: up / Action: allow
Apparently the packet is send into an existing flow (is there a command to see what this flow is?) and that is where it ends. Now I need to find out why this is happening... This firewall has been reloaded a few times, but that did not solve the problem. Any pointers are highly appreciated as was this hint.
Frank -
LWAPP Discovery request - discarded ?
Greetings all,
I'm starting to grow a huge headache over a WLC-implementation (4402-12). From my point of view, the controller seems to be configured correctly and the DHCP-scope has been set up with the correct pointers as well as as the DNS-record, all pointing towards the AP-Manager i/f (tagged vlan20 on port 1, mgmt untagged) - still, no access-points will associate. The AP is pingable from the controller. A debug of lwapp events and details shows the following;
Sat Jan 7 19:36:17 2006: Received a message from AP of length 97 on inteface = 1
Sat Jan 7 19:36:17 2006: Entered spamGetLCBFromMac file spam_lrad.c line 433**
Sat Jan 7 19:36:17 2006: Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:5a:bd:50 to ff:ff:ff:ff:ff:ff on port '1'
Sat Jan 7 19:36:17 2006: Discarding L3 Mode LWAPP DISCOVERY REQUEST on intf '1', vlan = '20', Management vlan = '0'.
Anyone with a clue regarding what might be causing this? I'm also a little confused regarding the destaddr (bcast) since the AP should've received the ucast address of the controller. We have to handover this system to the cust. fairly soon .. :-)
WLC Version: 3.2.78.0
TIA & Best regards,
/MYou need to use the Management Interface for LWAPP controller discovery. That's what the WLC expects. So when it sees an LWAPP Discovery Request coming in on another interface, it discards its.
In L3 LWAPP mode, the AP tries to find a WLC using IP subnet broadcast, over the air provisioning (OTAP), DHCP Option 43, DNS, and WLC IP addresses stored in memory. It will always use ALL of these techniques. That's why you're seeing the broadcast. From the LWAPP Discovery Responses it selects a controller to join.
Now, you would've seen it join in L2 mode because the AP does an Ethernet "broadcast" to find the WLC. Hence, the mgmt interface sees the LWAPP Discovery, and responds with an Ethernet frame. At L2 mode, all LWAPP is Ethernet encapsulated as opposed to IP encapsulated. When you switched back to L3 mode, the AP remembers the management IP address of the WLC from the L2 join and uses that. That's why it worked after switching L3-->L2-->L3.
Hope this helps. -
EPrint Portal Feature Request - Discarded Messages Email Address
When a user has the ePrint Center site configured to only allow printing from allowed email addresses, the site displays emails that have been discarded because they are not on the approved sender list.
Feature Request:
Please consider changing the listing of discarded messages to include the sender's email address in addition to the subject you already show. Even better, have an option to click on the email address to add it to the approved senders list.
While one might wonder how you wouldn't know the sender's address, in my case, my wife would send recipes from a recipe site and they would be blocked. To get around this (other than turning off the address list feature), we can send them first to our own email address to find the sending email but what I mentioned would simplify things. Users' technology patience can vary and while I am quite patient for the sake of technology and gadgetry my wife is less patient which, in this case, led to her abandoning the feature.Good news.
To the top right is a link that says View Job History.
Click on this link and it will show the e-mail address.
I confirmed this by logging into my eprintcenter.com account, changing to allowed senders only and then sent an e-mail from a blocked e-mail address.
The short summary did not show the e-mail address, but the full history did show the specific e-mail address.
You can then copy and paste this e-mail address into your list.
Additionally, changing from allowed to everyone and then back will re-add all recent e-mail addresses that successfully printed though it won't add anything that hasn't recently printed.
↙-----------How do I give Kudos?| How do I mark a post as Solved? ----------------↓ -
FTP Port ERROR Forwarding in Cisco ASA 8.2(5), Very Intersting.
Hi,
I have the following configuration on a Cisco ASA 8.2(5), all the traffic to the port 5000 go to an IP Camera and www 80 it's forward throught static NAT to a Web Server without problem, I have the same Configuration for a FTP SERVER Windows and FTP Server Linux and doesn't make the foward to an internal IP address. Attach is the configuration I would like to know what is causing the problems.
The FTP Server Are running locally without any problems, when I try to reach it for the Outside interface then i can't, this is in the only port i can't forward.
I really appreciate your help.
Thanks
ASA Version 8.2(5)
hostname ciscoasa
enable password dAWCvYvyr2FRISo5 encrypted
passwd dAWCvYvyr2FRISo5 encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.4.4
name-server 8.8.8.8
name-server 196.3.81.132
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TEST2 tcp
port-object eq www
port-object eq https
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit icmp any interface outside echo-reply
access-list 101 extended permit udp any any eq 5000
access-list 101 extended permit udp any any eq ntp
access-list 101 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
access-list 102 extended permit icmp any interface outside echo-reply
access-list 102 extended permit icmp any interface outside
access-list 102 extended permit ip any host 192.168.1.5
access-list 102 extended permit tcp any host 192.168.1.5 eq 5000
access-list 102 extended permit tcp any interface outside eq 5000
access-list 102 extended permit tcp any host 192.168.1.5 eq https
access-list 102 extended permit tcp any any eq 5000
access-list 102 extended permit ip any host 192.168.1.8
access-list 102 extended permit tcp any any eq telnet
access-list 102 extended permit tcp any interface outside object-group TEST2
access-list 102 extended permit ip any 192.168.1.0 255.255.255.0
access-list 102 extended permit tcp any interface outside eq www
access-list 102 extended permit tcp any interface outside eq ftp
access-list 102 extended permit tcp any interface outside eq ftp-data
access-list 102 extended permit tcp any any eq ftp
access-list 103 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5000 192.168.1.5 5000 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.15 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.15 ftp-data netmask 255.255.255.255
access-group 102 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 225.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.10-192.168.1.41 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cabelen password tJPt4MkXkeex6ITZ encrypted
class-map ftp-class
match access-list 102
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3465bc9d04198e9df80787c0c039db27
: end
ciscoasa#This is the results of the log it didn't not find the public ip address which im making FTP connection.
ciscoasa# sh logg | i 147.197.115.171
ciscoasa# sh logg
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 88 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 68 messages logged
connection 125407 for outside:111.221.74.28/443 to inside:192.168.1.24/24483 duration 0:02:01 bytes
44
%ASA-7-609002: Teardown local-host outside:111.221.74.28 duration 0:02:01
%ASA-7-710005: UDP request discarded from 192.168.1.24/138 to inside:192.168.1.255/138
%ASA-6-302016: Teardown UDP connection 125402 for outside:177.0.186.239/57036 to inside:192.168.1.24
/24483 duration 0:02:02 bytes 220
%ASA-7-609002: Teardown local-host outside:177.0.186.239 duration 0:02:02
%ASA-6-302016: Teardown UDP connection 125408 for outside:89.240.135.18/47096 to inside:192.168.1.24
/24483 duration 0:02:01 bytes 44
%ASA-7-609002: Teardown local-host outside:89.240.135.18 duration 0:02:01
%ASA-6-302016: Teardown UDP connection 125409 for outside:111.221.77.145/40037 to inside:192.168.1.2
4/24483 duration 0:02:01 bytes 486
%ASA-7-609002: Teardown local-host outside:111.221.77.145 duration 0:02:01
%ASA-6-302016: Teardown UDP connection 125410 for outside:64.4.23.148/40014 to inside:192.168.1.24/2
4483 duration 0:02:01 bytes 178
%ASA-7-609002: Teardown local-host outside:64.4.23.148 duration 0:02:01
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.24/24483 to outside:69.86.151.
109/54119 duration 0:03:00
%ide:216.146.39.70/80 to inside:192.168.1.5/3628 duration 0:00:00 bytes 303 TCP FINs
%ASA-7-609002: Teardown local-host outside:216.146.39.70 duration 0:00:00
nable_15' executed the 'configure terminal' command.
%ASA-6-302015: Built inbound UDP connection 125412 for inside:192.168.1.20/68 (192.168.1.20/68) to i
dentity:192.168.1.2/67 (192.168.1.2/67)
%ASA-6-604103: DHCP daemon interface inside: address granted 0128.987b.d28e.e7 (192.168.1.20)
%ASA-6-302016: Teardown UDP connection 125411 for inside:192.168.1.27/68 to identity:192.168.1.2/67
duration 0:02:01 bytes 623
%ASA-5-111008: User 'enable_15' executed the 'no access-list 102 extended permit ip any 192.168.1.0
255.255.255.0' command.
%ASA-6-302010: 20 in use, 234 most used
%ASA-5-111008: User 'enable_15' executed the 'no access-list 102 extended permit ip any host 192.168
.1.8' command.
%ASA-5-111005: 192.168.1.24 end configuration: OK
%ASA-6-302016: Teardown UDP connection 125412 for inside:192.168.1.20/68 to identity:192.168.1.2/67
duration 0:02:01 bytes 641
%ASA-7-609001: Built local-host outside:209.128.96.248
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.20/57764 to outside:69.86.151.109
/50424
%ASA-6-302013: Built outbound TCP connection 125413 for outside:209.128.96.248/80 (209.128.96.248/80
) to inside:192.168.1.20/57764 (69.86.151.109/50424)
%ASA-7-111009: User 'enable_15' executed cmd: show running-config
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-609001: Built local-host outside:174.35.22.69
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.24/51106 to outside:69.86.151.109
/53818
%ASA-6-302013: Built outbound TCP connection 125414 for outside:174.35.22.69/80 (174.35.22.69/80) to
inside:192.168.1.24/51106 (69.86.151.109/53818)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.24/51107 to outside:69.86.151.109
/12433
%ASA-6-302013: Built outbound TCP connection 125415 for outside:174.35.22.69/80 (174.35.22.69/80) to
inside:192.168.1.24/51107 (69.86.151.109/12433)
%ASA-7-609001: Built local-host outside:8.8.8.8
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.24/51214 to outside:69.86.151.109
/42103
%ASA-6-302015: Built outbound UDP connection 125416 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:19
2.168.1.24/51214 (69.86.151.109/42103)
%ASA-6-302016: Teardown UDP connection 125416 for outside:8.8.8.8/53 to inside:192.168.1.24/51214 du
ration 0:00:00 bytes 176
%ASA-7-609002: Teardown local-host outside:8.8.8.8 duration 0:00:00
%ASA-6-302014: Teardown TCP connection 125414 for outside:174.35.22.69/80 to inside:192.168.1.24/511
06 duration 0:00:06 bytes 2075 TCP FINs
%ASA-6-302014: Teardown TCP connection 125415 for outside:174.35.22.69/80 to inside:192.168.1.24/511
07 duration 0:00:06 bytes 3016 TCP FINs
%ASA-7-609002: Teardown local-host outside:174.35.22.69 duration 0:00:06
ciscoasa# -
Anyconnect VPN users cannot reach LAN
I know this topic has been beat to death, but I've beat myself to death trying to get it to work. I had this working, but didn't save, then the FW did a reboot when the breaker flipped. I can log in with the VPN client. I can't reach any of the LAN resources. I believe I need a NAT exemption and I believe that I have that configured correctly, but it's not working. From the logs I can see the VPN IP pool going to the external IP interface, which means NAT is happening, when it shouldn't be. What am I missing?
ip local pool vpn_pool 10.0.251.10-10.0.251.254 mask 255.255.255.0
interface Ethernet0/0
description OUTSIDE INTERFACE
duplex full
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/1
description INSIDE INTERFACE
duplex full
nameif inside
security-level 100
ip address 10.0.250.1 255.255.255.0
boot system disk0:/asa914-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn-pool
subnet 10.0.251.0 255.255.255.0
object network VPN-POOL
subnet 10.0.251.0 255.255.255.0
object network LAN
subnet 10.0.250.0 255.255.255.0
object-group network PAT-SOURCE
network-object 10.0.250.0 255.255.255.0
network-object 10.0.251.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any4 any4 log debugging
access-list INSIDE_OUT extended permit ip object-group PAT-SOURCE any4 log debugging
ip verify reverse-path interface outside
no arp permit-nonconnected
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface insidefirewall(config)# logging console 7
Jan 07 2014 14:41:49: %ASA-5-111008: User 'jshojayi' executed the 'logging console 7' command.
Jan 07 2014 14:41:49: %ASA-5-111010: User 'jshojayi', running 'CLI' from IP 0.0.0.0, executed 'logging console 7'
firewall(config)# Jan 07 2014 14:41:49: %ASA-6-302016: Teardown UDP connection 2097 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:50: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:50: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/60524 to outside:99.66.187.4/60524
Jan 07 2014 14:41:50: %ASA-6-302015: Built outbound UDP connection 2098 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
Jan 07 2014 14:41:50: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
Jan 07 2014 14:41:50: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
Jan 07 2014 14:41:50: %ASA-6-302015: Built inbound UDP connection 2100 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:51: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:51: %ASA-6-302015: Built outbound UDP connection 2101 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
Jan 07 2014 14:41:51: %ASA-6-302016: Teardown UDP connection 2100 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:51: %ASA-6-305012: Teardown dynamic TCP translation from any:10.0.250.34/16140 to outside:99.66.187.4/16140 duration 0:01:01
Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)
Jan 07 2014 14:41:52: %ASA-6-302015: Built inbound UDP connection 2103 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:52: %ASA-4-410001: Dropped UDP DNS request from inside:10.0.250.22/54745 to outside:157.56.106.189/3544; label length 128 bytes exceeds protocol limit of 63 bytes
Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/62857 to outside:99.66.187.4/62857 duration 0:00:31
Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/61237 to outside:99.66.187.4/61237 duration 0:00:31
Jan 07 2014 14:41:52: %ASA-6-302016: Teardown UDP connection 2103 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
Jan 07 2014 14:41:53: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/63938(LOCAL\jshojayi) to outside:99.66.187.4/63938
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2060 for outside:10.0.251.10/60840(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 165 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2106 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2061 for outside:10.0.251.10/58388(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 335 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2105 for outside:10.0.251.10/63938(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 134 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/55378(LOCAL\jshojayi) to outside:99.66.187.4/55378
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2107 for outside:10.0.251.10/55378 (99.66.187.4/55378)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51560(LOCAL\jshojayi) to outside:99.66.187.4/51560
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2108 for outside:10.0.251.10/51560 (99.66.187.4/51560)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:54: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2106 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2107 for outside:10.0.251.10/55378(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 196 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2108 for outside:10.0.251.10/51560(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 160 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302015: Built inbound UDP connection 2109 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2109 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:55: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/54078 to outside:99.66.187.4/54078
Jan 07 2014 14:41:55: %ASA-6-302015: Built outbound UDP connection 2110 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
Jan 07 2014 14:41:55: %ASA-6-302015: Built inbound UDP connection 2111 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2072 for outside:10.0.251.10/58472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2080 for outside:10.0.251.10/62680(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2073 for outside:10.0.251.10/59472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2076 for outside:10.0.251.10/60425(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2096 for outside:10.0.251.10/52985(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:07 bytes 175 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2075 for outside:10.0.251.10/53507(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(59472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60425)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(53507)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2077 for outside:10.0.251.10/57569(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2078 for outside:10.0.251.10/54477(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(62680)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2079 for outside:10.0.251.10/56608(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(56608)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(54477)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(52985)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(57569)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2111 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:59: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:59: %ASA-6-302015: Built outbound UDP connection 2112 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60840)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58388)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2114 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2114 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/52140 to outside:99.66.187.4/52140 duration 0:00:31
Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64609 to outside:99.66.187.4/64609 duration 0:02:32
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2092 for outside:10.0.251.10/51932(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 198 (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/57116(LOCAL\jshojayi) to outside:99.66.187.4/57116
Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2115 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
Jan 07 2014 14:42:00: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(51932)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:00: %ASA-6-302016: Teardown UDP connection 2115 for outside:10.0.251.10/57116(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:01 bytes 99 (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2117 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/58663(LOCAL\jshojayi) to outside:99.66.187.4/58663
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2118 for outside:10.0.251.10/58663 (99.66.187.4/58663)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/49740(LOCAL\jshojayi) to outside:99.66.187.4/49740
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2119 for outside:10.0.251.10/49740 (99.66.187.4/49740)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2098 for outside:68.94.156.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 176
Jan 07 2014 14:42:04: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2118 for outside:10.0.251.10/58663(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 148 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2119 for outside:10.0.251.10/49740(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 142 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2101 for outside:68.94.157.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 220
Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
Jan 07 2014 14:42:04: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2122 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51200(LOCAL\jshojayi) to outside:99.66.187.4/51200
Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2123 for outside:10.0.251.10/51200 (99.66.187.4/51200)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2122 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2123 for outside:10.0.251.10/51200(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 182 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/53977 to outside:99.66.187.4/53977 duration 0:00:30
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64875 to outside:99.66.187.4/64875 duration 0:00:43
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/58618 to outside:99.66.187.4/58618 duration 0:00:43
Jan 07 2014 14:42:04: %ASA-6-302015: Built outbound UDP connection 2124 for outside:192.168.1.254/67 (192.168.1.254/67) to identity:99.66.187.4/68 (99.66.187.4/68)
Jan 07 2014 14:42:05: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:05: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/60404 to outside:99.66.187.4/60404 duration 0:00:43
Jan 07 2014 14:42:05: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
Jan 07 2014 14:42:05: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
Jan 07 2014 14:42:06: %ASA-6-302016: Teardown UDP connection 2110 for outside:68.94.156.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 132
Jan 07 2014 14:42:07: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:07: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:07: %ASA-6-302016: Teardown UDP connection 2112 for outside:68.94.157.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 165
+Jan 07 2014 14:42:08: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:08: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/14848 laddr 99.66.187.4/14848 -
What is the equivalent implementation of isr ios cli "ip tcp synwait-time 10" on asa cli
I would like to see an implementation of an ISR IOS cli:
ip tcp synwait-time 10
on an ASA cli. thank you much in advance.Hi Oscar,
this is supported but you need a class-map type management:
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/mpf_service_policy.html#wp1167296
TCP and UDP connection limits and timeouts, and TCP sequence number randomization: supported for management traffic...
access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq https log
access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq ssh log
class-map type management CONTROL
match access-list CONTROL_ACL
policy-map global_policy
class CONTROL
set connection conn-max 1
service-policy global_policy global
In my tests, it worked for SSH but not for HTTPS:
ciscoasa(config)# sh conn all
2 in use, 2 most used
TCP outside 1.1.1.2:38670 NP Identity Ifc 1.1.1.10:22, idle 0:00:38, bytes 20, flags UfrOB
TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:02, bytes 0, flags UB
After other sessions:
%ASA-7-710005: TCP request discarded from 1.1.1.2/25085 to outside:1.1.1.10/22
%ASA-3-201011: Connection limit exceeded 1/1 for input packet from 1.1.1.2/25085 to 1.1.1.10/22 on interface outside
ciscoasa(config)# sh conn all
4 in use, 5 most used
TCP outside 1.1.1.2:41726 NP Identity Ifc 1.1.1.10:443, idle 0:00:43, bytes 0, flags UB
TCP outside 1.1.1.2:26087 NP Identity Ifc 1.1.1.10:443, idle 0:00:45, bytes 0, flags UB
TCP outside 1.1.1.2:33312 NP Identity Ifc 1.1.1.10:443, idle 0:00:47, bytes 0, flags UB
TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:04, bytes 0, flags UB
Somehow, 0 hitcount on HTTPS ACL...
ciscoasa(config)# sh access-list
access-list CONTROL_ACL line 1 extended permit tcp host 1.1.1.2 interface outside eq https log informational interval 300 (hitcnt=0) 0x59b7aa4c
access-list CONTROL_ACL line 2 extended permit tcp host 1.1.1.2 interface outside eq ssh log informational interval 300 (hitcnt=8) 0x31fe983c
ciscoasa(config)# sh asp drop
Frame drop:
Flow is denied by configured rule (acl-drop) 2
First TCP packet not SYN (tcp-not-syn) 49
Connection limit reached (conn-limit) 2
FP L2 rule drop (l2_acl) 48
Flow drop:
SSL bad record detected (ssl-bad-record-detect) 3
ciscoasa(config)# sh service-policy
Global policy:
Service-policy: global_policy
Class-map: CONTROL
Set connection policy: conn-max 1
current conns 1, drop 2
you can also control each feature timeouts seperately via:
telnet/ssh timeout 1
http server idle-timeout/session-timeout 1
Note: I tried this in GNS (asa 8.4.2) and using telnet from a router (not using a real browser for HTTPS) so the results might not be reflect a production environnement...
Patrick -
Renewed Cert on ASA, Upgraded from AnyConnect 2.5 to 3.1
We had been running AnyConnect 2.5 against our ASA and the Cert on our ASA Expired. the 2.5 Client (and all of the iPad Clients) had a way of saying, its cool, connect anyway if the Cert is not valid.
I finially got around to renewing the cert on the ASA. We have an Internal CA that I renewed it against. So if the CA's Cert was not installed in your trusted Cert Store you would get an error. Many Clients can Connect just fine with the new 3.1 client, Auto-upgrade, etc (besides it lopping off the /vpn from the connection URL)
We have a few of the clients that cannot connect. they get an error like:
The certificate on the secured gateway is invalid. A VPN connection will not be established
They have the CA's Root Cert installed in their trusted Cert Store. The Cert on the ASA has the proper CN, and Expiration date, so that should not be the issue.
When I look in the Syslog I see:
%ASA-7-725008: SSL client outside-interface:<Client Public IP>/50088 proposes the following 8 cipher(s).
%ASA-6-725001: Starting SSL handshake with client outside-interface:<Client Public IP>/50088 for TLSv1 session.
%ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
%ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags FIN ACK on interface outside-interface
%ASA-7-710005: TCP request discarded from <Client Public IP>/50089 to outside-interface:<ASA Public IP>/443
%ASA-6-106015: Deny TCP (no connection) from <Client Public IP>/50089 to <ASA Public IP>/443 flags PSH ACK on interface outside-interface
%ASA-6-725007: SSL session with client outside-interface:<Client Public IP>/50089 terminated.
%ASA-4-113019: Group = SSL-VPN, Username = <userID>, IP = <Client Public IP>, Session disconnected. Session Type: SSL, Duration: 0h:00m:31s, Bytes xmt: 9787, Bytes rcv: 3991, Reason: User Requested
%ASA-6-716002: Group #%cLt#%SSLVPNGrpPolicy> User #%cLt#%<UserID>> IP #%cLt#%<Client Public IP>> WebVPN session terminated: User Requested.
%ASA-6-725002: Device completed SSL handshake with client outside-interface:<Client Public IP>/50089
The other Interesting thing is in ADSM when I monitor the VPN Connections, All of the Trouble users show up in the "Clientless SSL VPN/Clientless" Section, where as the users that work fine are all in the "SSL VPN Client/WithClient" section. Though all of the ones in the
"SSL VPN Client/WithClient" section have 'Clientless SSL-Tunnel DTLS-Tunnel' as the Protocol.
We have completely removed AnyConnect and Manually installed the Client.
We have connected to the ASA's SSLVPN URL and had it install the Client.
All the same result. It Connects, Asks for a Username/Password, Displayes the Warning Banner to accept, checks for pgrads, then on the Establishing VPN comes up with the Server's Certificate is invalid.
Is this a NAT/PAT issue on the remote end?
Any Suggestions for these guys?
Thank you,
Scott<-AnyConnect 3.1 is a significant upgrade, even over 3.0.
Over 3.0 it adds an enhanced GUI (common between Windows and Mac), NAM enhancement, crypto suite B enhancements, HostScan/Posture performance enhancements, IPv6 support, better untrusted certificate handling, plug-in component tiles, etc.
3.0+ offers IPSec VPN client as opposed to SSL VPN. -
ASDM stopped working on Cisco ASA 5510
Hi All,
We have a ASA 5510 running 8.2(1) and ASDM 6.2(1)
Since yesterday evening ASDM sunddely stopped working. When I login I get Unable to launch device manager from xx.xx.xx.xx
Firewall Uptime as of today 1 year 145 days. Firewall has 1GB ram and 76% free
I can ssh to firewall fine, but ASDM or https://xx.xx.xx.xx wont work - On internet explorer it says Page not displayed. Google Chrome chrome -
SSL connection Error - Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
I can telent to Port 443 fine.
When I look at the logs:
Jun 25 2013 14:33:40: %ASA-6-725001: Starting SSL handshake with client inside:xx.xx.xx.xx/11934 for TLSv1 session.
Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL3_SETUP_BUFFERS Reason: malloc failure
Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason:
Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
Jun 25 2013 14:33:40: %ASA-6-106015: Deny TCP (no connection) from xx.xx.xx.xx/11934 to yy.yy.yy.yy/443 flags FIN ACK on interface inside
Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
xx.xx.xx.xx - is the PC IP
yy.yy.yy.yy - is the IP of inside interface on firewall
Note: ASDM was left running over the weekend and was working fine until yesterday evening. No changes have been made for the last week.
*Rebooting the ASA is not an option
Can anyone help?
Thanks in advanceHi All,
We have a ASA 5510 running 8.2(1) and ASDM 6.2(1)
Since yesterday evening ASDM sunddely stopped working. When I login I get Unable to launch device manager from xx.xx.xx.xx
Firewall Uptime as of today 1 year 145 days. Firewall has 1GB ram and 76% free
I can ssh to firewall fine, but ASDM or https://xx.xx.xx.xx wont work - On internet explorer it says Page not displayed. Google Chrome chrome -
SSL connection Error - Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
I can telent to Port 443 fine.
When I look at the logs:
Jun 25 2013 14:33:40: %ASA-6-725001: Starting SSL handshake with client inside:xx.xx.xx.xx/11934 for TLSv1 session.
Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL3_SETUP_BUFFERS Reason: malloc failure
Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason:
Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
Jun 25 2013 14:33:40: %ASA-6-106015: Deny TCP (no connection) from xx.xx.xx.xx/11934 to yy.yy.yy.yy/443 flags FIN ACK on interface inside
Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
xx.xx.xx.xx - is the PC IP
yy.yy.yy.yy - is the IP of inside interface on firewall
Note: ASDM was left running over the weekend and was working fine until yesterday evening. No changes have been made for the last week.
*Rebooting the ASA is not an option
Can anyone help?
Thanks in advance -
How to read firewall log files
2 duration 0:03:04
<166>:%ASA-session-6-302014: Teardown TCP connection 2756946 for YOUB:184.31.212.174/80 to inside:10.10.10.1009/49945 duration 0:00:12 bytes 0 TCP FINs
<166>:%ASA-session-6-302014: Teardown TCP connection 2756947 for YOUB:184.31.212.174/80 to inside:10.10.10.1009/49946 duration 0:00:12 bytes 0 TCP FINs
<167>:%ASA-session-7-609002: Teardown local-host YOUB:184.31.212.174 duration 0:00:12
<167>:%ASA-session-7-609001: Built local-host inside:10.10.10.10
<166>:%ASA-session-6-302013: Built outbound TCP connection 2756977 for inside:10.10.10.10/21 (10.10.10.10/21) to identity:10.10.10.10/50476 (10.10.10.10/50476)
<163>:%ASA-sys-3-414001: Failed to save logging buffer to FTP server 10.10.10.10 using filename LOG-2014-02-13-190303.TXT on interface inside: [Device open error]
<166>:%ASA-session-6-302014: Teardown TCP connection 2756943 for YOUB:46.51.219.164/80 to inside:10.10.10.1009/49943 duration 0:00:12 bytes 0 TCP FINs
<166>:%ASA-session-6-302014: Teardown TCP connection 2756944 for YOUB:46.51.219.164/80 to inside:10.10.10.1009/49944 duration 0:00:12 bytes 0 TCP FINs
<166>:%ASA-session-6-302014: Teardown TCP connection 2756949 for YOUB:174.129.247.121/80 to inside:10.10.10.1009/49947 duration 0:00:12 bytes 0 TCP FINs
<166>:%ASA-session-6-302014: Teardown TCP connection 2756179 for YOUB:50.97.236.98/80 to inside:10.10.10.1009/49692 duration 0:02:23 bytes 8416 TCP FINs
<167>:%ASA-session-7-609002: Teardown local-host YOUB:50.97.236.98 duration 0:02:23
<166>:%ASA-session-6-302014: Teardown TCP connection 2756950 for YOUB:174.129.247.121/80 to inside:10.10.10.1009/49948 duration 0:00:12 bytes 0 TCP FINs
<161>:%ASA-session-1-106021: Deny UDP reverse path check from Testpdf to 10.10.10.10 on interface YOUB
<167>:%ASA-session-7-710005: UDP request discarded from Testpdf/137 to inside:10.10.10.10/137
<161>:%ASA-session-1-106021: Deny UDP reverse path check from Testpdf to 10.10.10.10 on interface YOUB
<167>:%ASA-session-7-710005: UDP request discarded from Testpdf/138 to inside:10.10.10.10/138
<166>:%ASA-session-6-302014: Teardown TCP connection 2756977 for inside:10.10.10.10/21 to identity:10.10.10.10/50476 duration 0:00:00 bytes 0 TCP Reset-O
<167>:%ASA-session-7-609002: Teardown local-host inside:10.10.10.10 duration 0:00:00
<166>:%ASA-session-6-302014: Teardown TCP connection 2754536 for YOUB:74.125.236.65/443 to inside:10.10.10.1046/49751 duration 0:10:05 bytes 187079 TCP FINs
<166>:%ASA-session-6-302013: Built inbound TCP connection 2756978 for inside:FinalPdf/3893 (FinalPdf/3893) to identity:10.10.10.10/443 (10.10.10.10/443)
<166>:%ASA-ssl-6-725001: Starting SSL handshake with client inside:FinalPdf/3893 for TLSv1 session.
<166>:%ASA-ssl-6-725003: SSL client inside:FinalPdf/3893 request to resume previous session.
<166>:%ASA-ssl-6-725002: Device completed SSL handshake with client inside:FinalPdf/3893
<165>:%ASA-config-5-111007: Begin configuration: FinalPdf reading from http [POST]
<165>:%ASA-config-5-111008: User 'cisco' executed the 'logging ftp-server 10.10.10.10 firwall/ vml vml' command.
<166>:%ASA-session-6-302014: Teardown TCP connection 2756978 for inside:FinalPdf/3893 to identity:10.10.10.10/443 duration 0:00:00 bytes 255 TCP Reset-O
<166>:%ASA-session-6-106015: Deny TCP (no connection) from FinalPdf/3893 to 10.10.10.10/443 flags FIN ACK on interface inside
<167>:%ASA-session-7-710005: TCP request discarded from FinalPdf/3893 to inside:10.10.10.10/443
<166>:%ASA-ssl-6-725007: SSL session with client inside:FinalPdf/3893 terminated.
<166>:%ASA-session-6-305011: Built dynamic TCP translation from inside:10.10.10.1010/50758 to YOUB:10.10.10.10/38671
<166>:%ASA-session-6-302013: Built outbound TCP connection 2756979 for YOUB:65.182.162.190/80 (65.182.162.190/80) to inside:10.10.10.1010/50758 (10.10.10.10/38671)
<166>:%ASA-session-6-305012: Teardown dynamic TCP translation from inside:192.168.2.37/52012 to YOUB:10.10.10.10/52872 duration 0:02:00
<166>:%ASA-session-6-305011: Built dynamic TCP translation from inside:10.10.10.1010/50759 to YOUB:10.10.10.10/49081Thanks lcfc,
While I did try googling the subjects, I didn't find those articles, so thanks.
I seem to be finding a lot of information, just not the right information : )
I'm still unsure about the way the .local subnet works, or if IRC introduces new vulnerabilities...although I'm not running any scripts of any kind. For instance, if I'm connected to an IRC server, will that "MyComputer.local" server be vulnerable?
This may seem trivial, but I'm just not sure how it works.
Power Mac G5/PPC Mac OS X (10.3.9) -
Getting AnyConnect to work on demand on the iPhone
I've got certificate based authentication working on the iPhone with AnyConnect and my ASA. Now I need to get the on demand function to work. AnyConnect is configured to use certificates, the certificate is selected and connect on demand is turned on. I have my internal domain added to always connect. As a test I'm trying to access one of the web servers in the domain via Safari on the iPhone. It appears to recognize that the VPN is needed, but I get the message "The VPN connection requires an application to start up." My only option is to tap OK and then I get the Safari can't open page message. Using a ping tool, it never tries to initiate the VPN.
Hi,
In the authentication in the ASA CA server I using Manual certificate Retrieval,
I Atacched the logs of "debug crypto ca 255"
thank for you help
%ASA-6-725001: Starting SSL handshake with client outside:189.253.X:X/2219 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:189.253.X.X/2219 proposes the following 6 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-MD5
%ASA-7-725011: Cipher[2] : RC4-SHA
%ASA-7-725011: Cipher[3] : DES-CBC-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : AES128-SHA
%ASA-7-725011: Cipher[6] : AES256-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:189.253.X.X/2219
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert certificate unknown
%ASA-6-725006: Device failed SSL handshake with client outside:189.253.X.X/2219
%ASA-7-710005: TCP request discarded from 189.253.X.X/2219 to outside:200.57.X.X/443
%ASA-6-725001: Starting SSL handshake with client outside:189.253.X.X/50445 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:189.253.X.X/50445 proposes the following 6 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-MD5
%ASA-7-725011: Cipher[2] : RC4-SHA
%ASA-7-725011: Cipher[3] : DES-CBC-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : AES128-SHA
%ASA-7-725011: Cipher[6] : AES256-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:189.253.X.X/50445
%ASA-7-717025: Validating certificate chain containing 1 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 0F, subject name: cn=acruz.
%ASA-7-717030: Found a suitable trustpoint LOCAL-CA-SERVER to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 0F, subject name: cn=acruz.
%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
CERT API thread wakes up!
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
%ASA-6-725002: Device completed SSL handshake with client outside:189.253.X.X/50445
CRYPTO_PKI: looking for cert in handle=3d4a45b8, digest=
94 e1 e9 61 b2 59 1c 72 74 22 96 ed d6 65 82 8e | ...a
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Found a suitable authenticated trustpoint LOCAL-CA-SERVER.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage extension not found.
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary
CRYPTO_PKI:Certificate validated. serial number: 0F, subject name: cn=acruz.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation checkCERT API thread sleeps!
%ASA-7-717036: Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.
%ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.
CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.
CRYPTO_PKI: No Tunnel Group Match for peer certificate.
%ASA-6-725007: SSL session with client outside:189.253.X.X/50445 terminated.
%ASA-6-725001: Starting SSL handshake with client outside:189.253.X.X/1381 for TLSv1 session.
%ASA-7-725010: Device supports the following 4 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725011: Cipher[3] : AES256-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:189.253.X.X/1381 proposes the following 6 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-MD5
%ASA-7-725011: Cipher[2] : RC4-SHA
%ASA-7-725011: Cipher[3] : DES-CBC-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : AES128-SHA
%ASA-7-725011: Cipher[6] : AES256-SHA
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:189.253.X.X/1381
CERT API thread wakes up!
%ASA-7-717025: Validating certificate chain containing 1 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 0F, subject name: cn=acruz.
%ASA-7-717030: Found a suitable trustpoint LOCAL-CA-SERVER to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 0F, subject name: cn=acruz.
%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
%ASA-6-725002: Device completed SSL handshake with client outside:189.253.X.X/1381
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
%ASA-7-717036: Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.
%ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.
CRYPTO_PKI: looking for cert in handle=3d4a45b8, digest=
94 e1 e9 61 b2 59 1c 72 74 22 96 ed d6 65 82 8e | ...a
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Found a suitable authenticated trustpoint LOCAL-CA-SERVER.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage extension not found.
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary
CRYPTO_PKI:Certificate validated. serial number: 0F, subject name: cn=acruz.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation checkCERT API thread sleeps!
CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.
CRYPTO_PKI: No Tunnel Group Match for peer certificate.
%ASA-6-725007: SSL session with client outside:189.253.X.X/1381 terminated.
Maybe you are looking for
-
Every time I try to open a project, I get the error that the file is corrupt
Every time I open a file, even an empty file everything workseat, but when I decide to save it and open it, Premiere Pro shows the following message: "File could not be opened because the file is corrupt" It does not matter what type of file I create
-
Trying to do a clean install on iBook G4 - Freezing
I received a G4 iBook and want to do a clean install to erase the previous owner's hard drive and add all my own applications. When I put the disk in it asks me to use a password, which I have and the computer restarts. But just as the grey apple ico
-
Item Text in RFQ/ Quotation.
Hi Experts, when i am creating a RFQ/ Quotation to vendor through ME41 i would like to enter the ITEM TEXT for the material. but i am trying through . me47 - ITEM - texts - Text overview. i entered there but its not appearing in print p
-
Problem Scanning Duplex Printed Document
I would appreciate help with the problem described below. Problem: Scanning duplex printed document scans first page Perfectly but second page comes out solid black. OS: Windows 7 Printer: Canon PIXMA MX860 Software App: Canon MP Navigator EX - mx860
-
Core confusion on MacBook Pro retina
hi guys im just wondering something, i just got my new shiny late 2012 13"inch macbookpro retina i5 2.5gz last week and was a bit baffled by everywhere seems to say this processor is a dual core, however my activity monitor shows 4 cores on the cpu t