ASA ACL Problems

I have several new ASA-5520 boxes. All are configured with version 7.06 (Cisco recommendation) and in active/standby configuration.
The problem is that the ACLs seem to disappear. For example, I have an outside access list that has about 20 lines. Every once in a while the ACL will start blocking traffic that is permitted by the ACL. When I do a 'sh access-list outside' it says that there are only two elements. They are there when I look at the running config. If I wait a while they start to work again and show up as 'active elements' again. I can force a failover and failback to fix it, or restart the firewall. I will open a TAC case on Monday. I was hoping that maybe someone has seen this and has a quick solution.
Thanks,
Patrick

Could you provide the show running-config?
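
The symptom in the original post is that the entries in the running configuration and the entries the box reports as active diverge. The script below is an added example (not code from the thread or from Cisco) that compares the two: it parses ACE lines as they appear in 'show running-config' against the lines and the "N elements" header of 'show access-list', and reports configured entries that are not active. The sample configuration and the degraded 'show access-list' output are constructed; the exact header format is assumed from the 7.x output style.

```python
import re

# Constructed sample data (not from the poster's boxes): the ACL as it appears in
# 'show running-config', and the same ACL as 'show access-list outside' reports it
# while the symptom is present: only two of the five configured entries are active.
RUNNING_CONFIG = """\
access-list outside extended permit tcp any host 203.0.113.10 eq www
access-list outside extended permit tcp any host 203.0.113.10 eq https
access-list outside extended permit tcp any host 203.0.113.25 eq smtp
access-list outside extended permit icmp any any echo-reply
access-list outside extended deny ip any any log
access-group outside in interface outside
"""

SHOW_ACCESS_LIST_DEGRADED = """\
access-list outside; 2 elements
access-list outside line 4 extended permit icmp any any echo-reply (hitcnt=12) 0x1a2b3c4d
access-list outside line 5 extended deny ip any any log (hitcnt=3) 0x5e6f7a8b
"""

# Header line of 'show access-list': "access-list NAME; N elements" (format assumed
# from the 7.x output style; later releases append a name hash after it).
HEADER_RE = re.compile(r"^access-list (\S+); (\d+) elements")
# A configured ACE in the running config; remarks carry no filtering semantics and are skipped.
CONFIG_ACE_RE = re.compile(r"^access-list (\S+) (extended|standard) (.+)$")
# An active ACE as printed by 'show access-list'; hit counter and hash at the end are optional.
ACTIVE_ACE_RE = re.compile(
    r"^access-list (\S+) line \d+ (extended|standard) (.+?)"
    r"(?: \(hitcnt=\d+\))?(?: 0x[0-9a-fA-F]+)?$"
)


def configured_aces(running_config: str) -> dict:
    """Map ACL name -> ordered list of ACE bodies taken from the running configuration."""
    acls: dict = {}
    for line in running_config.splitlines():
        m = CONFIG_ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(3))
    return acls


def active_aces(show_output: str) -> tuple:
    """Return (ACL name -> active ACE bodies, ACL name -> element count from the header).

    Entries expanded from object-groups are indented in the real output, so they do not
    match the anchored regex; only top-level ACEs are counted, the same way they are
    configured."""
    active: dict = {}
    counts: dict = {}
    for line in show_output.splitlines():
        h = HEADER_RE.match(line)
        if h:
            counts[h.group(1)] = int(h.group(2))
            continue
        m = ACTIVE_ACE_RE.match(line)
        if m:
            active.setdefault(m.group(1), []).append(m.group(3))
    return active, counts


def find_drift(running_config: str, show_output: str) -> dict:
    """Compare what is configured with what the box says it is enforcing.

    For each configured ACL: configured and active entry counts, the header's element
    count, the configured ACEs that are not active, and a 'drifted' flag."""
    configured = configured_aces(running_config)
    active, counts = active_aces(show_output)
    report = {}
    for name, aces in configured.items():
        live = active.get(name, [])
        missing = [ace for ace in aces if ace not in live]
        report[name] = {
            "configured": len(aces),
            "active": len(live),
            "reported_elements": counts.get(name),
            "missing": missing,
            "drifted": bool(missing),
        }
    return report


if __name__ == "__main__":
    for name, r in find_drift(RUNNING_CONFIG, SHOW_ACCESS_LIST_DEGRADED).items():
        status = "DRIFT" if r["drifted"] else "ok"
        print(f"{name}: {r['active']}/{r['configured']} ACEs active ({status})")
        for ace in r["missing"]:
            print(f"  missing: {ace}")
```

Run against a periodic capture of both commands (for example from the monitoring host that already polls the firewalls), the 'drifted' flag gives an alert well before users notice blocked traffic, and the 'missing' list tells you which permits are currently not being honoured.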

Similar Messages

  • ASA 5505 Problem ACL

    Dear All,
    I have a problem with the configuration of the ACL on my ASA 5505 router.
    However, the syntax seems okay:
    access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 any
    Thanks for your help.

    Hi,
    It's hard to say when I can't see your whole configuration.
    Have you attached the ACL to an interface on the ASA?
    access-group 102 in interface
    Only then will the ACL have some effect on the traffic. Though remember to allow other traffic in the SAME ACL. Otherwise you will block all traffic from behind the interface to which you attach this ACL.
    However, this ACL won't block ICMP between the hosts on the same network, naturally.
    - Jouni

  • ASA Migration Problems

    Hi,
    I'm trying to migrate a configuration of an ASA 5520 (Version: ASA 8.0(5)) to an ASA 5585 (Version: 8.4(2)). I keep getting some errors which are included below. I've been struggling with these for a couple of weeks and have read the documentation on cisco.com (http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html) and also some pages on this forum. Some lines are written in bold, about which I wasn't able to find any information. Any help is appreciated. Thanks.
    INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201203062349.log'
    Reading from flash...
    !!!!!!!!!!!!!!!!!!!WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    WARNING: MIGRATION: Failed to create acl element to track during migration
    *** Output from config line 1291, "access-group outside_acc..."
    WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    *** Output from config line 1292, "access-group inside_acce..."
    WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    *** Output from config line 1293, "access-group DMZ_access_..."
    WARNING: MIGRATION: During migration of access-list <XXXXXXX> expanded
    this object-group ACE
        permit object-group DM_INLINE_SERVICE_5 XXX 255.255.255.0 DMZnet 255.255.255.0
    WARNING: MIGRATION: Failed to create acl element to track during migration
    *** Output from config line 1298, "access-group XXXXX..."
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 2
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 3
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 4
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 5
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 6
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 7
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 8
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 9
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 10
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 11
    *** Output from config line 1797, "service-policy global-po..."
    NAT migration logs:
    The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
    nat (inside) 1 access-list inside_nat_outbound
    WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
    global (outside) 10 interface
    nat (inside) 0 logserver 255.255.255.255
    WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
    nat (inside) 0 logserver 255.255.255.255
    The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
    nat (inside) 1 icnetwork 255.255.0.0
    ERROR: MIGRATION: No memory to create migrated service-policy element
    The following 'nat' command didn't have a matching 'global' rule on interface 'TAV' and was not migrated.
    nat (dmz) 1 access-list dmz_nat_outbound
    INFO: NAT migration completed.
    ERROR: an object-group with the same name (egitim) exist.
    WARNING: Failed to create an object for name 'egitim' in the following ACL:
    access-list DMZ_access_in extended permit tcp host 9.1.1.90 object-group egitim any

    Ummm,
    Did you possibly try the default username/password combination? (cisco/cisco) It should then prompt you to change these settings once you gain access. I'm not familiar with how the migration works, if it transitions the user accounts over or you end up starting from scratch. Give that a try and hopefully it gets you into your new system.

  • ASA Routing problems?

    Hi there,
    I have a problem with routing on an ASA 5505.
    Here is a brief explanation of the topology:
    DC Upstream IP: 77.246.165.141/30
    ASA 5505 Upstream to DC IP: 77.246.165.142/30
    Interface outside.
    There is a Cisco Switch connected to one of ASA Ethernet ports, forming Public/DMZ VLAN.
    ASA 5505 Public VLAN interface ip: 31.24.36.1/26
    Cisco 3750 Public VLAN interface ip: 31.24.36.62, default gateway: 31.24.36.1, IP Routing enabled on Switch.
    From the Cisco Switch I can access the Internet with source ip: 31.24.36.62.
    Now I have asked from DC additional subnet: 31.24.36.192/26 and they have it routed correctly towards the ASA Outside interface ip: 77.246.165.142.
    I have created additional Public2 VLAN on the Switch with IP address of: 31.24.36.193/26.
    On the ASA 5505 I added the route to this Public2 VLAN:
    #route public 31.24.36.192 255.255.255.192 31.24.36.62 1
    Now the problem is that from the Switch with Source IP 31.24.36.193 I can ping the ASA 5505 Public VLAN IP 31.24.36.1, so the routing between subnets 31.24.36.0/26 and 31.24.36.192/26 is working OK on both the ASA 5505 and the Switch.
    But I can't access the Internet from the Switch with Source IP: 31.24.36.193.

    Thanks for the replies.
    I am running:
    Cisco Adaptive Security Appliance Software Version 8.2(2)
    As for NAT configuration, there is NAT configured between the Outside Interface IP and the Internal Subnet:
    global (outside) 1 interface
    nat (inside) 1 192.168.X.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    also there is NAT exemption configured because of the Site-to-Site IPSec VPN that we have:
    nat (inside) 0 access-list inside_nat0_outbound1
    access-list inside_nat0_outbound1 extended permit ip any 192.168.X.0 255.255.255.0
    access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.0 OtherSiteLAN 255.255.255.0
    access-list inside_nat0_outbound1 extended permit ip any 192.168.X.240 255.255.255.248
    access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.128 OtherSiteLAN 255.255.255.0
    I don't have any ACL configured on the Public interface in any direction.
    Here is the configuration on the Switch regarding this scenario:
    interface FastEthernet2/0/X
    description Access Port for Public Subnet(31.24.32.0/26) to ASA
    switchport access vlan 500
    switchport mode access
    interface Vlan500
    description Public VLAN 1
    ip address 31.24.36.62 255.255.255.192
    interface Vlan510
    description Public VLAN 2
    ip address 31.24.36.193 255.255.255.192
    ip route 0.0.0.0 0.0.0.0 31.24.36.1
    Here is the output when pinging the ASA Public Interface IP with source IP address of: 31.24.36.193(VLAN 510)
    SWITCH#ping 31.24.36.1 source vlan 510
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
    Packet sent with a source address of 31.24.36.193
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
    And here is when I try to ping some Internet host:
    SWITCH#ping 8.8.8.8 source vlan 510
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    Packet sent with a source address of 31.24.36.193
    Success rate is 0 percent (0/5)

  • Cisco ASA 5505 - problem with negotiating IP address from PPPoE

    Hi all,
    I have a problem with negotiating an IP address from PPPoE. The design is as follows: the ISP provides vDSL ending on a VDSL modem in bridge mode. Behind the bridge modem is an ASA 5505 terminating PPPoE on OUTSIDE. Everything works fine except negotiating the IP address from the PPPoE server.
    I have configured the ASA 5505 (ASA Version 9.2(2)4) for PPPoE like this [1.]. But if I try to "show" the IP address on the OUTSIDE interface I get this [2.]; OK, strange, but let's continue. If I list "show vpdn pppinterface id 1" I get this [3.]. It seems that I got a public IP address, which was right, but this IP address was not associated with interface OUTSIDE?
    Well, if I set the IP address manually like this [4.] and also set a default route, everything works fine, but what will happen when the ISP changes the reservation for my IP address or default gateway?
    I have tried different versions of the ASA OS like 8.4 and 9.1, but without luck.
    Can anybody help me? Thanks a lot.
    Regards
    Karel
    [1.]
    interface Vlan100
    description >>VLAN pro pripojeni do internetu<<
    nameif OUTSIDE
    security-level 0
    pppoe client vpdn group O2
    ip address pppoe setroute
    vpdn group O2 request dialout pppoe
    vpdn group O2 localname O2
    vpdn group O2 ppp authentication chap
    vpdn username O2 password *****
    interface Ethernet0/0
    description >>uplink O2 vDSL<<
    switchport access vlan 100
    [2.]
    ciscoasa(config-if)# show ip address vlan 100 pppoe
    ciscoasa(config-if)#  0.0.0.0 255.255.255.255 on Interface: OUTSIDE
    ciscoasa(config-if)# show interface vlan 100 detail
    Interface Vlan2 "OUTSIDE", is up, line protocol is up
     Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
            Description: >>VLAN pro pripojeni do internetu<<
            MAC address f44e.05d0.6c17, MTU 1492
            IP address unassigned
      Traffic Statistics for "OUTSIDE":
            28 packets input, 1307 bytes
            31 packets output, 721 bytes
            0 packets dropped
          1 minute input rate 0 pkts/sec,  3 bytes/sec
          1 minute output rate 0 pkts/sec,  1 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
      Control Point Interface States:
            Interface number is 15
            Interface config status is active
            Interface state is active
    [3.]
    ciscoasa(config-if)# show vpdn pppinterface id 1
    PPP virtual interface id = 1
    PPP authentication protocol is CHAP
    Server ip address is 88.103.200.41
    Our ip address is 85.71.188.158
    Transmitted Pkts: 20, Received Pkts: 16, Error Pkts: 0
    MPPE key strength is None
      MPPE_Encrypt_Pkts: 0,  MPPE_Encrypt_Bytes: 0
      MPPE_Decrypt_Pkts: 0,  MPPE_Decrypt_Bytes: 0
      Rcvd_Out_Of_Seq_MPPE_Pkts: 0
    ciscoasa(config-if)# show vpdn session state
    %No active L2TP tunnels
    %No active PPTP tunnels
    PPPoE Session Information (Total tunnels=1 sessions=1)
    SessID TunID Intf     State       Last Chg
    22298      2 OUTSIDE  SESSION_UP  561 secs
    [4.]
    interface Vlan100
     description >>VLAN pro pripojeni do internetu<<
     nameif OUTSIDE
     security-level 0
     pppoe client vpdn group O2
     ip address 85.71.188.158 255.255.255.255 pppoe setroute
     route OUTSIDE 0.0.0.0 0.0.0.0 88.103.200.41 1

  • Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface

    Hi all,
    I have a very strange problem with the OUTSIDE interface and remote ssh. Well, I have followed the documentation and configured remote access for ssh like this [1.]. If I want to connect from the internet to the OUTSIDE interface [2.] I get no response, and in the log I can see this message [3.]. I really do not understand why the ssh connection is dropped by the OUTSIDE access-list [4.]. If I understand the documentation correctly, the interface access-list has no impact on remote management/access like icmp, ssh, http(s). So, why?
    When I try an ssh connection from the internal network to the INSIDE interface everything works fine and I can log in to the ASA. If I try to allow ssh in the OUTSIDE access-list, still no success, and I get this message [5.]. It is strange, isn't it?
    The same problem with icmp: if I want to "ping" the OUTSIDE interface from the internet I get this message in the log [6.], and the configuration for ICMP is like this [7.].
    Full ASA config is in the attachment.
    Can anybody help me fix it and explain what exactly is wrong? Thanks.
    Regards,
    Karel
    [1.]
    ssh stricthostkeycheck
    ssh 10.0.0.0 255.255.255.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    ASA-FW01# show ssh
    Timeout: 60 minutes
    Version allowed: 2
    10.0.0.0 255.255.255.0 INSIDE
    0.0.0.0 0.0.0.0 OUTSIDE
    [2.]
    ASA-FW01# show nameif
    Interface                Name                     Security
    Vlan10                   INSIDE                   100
    Vlan20                   EXT-VLAN20                 0
    Vlan30                   EXT-WIFI-VLAN30           10
    Vlan100                  OUTSIDE                    0
    ASA-FW01# show ip
    System IP Addresses:
    Interface                Name                   IP address      Subnet mask     Method
    Vlan10                   INSIDE                 10.0.0.1        255.255.255.0   CONFIG
    Vlan20                   EXT-VLAN20             10.0.1.1        255.255.255.0   CONFIG
    Vlan30                   EXT-WIFI-VLAN30        10.0.2.1        255.255.255.0   CONFIG
    Vlan100                  OUTSIDE                85.71.188.158   255.255.255.255 CONFIG
    Current IP Addresses:
    Interface                Name                   IP address      Subnet mask     Method
    Vlan10                   INSIDE                 10.0.0.1        255.255.255.0   CONFIG
    Vlan20                   EXT-VLAN20             10.0.1.1        255.255.255.0   CONFIG
    Vlan30                   EXT-WIFI-VLAN30        10.0.2.1        255.255.255.0   CONFIG
    Vlan100                  OUTSIDE                85.71.188.158   255.255.255.255 CONFIG
    ASA-FW01# show interface OUTSIDE detail
    Interface Vlan100 "OUTSIDE", is up, line protocol is up
      Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
            Description: >>VLAN pro pripojeni do internetu<<
            MAC address f44e.05d0.6c17, MTU 1480
            IP address 85.71.188.158, subnet mask 255.255.255.255
      Traffic Statistics for "OUTSIDE":
            90008 packets input, 10328084 bytes
            60609 packets output, 13240078 bytes
            1213 packets dropped
          1 minute input rate 15 pkts/sec,  994 bytes/sec
    [3.]
    Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
    [4.]
    access-list OUTSIDE remark =======================================================================================
    access-list OUTSIDE extended permit icmp any any echo-reply
    access-list OUTSIDE extended deny ip any any log
    access-group OUTSIDE in interface OUTSIDE
    [5.]
    Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
    [6.]
    Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
    [7.]
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 10.0.0.0 255.0.0.0 INSIDE
    icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
    icmp permit any OUTSIDE

    You're right that the ACL should not affect otherwise allowed communications to the interface address.
    Try disabling the ip audit feature on your outside interface.
    no ip audit interface OUTSIDE AP_OUTSIDE_INFO
    no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK
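
The post above quotes three different syslog message types for what looks like one symptom: an interface ACL deny (106100), a spoof-check drop (106016) and an ip audit signature hit (400014). The parser below is an added example (not code from the thread or from Cisco) that pulls the fields out of those three message formats and separates events aimed at the firewall's own interface addresses ("to-the-box" traffic, which the reply notes the interface ACL should not govern) from ordinary transit denies. The first three sample lines are the ones quoted in the post; the fourth is a constructed transit deny using documentation addresses; the set of interface addresses is taken from the 'show ip' output in the post.

```python
import re
from collections import Counter

# Three lines quoted in the post, plus one constructed transit deny (documentation addresses).
SAMPLE_LOG = """\
Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
Jan 13 2015 07:02:11 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/198.51.100.7(51234) -> INSIDE/10.0.0.5(445) hit-cnt 4 300-second interval [0x1b2c3d4e, 0x0]
"""

# Addresses the firewall itself owns (from 'show ip' in the post). Traffic to these is
# to-the-box traffic, which is governed by 'ssh'/'icmp' statements rather than by the ACL.
INTERFACE_ADDRESSES = {"10.0.0.1", "10.0.1.1", "10.0.2.1", "85.71.188.158"}
MANAGEMENT_PORTS = {"22", "443"}  # ssh and ASDM/https

# Common prefix: "Mon DD YYYY HH:MM:SS HOST : %ASA-SEV-ID: body"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$"
)
# Body formats for the three message ids seen in the post.
BODY_RES = {
    "106100": re.compile(
        r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
        r"(?P<sif>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
        r"(?P<dif>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    ),
    "106016": re.compile(
        r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
    ),
    "400014": re.compile(
        r"IDS:(?P<sig>\d+) (?P<desc>.+?) from (?P<src>[\d.]+) to (?P<dst>[\d.]+) "
        r"on interface (?P<iface>\S+)"
    ),
}


def parse_event(line: str):
    """Return a dict of fields for one ASA syslog line, or None if it is not one."""
    h = HEADER_RE.match(line.strip())
    if not h:
        return None
    event = {"timestamp": h["ts"], "host": h["host"], "severity": int(h["sev"]), "id": h["id"]}
    body_re = BODY_RES.get(h["id"])
    if body_re:
        b = body_re.search(h["body"])
        if b:
            event.update(b.groupdict())
    return event


def classify(event: dict, own_addresses=INTERFACE_ADDRESSES) -> str:
    """Name the bucket an event belongs to, keyed on whether the firewall itself is the target."""
    to_the_box = event.get("dst") in own_addresses
    if event["id"] == "106100":
        if to_the_box and event.get("dport") in MANAGEMENT_PORTS:
            return "management-to-box denied by interface ACL"
        return "to-the-box denied" if to_the_box else "transit denied"
    if event["id"] == "106016":
        return "spoof check dropped to-the-box packet" if to_the_box else "spoof check dropped transit packet"
    if event["id"] == "400014":
        return f"ip audit signature {event.get('sig')} on {event.get('iface')}"
    return "other"


def summarize(log_text: str) -> Counter:
    """Count events per bucket over a block of syslog text."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            counts[classify(ev)] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {bucket}")
```

The to-the-box buckets isolate exactly the symptom the poster describes (management traffic to the interface address being denied), so their counts can be watched before and after a change such as the one the reply suggests, while ordinary transit denies keep flowing into their own bucket.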

  • ASA upgrade problems

    I am having this problem upgrading my standby ASA. It never gives an error; it just boots over and over again. Anyone have any suggestions? Without even an error it's hard to figure out what's up. Thanks!
    Cisco Systems ROMMON Version (1.0(11)4) #0: Fri Mar 21 17:35:35 PDT 2008
    Platform ASA5550
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Boot configuration file contains 1 entry.
    Loading disk0:/asa911-k8.bin... Booting...
    Platform ASA5550
    Loading...
    IO memory blocks requested from bigphys 32bit: 66624
    Booting system, please wait...
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(11)4 03/21/08 17:09:54.41
    Low Memory: 631 KB
    High Memory: 3968 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  00  00   8086   2578  Host Bridge       
    00  01  00   8086   2579  PCI-to-PCI Bridge 
    00  03  00   8086   257B  PCI-to-PCI Bridge 
    00  1C  00   8086   25AE  PCI-to-PCI Bridge 
    00  1D  00   8086   25A9  Serial Bus         11
    00  1D  01   8086   25AA  Serial Bus         10
    00  1D  04   8086   25AB  System            
    00  1D  05   8086   25AC  IRQ Controller    
    00  1D  07   8086   25AD  Serial Bus         9
    00  1E  00   8086   244E  PCI-to-PCI Bridge 
    00  1F  00   8086   25A1  ISA Bridge        
    00  1F  02   8086   25A3  IDE Controller     11
    00  1F  03   8086   25A4  Serial Bus         5
    00  1F  05   8086   25A6  Audio              5
    02  01  00   8086   1075  Ethernet           11
    03  01  00   177D   0003  Encrypt/Decrypt    9
    03  02  00   8086   1079  Ethernet           9
    03  02  01   8086   1079  Ethernet           9
    03  03  00   8086   1079  Ethernet           9
    03  03  01   8086   1079  Ethernet           9
    04  02  00   8086   1209  Ethernet           11
    04  03  00   8086   1209  Ethernet           5
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(11)4) #0: Fri Mar 21 17:35:35 PDT 2008
    Platform ASA5550
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Boot configuration file contains 1 entry.
    Loading disk0:/asa911-k8.bin... Booting...
    Platform ASA5550
    Loading...
    IO memory blocks requested from bigphys 32bit: 66624
    Booting system, please wait...

    Did you ever find a solution? I have several 5505's that are doing this. They seem to run 8.4.3 fine, but not 8.4.6 or 8.4.7. I have two boot commands in the config, the first for 8.4.6-5 and the second for 8.4.6. Plugging in the ASA, it tries to boot 8.4.6, but boot loops. If I ESC to rommon and manually boot 8.4.3 it will load fine. I have several ASA 5505's doing this that have been upgraded using the ASDM tool. This particular output is for one with 8.4.6, but I have others with 8.4.7 that do the exact same thing, again upgraded from the ASDM tool.
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
    Low Memory: 632 KB
    High Memory: 251 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge
    00  0F  02   1022   2092  IDE Controller
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Boot configuration file contains 2 entries.
    Loading disk0:/asa846-5-k8.bin... Booting...
    Platform ASA5505
    Loading...
    IO memory blocks requested from bigphys 32bit: 9672
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
    Low Memory: 632 KB
    High Memory: 251 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge
    00  0F  02   1022   2092  IDE Controller
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Boot configuration file contains 2 entries.
    Loading disk0:/asa846-5-k8.bin... Booting...
    Platform ASA5505
    Loading...
    IO memory blocks requested from bigphys 32bit: 9672
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
    Low Memory: 632 KB
    High Memory: 251 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge
    00  0F  02   1022   2092  IDE Controller
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Boot configuration file contains 2 entries.
    Loading disk0:/asa846-5-k8.bin...

  • AT&T DSL & Cisco ASA 5505 Problems

    Okay, I have been working with a 5505 for two days and finally got it configured and working on an AT&T DSL modem. Then, when I took the 5505 to the client's office and connected/configured it to their AT&T DSL with their IPs, the whole thing quit working. I noticed, walking through the tech discussions, that there are lots of problems with AT&T DSL deployments, and I also discovered that the one working configuration was attached to a DSL in AT&T's standard deployment as a DHCP router using dynamic IPs, while the second is in bridge mode using static IPs.
    So here's the question: why won't the DSL modem in bridge mode work as a typical Internet connection like a cable modem? I have a Cisco Wireless VPN 4400 connected to it in bridge mode using static IPs and it works great, and on the 4400 there are no special PPPoE settings that have to be set, just standard IPs, DNSs, gateways, masks...
    I see in the Cisco Tech Notes that it is recommended/mandatory to configure vpdn groups and Vlan2 to take into account the PPPoE configuration of the AT&T DSL modem, but if the DSL modem is already set in bridge mode and is handling the PPPoE authentication, why does the 5505 have to do it again? This seems redundant. Will try to use the example configuration additions above and post here with the results.
    BTW, the configuration with the DSL set as a DHCP router works without any special PPPoE configs.
    Very puzzling this DSL configuration conundrum... Last point for businesses: if you can use Cable or a non-DSL ISP you should do so; this AT&T stuff is for the birds... Angry Birds...
    Thanks for the assistance in advance!!!

    If static ip address:
    vpdn group INTERNET request dialout pppoe
    vpdn group INTERNET ppp authentication {chap|mschap|pap}
    vpdn group INTERNET localname setroute
    pppoe client vpdn group INTERNET
    mtu outside 1492
    Sent from Cisco Technical Support iPad App

    Hi Ferdinand. I don't know what a Smartnet contract is. How do I know if we have one? This ASA basically hasn't been touched for 5 years. Almost the entire staff has rotated through this company since then and nobody knows anything. I found the invoice for it this morning after accounts searched for it, but it appears to have been purchased from a non-services retailer. I contacted them and while they confirm they sold it to us they know nothing about it. They don't offer service.
    What are my options?

  • ASA boot problem

    Hello,
    I have a problem with an ASA 5505. One of our customers brought me an ASA 5505 with a deleted flash. They want me to fix the problem. I tried to load an image from rommon mode, but failed many many times. I used 4 different software files. I tried many many times and most often I get:
    Cisco Security Appliance admin loader (3.0) #0: Thu Aug  7 20:59:50 MDT 2008
    sumval(0x12b7) chksum(0x0   )md5(0x42c85cfa 0xf6dcadb9 0x72f7072f 0xb799f56b)
    md5(0xb28e4ed2 0x301e63f0 0xc2fe8317 0xd320bbe2)
    Checksum verification on install image failed.
    with asa722-k8.bin file.
    On one occasion, when I booted asa804-k8.bin, the ASA attempted to boot but got stuck immediately and became idle. Nothing happened; I left it 24 hours and nothing happened.
    Please if someone knows what to do, let me know !!!
    Here is the detail output from ASA:
    rommon #0>
    rommon #0> ADDRESS=192.168.0.26
    rommon #1> SERVER=192.168.0.212
    rommon #2> IMAGE=asa804-k8.bin
    rommon #3> PORT=Ethernet0/0
    Ethernet0/0
    MAC Address: 0025.840d.52d8
    Link is UP
    rommon #4> tftp
    ROMMON Variable Settings:
      ADDRESS=192.168.0.26
      SERVER=192.168.0.212
      GATEWAY=0.0.0.0
      PORT=Ethernet0/0
      VLAN=untagged
      IMAGE=asa804-k8.bin
      CONFIG=
      LINKTIMEOUT=20
      PKTTIMEOUT=4
      RETRY=20
    tftp asa804-k8.bin@192.168.0.212
    Received 14137344 bytes
    Launching TFTP Image...
    Cisco Security Appliance admin loader (3.0) #0: Thu Aug  7 20:59:50 MDT 2008
    sumval(0x12b7) chksum(0x0   )md5(0x42c85cfa 0xf6dcadb9 0x72f7072f 0xb799f56b)
    md5(0xb28e4ed2 0x301e63f0 0xc2fe8317 0xd320bbe2)
    Checksum verification on install image failed.
    Rebooting....
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
    Low Memory: 632 KB
    High Memory: 251 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge
    00  0F  02   1022   2092  IDE Controller
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image

    Hi,
    I just reloaded an image to my asa 5505 and did the following.
    Saved the image file : asa831-k8.bin and installed a tftp server app (pumpkin)
    added the following :
    rommon #0> ADDRESS=192.168.0.? (Where this is the address you want to give the asa)
    rommon #1> SERVER=192.168.0.? (Where this is the address of the laptop you have pumpkin installed on)
    rommon #2> IMAGE=asa831-k8.bin
    rommon #3> PORT=Ethernet0/1 (As I had the laptop connected to the ASA into this port)
    press Enter, should display the following:
    Ethernet0/1
    MAC Address: 0025.840d.52d8
    Link is UP
    type :
    rommon #4> tftp
    when it finished doing its thing I then rebooted the ASA and it loaded the new image.

  • ASA 5505 Problem with outbound PPTP-connection on non-native vlan

    Hi, why am I not able to make a PPTP connection on vlan80 (trunked to AP Cisco 1142N) compared to vlan10? And yes, I've configured the "inspect pptp".
    ASA 5505 with sec plus license

    Hi mate,
    I don't know how to solve your problem but I strongly recommend you to remove your password from the first post and to update it on your ASA device.

  • Security update fixes ACL problems, almost

    So far when running disk permissions, I've had one iMac C2D have no problems reported and the other iMac C2D only have ACL issues on /Library

    Open the Terminal application and type:
    man chmod
    Look under the heading ACL MANIPULATION OPTIONS. The argument that you would use is:
    "everyone deny delete"
    If you can't understand the manual then leave your handiwork alone. It's not a large security breach. chmod, chown, and chflags should only be used when you understand what you are doing.

  • ACL problem in 6 and 5.1 sp9? Bug?!

    Hi all gurus:
    I have had this problem for several days, and still cannot solve it. Can
    anyone help me?
    My design is to put all my beans and connection pool under one "kbf"
    acl. And the "guest" servlet/jsp accesses these beans by using this "kbf"
    account. And it works in 5.1 sp8.
    Then I tried to use sp9. The very first time, when the jsp is compiled
    by WLS, all the jsps work correctly! After that, immediately clicking the
    link again, it throws a jndi exception, saying "guest" has no permission to
    access the "kbf" jndi. But my "guest" actually is a servlet/jsp running
    inside the server.
    So then we tried to use 6 sp2, to see whether we can solve the
    problem. And the funny things come out as follows.
    I just click my URL link in the browser; the first time everything is fine,
    my data is shown correctly. The second time it throws an ACL exception, saying
    guest has no right to look up my JDBC pool. Click again, the data comes out
    again. Click again, it throws the same exception. It is a "toggle".
    And, for another jsp page/link (it gets data from two tables),
    the first time both tables' data are shown. Click some other link, then
    come back to click this link, only one table's data is shown, then click
    this link again, both are shown. It is also a "toggle", slightly
    different.
    Something really funny is going on with this ACL!
    Can anyone in BEA tell me more about this ACL issue? Why does
    nobody ever care to answer these ACL questions? Both in the ejb group and
    the security group?
    Or is simply nobody using ACLs in their project?
    Or did I miss something important? Or am I abusing ACLs?
    Or is it a bug?
    Since we are going to production very soon, I need the solution
    ASAP. Right now I only have two solutions:
    1. stick to 5.1 sp8.
    2. grant "guest" permission to all my beans and connection pool, which
    means no use for the ACL at all.
    Hope someone can at least give me a hint. And sorry for the cross
    post.
    Thanks.
    minjiang

    Thanks a lot!
    The problem is that I cached the ejb homes and connection pool. So now I use
    your first solution, create the context every time, although the performance may be
    slowed down.
    But strangely, it works in 5.1 sp6-8.
    Thanks again, Dimitri!
    minjiang
    Dimitri Rakitine wrote:
    The security context is associated with the thread so, for example:
    in a servlet, you create InitialContext as "user" and save it.
    The next request will be "guest" anyway.
    So, if you want authentication, you can either
    - create InitialContext every time
    - use j2ee security so the container will do this automatically:
    http://e-docs.bea.com/wls/docs61/webapp/security.html
    Dimitri
    On Fri, 13 Jul 2001, minjiang wrote:
    Hi Dimitri:
    Sorry to mail you directly.
    I have had this question for quite some time. And I have not received any
    response to my posting or cross posting.
    Do you have any idea why my deployment works on 5.1 sp8, but not on
    sp9 and 6 sp2?
    I noticed bea changed the weblogic.ejb.interal.StatefulEJBObejct,
    and StatefulEJBCache in sp9, and this is part of why my application
    cannot work. (for one facade session bean looking up other beans in
    another acl)
    Another part is what I described in the forwarded posting: why can my "guest"
    jsp/servlet not access another acl?
    To my understanding, since my facade bean and jsp/servlet only run
    inside the WLS server, as long as the correct credential is supplied
    while constructing the jndi context, they should be allowed, right? It
    should not be only one credential per thread, which seems to be what WLS is doing
    now.
    Thanks for the help; any hint or document is appreciated.
    minjiang

  • ASA NAT Problem - I think?

    Hi Guys,
    I have an ASA5520 with an interface to the internet on a /28 public network and an interface to a /24 public network. I will connect other interfaces to other networks in time, but I just want to get the thing working for now.
    Anyway, I have set it up from the ASDM using the wizard and some extra config myself. I don't want NAT, i.e. I want hosts on the /24 network to be reachable at their original IP from the internet. I can ping anything from the firewall. I can ping the local interface from my test pc (on the /24 network) but I cannot ping, web, telnet etc. anything on the internet. However the syslog shows the packets going through the firewall and I have opened the rules up completely for testing.
    Can anyone see why the test box cannot reach the internet and vice versa?
    Is it NAT?
    Config is below (* = omitted text).
    Thanks,
    Niall.
    : Saved
    ASA Version 7.0(6)
    hostname cr01-sh
    domain-name *.net
    enable password B6R1dZUX1mTgE6pC encrypted
    names
    name 213.*.*.2 Aurix01-s01
    dns-guard
    interface GigabitEthernet0/0
    nameif WAN
    security-level 0
    ip address 217.*.*.34 255.255.255.240
    interface GigabitEthernet0/1
    nameif Customer
    security-level 10
    ip address 213.*.*.254 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list Customer_access_in extended permit ip any any log
    access-list Customer_access_in extended permit icmp any any log
    access-list Customer_access_in extended permit udp any any log
    access-list Customer_access_in extended permit tcp any any log
    access-list WAN_access_out extended permit tcp any any log
    access-list WAN_access_out extended permit udp any any log
    access-list WAN_access_out extended permit icmp any any log
    access-list WAN_access_out extended permit ip any any log
    access-list WAN_access_in extended permit ip any host Aurix01-s01
    access-list WAN_access_in extended permit icmp any host Aurix01-s01
    pager lines 24
    logging enable
    logging asdm informational
    mtu WAN 1500
    mtu Customer 1500
    mtu management 1500
    no failover
    monitor-interface WAN
    monitor-interface Customer
    monitor-interface management
    asdm image disk0:/asdm506.bin
    no asdm history enable
    arp timeout 14400
    access-group WAN_access_in in interface WAN
    access-group WAN_access_out out interface WAN
    access-group Customer_access_in in interface Customer
    route WAN 0.0.0.0 0.0.0.0 217.*.*.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 0.0.0.0 0.0.0.0 WAN
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd lease 3600
    dhcpd ping_timeout 50
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    Cryptochecksum:74609abf4a90bd20175922f0ae6b0e52
    : end

    Thanks for the help again.
    OK - I have re-run the setup wizard, tested, played around with changing the security levels so the WAN was lower than the customer interface and still nothing. Removed and re-added ACLs etc. Still nothing.
    I have a theory:
    I wonder if my ISP has loaded in the routes to the customer network?
    I ran a tracert from my home to the WAN router (gateway for the ASA) and it resolved in 10 hops. I then ran a tracert to the aurix-s01 IP (on the customer network) and it partially resolved to 5 hops and then timed out. It timed out once it made it to my ISP's core router! Would this be because they have not loaded the route for the customer network we have ordered?
    Would this be why I cannot get internet access through the ASA, because the default gateway doesn't know of the network it is coming from and it is not coming from the interface for its default route?
    Also, would this be why the ASA shows the ping build and teardown in the syslog and no dropped packets but nothing gets out?
    Thanks again for your help.
    Niall.

  • WLC ACL Problem

    Hi all,
    I'm having problems when trying to apply an ACL to my WLC dynamic interfaces. I have three WLANs that I wish to keep separated and am using ACLs that I have configured on the controller, the only problem is they don't seem to work!
    Ping test from 10.201.32.11 on WLAN1 to 10.201.27.41 on WLAN2 works and the current ACL is below:
         1 Out     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         2  In     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         3 Out     10.201.32.0/255.255.252.0       10.201.28.0/255.255.255.0    Any     0-65535     0-65535  Any   Deny           0
         4  In     10.201.28.0/255.255.255.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         5 Out     10.201.32.0/255.255.252.0     192.168.200.0/255.255.255.224  Any     0-65535     0-65535  Any   Deny           0
         6  In   192.168.200.0/255.255.255.224     10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         7 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit          69
     DenyCounter : 0
    Each WLAN sits on its own separate dynamic interface and its own unique subnet.
    Any suggestions would be most appreciated.
    Thanks.

    Hi,
    Keep in mind the direction of the ACL.
    In means from client destined to WLC.
    Out means from WLC destined to client.
    It should look like this:
    Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
         1  In     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         2 Out     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
    Don't forget to apply the ACL on the interface or on the WLAN.
    Regards,
    Christos.
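    To make the direction rule concrete, here is an added example (my own Python, not code from this thread or from Cisco) that models first-match evaluation of the ACL table posted above. It treats the ping from the WLAN1 client 10.201.32.11 to 10.201.27.41 as an "In" packet on its way to the controller and the echo reply as an "Out" packet on its way back, then compares the original ACL with one whose In/Out flags have been swapped as Christos describes. Two things are assumptions rather than something the thread states: the ten-column layout of the table (index, direction, source, destination, protocol, two port ranges, DSCP, action, counter) and the implicit deny at the end of a WLC ACL.

```python
import ipaddress
from dataclasses import dataclass

# The ACL exactly as posted in the question (columns assumed to be:
# Index Dir Src Dst Prot SrcRange DstRange DSCP Action Counter).
ORIGINAL_ACL = """
1 Out     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
2  In     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
3 Out     10.201.32.0/255.255.252.0       10.201.28.0/255.255.255.0    Any     0-65535     0-65535  Any   Deny           0
4  In     10.201.28.0/255.255.255.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
5 Out     10.201.32.0/255.255.252.0     192.168.200.0/255.255.255.224  Any     0-65535     0-65535  Any   Deny           0
6  In   192.168.200.0/255.255.255.224     10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
7 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit          69
"""


@dataclass
class Rule:
    index: int
    direction: str                  # "In" (client -> WLC), "Out" (WLC -> client) or "Any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                     # "Deny" or "Permit"


def parse_acl(table: str) -> list[Rule]:
    """Parse the controller-style ACL table into Rule objects.

    Lines that do not start with a rule index (headers, DenyCounter) are skipped.
    """
    rules = []
    for line in table.strip().splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].isdigit():
            continue
        rules.append(Rule(
            index=int(f[0]),
            direction=f[1],
            # ipaddress accepts dotted-decimal masks such as 10.201.32.0/255.255.252.0
            src=ipaddress.ip_network(f[2], strict=False),
            dst=ipaddress.ip_network(f[3], strict=False),
            action=f[8],
        ))
    return rules


def swap_directions(rules: list[Rule]) -> list[Rule]:
    """The correction from the answer: every In was meant as Out and vice versa."""
    flip = {"In": "Out", "Out": "In", "Any": "Any"}
    return [Rule(r.index, flip[r.direction], r.src, r.dst, r.action) for r in rules]


def evaluate(rules: list[Rule], direction: str, src_ip: str, dst_ip: str):
    """Return (action, matched_index) for one packet; the first matching rule wins.

    Assumption: a WLC ACL ends with an implicit deny, modelled as ("Deny", None).
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.direction != "Any" and r.direction != direction:
            continue
        if src in r.src and dst in r.dst:
            return r.action, r.index
    return "Deny", None


def ping_allowed(rules: list[Rule], client_ip: str, target_ip: str) -> bool:
    """A ping succeeds only if the echo request (client -> WLC, 'In') and the
    echo reply (WLC -> client, 'Out') are both permitted."""
    request, _ = evaluate(rules, "In", client_ip, target_ip)
    reply, _ = evaluate(rules, "Out", target_ip, client_ip)
    return request == "Permit" and reply == "Permit"


if __name__ == "__main__":
    original = parse_acl(ORIGINAL_ACL)
    fixed = swap_directions(original)
    for label, acl in (("original", original), ("directions swapped", fixed)):
        print(label, evaluate(acl, "In", "10.201.32.11", "10.201.27.41"),
              "ping ok:", ping_allowed(acl, "10.201.32.11", "10.201.27.41"))
```

    With the original table the request falls through to rule 7, the Permit whose counter reads 69, which is exactly why the ping from WLAN1 to WLAN2 succeeds; with the directions swapped, rule 1 denies the request before it reaches the other interface. The same evaluator can be pointed at the 10.201.28.0/24 and 192.168.200.0/27 pairs to confirm the remaining rules behave the same way.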

  • Leopard Server / Windows / ACL Problem

    We have had this problem since we upgraded our servers to Leopard. When Windows users are accessing files (over SMB), the POSIX permissions seem to override the ACLs. This is a problem because applications like Excel will change the permissions.
    This worked perfectly in Tiger. The Windows user would modify the POSIX permissions all they wanted, but it wouldn't matter because the ACLs were what mattered.
    Does anyone know of a solution? This is a real problem.

    Since your issue is caused by OS X Server, you may want to post your question over in the OS X Server forums:
    http://discussions.apple.com/category.jspa?categoryID=96
