ASA and plusnet fibre

Similar Messages

• EA4500 and PlusNet Fibre?

  One of my work colleagues is getting rid of his EA4500 cheap, and I have a PlusNet FTTC installation happening on 27th July. I've read lots of forum posts about this router not working properly with PlusNet and/or Fibre. The issues pointed towards a firmware issue, I've looked at the firmware release notes for this router and nothing immediately leaps out as being a fix to the problems that have been reported. Is anybody successfully using an EA4500 with a PlusNet FTTC installation? Any hints and tips? ThanksW

  Hi,
  Not really enough information to go on.
  I guess one question would be does the ISP provide the IP addresses with DHCP or do you staticly configure your devices WAN interface?
  Is there a need for the Zyxel infront of the ASA? Could you simply attach the fibre to the ASA (with the device the fibre is connected to). I am not sure what kind of device it is that your fibre is connected to. If it was possible to only use the ASA as a device doing routing/NAT/ACL then I would imagine the setup could be really simple. Now the problems might be more related to having 2-3 devices behind the fibre and having configuration error somewhere there that prevents normal traffic flow.
  We would really need to know how the devices are configured to be able to help at all.
  - Jouni

• BT vs Plusnet Fibre Query re Support

  Hi
  I'm with Sky LLU and BT line at the moment and just about to move both to a fibre product.
  Have narrowed my choice to BT and Plusnet. I like the look of the HH5 compared to the PN TG582n, the cheaper calls to mobiles on anytime, and the inclusion of BT Sport.PN are estimating 51Mb download and BT estimate 47-65Mb.
  BUT my main concern is response of support in the event of problems.
  I notice that on here the advice for, say a DLM, banding or upload speed issue is to wait for the system sort itself out, which could take a few days. On the PN forums they seem much more pro-active and just go in and sort the issue straight away if they can. Do they have access which BT support don't have?
  I would like to think BT would offer a higher quality service at their higher prices, but I'm concerned I may be paying more for inferior support. After all, isn't the connection supplied by Openreach identical anyway.
  Any thoughts welcome before I press the appropriate button!
  Thanks.

  The support, if you need it,  from BT could in some instances be better. Going by this forum you would think it is the worst but keep in mind people generally only come onto a forum if they have a problem or want to moan about something. They seldom come on to praise.
  Having had a quick look through the Plusnet forum the same moans and complaints are there.
  As regards DLM, this is controlled by Openreach and if a manual reset is required the ISP, whether it is BT or Plusnet have to request this. Again on the Plusnet forum it would appear that it is no better or worse for resets to be carried out and the same complaints about it are there as well.
  Hopefully you won't need the support service but if you do, they on most occassions can help without problem however I suspect others will have a different opinion.

• Routing issue with ASA and UC540 phone system - at ASA???

  Having an issue with routing from the PC at .242 to the CUE server at 10.1.10.1. The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has it's own WAN connection as does the ASA.
  Here are some facts:
  1. Can ping the UC540's internal CUE server from the PC ( ping to 10.1.10.1 )
  2. Can ping the UC540's VLAN 1 address from the PC ( ping to 10.1.10.1 )
  3. The ASA is the default gateway for the PC.
  4. I have a route inserted at the asa that is:
                 route 10.1.10.1 255.255.255.0 10.19.250.254 1
  5. I have a nat statement that prevents NAT from occuring but I don't think this is necessary as the 10.1.10.0/24 network isn't otherwise defined on the      ASA.
  6. I cannot pull up a web page when I point the browser on the PC to the 10.1.10.1 address
  7. I CAN pull up a web page on the PC when I create a static route on the PC iteslf :
                 route add 10.1.10.1 mask 255.255.255.0 10.19.250.254
       Is is only with this route that I am able to get to the web GUI on the phone system.
  8. The phone system has a loopback interface at 10.1.10.2 that serves as the gateway for the internal CUE server, the internal CUE server is at      10.1.10.1
  9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice vlan which is at 10.1.1.0/24, no issues with this vlan and phones      are connecting to the system fine.
  Since I can get the GUI to come up when I set a static route on the PC, then I would assume that the routing in the phone system with it's internal server is fine as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is setup correctly..... TCP traffic doesn't seem to get to/from the CUE server.
  Here are the routing tables:
  ASA:
  Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0
  C    xxx.xxx.xxx.xxx 255.255.255.252 is directly connected, outside
  S    172.16.100.100 255.255.255.255 [1/0] via 38.97.193.65, outside
  S    10.1.10.0 255.255.255.252 [1/0] via 10.19.250.254, inside
  C    10.19.250.0 255.255.254.0 is directly connected, inside
  S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.xx, outside
  The UC540 phone system's router side:
  Gateway of last resort is xx.xx.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via xx.xx.xx.xx
        10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
  C        10.1.1.0/24 is directly connected, BVI100
  L        10.1.1.1/32 is directly connected, BVI100
  C        10.1.10.0/30 is directly connected, Loopback0
  S        10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0
  L        10.1.10.2/32 is directly connected, Loopback0
  C        10.19.250.0/23 is directly connected, BVI1
  L        10.19.250.254/32 is directly connected, BVI1
        XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0
  L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0
        172.16.0.0/24 is subnetted, 1 subnets
  S        172.16.100.0 [1/0] via 10.19.250.1
  The UC540's internal CUE server:
  Main Routing Table:
             DEST            GATE            MASK                     IFACE
        10.1.10.0            0.0.0.0           255.255.255.252       eth0
          0.0.0.0             10.1.10.2         0.0.0.0                    eth0
  Any help appreciated!!!
  Thanks!

  Hello,
  Where you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The Firewall needs to see both sides of the traffic but the return traffic is going from your UC540 direct to the PC. The firewall essentially kills the traffic.
  I would recommend disabling TCP state checking on the ASA and see if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA which needs to route through the ASA to reach the PC.
  Here is a info page on the TCP State Bypass:
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
  Please let me know how it works out.

• Site-to-site vpn with 2 asa and home router

  I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
  Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
  192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
  10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
  192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
  Below are the configs of the local and remote asa. any help would be greatly appreaciated.
  local-asa
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.6 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Switch
  host 192.168.1.5
  description 2960-24 Switch
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network Mark_Public
  host 76.98.2.63
  description Mark Public
  object network Mark
  subnet 10.10.10.0 255.255.255.0
  description Marks Network
  object network Mark_routed_subnet
  subnet 192.168.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
  access-list Home standard permit 192.168.1.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
  route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
  aaa-server Radius protocol radius
  aaa-server Radius (inside) host 192.168.1.101
  key *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Radius LOCAL
  aaa authentication telnet console Radius LOCAL
  aaa authentication enable console Radius LOCAL
  aaa authentication http console Radius LOCAL
  aaa authentication serial console Radius LOCAL
  aaa accounting enable console Radius
  aaa accounting serial console Radius
  aaa accounting ssh console Radius
  aaa accounting telnet console Radius
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 66.162.9.0 255.255.255.0 outside
  http 76.98.2.63 255.255.255.255 outside
  http 10.10.10.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.101 community *****
  snmp-server location 149 Cinder Cross
  snmp-server contact Ted Stout
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps cpu threshold rising
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map0 1 match address outside_cryptomap
  crypto map outside_map0 1 set peer 76.98.2.63
  crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map0 interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=stout-fw
  keypair vpn.stoutte.homeip.net
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpoint Home--Server-CA
  enrollment terminal
  subject-name CN=stout-fw,O=home
  keypair HOME-SERVER-CA
  crl configure
  crypto ca trustpoint HOME-SSL
  enrollment terminal
  fqdn stoutfw.homeip.net
  subject-name CN=stoutfw,O=Home
  keypair HOME-SSL
  no validation-usage
  crl configure
  crypto ca trustpoint SelfSigned
  enrollment self
  fqdn stoutfw.homeip.net
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpoint ASDM_TrustPoint2
  enrollment self
  fqdn 192.168.1.6
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpool policy
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 20
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.1.5 source inside prefer
  ssl trust-point SelfSigned outside
  ssl trust-point ASDM_TrustPoint2 inside
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
  username stoutte attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect profiles value VPN_client_profile type user
  tunnel-group 76.98.2.63 type ipsec-l2l
  tunnel-group 76.98.2.63 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 76.98.2.63 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  authentication-server-group Radius LOCAL
  default-group-policy GroupPolicy_VPN
  dhcp-server link-selection 192.168.1.101
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  class-map inspection_default
  match default-inspection-traffic
  remote-asa
  : Saved
  ASA Version 9.1(1)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.0.10 255.255.255.0
  ftp mode passive
  clock timezone EDT -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name netlab.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Ted
  subnet 192.168.1.0 255.255.255.0
  description Teds Network
  object network Ted_Public
  host 24.163.116.187
  object network outside_private
  subnet 192.168.0.0 255.255.255.0
  object network NETWORK_OBJ_10.10.10.0_24
  subnet 10.10.10.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
  access-list outside_access_in extended permit ip object Ted_Public any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  logging debug-trace
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
  route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 24.163.116.187 255.255.255.255 outside
  http 192.168.0.0 255.255.255.0 outside
  http 10.10.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto map outside_map2 1 match address outside_cryptomap
  crypto map outside_map2 1 set peer 24.163.116.187
  crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map2 interface outside
  crypto ikev2 enable outside
  crypto ikev2 enable inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  ssh 10.10.10.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  dhcpd address 10.10.10.1-10.10.10.20 inside
  dhcpd enable inside
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
  tunnel-group 24.163.116.187 type ipsec-l2l
  tunnel-group 24.163.116.187 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 24.163.116.187 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
  : end
  no asdm history enable

  I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
  Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
  192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
  10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
  192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
  Below are the configs of the local and remote asa. any help would be greatly appreaciated.
  local-asa
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.6 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Switch
  host 192.168.1.5
  description 2960-24 Switch
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network Mark_Public
  host 76.98.2.63
  description Mark Public
  object network Mark
  subnet 10.10.10.0 255.255.255.0
  description Marks Network
  object network Mark_routed_subnet
  subnet 192.168.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
  access-list Home standard permit 192.168.1.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
  route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
  aaa-server Radius protocol radius
  aaa-server Radius (inside) host 192.168.1.101
  key *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Radius LOCAL
  aaa authentication telnet console Radius LOCAL
  aaa authentication enable console Radius LOCAL
  aaa authentication http console Radius LOCAL
  aaa authentication serial console Radius LOCAL
  aaa accounting enable console Radius
  aaa accounting serial console Radius
  aaa accounting ssh console Radius
  aaa accounting telnet console Radius
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 66.162.9.0 255.255.255.0 outside
  http 76.98.2.63 255.255.255.255 outside
  http 10.10.10.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.101 community *****
  snmp-server location 149 Cinder Cross
  snmp-server contact Ted Stout
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps cpu threshold rising
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map0 1 match address outside_cryptomap
  crypto map outside_map0 1 set peer 76.98.2.63
  crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map0 interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=stout-fw
  keypair vpn.stoutte.homeip.net
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpoint Home--Server-CA
  enrollment terminal
  subject-name CN=stout-fw,O=home
  keypair HOME-SERVER-CA
  crl configure
  crypto ca trustpoint HOME-SSL
  enrollment terminal
  fqdn stoutfw.homeip.net
  subject-name CN=stoutfw,O=Home
  keypair HOME-SSL
  no validation-usage
  crl configure
  crypto ca trustpoint SelfSigned
  enrollment self
  fqdn stoutfw.homeip.net
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpoint ASDM_TrustPoint2
  enrollment self
  fqdn 192.168.1.6
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpool policy
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 20
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.1.5 source inside prefer
  ssl trust-point SelfSigned outside
  ssl trust-point ASDM_TrustPoint2 inside
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
  username stoutte attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect profiles value VPN_client_profile type user
  tunnel-group 76.98.2.63 type ipsec-l2l
  tunnel-group 76.98.2.63 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 76.98.2.63 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  authentication-server-group Radius LOCAL
  default-group-policy GroupPolicy_VPN
  dhcp-server link-selection 192.168.1.101
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  class-map inspection_default
  match default-inspection-traffic
  remote-asa
  : Saved
  ASA Version 9.1(1)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.0.10 255.255.255.0
  ftp mode passive
  clock timezone EDT -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name netlab.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Ted
  subnet 192.168.1.0 255.255.255.0
  description Teds Network
  object network Ted_Public
  host 24.163.116.187
  object network outside_private
  subnet 192.168.0.0 255.255.255.0
  object network NETWORK_OBJ_10.10.10.0_24
  subnet 10.10.10.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
  access-list outside_access_in extended permit ip object Ted_Public any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  logging debug-trace
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
  route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 24.163.116.187 255.255.255.255 outside
  http 192.168.0.0 255.255.255.0 outside
  http 10.10.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto map outside_map2 1 match address outside_cryptomap
  crypto map outside_map2 1 set peer 24.163.116.187
  crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map2 interface outside
  crypto ikev2 enable outside
  crypto ikev2 enable inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  ssh 10.10.10.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  dhcpd address 10.10.10.1-10.10.10.20 inside
  dhcpd enable inside
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
  tunnel-group 24.163.116.187 type ipsec-l2l
  tunnel-group 24.163.116.187 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 24.163.116.187 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
  : end
  no asdm history enable

• ISAKMP Phase 1 dying for Site to Site tunnel between ASA and Fortigate

        I am facing strange issue on my asa and client Fortigate fw.
  We have site to site tunnel with 3des and sha and DH-5 on asa
  3des  sha1 and dh-5 on Fortigate.
  Tunnel came up when configured after some time it went down and it is throwing below errors. Please
  some one help me here.
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
  Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
  Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ISA_KE payload
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing nonce payload
  Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!<<<<---------Please suggest if DH group 5 does not work with PSK.
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf9255d8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GEN_DH_KEY-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating:  flags 0x01000002, refcnt 0, tuncnt 0
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
  Mum-PRI-ASA#

  Hey All,
  I experienced same issue with my another tunnel. Lately I came to know it was higher level of DH computation which my ASA was not able to perform and ASA reboot worked here. See the logs for tunnel which came up after reboot.
  Eror Before Reload
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
  Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 416
  Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
  Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
  Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA MM:64cf4b96 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, sending delete/delete with reason message
  Isakmp phase completion After reload
  Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
  Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
  Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
  SENDING PACKET to xx.xx.xx.xx

• MS NLB with ASA and Static NAT from PUP to NLB IP

  Hi all,
  I am trying to get MS NLB up and running.  It is almost all working.  Below is my physical setup.
  ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
  I have two VMs runing on two different ESXi hosts.  They have two vNICs.  One for managment and one for inside puplic subnet.  The inside puplic subnet NICs are in the NLB cluster.  The inside public subnet is NATed on the ASA to a outide public IP.
  192.168.0.50 is the 1st VM
  192.168.0.51 is the 2nd VM
  192.168.0.52 is the cluster IP for heartbeat
  192.168.0.53 is the cluster IP for NLB traffic.
  0100.5e7f.0035 is the cluster MAC.
  The NLB cluster is using MULTICAST
  I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC. 
  For the ASA I found
  http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
  ASDM
  Configuration > Device Management > Advanced > ARP > ARP Static Table
  I was able to add my stic ARP just fine.
  However, the next step was to enable ARP inspection.
  Configuration > Device Management > Advanced > ARP > ARP Inspection
  My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
  For the CAT Switch I found
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
  I added the both the ARP and Static MAC.  For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
  On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa.  I then added a DNS entry for our domain to point to the outside public IP.  I also added it to the public servers section allowing all IP traffic testing puproses.
  At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets)  The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae.  Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine. 
  So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine.  Below is my ASA Config. I have bolded the parts of Interest.
  Result of the command: "show run"
  : Saved
  ASA Version 8.4(4)9
  hostname MP-ASA-1
  enable password ac3wyUYtitklff6l encrypted
  passwd ac3wyUYtitklff6l encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 198.XX.XX.82 255.255.255.240
  interface Ethernet0/1
  description Root Inside Interface No Vlan
  speed 1000
  duplex full
  nameif Port-1-GI-Inside-Native
  security-level 100
  ip address 10.1.1.1 255.255.255.0
  interface Ethernet0/1.2
  description Managment LAN 1 for Inside Networks
  vlan 2
  nameif MGMT-1
  security-level 100
  ip address 192.168.180.1 255.255.255.0
  interface Ethernet0/1.3
  description Managment LAN 2 for Inside Networks
  vlan 3
  nameif MGMT-2
  security-level 100
  ip address 192.168.181.1 255.255.255.0
  interface Ethernet0/1.100
  description Development Pubilc Network 1
  vlan 100
  nameif DEV-PUB-1
  security-level 50
  ip address 192.168.0.1 255.255.255.0
  interface Ethernet0/1.101
  description Development Pubilc Network 2
  vlan 101
  nameif DEV-PUB-2
  security-level 50
  ip address 192.168.2.1 255.255.255.0
  interface Ethernet0/1.102
  description Suncor Pubilc Network 1
  vlan 102
  nameif SUNCOR-PUB-1
  security-level 49
  ip address 192.168.3.1 255.255.255.0
  interface Ethernet0/1.103
  description Suncor Pubilc Network 2
  vlan 103
  nameif SUNCOR-PUB-2
  security-level 49
  ip address 192.168.4.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  boot system disk0:/asa844-9-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network Inside-Native-Network-PNAT
  subnet 10.1.1.0 255.255.255.0
  description Root Inisde Native Interface Network with PNAT
  object network ASA-Outside-IP
  host 198.XX.XX.82
  description The primary IP of the ASA
  object network Inside-Native-Network
  subnet 10.1.1.0 255.255.255.0
  description Root Inisde Native Interface Network
  object network VPN-POOL-PNAT
  subnet 192.168.100.0 255.255.255.0
  description VPN Pool NAT for Inside
  object network DEV-PUP-1-Network
  subnet 192.168.0.0 255.255.255.0
  description DEV-PUP-1 Network
  object network DEV-PUP-2-Network
  subnet 192.168.2.0 255.255.255.0
  description DEV-PUP-2 Network
  object network MGMT-1-Network
  subnet 192.168.180.0 255.255.255.0
  description MGMT-1 Network
  object network MGMT-2-Network
  subnet 192.168.181.0 255.255.255.0
  description MGMT-2 Network
  object network SUNCOR-PUP-1-Network
  subnet 192.168.3.0 255.255.255.0
  description SUNCOR-PUP-1 Network
  object network SUNCOR-PUP-2-Network
  subnet 192.168.4.0 255.255.255.0
  description SUNCOR-PUP-2 Network
  object network DEV-PUB-1-Network-PNAT
  subnet 192.168.0.0 255.255.255.0
  description DEV-PUB-1-Network with PNAT
  object network DEV-PUB-2-Network-PNAT
  subnet 192.168.2.0 255.255.255.0
  description DEV-PUB-2-Network with PNAT
  object network MGMT-1-Network-PNAT
  subnet 192.168.180.0 255.255.255.0
  description MGMT-1-Network with PNAT
  object network MGMT-2-Network-PNAT
  subnet 192.168.181.0 255.255.255.0
  description MGMT-2-Network with PNAT
  object network SUNCOR-PUB-1-Network-PNAT
  subnet 192.168.3.0 255.255.255.0
  description SUNCOR-PUB-1-Network with PNAT
  object network SUNCOR-PUB-2-Network-PNAT
  subnet 192.168.4.0 255.255.255.0
  description SUNCOR-PUB-2-Network with PNAT
  object network DEV-APP-1-PUB
  host 198.XX.XX.XX
  description DEV-APP-2 Public Server IP
  object network DEV-APP-2-SNAT
  host 192.168.2.120
  description DEV-APP-2 Server with SNAT
  object network DEV-APP-2-PUB
  host 198.XX.XX.XX
  description DEV-APP-2 Public Server IP
  object network DEV-SQL-1
  host 192.168.0.110
  description DEV-SQL-1 Inside Server IP
  object network DEV-SQL-2
  host 192.168.2.110
  description DEV-SQL-2 Inside Server IP
  object network SUCNOR-APP-1-PUB
  host 198.XX.XX.XX
  description SUNCOR-APP-1 Public Server IP
  object network SUNCOR-APP-2-SNAT
  host 192.168.4.120
  description SUNCOR-APP-2 Server with SNAT
  object network SUNCOR-APP-2-PUB
  host 198.XX.XX.XX
  description DEV-APP-2 Public Server IP
  object network SUNCOR-SQL-1
  host 192.168.3.110
  description SUNCOR-SQL-1 Inside Server IP
  object network SUNCOR-SQL-2
  host 192.168.4.110
  description SUNCOR-SQL-2 Inside Server IP
  object network DEV-APP-1-SNAT
  host 192.168.0.120
  description DEV-APP-1 Network with SNAT
  object network SUNCOR-APP-1-SNAT
  host 192.168.3.120
  description SUNCOR-APP-1 Network with SNAT
  object network PDX-LAN
  subnet 192.168.1.0 255.255.255.0
  description PDX-LAN for S2S VPN
  object network PDX-Sonicwall
  host XX.XX.XX.XX
  object network LOGI-NLB--SNAT
  host 192.168.0.53
  description Logi NLB with SNAT
  object network LOGI-PUP-IP
  host 198.XX.XX.87
  description Public IP of LOGI server for NLB
  object network LOGI-NLB-IP
  host 192.168.0.53
  description LOGI NLB IP
  object network LOGI-PUP-SNAT-NLB
  host 198.XX.XX.87
  description LOGI Pup with SNAT to NLB
  object-group network vpn-inside
  description All inside accessible networks
  object-group network VPN-Inside-Networks
  description All Inside Nets for Remote VPN Access
  network-object object Inside-Native-Network
  network-object object DEV-PUP-1-Network
  network-object object DEV-PUP-2-Network
  network-object object MGMT-1-Network
  network-object object MGMT-2-Network
  network-object object SUNCOR-PUP-1-Network
  network-object object SUNCOR-PUP-2-Network
  access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
  access-list outside_access_out remark Block ping to out networks
  access-list outside_access_out extended deny icmp any any inactive
  access-list outside_access_out remark Allow all traffic from inside to outside networks
  access-list outside_access_out extended permit ip any any
  access-list outside_access extended permit ip any object LOGI-NLB--SNAT
  access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
  access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
  access-list outside_access extended permit ip any object DEV-APP-2-SNAT
  access-list outside_access extended permit ip any object DEV-APP-1-SNAT
  access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
  pager lines 24
  logging asdm informational
  mtu outside 1500
  mtu Port-1-GI-Inside-Native 1500
  mtu MGMT-1 1500
  mtu MGMT-2 1500
  mtu DEV-PUB-1 1500
  mtu DEV-PUB-2 1500
  mtu SUNCOR-PUB-1 1500
  mtu SUNCOR-PUB-2 1500
  mtu management 1500
  ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any Port-1-GI-Inside-Native
  icmp permit any MGMT-1
  icmp permit any MGMT-2
  icmp permit any DEV-PUB-1
  icmp permit any DEV-PUB-2
  icmp permit any SUNCOR-PUB-1
  icmp permit any SUNCOR-PUB-2
  asdm image disk0:/asdm-649-103.bin
  no asdm history enable
  arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
  arp timeout 14400
  no arp permit-nonconnected
  nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  object network Inside-Native-Network-PNAT
  nat (Port-1-GI-Inside-Native,outside) dynamic interface
  object network VPN-POOL-PNAT
  nat (Port-1-GI-Inside-Native,outside) dynamic interface
  object network DEV-PUB-1-Network-PNAT
  nat (DEV-PUB-1,outside) dynamic interface
  object network DEV-PUB-2-Network-PNAT
  nat (DEV-PUB-2,outside) dynamic interface
  object network MGMT-1-Network-PNAT
  nat (MGMT-1,outside) dynamic interface
  object network MGMT-2-Network-PNAT
  nat (MGMT-2,outside) dynamic interface
  object network SUNCOR-PUB-1-Network-PNAT
  nat (SUNCOR-PUB-1,outside) dynamic interface
  object network SUNCOR-PUB-2-Network-PNAT
  nat (SUNCOR-PUB-2,outside) dynamic interface
  object network DEV-APP-2-SNAT
  nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
  object network SUNCOR-APP-2-SNAT
  nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
  object network DEV-APP-1-SNAT
  nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
  object network SUNCOR-APP-1-SNAT
  nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
  object network LOGI-NLB--SNAT
  nat (DEV-PUB-1,outside) static LOGI-PUP-IP
  object network LOGI-PUP-SNAT-NLB
  nat (outside,DEV-PUB-1) static LOGI-NLB-IP
  access-group outside_access in interface outside
  access-group outside_access_out out interface outside
  route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 outside
  http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
  http 192.168.180.0 255.255.255.0 MGMT-1
  http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect icmp error
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
  : end
  Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff. 
  Thanks,
  Chris

  Also If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP.  So it's definatly an issue when NATing the VIP of NLB cluster.
  Chris

• Packet Loss between ASA and 871

  We are running a Cisco ASA 5505 and remote clients are 871's. We currently use a EasyVPN configuration between the single ASA and our 13 871's.
  Today (1) out of the (13) tunnels is experiencing packet loss. I have power cycles the broadband router on the 871 end and the 871 and the situation still exists.
  Does anyone know what would cause this and how to troubleshoot it?
  Thanks,
  Jason

  Have you contact broadband provider on the 871 side to rule out any issues on the link? what broadband ADSLAM pppoa? start first rulling out physical issues WAN interface, LAN interface stats and work your way up, is this is something that suddenly developped? from what you post indicates it seems this tunnel have been fine, it could be broadband link issues but fist investigate with provider to go the next step.
  what do you see in 871 router logs in terms of links, turn on logging informational before staring debugg proceedures.
  HTH
  Jorge

• Best practices for using Normalizer in ASA and in AIP-SSM

  Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on ASA can do virtual reassembly, IPS on SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both ASA and SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.
  The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on ASA and/or SSM? Is it better to use just SSM for traffic normalization? Does anybody has personal experience here?
  Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"
  "When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."
  To me it seems to be more logical to have normalization function on the firewall, but there may be drawbacks in doing this.
  So, those who're using ASA with SSM, please share your experience.
  Thx.

  Yes, this is almost correct ;)
  TCP SRP (Stream Reassemly Processor) is turned OFF on the SSM and cannot be enabled, contrary to 4200 appliances, but IP FRP (Fragmentation Reassembly Processor) is functioning on the SSM.
  The testing of 7.2(1) shows the following:
  When you configure "policy-map" to send packets to the SSM the "tcp-map" parameter "queue-limit", which has the value of zero by default, is set to an X (the X is unknown). This means that the ASA now only accepts the TCP segments which are sent in the correct order. More specifically, the gaps in SEQs are not allowed anymore. When for example, the ASA receives a TCP segment which has a SEQ within the window, but the previous TCP segment has been lost, it sends an ACK to the sender to enforce retransmition of the lost segment. As a result the sender retransmits both segments. Only after that the ASA forwards both segments to the SSM. This basically means that SSM always sees in-order TCP segments. That it is why SRP is not needed on the SSM.
  There are at least two problems however.
  The first problem is the performance impact.
  ASA now acts almost like a proxy. And, so far as I know, it doesn't support SACK (Selective ACKs). First, when the ASA does TCP SEQ randomization it doesn't change SEQ values within the SACK TCP Option. This simply breakes SACK. Second, even if you turn randomization mechanism OFF, then, I believe, the ASA will not selectively ACK the lost TCP segments, as it simply doesn't support this mechanism.
  The second problem is THE SECURITY HOLE.
  By default the ASA doesn't check TCP checksums. The 4200 appliances do check by default. But as we now know the SRP is turned OFF on the SSM... So, this means that SSM module can easily be evaded. The hacker only needs to mix attacking traffic with the random TCP segments that have bad TCP checksum. The SSM module will see the mixture of the two and will not recognize the attack. The target host will drop TCP segments with the bad checksums and see only attacking traffic... This has been successfully verified in the lab.
  Of course, this security hole can be closed with the "tcp-map" parameter "checksum-verification", but it will definitely has performance impact.
  The last note: All of the above has never been documented by Cisco. So, use at your own risk, etc.
  I hope, you will read this message, Marcoa. All of this MUST be documented. Once again, the default behaviour of the ASA opens up a big security hole.
  Regards,
  Oleg Tipisov,
  REDCENTER,
  Moscow

• Connecting routers. ASA and 2921

  Here is a link to the previous post to explain where we were. https://supportforums.cisco.com/message/4133793#4133793
  OK..
  I have an ASA 5510 and a 2921.
  The ASA is used and vpn/firewall and and internet,
  The 2921 is used for inter-vlan routing..
  My  primary scenario, take a look at the image . https://supportforums.cisco.com/servlet/JiveServlet/download/4096848-15371310/router_net.gif
  My data network  is 10.20.60.0
  My Voice network is 192.168.2.0
  The problem; with this setup, I cannot get the 192.168.2.0 network to browse the web. And I cannot get to access my VOICE mail server unless I use a 192 address.
  The solution:
  Roger
  so remember the plan was to remove the 2921 interface and use 10.10.10.2 on the inter with 10.20.60.2...
  1) shutdown the 2921 interface on the ASA and remove the address from the config.
  2) remove the cable from the inside interface of the ASA that i think still connects to a switch.
  3) take the cable that is in the 2921 interface on the ASA and connect it to the inside interface of the ASA.
  Now the 2921 router physical connection runs from gi0/2 on the router to the inside interface of the ASA.
  4) remove the 10.20.60.2 address from the inside interface on the ASA and add the 10.10.10.2 address that was previously on the 2921 ASA interface.
  5) these routes on the ASA need changing  -
  a) remove these -
  no route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1
  no route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1
  b) add these
  route inside 10.20.30.0 255.255.254.0 10.10.10.1 1
  route inside 192.168.2.0 255.255.255.0 10.10.10.1 1
  6) add this route to the 2921
  ip route 0.0.0.0 0.0.0.0 10.10.10.2
  That should do it. As i say you will need downtime but once done all internal vlans should route via the 2921 and the ASA should only be used for internet. The ASA NAT statements reference the inside interface so it should just work.
  And Still no connection.. If you follow the thread post on top you will get a better Idea..
  Basically I want to be able to get the 10.20.60.0 network  and use the asa for vpn and internet while use the 2921 for routing.

  Roger
  Okay, i though it might be an issue with the cable ie. straight thru vs cross over.
  When you tried to browse the web did you check that the interfaces on the 2921 and the ASA were both up ?
  As long as the routes were adding ie, the default route on the 2921 to the ASA inside interface and routes on the ASA pointing back to the 2921 then it should have worked.
  If it is not the cable then the only other things i can think of are -
  1) the default gateway on the PCs is not set correctly but then the PC in different vlans would not be able to talk to each other.
  In your diagram you say the gateway for the internet is now 10.10.10.2. But that is only on the router ie. the default route. The PCs should have their default gateways set to the respective subinterface IP on the 2921 - is this how you did it ?
  2) some misconfiguration on your ASA.
  In addition you say you cannot get to the voice server unless you use a 192.168.x.x address. What subnet is the voice server on ?
  Did you manage to save the configs when you did the upgrade or are you back to where you were before without the configs ?
  Jon

• ASA and MARS

  Hello. Can I use a couple of ASAs and MARS to log visited URLs with the Active Directory username that visited the specific URL?

  No, you'll need a proxy server for that. Take a look at Ironport (owned by Cisco) for web security.
  http://www.ironport.com/products/web_security_appliances.html
  Hope it helps.

• Web-auth using ASA and ACS 5.1

  In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that use?  The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store.  Is this even possible with TACACS? 

  Hello,
  You might want to look for "Cut through proxy" on Cisco.com. That feature would allow you to accomplish the described scenario! Also, you might want to use RADIUS instead of TACACS+.
  Regards.

• ASA and VTI configuration

  Good morning experts,
  My experience with ASAs over the last few years has been limited so I am not up on all of the newer features that they offer. I know in the past that ASAs did not support any type of tunnel interfaces and thus did not support a VTI configuration like you can do on an IOS router.
  My problem is that I need to build a VPN tunnel between a few ASAs and a Juniper netscreen which many networks on each side that can not easily be summarized. Being able to build a route based VPN on the ASA would be very helpful as the crypto map could essentially be all zeros. Without this configuration, crypto IDs on both sides are going to get very complication very quickly.
  I can't seem to find any info on VTI configuration for the ASA which leads me to believe it doesn't exist. However a guy I work with that uses ASAs daily firmly believes that after version 8.4 this configuration is supported.
  Can anyone confirm please?
  Elton

  Dear Karthik ,
  I do not think the posted link contain what is elton looking for , actually I have few juniper firewalls and looking to replace them with ASA's but the problem is ASA did not support tow of our main requirements which is Route Based VPN through VTI , and GRE tunneling 
  I do not why Cisco did not support those features on ASA till now (as per my knowledge) most of firewall vendors support that 

• SCEP Proxy vs. Legacy SCEP (ASA and AnyConnect)

  Hello,
  We currently have a Legacy SCEP deployment using ASAs and Windows Server 2008 R2 PKI environment for AnyConnect client certificate enrollment.  I'd like to switch from Legacy SCEP to SCEP Proxy, but it isn't clear that SCEP Proxy supports the "Prompt for Challenge Password" feature we use in Legacy SCEP.  The "Prompt for Challenge Password" variable seems to be part of the XML tag used for the "CA URL" which is only used in Legacy SCEP.
  If "Prompt For Challenge Password" isn't supported with SCEP Proxy, it seems like Cisco took one step forward and one step backward with the newer feature.  Sure, you don't expose your PKI RA to remote users, but you eliminate the only element of user authorization for new certificates if you allow remote users to generate a VPN certificate with nothing more than their username and password.
  Thanks,
  Jim

  Hello Doug,
  Did you get this to work eventionally? not to many replies unfortunately to your question...
  Cheers

• Can't get L2L VPN up between ASA and Fortinet (IKEv2)

  Hi,
  I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being setup with IKEv2. The ASA is complaining that it can't find a matching policy.
  The Fortinet device is configured by other party and I have confirmed that they are using the agreed settings.
  Configuration from the ASA:
  crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
   protocol esp encryption 3des
   protocol esp integrity sha-1
  crypto map VPN 100 match address ABC
  crypto map VPN 100 set pfs group5
  crypto map VPN 100 set peer x.x.x.x
  crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
  crypto map VPN 100 set security-association lifetime seconds 28800
  crypto map VPN interface outside
  crypto ikev2 policy 10
   encryption aes-256 3des
   integrity sha256 sha
   group 5
   prf sha256
   lifetime seconds 86400
  crypto ikev2 enable outside
  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group x.x.x.x ipsec-attributes
   ikev2 remote-authentication pre-shared-key blablabla
   ikev2 local-authentication pre-shared-key blablabla
  Debugs say that there is no matching policy:
  IKEv2-PROTO-3: (97): Get peer authentication method
  IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
  IKEv2-PROTO-3: (97): Verify authentication data
  IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
  IKEv2-PROTO-2: (97): Processing auth message
  IKEv2-PROTO-1: (97): Failed to find a matching policy
  IKEv2-PROTO-1: (97): Received Policies:
  ESP: Proposal 1:  3DES SHA96
  IKEv2-PROTO-1: (97): Failed to find a matching policy
  IKEv2-PROTO-1: (97): Expected Policies:
  IKEv2-PROTO-5: (97): Failed to verify the proposed policies
  IKEv2-PROTO-1: (97): Failed to find a matching policy

  Dear Robert,
  The above error from ASA indicates there may be a problem with your preshared key..Both Local and remotre sites...or an Out of Synce problem to the remote end/peer. Give more details about ur Watchguard version with what application it is running..Send the complete log of
  1. sh crypto ipsec sa
  2. sh crypto isakmp sa
  3. debug crypto isa 255
  4. debug crypto ipsec 255