ASA ASDM not working
Hi,
When I try to access the web page for ASDM from the inside interface, Internet Explorer shows "Internet Explorer cannot display the webpage". Following are the show version and show running-config outputs. I checked with ASDM 6.2.1 and 6.4.9. Kindly suggest what could be the reason.
CBAH# sh version
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.4(9)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
CBAH up 15 hours 1 min
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is c84c.7599.4810, irq 9
1: Ext: GigabitEthernet0/1 : address is c84c.7599.4811, irq 9
2: Ext: GigabitEthernet0/2 : address is c84c.7599.4812, irq 9
3: Ext: GigabitEthernet0/3 : address is c84c.7599.4813, irq 9
4: Ext: Management0/0 : address is c84c.7599.480f, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1432L0JM
Running Activation Key: 0x042cd360 0x4c819429 0xf4927584 0x8ea0082c 0x8f3d07bf
Configuration register is 0x1
Configuration last modified by enable_15 at 03:19:58.868 UTC Tue Jul 3 2012
show run
ASA Version 8.2(1)
hostname CBAH
domain-name corinthia.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.216 255.255.255.0
interface GigabitEthernet0/1
nameif testing
security-level 100
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 62.240.63.45 255.255.255.248
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 62.240.32.5
name-server 62.68.42.2
name-server 4.2.2.2
name-server 4.2.2.3
domain-name corinthia.local
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list INTERNET extended permit ip 192.168.1.0 255.255.255.0 any
access-list INTERNET extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu testing 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list INTERNET
nat (inside) 1 192.168.1.0 255.255.255.0
nat (testing) 1 192.168.2.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.240.63.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e8c7560ce2dc8a100cc77f09a2b80393
: end
CBAH# sh flash:
--#-- --length-- -----date/time------ path
124 16275456 Aug 03 2010 10:09:54 asa821-k8.bin
125 11348300 Aug 03 2010 12:17:30 asdm-621.bin
3 4096 Jan 01 2003 00:03:50 log
10 4096 Jan 01 2003 00:03:58 crypto_archive
11 4096 Jan 01 2003 00:04:30 coredumpinfo
12 43 Jul 03 2012 03:18:45 coredumpinfo/coredump.cfg
127 12105313 Aug 03 2010 12:14:58 csd_3.5.841-k9.pkg
128 4096 Aug 03 2010 12:15:02 sdesktop
135 1462 Aug 03 2010 12:15:02 sdesktop/data.xml
129 2857568 Aug 03 2010 12:15:02 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
130 3203909 Aug 03 2010 12:15:04 anyconnect-win-2.4.1012-k9.pkg
131 4832344 Aug 03 2010 12:15:06 anyconnect-macosx-i386-2.4.1012-k9.pkg
132 5209423 Aug 03 2010 12:15:08 anyconnect-linux-2.4.1012-k9.pkg
133 18927088 Jun 28 2012 08:09:30 asdm-649.bin
The link should be working; I tried that again:
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
To enter the license you need to do:
activation-key <5 tuple license key>
If the link does not work, send an e-mail to [email protected] and they would send you the license file.
Thanks,
Varun Rao
Security Team,
Cisco TAC
Similar Messages
-
Hi Everyone,
I am setting up a new ASA for testing purposes.
So far it has a single interface active, which is management.
I can SSH to the ASA fine but ASDM is not working.
sh run http shows
sh run http
http server enable
http 172.31.20.0 255.255.255.0 management
sh run ssh
ssh 172.31.20.0 255.255.255.0 management
Regards
Mahesh
Hi Julio,
sh run ssl does not show any output
show flash | include asdm
111 16280544 Jun 29 2011 12:10:58 asdm-645.bin
sh run asdm
no asdm history enable
sh ver shows
up 2 days 2 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is e8b7.483d.0d68, irq 9
1: Ext: GigabitEthernet0/1 : address is e8b7.483d.0d69, irq 9
2: Ext: GigabitEthernet0/2 : address is e8b7.483d.0d6a, irq 9
3: Ext: GigabitEthernet0/3 : address is e8b7.483d.0d6b, irq 9
4: Ext: Management0/0 : address is e8b7.483d.0d6c, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Regards
Mahesh -
ASA-5505 Site-to-Site Not Working
I am somewhat new to Cisco but do have some experience. I am trying to connect two ASA 5505s together via site-to-site VPN. They are configured with public IPs and all other services are working. I have used the VPN wizard on both boxes successfully but the tunnels are not working. The two devices are on the Comcast network. Any help would be appreciated.
Site A: ASA 5505 w/50 User license
Site B: ASA 5505 w/10 User license
Site A Config:
ASA Version 8.2(5)
hostname *********************
enable password 6.De4e7UzES9wBPg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.10 Web_Server
name 10.0.6.0 Ghost_Flower_Inside
name 10.0.5.0 San_Mateo_Inside
name 10.0.5.100 Any_Connect_100
name 10.0.5.101 Any_Connect_101
name 10.0.5.102 Any_Connect_102
name 10.0.5.103 Any_Connect_103
name 10.0.5.104 Any_Connect_104
name 10.0.5.105 Any_Connect_105
name 10.0.5.106 Any_Connect_106
name 10.0.5.107 Any_Connect_107
name 10.0.5.108 Any_Connect_108
name 10.0.5.109 Any_Connect_109
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.5.201 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 173.10.XXX.XXX 255.255.255.252
interface Vlan12
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Any_Connect_DHCP
network-object host Any_Connect_100
network-object host Any_Connect_101
network-object host Any_Connect_102
network-object host Any_Connect_103
network-object host Any_Connect_104
network-object host Any_Connect_105
network-object host Any_Connect_106
network-object host Any_Connect_107
network-object host Any_Connect_108
network-object host Any_Connect_109
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_1_cryptomap extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool AnyConnectDHCPPool Any_Connect_100-10.0.5.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.100.2 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www Web_Server www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.10.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.1.10.0 255.255.255.0 outside
http San_Mateo_Inside 255.255.255.255 inside
http San_Mateo_Inside 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 173.12.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-webvpn-session-limit 10
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh San_Mateo_Inside 255.255.255.0 inside
ssh 10.1.10.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.0.5.10-10.0.5.30 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 regex "Intel Mac OS X"
svc profiles CATS disk0:/cats.xml
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 75.75.75.75
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc profiles value CATS
username user1 password tTq7bIZ.C4x0j.qv encrypted privilege 15
username ********* password sPxon1E6hTszm7Ko encrypted privilege 15
tunnel-group 173.12.XXX.XXX type ipsec-l2l
tunnel-group 173.12.XXX.XXX ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1751532c3624a6c2eec3c1ae0c31fe03
: end
Site B:
ASA Version 8.2(5)
hostname ***************
enable password 6.De4e7UzES9wBPg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.10 Web_Server
name 10.0.6.0 Ghost_Flower_Inside
name 10.0.5.0 San_Mateo_Inside
name 10.0.5.100 Any_Connect_100
name 10.0.5.101 Any_Connect_101
name 10.0.5.102 Any_Connect_102
name 10.0.5.103 Any_Connect_103
name 10.0.5.104 Any_Connect_104
name 10.0.5.105 Any_Connect_105
name 10.0.5.106 Any_Connect_106
name 10.0.5.107 Any_Connect_107
name 10.0.5.108 Any_Connect_108
name 10.0.5.109 Any_Connect_109
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.5.201 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 173.10.XXX.XXX 255.255.255.252
interface Vlan12
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Any_Connect_DHCP
network-object host Any_Connect_100
network-object host Any_Connect_101
network-object host Any_Connect_102
network-object host Any_Connect_103
network-object host Any_Connect_104
network-object host Any_Connect_105
network-object host Any_Connect_106
network-object host Any_Connect_107
network-object host Any_Connect_108
network-object host Any_Connect_109
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_1_cryptomap extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool AnyConnectDHCPPool Any_Connect_100-10.0.5.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.100.2 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www Web_Server www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.10.242.182 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.1.10.0 255.255.255.0 outside
http San_Mateo_Inside 255.255.255.255 inside
http San_Mateo_Inside 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 173.12.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-webvpn-session-limit 10
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh San_Mateo_Inside 255.255.255.0 inside
ssh 10.1.10.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.0.5.10-10.0.5.30 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 regex "Intel Mac OS X"
svc profiles CATS disk0:/cats.xml
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 75.75.75.75
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc profiles value CATS
username ************** password sPxon1E6hTszm7Ko encrypted privilege 15
tunnel-group 173.12.XXX.XXX type ipsec-l2l
tunnel-group 173.12.XXX.XXX ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1751532c3624a6c2eec3c1ae0c31fe03
: end
Hi Kevin,
Both sides have the IP address 173.10.XXX.XXX on their respective outside interfaces, and you have configured the peers as 173.12.X.X.
Please ensure the correct IP addresses for the VPN peers are configured, via the following command:
crypto map outside_map 1 set peer X.X.X.X
e.g. if you have 173.10.X.X on Site X and 173.12.X.X on Site Y, then
On Site X, peer would be
crypto map outside_map 1 set peer 173.12.X.X
and the tunnel-group will be
tunnel-group 173.12.XXX.XXX type ipsec-l2l
tunnel-group 173.12.XXX.XXX ipsec-attributes
pre-shared-key *****
On Site Y, peer would be
crypto map outside_map 1 set peer 173.10.X.X
and the tunnel-group will be
tunnel-group 173.10.XXX.XXX type ipsec-l2l
tunnel-group 173.10.XXX.XXX ipsec-attributes
pre-shared-key *****
Also, the NAT exempt would be complementary on each side, i.e.
On Site X,
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
On Site Y,
access-list inside_nat0_outbound extended permit ip Ghost_Flower_Inside 255.255.255.0 San_Mateo_Inside 255.255.255.0
Hope that helps.
Regards,
Dinesh Moudgil -
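The consistency checks in the reply above (each side's crypto-map peer must be the other side's outside address, a matching ipsec-l2l tunnel-group must exist, and the NAT-exempt and crypto ACLs must mirror each other) are easy to get wrong when one config is cloned from the other. The following is an added example, not code from the thread or from Cisco: a small Python script that parses two ASA 8.2-style configs and reports which of those conditions fail. The configs it builds are constructed skeletons modelled on the posted ones, using RFC 5737 documentation addresses in place of the masked public IPs; the function names are mine.

```python
"""Cross-check two ASA 8.2 configs for an ipsec-l2l (site-to-site) tunnel.

Added example, not code from the thread.  It checks what the reply asks
for: each side's crypto-map peer is the other side's outside address, a
matching ipsec-l2l tunnel-group exists on each side, every crypto-ACL flow
is NAT-exempted on its own side, and the crypto ACLs are mirror images.
"""
import re


def site_config(hostname, inside_ip, outside_ip, peer, local, remote):
    """Constructed config skeleton modelled on the posted ones.

    Uses RFC 5737 documentation addresses, not the thread's real ones."""
    return f"""\
hostname {hostname}
names
name 10.0.5.0 San_Mateo_Inside
name 10.0.6.0 Ghost_Flower_Inside
interface Vlan1
 nameif inside
 ip address {inside_ip} 255.255.255.0
interface Vlan2
 nameif outside
 ip address {outside_ip} 255.255.255.252
access-list outside_1_cryptomap extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
access-list inside_nat0_outbound extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer {peer}
crypto map outside_map interface outside
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 pre-shared-key *****
"""


SITE_A = site_config("site-a", "10.0.5.201", "198.51.100.2", "203.0.113.2",
                     "San_Mateo_Inside", "Ghost_Flower_Inside")
SITE_B = site_config("site-b", "10.0.6.201", "203.0.113.2", "198.51.100.2",
                     "Ghost_Flower_Inside", "San_Mateo_Inside")


def names_table(config):
    """'name <ip> <alias>' entries, so ACLs written with aliases can be compared."""
    return {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)$", config, re.M)}


def outside_ip(config):
    """Address of the interface whose nameif is 'outside'."""
    iface, nameifs, addrs = None, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif iface and line.startswith("nameif "):
            nameifs[iface] = line.split()[1]
        elif iface and line.startswith("ip address "):
            addrs[iface] = line.split()[2]
    return next((addrs.get(i) for i, n in nameifs.items() if n == "outside"), None)


def crypto_peers(config):
    """Peers named in 'crypto map <name> <seq> set peer <ip>' lines."""
    return set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)$", config, re.M))


def l2l_tunnel_groups(config):
    """Names of tunnel-groups of type ipsec-l2l (for L2L these are the peer IPs)."""
    return set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M))


def acl_flows(config, acl):
    """{(src/mask, dst/mask)} for the 'permit ip' lines of an ACL, aliases resolved."""
    names = names_table(config)
    pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    return {(f"{names.get(s, s)}/{sm}", f"{names.get(d, d)}/{dm}")
            for s, sm, d, dm in re.findall(pat, config, re.M)}


def check_pair(cfg_a, cfg_b, crypto_acl="outside_1_cryptomap", nat0_acl="inside_nat0_outbound"):
    """Problems that would stop the tunnel; an empty list means the pair is consistent."""
    problems = []
    ip_a, ip_b = outside_ip(cfg_a), outside_ip(cfg_b)
    for side, cfg, remote in (("A", cfg_a, ip_b), ("B", cfg_b, ip_a)):
        if remote not in crypto_peers(cfg):
            problems.append(f"site {side}: crypto map peer is not the other side's outside {remote}")
        if remote not in l2l_tunnel_groups(cfg):
            problems.append(f"site {side}: no 'tunnel-group {remote} type ipsec-l2l'")
        if not acl_flows(cfg, crypto_acl) <= acl_flows(cfg, nat0_acl):
            problems.append(f"site {side}: {crypto_acl} flows are not all NAT-exempted in {nat0_acl}")
    if {(d, s) for s, d in acl_flows(cfg_a, crypto_acl)} != acl_flows(cfg_b, crypto_acl):
        problems.append(f"{crypto_acl}: site B entries are not the mirror of site A")
    return problems


if __name__ == "__main__":
    print("corrected pair:", check_pair(SITE_A, SITE_B) or "OK")
    # Pasting the same config on both boxes reproduces the thread's symptom.
    for p in check_pair(SITE_A, SITE_A):
        print("copied config:", p)
```

Running `check_pair(SITE_A, SITE_A)` models what the two posted configs look like (same outside address, same peer, same ACL direction on both sides) and reports the peer, tunnel-group and mirror failures; `check_pair(SITE_A, SITE_B)` with the mirrored Site B returns no problems.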
ASDM is not working in outside interface
Hi,
I am new to ASA. I have got an ASA 5510 and was trying to enable ASDM access through the outside interface, but it's not working for me. I have configured a public IP on the outside interface and enabled SSH and ASDM. SSH is working but ASDM is not working. It is a test environment so I haven't configured any ACL yet.
VPN-TEST# show version
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
VPN-TEST up 4 hours 33 mins
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is d0d0.fd1d.8758, irq 9
1: Ext: Ethernet0/1 : address is d0d0.fd1d.8759, irq 9
2: Ext: Ethernet0/2 : address is d0d0.fd1d.875a, irq 9
3: Ext: Ethernet0/3 : address is d0d0.fd1d.875b, irq 9
4: Ext: Management0/0 : address is d0d0.fd1d.8757, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
VPN-TEST# show run http
http server enable
http 0.0.0.0 0.0.0.0 outside
VPN-TEST# show run asdm
asdm image disk0:/asdm-621.bin
asdm history enable
Could anyone please help me to find out what i am missing?
Kind Regards,
Praveen
Hi Marvin,
Thanks for your reply.
** Is asdm-621.bin present on disk0? **
VPN-TEST# show flash:
--#-- --length-- -----date/time------ path
92 16275456 Apr 25 2010 02:44:00 asa821-k8.bin
93 11348300 Apr 25 2010 04:56:04 asdm-621.bin
**Can you reach your test workstation from the outside interface? Is that where you successfully ssh from?**
I was trying to reach it from my home and I can ping my home station from the outside interface.
** Is there any firewall or router ACL in the path between your workstation and the ASA? **
There is no firewall configured.
**Does the ASA log show anything when you try without success to launch ASDM? **
I can't see any logs... Is there any special command to enable logging?
** What error specifically do you see? **
It shows the webpage is not available. -
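Both this thread and the first one on this page ("ASA asdm not working") come down to the same short checklist: is `http server enable` present, does an `http <net> <mask> <nameif>` rule admit the client on the interface it arrives on, does the `asdm image` file actually exist on disk0:, and does the unit have the 3DES/AES licence (without it the ASA can offer only DES for the HTTPS session, which browsers and Java refuse, which is why the first thread's reply points at the free strong-encryption licence). The following is an added example, not code from either thread or from Cisco: a Python lint that runs those checks against captured `show run`, `show flash:` and `show version` text. The inputs are constructed and modelled on the posted outputs (not verbatim), and the function names are mine. It also flags `0.0.0.0 0.0.0.0` management rules, which expose the management plane to every source address, as a hardening finding rather than a fix for the symptom.

```python
"""Lint an ASA 8.x config for the things that stop the ASDM page loading.

Added example, not code from either thread.  For a client address arriving
on a given interface it checks that the HTTP server is enabled, that an
'http' rule admits that client on that interface, that the configured
'asdm image' exists on disk0:, and whether the 3DES/AES licence is absent
(then the HTTPS session can only use DES, which browsers refuse).  It also
flags 0.0.0.0/0 management rules as a hardening finding.
"""
import ipaddress
import re

# Constructed inputs modelled on the outputs posted in the threads above (not verbatim).
RUNNING_CONFIG = """\
names
interface GigabitEthernet0/0
 nameif inside
 ip address 192.168.1.216 255.255.255.0
asdm image disk0:/asdm-649.bin
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
"""
SHOW_FLASH = """\
--#-- --length-- -----date/time------ path
  124 16275456 Aug 03 2010 10:09:54 asa821-k8.bin
  125 11348300 Aug 03 2010 12:17:30 asdm-621.bin
  133 18927088 Jun 28 2012 08:09:30 asdm-649.bin
"""
SHOW_VERSION = """\
VPN-DES : Enabled
VPN-3DES-AES : Disabled
"""


def names_table(config):
    """'name <ip> <alias>' entries, so 'http <alias> <mask> <if>' lines parse."""
    return {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)$", config, re.M)}


def http_server_port(config):
    """Port the ASDM/HTTPS server listens on (default 443), or None if disabled."""
    m = re.search(r"^http server enable(?: (\d+))?$", config, re.M)
    return int(m.group(1) or 443) if m else None


def http_rule_for(config, client_ip, iface):
    """The 'http <net> <mask> <nameif>' line admitting client_ip on iface, or None."""
    names, client = names_table(config), ipaddress.ip_address(client_ip)
    for line, net, mask, nameif in re.findall(r"^(http (?!server\b)(\S+) (\S+) (\S+))$", config, re.M):
        if nameif != iface:
            continue
        try:
            network = ipaddress.ip_network(f"{names.get(net, net)}/{mask}", strict=False)
        except ValueError:       # not a network rule (e.g. 'http redirect ...')
            continue
        if client in network:
            return line
    return None


def asdm_image_status(config, flash_listing):
    """(configured image name, present on disk0:)."""
    m = re.search(r"^asdm image disk0:/(\S+)$", config, re.M)
    if not m:
        return None, False
    files = {l.split()[-1] for l in flash_listing.splitlines() if l.split() and l.split()[0].isdigit()}
    return m.group(1), m.group(1) in files


def des_only_ssl(show_version):
    """True when VPN-3DES-AES is disabled: the ASA then offers only DES for HTTPS."""
    return re.search(r"^VPN-3DES-AES\s*:\s*Disabled", show_version, re.M) is not None


def world_open_mgmt(config):
    """Management-plane rules (http/ssh/telnet) that admit any source address."""
    return re.findall(r"^(?:http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 \S+$", config, re.M)


def lint(config, flash_listing, show_version, client_ip, iface):
    """Reasons ASDM would fail for client_ip on iface, plus hardening findings."""
    findings = []
    if http_server_port(config) is None:
        findings.append("'http server enable' is missing")
    if http_rule_for(config, client_ip, iface) is None:
        findings.append(f"no 'http' rule admits {client_ip} on interface {iface}")
    image, present = asdm_image_status(config, flash_listing)
    if image is None:
        findings.append("no 'asdm image' configured")
    elif not present:
        findings.append(f"asdm image {image} is not on disk0:")
    if des_only_ssl(show_version):
        findings.append("VPN-3DES-AES disabled: HTTPS limited to DES, browsers will not load ASDM")
    findings += [f"management access open to any source: '{r}'" for r in world_open_mgmt(config)]
    return findings


if __name__ == "__main__":
    for f in lint(RUNNING_CONFIG, SHOW_FLASH, SHOW_VERSION, "192.168.1.50", "inside"):
        print(f)
```

Against the constructed inputs the lint reports only the missing 3DES/AES licence and the world-open `http` rule; the HTTP server, the inside `http` rule and the `asdm-649.bin` image all check out, which is the point of the exercise: when those three are fine and the page still will not load, look at the licence and at the TLS ciphers the browser is willing to accept.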
VPN not working after adding subinterface - ASA 5510
Hello,
Currently I want to add a second LAN (VLAN) in a customer's network. The new network will be for a wireless infrastructure.
There is also VPN configured on the ASA: one with L2TP for Windows clients and an IPsec one for Cisco clients.
Formerly we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.
Now I want to use Eth0/2 with subinterfaces, so that we will be flexible in the future when deploying more VLANs.
But now, when I set the first subinterface Eth0/2.2 to no shut, the VPN connections do not work any more.
Building up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this, because a tracert to an internal address goes to the internet.)
Below is my config; I don't know what's wrong. I think split-tunnel is configured correctly (because it works when I delete Eth0/2.2).
TREV is the network of this location.
Company1,2,3 are remote locations.
: Saved
ASA Version 8.2(5)
hostname XXXXXXX
domain-name domain.lan
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
name 192.168.100.0 TREV
name 192.168.200.0 COMPANY3
name XXXXXXXX Company1
name 192.168.1.0 Company2
name XXXXXXXXX GCT
name XXXXXXXX BMD
name 192.168.110.0 Wireless
name 192.168.201.0 COMPANY3-VPN
name 192.168.11.0 COMPANY2-VPN
name 192.168.101.0 TREV-VPN
interface Ethernet0/0
description Outside
nameif outside
security-level 0
ip address XXXXX 255.255.255.248
interface Ethernet0/1
description Inside
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
description Trunk Interface
no nameif
no security-level
no ip address
interface Ethernet0/2.2
description Wireless
vlan 110
nameif wlan
security-level 100
ip address 192.168.110.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.10
domain-name domain.lan
dns server-group COMPANY2
name-server 192.168.1.16
domain-name domain.local
dns server-group COMPANY3
name-server 192.168.200.1
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network VPN_Networks
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object TREV 255.255.255.0
network-object TREV-VPN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object COMPANY2 255.255.255.0
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object Wireless 255.255.255.0
access-list INCOMING remark *** Allow ICMP ***
access-list INCOMING extended permit icmp any any echo-reply
access-list INCOMING extended permit icmp any any time-exceeded
access-list INCOMING extended permit icmp any any unreachable
access-list INCOMING extended permit icmp any any parameter-problem
access-list INCOMING extended permit icmp any any source-quench
access-list INCOMING extended permit icmp any any echo
access-list INCOMING remark *** Maintenance Company1 ***
access-list INCOMING remark *** Maintenance BMD ***
access-list INCOMING remark *** Mail ***
access-list ......
access-list Trev-nat0 remark *** NoNat ***
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list DefaultRAGroup_splitTunnelAcl standard permit TREV 255.255.255.0
access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_debug extended permit tcp any host 192.168.100.5
access-list inside_debug extended permit tcp any TREV 255.255.255.0
access-list Wireless-nat0 extended permit ip Wireless 255.255.255.0 TREV 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu wlan 1500
ip local pool VPN-Pool 192.168.101.1-192.168.101.31 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 XXXXXXXXXXX
nat (inside) 0 access-list Trev-nat0
nat (inside) 2 192.168.100.25 255.255.255.255
nat (inside) 2 192.168.100.250 255.255.255.255
nat (inside) 1 TREV 255.255.255.0
nat (wlan) 0 access-list Wireless-nat0
static (inside,outside) tcp interface 444 192.168.100.10 444 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.10 https netmask 255.255.255.255
.... a lot of statics..............
static (inside,outside) tcp XXXXXXXXXX pop3 192.168.100.25 pop3 netmask 255.255.255.255
static (inside,outside) tcp XXXXXXXXXX 995 192.168.100.25 995 netmask 255.255.255.255
access-group INCOMING in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.100.10
timeout 5
key *****
radius-common-pw *****
aaa-server RADIUS2 protocol radius
aaa-server RADIUS2 (inside) host 192.168.100.10
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable 4430
http COMPANY2 255.255.255.0 management
http TREV 255.255.255.0 inside
http Company1 255.255.255.224 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_AES_128_SHA TRANS_ESP_AES_256_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 178.188.202.78
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 5
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh bit-Studio 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh TREV 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcprelay server 192.168.100.10 inside
dhcprelay enable wlan
dhcprelay setroute wlan
dhcprelay timeout 90
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
intercept-dhcp enable
group-policy IPsecVPN internal
group-policy IPsecVPN attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
username admin password XXXXXXXXXX encrypted privilege 15
username vpntest password XXXXXXXXX nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group XXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXX ipsec-attributes
pre-shared-key *****
tunnel-group IPsecVPN type remote-access
tunnel-group IPsecVPN general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy IPsecVPN
tunnel-group IPsecVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f2041a5902e945a130fe25fbb8e5d368
: end
Hi,
First I would go through all the NAT0/NAT Exempt rules you have for VPNs. They seem to contain useless lines where either the destination or the source network isn't correct.
Let's look at the NAT0 ACL you have line by line.
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
The above access-list has the correct source network configured, yet it has its destination addresses configured with an "object-group" which contains your LAN network.
You should probably remove the LAN network from the object-group VPN_Networks.
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
To my understanding the above ACL line doesn't serve any purpose, as the networks configured under VPN_Networks aren't located behind your "inside" interface (other than the one I'm asking you to remove from the object-group).
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
The above ACL overlaps with the very first ACL line's configuration and needlessly makes the configuration harder to read. It also contains the wireless network, which it shouldn't.
I would suggest simplifying your NAT0 configuration, for example in the following way (change the names if you want, if you're going to try it out):
object-group network TREV-LAN
description Local networks
network-object 192.168.100.0 255.255.255.0
object-group network VPN-NETWORKS
description Remote networks
network-object 192.168.200.0 255.255.255.0
network-object 192.168.201.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
access-list TREV-LAN-NAT0 permit ip object-group TREV-LAN object-group VPN-NETWORKS
With the above configuration:
You have all NAT0 in a single access-list line (not counting the remark line, as it doesn't affect anything).
If there are changes in the VPN pools, VPN remote networks or LAN networks you can simply change them under the configured object-groups instead of touching the actual ACL. There might be situations where you should change the ACL from the above if there are some bigger changes to the network.
So as I said, I would start with changing the above NAT configuration and then test the VPN again. If it doesn't work we will have to check some other things out.
- Jouni -
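The running-config in the question above enables the HTTP (ASDM) server on a non-default port (`http server enable 4430`) and, for both `http` and `ssh`, contains a `0.0.0.0 0.0.0.0 outside` entry next to the narrower company ranges. The script below is an added example and not part of any post on this page: it pulls the management-plane lines out of a config dump, reports the ASDM port and authentication source, and lists every management ACL entry that is open to the whole address space on an untrusted interface. The sample config is constructed from those lines; the `names` entries TREV, COMPANY2 and Company1 are not expanded anywhere on the page, so documentation addresses (RFC 5737) stand in for them, which is an assumption.

```python
"""Audit the management-plane lines of a Cisco ASA running-config (added example)."""
import ipaddress
import re

# Constructed sample: the http/ssh/aaa lines from the question's config, with
# documentation addresses standing in for the unexpanded `names` entries.
SAMPLE_CFG = """\
aaa authentication ssh console LOCAL
http server enable 4430
http 192.0.2.0 255.255.255.0 management
http 198.51.100.0 255.255.255.0 inside
http 203.0.113.0 255.255.255.224 outside
http 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.0 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 198.51.100.0 255.255.255.0 inside
ssh timeout 60
"""

HTTP_PORT_RE = re.compile(r"^http server enable(?: (\d+))?$")
MGMT_ACL_RE = re.compile(r"^(http|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
AAA_RE = re.compile(r"^aaa authentication (ssh|http|telnet) console (\S+)$")


def audit_mgmt_plane(cfg, untrusted_ifaces=("outside",)):
    """Summarise who may reach ASDM/SSH on the box and how they authenticate."""
    report = {"http_enabled": False, "http_port": None, "acl": [], "world_open": [], "aaa": {}}
    for raw in cfg.splitlines():
        line = raw.strip()
        m = HTTP_PORT_RE.match(line)
        if m:
            report["http_enabled"] = True
            report["http_port"] = int(m.group(1) or 443)   # ASA listens on 443 unless a port is given
            continue
        m = MGMT_ACL_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            report["acl"].append((proto, str(net), iface))
            # a /0 entry on an untrusted interface exposes the management service to everyone
            if iface in untrusted_ifaces and net.prefixlen == 0:
                report["world_open"].append((proto, iface))
            continue
        m = AAA_RE.match(line)
        if m:
            report["aaa"][m.group(1)] = m.group(2)
    # Without `aaa authentication http console`, ASDM logins use the enable password.
    report["asdm_auth"] = report["aaa"].get("http", "enable-password")
    return report


def asdm_url(report, mgmt_ip):
    """The URL a browser must use: the port has to be spelled out when it is not 443."""
    if not report["http_enabled"]:
        return None
    port = "" if report["http_port"] == 443 else f":{report['http_port']}"
    return f"https://{mgmt_ip}{port}/admin"


if __name__ == "__main__":
    rep = audit_mgmt_plane(SAMPLE_CFG)
    print("ASDM URL (inside):", asdm_url(rep, "192.168.100.1"))
    print("ASDM auth source:", rep["asdm_auth"])
    for proto, iface in rep["world_open"]:
        print(f"WARNING: {proto} management open to 0.0.0.0/0 on {iface}")
```

Two things the report makes explicit: a browser aimed at `https://<inside-ip>/` connects to 443, not 4430, so the port belongs in the URL; and a `0.0.0.0 0.0.0.0 outside` entry for `http` or `ssh` exposes ASDM and SSH to the entire Internet, so those entries deserve narrowing to the known source ranges that already sit beside them.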
ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working
I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enable
Hi,
I can't see any problems right away in the configuration.
I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As the configuration's 1.1.1.0/28 is not actually configured on the ASA.)
Share the exact "packet-tracer" command used (without the public IP; notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there are no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni -
ASDM stopped working on Cisco ASA 5510
Hi All,
We have an ASA 5510 running 8.2(1) and ASDM 6.2(1).
Since yesterday evening ASDM suddenly stopped working. When I log in I get "Unable to launch device manager from xx.xx.xx.xx".
Firewall uptime as of today: 1 year 145 days. The firewall has 1GB RAM and 76% free.
I can SSH to the firewall fine, but ASDM or https://xx.xx.xx.xx won't work. On Internet Explorer it says "Page not displayed". Google Chrome:
SSL connection Error - Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
I can telnet to port 443 fine.
When I look at the logs:
Jun 25 2013 14:33:40: %ASA-6-725001: Starting SSL handshake with client inside:xx.xx.xx.xx/11934 for TLSv1 session.
Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL3_SETUP_BUFFERS Reason: malloc failure
Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason:
Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
Jun 25 2013 14:33:40: %ASA-6-106015: Deny TCP (no connection) from xx.xx.xx.xx/11934 to yy.yy.yy.yy/443 flags FIN ACK on interface inside
Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from xx.xx.xx.xx/11934 to inside:yy.yy.yy.yy/443
xx.xx.xx.xx - is the PC IP
yy.yy.yy.yy - is the IP of inside interface on firewall
Note: ASDM was left running over the weekend and was working fine until yesterday evening. No changes have been made for the last week.
*Rebooting the ASA is not an option
Can anyone help?
Thanks in advance
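The log excerpt in the post above is the whole story of one failed connection: the ASA starts a TLS handshake (725001), the SSL library fails to allocate its buffers (725014 "malloc failure"), the ClientHello is abandoned, and the TCP request is discarded (710005). The browser's "SSL protocol error" is the client-side view of that. The script below is an added example, not part of the post: it reads ASA syslog lines, ties each 725014 library error to the handshake it belongs to, and separates "memory allocation failed on the firewall" from ordinary handshake errors. The sample lines are constructed from the message IDs quoted in the post, with RFC 5737 documentation addresses in place of xx.xx.xx.xx and yy.yy.yy.yy; a second, successful handshake is added so the triage has something to contrast. Because 725014 carries no client address, the code attributes it to the most recently started handshake that has not completed, which is an assumption about message ordering.

```python
"""Triage Cisco ASA SSL-handshake syslogs for the ASDM/HTTPS failure pattern (added example)."""
import re

# Constructed sample: the message IDs from the post, documentation addresses,
# plus one successful handshake (725002) for contrast.
SAMPLE_LOG = """\
Jun 25 2013 14:33:40: %ASA-6-725001: Starting SSL handshake with client inside:192.0.2.10/11934 for TLSv1 session.
Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL3_SETUP_BUFFERS Reason: malloc failure
Jun 25 2013 14:33:40: %ASA-7-725014: SSL lib error. Function: SSL23_GET_CLIENT_HELLO Reason:
Jun 25 2013 14:33:40: %ASA-7-710005: TCP request discarded from 192.0.2.10/11934 to inside:192.0.2.1/443
Jun 25 2013 14:33:40: %ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/11934 to 192.0.2.1/443 flags FIN ACK on interface inside
Jun 25 2013 14:33:41: %ASA-6-725001: Starting SSL handshake with client inside:192.0.2.11/50200 for TLSv1 session.
Jun 25 2013 14:33:41: %ASA-6-725002: Device completed SSL handshake with client inside:192.0.2.11/50200
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"(?:client |from )(?:\w+:)?(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)")
LIBERR_RE = re.compile(r"Function: (?P<fn>\S+) Reason: ?(?P<reason>.*)$")


def parse_syslog(lines):
    """Split each ASA syslog line into timestamp, severity, message ID and text."""
    return [m.groupdict() for m in (SYSLOG_RE.match(l.strip()) for l in lines) if m]


def _client(msg):
    m = CLIENT_RE.search(msg)
    return (m.group("ip"), m.group("port")) if m else None


def triage(lines):
    """Correlate handshake start/error/complete/discard messages per client socket."""
    sessions, order, current = {}, [], None
    for ev in parse_syslog(lines):
        mid, msg = ev["id"], ev["msg"]
        if mid == "725001":                        # handshake started
            current = _client(msg)
            sessions[current] = {"completed": False, "errors": [], "discarded": False}
            order.append(current)
        elif mid == "725014" and current is not None:   # library error, no address: attach to open handshake
            m = LIBERR_RE.search(msg)
            sessions[current]["errors"].append((m.group("fn"), m.group("reason").strip()))
        elif mid == "725002":                      # handshake completed
            c = _client(msg)
            if c in sessions:
                sessions[c]["completed"] = True
                if c == current:
                    current = None
        elif mid == "710005":                      # ASA dropped the request to itself
            c = _client(msg)
            if c in sessions:
                sessions[c]["discarded"] = True
    malloc = sum(1 for s in sessions.values() for _, reason in s["errors"] if "malloc" in reason)
    failed = [c for c in order if not sessions[c]["completed"] and sessions[c]["errors"]]
    completed = [c for c in order if sessions[c]["completed"]]
    if malloc:
        verdict = "ssl-memory-exhaustion"   # the firewall could not allocate SSL buffers
    elif failed:
        verdict = "ssl-handshake-errors"
    else:
        verdict = "healthy"
    return {"malloc_failures": malloc, "failed_clients": failed,
            "completed_clients": completed, "verdict": verdict, "sessions": sessions}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(result["verdict"], "malloc failures:", result["malloc_failures"])
    for client in result["failed_clients"]:
        print("failed handshake from %s/%s: %s" % (*client, result["sessions"][client]["errors"]))
```

The verdict worth acting on is `ssl-memory-exhaustion`: the device itself failed a memory allocation inside its SSL library, so changing browsers, Java versions or the ASDM image will not help, and "76% free" from a single `show memory` snapshot does not rule out a shrinking or fragmented pool. Sampling `show memory` over time and comparing it with the moment the 725014 lines began is the check to run before deciding whether a reload can be avoided.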
Cisco ASA 5520 ASDM Not loading
Hi,
Can anyone help me out ASAP? I have an issue: I am unable to log in to my Cisco ASDM since this morning. Until yesterday I was able to access it successfully.
Please find the attached screen shot.
Regards
Prabhakaran E
+91-9500203494
Hello Prabhakaran,
If you are unable to connect to the ASDM, you can go ahead and try to run it from the web page:
- Open Firefox or Google Chrome and type the URL --> https://XXXXXXXX/admin
XXXXXX--> the IP address of the ASA from where you should have access (inside or outside IP address)
- Click on "Run ASDM"
- if this does not work, go ahead and open the Java Console by going to this path:
Control Panel\Programs
- Then click on the Security tab and add on the Exception site List the -->https://XXXXXXXX/admin
- Then try to open the ASDM.
Let me know how it works out!
Please don't forget to rate and mark as correct the helpful Post!
Regards,
David Castro
Hi there.
I am just trying to do PAT with GNS3, but it is not working and I don't have any idea why.
(Cisco Adaptive Security Appliance Software Version 8.4(2))
And also I found out that there are some changes in the NAT configuration. I did them, but it didn't work.
I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2, 8.8.8.8.
I turned on debug in R1 and I can see the ICMP.
R1#
*Mar 1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
*Mar 1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
And I can also see the xlate on the ASA.
ASA-1# sh xlate
1 in use, 9 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
ASA-1#
This is my topology.
[ASA1]
ASA-1# sh run ip
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
ASA-1# sh run object network
object network obj-192.168.100.0
subnet 0.0.0.0 0.0.0.0
ASA-1# conf t
ASA-1(config)# ob
ASA-1(config)# object net
ASA-1(config)# object network obj-192.168.100.0
ASA-1(config-network-object)# nat (in
ASA-1(config-network-object)# nat (inside,ou
ASA-1(config-network-object)# nat (inside,outside) dy
ASA-1(config-network-object)# nat (inside,outside) dynamic inter
ASA-1(config-network-object)# nat (inside,outside) dynamic interface
ASA-1(config-network-object)# end
[R4]
interface FastEthernet0/0
ip address 10.10.20.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.100.254 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.20.1
[HOST]
ip address 192.168.100.116/24
[R1]
interface FastEthernet0/0
ip address 10.10.10.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 1.1.12.1 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
What am I missing?
Please correct me.
Thank you in advance.
Just reloaded... I'm still stuck on the ping.
Changed the topology to be simpler, but it is still not working.
Here is all that I did.
[ASA]
access-list ICMP extended permit icmp any any echo-reply
access-list ICMP extended permit icmp any any time-exceeded
access-group ICMP in interface outside
interface GigabitEthernet0
description To_UP
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet1
description To_DOWN
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
[R1]
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think I need this)
[R4]
interface FastEthernet0/0
ip address 10.10.20.2 255.255.255.0
ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)
[output of packet-tracer]
ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP <---??????????????????????????
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
[ASA]
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ICMP; 2 elements; name hash: 0x2d2cf426
access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
ciscoasa#
I created an ACL and permitted it.
Thank you.
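Jouni's earlier suggestion on this page (run `packet-tracer` and share the output) and the output posted just above both come down to the same reading: find the first phase whose `Result:` is `DROP`, look at the `Config:` block under it, and then read the `Drop-reason:` line in the summary. The parser below is an added example, not part of either post. It turns packet-tracer text into a list of phases plus the final verdict, so the first dropping phase and the rule it blames can be picked out mechanically; the sample is a copy of the output above, embedded as a constructed string so the code runs offline.

```python
"""Parse Cisco ASA `packet-tracer` output into phases and a verdict (added example)."""

# Constructed sample: the packet-tracer output posted above.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return {"phases": [...], "verdict": {...}} from raw packet-tracer output."""
    phases, verdict = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":                      # a bare "Result:" opens the final summary block
            in_summary, current = True, None
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if in_summary:
            verdict[key] = val                     # input-interface, action, drop-reason, ...
        elif current is None:
            continue
        elif key in ("type", "subtype", "result"):
            current[key] = val
        elif key == "config":
            section = "config"                     # lines until the next header belong to Config:
        elif key == "additional information":
            section = "info"
        elif section is not None:
            current[section].append(line)
    return {"phases": phases, "verdict": verdict}


def first_drop(parsed):
    """The first phase that dropped the packet, or None when every phase allowed it."""
    return next((p for p in parsed["phases"] if p["result"] == "DROP"), None)


def summarize(parsed):
    """One line naming the dropping phase, the rule it blames and the ASA drop reason."""
    verdict, drop = parsed["verdict"], first_drop(parsed)
    if drop is None:
        return f"{verdict.get('action', '?')} after {len(parsed['phases'])} phases"
    cfg = "; ".join(drop["config"]) or "no config shown"
    return f"drop at phase {drop['phase']} {drop['type']} ({cfg}): {verdict.get('drop-reason', '')}"


if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE)))
```

For the output above the summary reads `drop at phase 2 ACCESS-LIST (Implicit Rule): (acl-drop) Flow is denied by configured rule`, which says the packet never reached the `ICMP` list bound to `outside` (its hit counts stay at 0 in the `show access-list` output) and was refused by an implicit rule on the way out of `inside`. When the dropping phase is `ACCESS-LIST` and `Config:` shows a named line rather than `Implicit Rule`, that line is printed verbatim and is the one to fix.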
Dynamic NAT ASA 8.4 Packet Tracer not working
Hi guys,
I've tried to ping and go to a site from 192.168.1.6 to 10.10.10.12, but it's not working. I've followed a couple dynamic NAT tutorials, but I can't figure out what I'm missing. The config is below, and I'd appreciate any help.
Thanks!
ASA Version 8.4(2)
hostname ciscoasa
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.2 255.0.0.0
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
object network inside-subnet
nat (inside,outside) dynamic interface
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd auto_config outside
Thanks guys. I'm one step closer. I can ping from 192.168.1.0 to 10.0.0.0, but I can't open a webpage. I try visiting 10.0.0.6/index.html in Packet Tracer and get a "Request time out" message. I tried to mirror the ACL for www, but it's not working.
Does anyone have a suggestion? My updated config is below.
Thanks!
ASA Version 8.4(2)
hostname ciscoasa
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.0.0.1 255.0.0.0
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
object network outside-subnet
subnet 10.0.0.0 255.0.0.0
access-list TEST extended permit icmp any any echo-reply
access-list TEST extended permit tcp any any eq www
access-list http extended permit tcp any any eq www
access-list http2 extended permit udp any any eq www
access-group TEST in interface outside
object network inside-subnet
nat (inside,outside) dynamic interface
telnet timeout 5
ssh timeout 5
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
NEW ASA 5510 8.4 -- internet is not working
Hi Experts,
I implemented a ASA5510 with latest software version.
I configured outside interface, default route, PAT to the outside interface. I am able to ping and telnet to the inside interface of the ASA.
But internet is not working.
Did i miss any configuration?
I enabled ICMP on outside. I did a ping to the next hop from the ASA, but it is not working.
Please advise.
Thanks
Vipin
Yes, that's correct, but if it is not working then we might need to take a look at the complete configuration and also take captures to verify where the packets are being dropped.
Thanks,
Varun
ACL not working in ASA 8.4
An ACL has been applied on the inside interface of the ASA 8.4, but it is not working. The aim of this list is to allow only a few hosts outside access and deny the rest of the hosts outside access. The syntax of the access list is:
access-list ACL-Inside extended permit ip host 192.168.100.101 any
access-list ACL-Inside extended permit ip host 192.168.100.108 any
access-list ACL-Inside extended permit ip host 192.168.100.109 any
access-list ACL-Inside extended permit ip host 192.168.100.243 any
access-list ACL-Inside extended permit ip host 192.168.100.241 any
access-group ACL-Inside in interface inside
Did you configure the NAT statement for the inside hosts to be mapped to a public IP? The config below will NAT 192.168.100.0-192.168.100.254 to the outside interface, and the access-list you defined only allows those hosts to go out.
object network Inside_Net
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) dynamic interface
If you already did the above config, please send us the packet capture as Mike requested.
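Two posts on this page hinge on how an ASA evaluates an extended ACL: Jouni's NAT0 cleanup earlier (object-group based exemption lines, plus lines that only repeat what an earlier line already covers) and the ACL-Inside question just above (five `permit ip host ... any` lines, with every other host falling through to the implicit deny at the end of the list). The script below is an added example and not part of either post. It parses `object-group network` blocks and `access-list ... permit ip` lines, answers "which line does this source/destination pair hit, if any" with first-match semantics, and reports lines that are fully shadowed by an earlier line. The config is a constructed sample modelled on those posts; the second `TREV-LAN-NAT0` line is added on purpose as a redundant entry for the check to find. Only `ip` rules are modelled, which is an assumption; protocol/port matching is out of scope.

```python
"""First-match evaluation and shadowing check for Cisco ASA extended ACLs (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: Jouni's simplified NAT0 objects and ACL (with one
# deliberately redundant line), plus three of the ACL-Inside host entries.
SAMPLE_CFG = """\
object-group network TREV-LAN
 description Local networks
 network-object 192.168.100.0 255.255.255.0
object-group network VPN-NETWORKS
 description Remote networks
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.201.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
access-list TREV-LAN-NAT0 extended permit ip object-group TREV-LAN object-group VPN-NETWORKS
access-list TREV-LAN-NAT0 extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list ACL-Inside extended permit ip host 192.168.100.101 any
access-list ACL-Inside extended permit ip host 192.168.100.108 any
access-list ACL-Inside extended permit ip host 192.168.100.109 any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AclLine:
    action: str
    src: list
    dst: list
    text: str


def parse_object_groups(cfg):
    """Map each `object-group network` name to its list of networks."""
    groups, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"^object-group network (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line.startswith("network-object ") and current is not None:
            t = line.split()
            spec = f"{t[2]}/32" if t[1] == "host" else f"{t[1]}/{t[2]}"
            current.append(ipaddress.ip_network(spec, strict=False))
        elif not line.startswith("description"):
            current = None          # any other top-level line ends the group body
    return groups


def _addr(tokens, i, groups):
    """Read one ASA address spec at tokens[i]; return (networks, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return [ANY], i + 1
    if tok == "host":
        return [ipaddress.ip_network(f"{tokens[i + 1]}/32")], i + 2
    if tok == "object-group":
        return groups[tokens[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_acl(cfg, name, groups):
    """Collect the `ip` lines of one named ACL in configuration order."""
    acl = []
    for raw in cfg.splitlines():
        t = raw.split()
        if len(t) < 6 or t[:2] != ["access-list", name] or t[2] == "remark":
            continue
        i = 3 if t[2] == "extended" else 2   # `show run` prints "extended"; typed config may omit it
        action, proto = t[i], t[i + 1]
        if proto != "ip":
            continue
        src, i = _addr(t, i + 2, groups)
        dst, _ = _addr(t, i, groups)
        acl.append(AclLine(action, src, dst, raw.strip()))
    return acl


def first_match(acl, src_ip, dst_ip):
    """(line number, action) of the first matching line; (None, 'deny') is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, line in enumerate(acl, 1):
        if any(s in net for net in line.src) and any(d in net for net in line.dst):
            return n, line.action
    return None, "deny"


def _covered(nets, by):
    return all(any(n.subnet_of(b) for b in by) for n in nets)


def shadowed_lines(acl):
    """(line, earlier line) pairs where the later line can never add a new match."""
    found = []
    for j in range(len(acl)):
        for i in range(j):
            if _covered(acl[j].src, acl[i].src) and _covered(acl[j].dst, acl[i].dst):
                found.append((j + 1, i + 1))
                break
    return found


if __name__ == "__main__":
    groups = parse_object_groups(SAMPLE_CFG)
    nat0 = parse_acl(SAMPLE_CFG, "TREV-LAN-NAT0", groups)
    print("NAT0 shadowed lines:", shadowed_lines(nat0))
    inside = parse_acl(SAMPLE_CFG, "ACL-Inside", groups)
    for host in ("192.168.100.108", "192.168.100.50"):
        print(host, "->", first_match(inside, host, "8.8.8.8"))
```

Run against the sample, the NAT0 check flags line 2 as shadowed by line 1 (the object-group line already covers 192.168.100.0/24 to 192.168.200.0/24), which is the kind of overlap Jouni's cleanup removes. For ACL-Inside, 192.168.100.108 hits line 2 and 192.168.100.50 returns `(None, 'deny')`: the list needs no explicit deny line, since the ASA denies whatever nothing permits. An ACL with the right permits is still only half of egress, because a host that is permitted but has no matching NAT rule on an 8.4 box will fail in the NAT phase of `packet-tracer` instead of the ACCESS-LIST phase.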
WCCP does not work between WSA and ASA
I have configured WCCPv2 between WSA S160 ( 6.3.1-025) and ASA5540 (8.2(1)109).
Everything seems to be OK according to "show wccp *" on the ASA and the WCCP debugging messages (level 4) on the S160. Despite that, WCCP redirection does not work.
Using packet capture I found that the S160 receives GRE packets with TCP SYN from a particular LAN host to WWW sites, but the S160 does not handle them and does not send anything back to the ASA.
There is an exemption from authentication for this LAN host, and in forward proxy mode everything works well.
I have attached an example of a packet capture (S160.txt - renamed from .cap), the debugging messages from the S160 and "show" output from the ASA.
Does anybody have any idea what the problem is and how I can resolve it?
IronPort Support helped me find the trouble:
If I wish to handle a specific port's (80, 8080, etc.) traffic with the transparent proxy, I need to configure this port as a listener for the FORWARD proxy
("Security Services" -> "Proxy Settings" -> "HTTP Ports to Proxy").
The WSA guide doesn't say this clearly.
So the discussion can be closed.
Certificate Revocation List not working on ASA 8.3(1)
I've configured my SSL VPN for certificate authentication, in which the authentication with certificates is working fine. However, the ASA is not able to store (cache) the CRL.
Based on the debug below, the ASA downloads the CRL file but is not able to open it.
Does anyone know this situation?
Here is the debug output:
fwlpasa01/pri/act# crypto ca crl request SSL-VPN
CRYPTO_PKI: CRL is being polled from CDP http://10.151.1.9/certlist/certcrl.crl.
crypto_pki_req(7ae32bf0, 24, ...)
CRYPTO_PKI: Crypto CA req queue size = 1.
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: content dump count 75----------
CRYPTO_PKI: For function crypto_http_send
GET /certlist/certcrl.crl HTTP/1.0
Host: 10.151.1.9
CRYPTO_PKI: For function crypto_http_send
CRYPTO_PKI: content dump-------------------
CRYPTO_PKI: HTTP response header:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1482
Content-Type: application/pkix-crl
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDACBQATBA=IEGHHGMBOHNIGEJIEPJKCFCE; path=/
Date: Mon, 26 Nov 2012 15:47:38 GMT
Connection: close
CRYPTO_PKI: CRL data2d 2d 2d 2d 2d 42 45 47 49 4e 20 58 35 30 39 20 | -----BEGIN X509
43 52 4c 2d 2d 2d 2d 2d 0d 0a 4d 49 49 45 44 44 | CRL-----..MIIEDD
43 43 41 76 51 43 41 51 45 77 44 51 59 4a 4b 6f | CCAvQCAQEwDQYJKo
5a 49 68 76 63 4e 41 51 45 46 42 51 41 77 57 54 | ZIhvcNAQEFBQAwWT
45 53 4d 42 41 47 43 67 6d 53 4a 6f 6d 54 38 69 | ESMBAGCgmSJomT8i
78 6b 41 52 6b 57 41 6e 70 73 0d 0a 4d 52 4d 77 | xkARkWAnps..MRMw
45 51 59 4b 43 5a 49 6d 69 5a 50 79 4c 47 51 42 | EQYKCZImiZPyLGQB
47 52 59 44 61 57 35 30 4d 52 67 77 46 67 59 4b | GRYDaW50MRgwFgYK
43 5a 49 6d 69 5a 50 79 4c 47 51 42 47 52 59 49 | CZImiZPyLGQBGRYI
65 6d 6c 73 62 47 39 79 5a 57 34 78 0d 0a 46 44 | emlsbG9yZW4x..FD
41 53 42 67 4e 56 42 41 4d 54 43 31 70 4a 54 45 | ASBgNVBAMTC1pJTE
78 50 55 6b 56 4f 4c 55 4e 42 46 77 30 78 4d 6a | xPUkVOLUNBFw0xMj
45 78 4d 54 6b 78 4e 6a 4d 7a 4d 44 68 61 46 77 | ExMTkxNjMzMDhaFw
30 78 4d 6a 45 78 4d 6a 63 77 4e 44 55 7a 0d 0a | 0xMjExMjcwNDUz..
4d 44 68 61 4d 46 63 77 47 77 49 4b 52 66 65 4b | MDhaMFcwGwIKRfeK
6b 67 41 41 41 41 41 42 67 52 63 4e 4d 54 49 78 | kgAAAAABgRcNMTIx
4d 44 49 35 4d 54 4d 79 4d 7a 41 77 57 6a 41 62 | MDI5MTMyMzAwWjAb
41 67 70 46 31 4f 55 76 41 41 41 41 41 41 47 41 | AgpF1OUvAAAAAAGA
0d 0a 46 77 30 78 4d 6a 45 77 4d 6a 6b 78 4d 7a | ..Fw0xMjEwMjkxMz
49 7a 4d 44 42 61 4d 42 73 43 43 6a 75 71 30 79 | IzMDBaMBsCCjuq0y
41 41 41 41 41 41 41 58 6f 58 44 54 45 79 4d 54 | AAAAAAAXoXDTEyMT
41 79 4f 54 45 7a 4d 6a 49 77 4d 46 71 67 67 67 | AyOTEzMjIwMFqggg
49 4d 0d 0a 4d 49 49 43 43 44 41 66 42 67 4e 56 | IM..MIICCDAfBgNV
48 53 4d 45 47 44 41 57 67 42 52 73 73 75 79 64 | HSMEGDAWgBRssuyd
63 2b 6c 54 32 66 6a 75 62 39 66 70 7a 67 42 38 | c+lT2fjub9fpzgB8
76 45 36 59 78 54 41 51 42 67 6b 72 42 67 45 45 | vE6YxTAQBgkrBgEE
41 59 49 33 0d 0a 46 51 45 45 41 77 49 42 41 44 | AYI3..FQEEAwIBAD
41 4c 42 67 4e 56 48 52 51 45 42 41 49 43 41 31 | ALBgNVHRQEBAICA1
55 77 48 41 59 4a 4b 77 59 42 42 41 47 43 4e 78 | UwHAYJKwYBBAGCNx
55 45 42 41 38 58 44 54 45 79 4d 54 45 79 4e 6a | UEBA8XDTEyMTEyNj
45 32 4e 44 4d 77 0d 0a 4f 46 6f 77 67 63 77 47 | E2NDMw..OFowgcwG
41 31 55 64 4c 67 53 42 78 44 43 42 77 54 43 42 | A1UdLgSBxDCBwTCB
76 71 43 42 75 36 43 42 75 49 61 42 74 57 78 6b | vqCBu6CBuIaBtWxk
59 58 41 36 4c 79 38 76 51 30 34 39 57 6b 6c 4d | YXA6Ly8vQ049WklM
54 45 39 53 52 55 34 74 0d 0a 51 30 45 73 51 30 | TE9SRU4t..Q0EsQ0
34 39 63 33 5a 73 63 47 46 6b 62 54 4d 78 4c 45 | 49c3ZscGFkbTMxLE
4e 4f 50 55 4e 45 55 43 78 44 54 6a 31 51 64 57 | NOPUNEUCxDTj1QdW
4a 73 61 57 4d 6c 4d 6a 42 4c 5a 58 6b 6c 4d 6a | JsaWMlMjBLZXklMj
42 54 5a 58 4a 32 61 57 4e 6c 0d 0a 63 79 78 44 | BTZXJ2aWNl..cyxD
54 6a 31 54 5a 58 4a 32 61 57 4e 6c 63 79 78 44 | Tj1TZXJ2aWNlcyxD
54 6a 31 44 62 32 35 6d 61 57 64 31 63 6d 46 30 | Tj1Db25maWd1cmF0
61 57 39 75 4c 45 52 44 50 58 70 70 62 47 78 76 | aW9uLERDPXppbGxv
63 6d 56 75 4c 45 52 44 50 57 6c 75 0d 0a 64 43 | cmVuLERDPWlu..dC
78 45 51 7a 31 36 62 44 39 6b 5a 57 78 30 59 56 | xEQz16bD9kZWx0YV
4a 6c 64 6d 39 6a 59 58 52 70 62 32 35 4d 61 58 | Jldm9jYXRpb25MaX
4e 30 50 32 4a 68 63 32 55 2f 62 32 4a 71 5a 57 | N0P2Jhc2U/b2JqZW
4e 30 51 32 78 68 63 33 4d 39 59 31 4a 4d 0d 0a | N0Q2xhc3M9Y1JM..
52 47 6c 7a 64 48 4a 70 59 6e 56 30 61 57 39 75 | RGlzdHJpYnV0aW9u
55 47 39 70 62 6e 51 77 67 64 67 47 43 53 73 47 | UG9pbnQwgdgGCSsG
41 51 51 42 67 6a 63 56 44 67 53 42 79 6a 43 42 | AQQBgjcVDgSByjCB
78 7a 43 42 78 4b 43 42 77 61 43 42 76 6f 61 42 | xzCBxKCBwaCBvoaB
0d 0a 75 32 78 6b 59 58 41 36 4c 79 38 76 51 30 | ..u2xkYXA6Ly8vQ0
34 39 57 6b 6c 4d 54 45 39 53 52 55 34 74 51 30 | 49WklMTE9SRU4tQ0
45 73 51 30 34 39 63 33 5a 73 63 47 46 6b 62 54 | EsQ049c3ZscGFkbT
4d 78 4c 45 4e 4f 50 55 4e 45 55 43 78 44 54 6a | MxLENOPUNEUCxDTj
31 51 0d 0a 64 57 4a 73 61 57 4d 6c 4d 6a 42 4c | 1Q..dWJsaWMlMjBL
5a 58 6b 6c 4d 6a 42 54 5a 58 4a 32 61 57 4e 6c | ZXklMjBTZXJ2aWNl
63 79 78 44 54 6a 31 54 5a 58 4a 32 61 57 4e 6c | cyxDTj1TZXJ2aWNl
63 79 78 44 54 6a 31 44 62 32 35 6d 61 57 64 31 | cyxDTj1Db25maWd1
63 6d 46 30 0d 0a 61 57 39 75 4c 45 52 44 50 58 | cmF0..aW9uLERDPX
70 70 62 47 78 76 63 6d 56 75 4c 45 52 44 50 57 | ppbGxvcmVuLERDPW
6c 75 64 43 78 45 51 7a 31 36 62 44 39 6a 5a 58 | ludCxEQz16bD9jZX
4a 30 61 57 5a 70 59 32 46 30 5a 56 4a 6c 64 6d | J0aWZpY2F0ZVJldm
39 6a 59 58 52 70 0d 0a 62 32 35 4d 61 58 4e 30 | 9jYXRp..b25MaXN0
50 32 4a 68 63 32 55 2f 62 32 4a 71 5a 57 4e 30 | P2Jhc2U/b2JqZWN0
51 32 78 68 63 33 4d 39 59 31 4a 4d 52 47 6c 7a | Q2xhc3M9Y1JMRGlz
64 48 4a 70 59 6e 56 30 61 57 39 75 55 47 39 70 | dHJpYnV0aW9uUG9p
62 6e 51 77 44 51 59 4a 0d 0a 4b 6f 5a 49 68 76 | bnQwDQYJ..KoZIhv
63 4e 41 51 45 46 42 51 41 44 67 67 45 42 41 4a | cNAQEFBQADggEBAJ
51 6f 2f 78 73 4e 79 34 67 34 31 66 69 45 2b 67 | Qo/xsNy4g41fiE+g
46 4d 31 39 62 65 59 2b 52 77 36 74 4c 61 42 52 | FM19beY+Rw6tLaBR
34 33 58 64 45 7a 46 4d 63 61 0d 0a 72 55 74 2f | 43XdEzFMca..rUt/
70 39 33 73 63 4c 38 63 45 4a 54 48 6d 42 54 33 | p93scL8cEJTHmBT3
73 33 79 30 50 42 55 59 6d 35 52 58 36 6f 4c 42 | s3y0PBUYm5RX6oLB
41 41 74 4f 42 63 5a 4b 62 33 76 77 58 47 33 2f | AAtOBcZKb3vwXG3/
34 72 65 71 72 6a 39 47 42 61 49 42 0d 0a 30 2b | 4reqrj9GBaIB..0+
4f 34 66 37 43 67 4f 78 42 38 47 6d 44 32 69 42 | O4f7CgOxB8GmD2iB
31 70 79 56 55 7a 76 52 72 44 37 65 30 69 6a 31 | 1pyVUzvRrD7e0ij1
35 63 76 6e 58 46 63 6f 75 31 34 50 45 53 6c 6f | 5cvnXFcou14PESlo
30 2b 34 75 6b 4e 6d 42 4a 44 57 74 67 6c 0d 0a | 0+4ukNmBJDWtgl..
45 47 46 65 6f 4e 30 78 37 2f 63 52 59 53 70 71 | EGFeoN0x7/cRYSpq
52 44 48 71 56 59 39 75 34 69 63 44 49 7a 31 4c | RDHqVY9u4icDIz1L
75 78 5a 72 69 35 76 69 63 41 59 4b 62 44 69 4b | uxZri5vicAYKbDiK
30 4b 77 69 64 39 59 71 4b 43 63 76 2f 73 4c 37 | 0Kwid9YqKCcv/sL7
0d 0a 32 77 2b 53 7a 46 46 75 72 73 54 6c 70 2f | ..2w+SzFFursTlp/
36 74 4c 4d 41 72 6c 30 37 49 4f 65 52 63 51 38 | 6tLMArl07IOeRcQ8
4c 2b 6a 71 69 6e 44 30 6f 6f 62 53 5a 78 49 30 | L+jqinD0oobSZxI0
6b 42 64 54 47 6a 6c 38 68 44 42 77 6d 6a 74 63 | kBdTGjl8hDBwmjtc
33 63 0d 0a 6b 39 68 53 58 78 42 65 65 4d 74 74 | 3c..k9hSXxBeeMtt
53 72 33 48 6f 4c 42 63 6c 76 4d 75 78 64 77 72 | Sr3HoLBclvMuxdwr
41 6f 52 49 48 61 64 4f 4b 52 35 54 70 52 34 3d | AoRIHadOKR5TpR4=
0d 0a 2d 2d 2d 2d 2d 45 4e 44 20 58 35 30 39 20 | ..-----END X509
43 52 4c 2d 2d 2d 2d 2d 0d 0a | CRL-----..
CRYPTO_PKI: transaction HTTPGetCRL completed
Crypto CA thread sleeps!
CRYPTO_PKI: Failed to retrieve CRL for trustpoint: SSL-VPN.
Retrying with next CRL DP...
Hello everyone!
I've got the issue solved. The issue was in the CA CDP. I published a new HTTP CDP, and it's working fine.
Windows CA
- In Server Manager -> right click on the Certificate Authority object name -> click Properties, then Extensions
- Create an extension to generate the following URL
http://winca.pmmagalhaes.com.br/CertEnroll/WINCA.crl
- Then Apply -> OK
- Under Windows PKI, right click the Certificate Authority object name, then Refresh
ASA
Under retrieval policy, set it to static and then put the URL above.
It's done -
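The ASA half of that fix in CLI form, as an added example that is not from the original post. The trustpoint name SSL-VPN comes from the debug output above and the CRL URL from the post; the ASA 8.2 `crl configure` syntax is assumed to apply to the poster's unit, and the remaining trustpoint settings (enrollment, subject name) are left as already configured.

```cisco
! Added example: point the SSL-VPN trustpoint at the published HTTP CDP
! instead of the CDP embedded in the certificate, which the debug showed failing.
crypto ca trustpoint SSL-VPN
 revocation-check crl
 crl configure
  policy static
  url 1 http://winca.pmmagalhaes.com.br/CertEnroll/WINCA.crl
! Fetch the CRL now rather than waiting for the next scheduled retrieval
crypto ca crl request SSL-VPN
! Verify the CRL loaded and note its ThisUpdate/NextUpdate window
show crypto ca crls
! If the request still fails, watch the HTTP fetch with the debug used above
debug crypto ca 3
```

Two checks worth making before blaming the CDP again: the ASA must be able to resolve and reach the winca hostname from the interface it uses (`dns domain-lookup` and a matching `dns server-group`), and its clock must fall inside the CRL's validity window, otherwise the CRL is downloaded and then rejected as expired or not yet valid.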
Unable to capture packets on ASA(ASDM)
Hi all,
We have a site to site VPN connection to one of our clients, through which we are both accessing our applications and other resources. Now the client needs to access two of our internal servers, so we have created a Static NAT in our ASA. For one server they are accessing without any issues, but the other server they are not able to connect to. Since it's a VPN tunnel we haven't blocked any ports and it's open to all traffic. But their side has restrictions and we need to see whether the packets are hitting our ASA or not. Once we observe this, it's easy for us to escalate to them. I tried the packet capture wizard in ASDM, but it's not showing anything. Can anyone tell me how to capture packets related to the Static NAT? Please let me know if you want any other details.
local 20.0.0.0/24 -->this will get natted to --->12.0.6.0/24 when going in for tunnel
we have created
static(outside,inside) 12.0.6.10 20.0.0.10 255.255.255.255 working
static(outside,inside) 12.0.6.11 20.0.0.11 255.255.255.255 not working, we need to check whether its hitting 12.0.6.11
Kindly advise...
Regards,
Bala
Where are you trying to initiate the connection from?
If they are trying to initiate the connection towards your end, and the traffic doesn't reach your end, then there will be nothing on your ASA packet capture.
Please share what you have configured to capture the traffic.
To check if the traffic is reaching the inside interface, just configure an ACL between source (real IP) and destination (remote IP), and apply the capture on the inside interface. This will confirm if the traffic is coming inbound towards the inside interface.
To check if the traffic is leaving the inside interface towards the host behind your ASA, configure an ACL between source (remote IP) and destination (host real IP), and apply the capture on the inside interface. This will confirm if the traffic is leaving your ASA inside interface towards the host.
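The two ACL-scoped captures the reply describes, written out for the non-working static, as an added example that is not from either poster. The local real address 20.0.0.11 and mapped address 12.0.6.11 come from the thread; REMOTE_HOST, PEER_IP and ASA_OUTSIDE_IP are placeholders for the client's host, the remote VPN peer and this ASA's outside address, and the application port in the packet-tracer line is assumed to be 80.

```cisco
! Added example: ACL-scoped captures for the 20.0.0.11 / 12.0.6.11 static.
! REMOTE_HOST, PEER_IP and ASA_OUTSIDE_IP are placeholders, not values from the thread.
!
! 1. Packets entering the inside interface from the local server towards the client
access-list CAP_IN extended permit ip host 20.0.0.11 host REMOTE_HOST
capture capin interface inside access-list CAP_IN
! 2. Packets leaving the inside interface from the client towards the local server
access-list CAP_OUT extended permit ip host REMOTE_HOST host 20.0.0.11
capture capout interface inside access-list CAP_OUT
! Have the client attempt the connection, then read both buffers
show capture capin
show capture capout
! If both stay empty, look at the tunnel itself: on the outside interface the
! client's traffic is still ESP, so match the peer addresses, not the inner ones
access-list CAP_ESP extended permit esp host PEER_IP host ASA_OUTSIDE_IP
capture capesp interface outside access-list CAP_ESP
show capture capesp
! Walk a synthetic client packet through ACL, NAT and VPN checks without real traffic;
! the NAT phase shows whether the static for 12.0.6.11 matches at all
packet-tracer input outside tcp REMOTE_HOST 40000 12.0.6.11 80 detailed
! Captures hold packets in RAM and survive until removed or the unit reloads
no capture capin
no capture capout
no capture capesp
```

Reading the result: packets in capout but none in capin means the client's traffic reaches the server but nothing comes back, which points at the server or its route; packets in capesp but none in capout means the tunnel delivers something but the decrypted packet is dropped before the inside interface, which is what the packet-tracer output will name (an ACL, the NAT rule or the crypto map). Nothing in any buffer means the client side never sent it, which is the evidence needed for the escalation the poster mentions.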