ASA ICMP Packets

Hi Guys,
We have two ASA 5520s in active/passive. We are losing random ICMP packets between hosts located on different ASA interfaces or zones; that is, random ICMP packets are lost when they cross the firewalls.
asa# sh interface | i errors
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 2 interface resets
        94 input errors, 0 CRC, 0 frame, 94 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 2 interface resets
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 2 interface resets
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 2 interface resets
        2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
asa# show conn count
7924 in use, 7934 most used
asa# show resource usage
Resource              Current         Peak      Limit        Denied Context
SSH                         2            2          5             0 System
ASDM                        1            3          5             0 System
Syslogs [rate]            444         1295        N/A             0 System
Conns                    7284         8000     280000             0 System
Xlates                   2728         3063        N/A             0 System
Hosts                    3155         3403        N/A             0 System
Conns [rate]              195          946        N/A             0 System
Inspects [rate]            20          280        N/A             0 System
asa# sh processes cpu-usage non-zero
PC         Thread       5Sec     1Min     5Min   Process
081a86c4   c91afa08    56.9%    45.1%    37.5%   Dispatch Unit
08c15df6   c91a93a8     1.3%     1.3%     1.2%   Logger
08190627   c91a4ec0     0.0%     0.1%     0.0%   tmatch compile thread
084b6fa1   c91a40f8     0.3%     0.6%     0.6%   IKE Daemon
083ccbfc   c91a17a0     0.1%     0.1%     0.1%   fover_health_monitoring_thread
08405637   c91a13b0     0.0%     0.1%     0.1%   ha_trans_data_tx
085345ae   c91a09d8     0.5%     0.3%     0.3%   ARP Thread
088c038d   c918f248     2.3%     2.2%     2.3%   Unicorn Admin Handler
08bde96c   c9189ba8     0.2%     0.4%     0.2%   ssh

I followed your recommendation to capture ICMP traffic on the ingress and egress interfaces to see how many packets are getting to the ASA and how many are leaving... Dammit! I saw the same input and output traffic. I can't see any ICMP packet being dropped by the ASA in the ASP capture...
Thanks a lot guys for your help, I really appreciate it.
asa(config)# sh capture
capture capin type raw-data interface franqui [Capturing - 204480 bytes]
  match icmp host 192.168.3.130 host 172.31.5.28
capture capout type raw-data interface inside [Capturing - 204480 bytes]
  match icmp host 192.168.3.130 host 172.31.5.28
capture asp type asp-drop all buffer 9999999 [Capturing - 9880419 bytes]
asa(config)#
asa(config)# sho cap asp | i 192.168.3.130
1094: 11:15:02.770056 192.168.3.130.80 > 10.150.4.139.52083: . ack 1800180435 win 64240
8427: 11:16:39.131340 192.168.3.130.137 > 192.168.3.255.137:  udp 50
8534: 11:16:39.877548 192.168.3.130.137 > 192.168.3.255.137:  udp 50
8606: 11:16:40.624982 192.168.3.130.137 > 192.168.3.255.137:  udp 50
13257: 11:17:46.657253 802.1Q vlan#1200 P0 10.104.104.36.137 > 192.168.3.130.137:  udp 50
15450: 11:18:18.148170 192.168.3.130.137 > 192.168.3.255.137:  udp 50
23235: 11:20:01.004226 802.1Q vlan#1200 P0 10.104.104.36.137 > 192.168.3.130.137:  udp 50
24334: 11:20:15.551271 192.168.3.130.138 > 192.168.3.255.138:  udp 201
28941: 11:21:21.650265 802.1Q vlan#1200 P0 10.104.104.36.137 > 192.168.3.130.137:  udp 50
30622: 11:21:47.743842 802.1Q vlan#1200 P0 10.104.104.36.137 > 192.168.3.130.137:  udp 50
38870: 11:23:44.843721 192.168.3.130.137 > 192.168.3.255.137:  udp 50
51315: 11:26:39.053433 192.168.3.130.137 > 192.168.3.255.137:  udp 50
51382: 11:26:39.790349 192.168.3.130.137 > 192.168.3.255.137:  udp 50
51438: 11:26:40.540285 192.168.3.130.137 > 192.168.3.255.137:  udp 50
66736: 11:30:18.165610 192.168.3.130.137 > 192.168.3.255.137:  udp 50
75694: 11:32:17.742301 192.168.3.130.138 > 192.168.3.255.138:  udp 201
asa(config)#  sho cap asp | i 172.31.5.28
458: 11:14:54.353894 172.31.5.28.138 > 172.31.255.255.138:  udp 201
9219: 11:16:49.088404 172.31.5.28.63954 > 172.31.5.254.443: F 1216116677:1216116677(0) ack 3105814648 win 65535
9220: 11:16:49.129647 172.31.5.28.63955 > 172.31.5.254.443: F 3311562654:3311562654(0) ack 1788680111 win 65535
9907: 11:16:58.316817 172.31.5.28.63957 > 172.31.5.254.443: F 2372132966:2372132966(0) ack 3446739520 win 65535
9924: 11:16:58.465155 172.31.5.28.63958 > 172.31.5.254.443: F 3052199358:3052199358(0) ack 4060397993 win 65535
9926: 11:16:58.478353 172.31.5.28.63959 > 172.31.5.254.443: F 2416626469:2416626469(0) ack 600987510 win 65535
10207: 11:17:01.425911 172.31.5.28.63960 > 172.31.5.254.443: F 4284764250:4284764250(0) ack 2764360472 win 65535
10209: 11:17:01.462653 172.31.5.28.63962 > 172.31.5.254.443: F 2897853406:2897853406(0) ack 36732653 win 65535
10562: 11:17:06.392862 172.31.5.28.63963 > 172.31.5.254.443: F 3418331111:3418331111(0) ack 4106159305 win 65535
10566: 11:17:06.437782 172.31.5.28.63965 > 172.31.5.254.443: F 351951743:351951743(0) ack 3852846382 win 65535
10570: 11:17:06.491109 172.31.5.28.63964 > 172.31.5.254.443: R 3743180378:3743180378(0) ack 2036124283 win 0
10571: 11:17:06.491322 172.31.5.28.63964 > 172.31.5.254.443: R 3743180378:3743180378(0) win 0
10605: 11:17:06.990885 172.31.5.28.63967 > 172.31.5.254.443: R 1622463220:1622463220(0) ack 1444481707 win 0
10606: 11:17:06.991113 172.31.5.28.63966 > 172.31.5.254.443: F 4291895411:4291895411(0) ack 1869758408 win 65535
10607: 11:17:06.991205 172.31.5.28.63967 > 172.31.5.254.443: R 1622463220:1622463220(0) win 0
10716: 11:17:09.033506 172.31.5.28.63968 > 172.31.5.254.443: F 1213337051:1213337051(0) ack 2793080200 win 65535
28699: 11:21:18.048444 172.31.5.28.63978 > 172.31.5.254.443: F 3516588597:3516588597(0) ack 4082523455 win 65535
28702: 11:21:18.082530 172.31.5.28.63979 > 172.31.5.254.443: F 2624860618:2624860618(0) ack 1229240024 win 65535
29157: 11:21:25.289917 172.31.5.28.63980 > 172.31.5.254.443: F 1840304766:1840304766(0) ack 3822990521 win 65535
29159: 11:21:25.369808 172.31.5.28.63983 > 172.31.5.254.443: F 879930713:879930713(0) ack 1786169064 win 65535
29160: 11:21:25.381587 172.31.5.28.63984 > 172.31.5.254.443: F 427260469:427260469(0) ack 341330867 win 65535
29321: 11:21:28.067242 172.31.5.28.63985 > 172.31.5.254.443: F 2238218183:2238218183(0) ack 2288210469 win 65535
29325: 11:21:28.098902 172.31.5.28.63986 > 172.31.5.254.443: F 118474273:118474273(0) ack 4277263123 win 65535
29665: 11:21:33.143074 172.31.5.28.63987 > 172.31.5.254.443: F 1353084768:1353084768(0) ack 2091147977 win 65535
29667: 11:21:33.174566 172.31.5.28.63989 > 172.31.5.254.443: F 3477322977:3477322977(0) ack 2198309559 win 65535
29701: 11:21:33.621763 172.31.5.28.63988 > 172.31.5.254.443: R 1603447742:1603447742(0) ack 2966254164 win 0
29702: 11:21:33.622007 172.31.5.28.63991 > 172.31.5.254.443: R 272764148:272764148(0) ack 2362014837 win 0
29703: 11:21:33.622282 172.31.5.28.63988 > 172.31.5.254.443: R 1603447742:1603447742(0) win 0
29704: 11:21:33.622328 172.31.5.28.63991 > 172.31.5.254.443: R 272764148:272764148(0) win 0
29767: 11:21:34.860764 172.31.5.28.63992 > 172.31.5.254.443: F 4226212155:4226212155(0) ack 2230361367 win 65535
52256: 11:26:52.323835 172.31.5.28.138 > 172.31.255.255.138:  udp 201
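The comparison the poster made by eye (same ICMP traffic on the ingress and egress captures, nothing for the flow in the asp-drop capture) can be done mechanically over the pasted `show capture` text. The script below is an added example written for this page; it is not from the original thread and not a Cisco tool. The line formats it parses (an ICMP echo line as `N: HH:MM:SS.uuuuuu src > dst: icmp: echo request|reply`, and an asp-drop line ending in `Drop-reason: (name) text`) are assumptions about what the ASA prints, and the sample captures are constructed, not real output from the poster's firewalls. It counts echo requests and replies per flow on each interface and reports flows whose counts differ, then tallies drop reasons for a host in the asp-drop capture.

```python
"""Localise ICMP loss across an ASA from pasted `show capture` text.

Added example (not from the original thread, not a Cisco tool). The line
formats matched below are assumptions about what the ASA prints; adjust
the regexes if your release formats lines differently.
"""
import re
from collections import Counter

# Assumed format of one ICMP echo line from `show capture <name>`.
ECHO_RE = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\b"
)
# Assumed format of a `show capture asp` line that carries a drop reason.
# Ports (".80") and 802.1Q prefixes are tolerated; lines without a
# "Drop-reason:" suffix (older releases print none) are ignored.
ASP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:.*?"
    r"Drop-reason:\s+\((?P<reason>[^)]+)\)"
)


def parse_echoes(capture_text):
    """Count ICMP echo lines per (src, dst, kind) in one capture listing."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = ECHO_RE.match(line)
        if m:
            counts[(m["src"], m["dst"], m["kind"])] += 1
    return counts


def diff_captures(ingress_text, egress_text):
    """Flows whose echo counts differ between two interface captures.

    Returns {(src, dst, kind): (count_in_first, count_in_second)}. A packet
    seen on one interface capture but not the other was either dropped by
    the ASA (look for it in the asp-drop capture) or lost outside it.
    """
    a, b = parse_echoes(ingress_text), parse_echoes(egress_text)
    return {k: (a[k], b[k]) for k in set(a) | set(b) if a[k] != b[k]}


def drop_reasons_for_host(asp_text, host):
    """Tally Drop-reason names on asp-drop lines where host is src or dst."""
    reasons = Counter()
    for line in asp_text.splitlines():
        m = ASP_RE.search(line)
        if m and host in (m["src"], m["dst"]):
            reasons[m["reason"]] += 1
    return dict(reasons)


# Constructed sample captures (not real output from the poster's ASA).
INGRESS_CAPTURE = """\
1: 11:15:02.100000 192.168.3.130 > 172.31.5.28: icmp: echo request
2: 11:15:02.100500 172.31.5.28 > 192.168.3.130: icmp: echo reply
3: 11:15:03.100000 192.168.3.130 > 172.31.5.28: icmp: echo request
4: 11:15:03.100500 172.31.5.28 > 192.168.3.130: icmp: echo reply
5: 11:15:04.100000 192.168.3.130 > 172.31.5.28: icmp: echo request
"""
EGRESS_CAPTURE = """\
1: 11:15:02.100100 192.168.3.130 > 172.31.5.28: icmp: echo request
2: 11:15:02.100400 172.31.5.28 > 192.168.3.130: icmp: echo reply
3: 11:15:03.100100 192.168.3.130 > 172.31.5.28: icmp: echo request
4: 11:15:03.100400 172.31.5.28 > 192.168.3.130: icmp: echo reply
5: 11:15:04.100100 192.168.3.130 > 172.31.5.28: icmp: echo request
6: 11:15:04.100400 172.31.5.28 > 192.168.3.130: icmp: echo reply
"""
ASP_DROP_CAPTURE = """\
10: 11:15:04.100450 172.31.5.28 > 192.168.3.130: icmp: echo reply Drop-reason: (acl-drop) Flow is denied by configured rule
11: 11:15:05.000000 172.31.5.28.63954 > 172.31.5.254.443: F 1:1(0) ack 2 win 65535 Drop-reason: (tcp-not-syn) First TCP packet not SYN
12: 11:15:06.000000 802.1Q vlan#1200 P0 10.104.104.36.137 > 192.168.3.255.137:  udp 50
"""

if __name__ == "__main__":
    for flow, (n_in, n_out) in sorted(diff_captures(INGRESS_CAPTURE, EGRESS_CAPTURE).items()):
        print(f"{flow[0]} -> {flow[1]} {flow[2]}: ingress={n_in} egress={n_out}")
    print(drop_reasons_for_host(ASP_DROP_CAPTURE, "172.31.5.28"))
```

Two caveats when reading the result. An interface capture on the ASA records both directions on that interface, so a reply counted on `inside` but missing from `franqui` was lost inside the box and should show up in the asp-drop capture; if it does not, look outside the ASA. The 94 input overruns on one interface in the `show interface` output above are frames the NIC discarded before the ASA's packet path saw them, so they never appear in any capture. Also, an ASA capture stops recording once its buffer is full unless it was created with `circular-buffer`; the asp capture above is at 9880419 of 9999999 bytes.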

Similar Messages

  • Icmp packet utility

    While researching socket programming in C, I stumbled upon a piece of code designed to repetitively send ICMP packets to a given target. The concept piqued my interest as a viable stress test for a home router, so I copied and compiled the code to see if and how it worked.... well, it DIDN'T work... The code didn't even compile, let alone run.  Still interested and not wanting to let this go, I re-wrote the code.  Made it better and made it work.  I believe this is an interesting utility to say the least and I encourage anyone reading this to test it (ON YOUR OWN SYSTEMS/NETWORK) and/or give input on how to improve upon it.  Depending on the feedback I get on here I might try to make a package build out of it.
    Disclaimer!!:  The following source code is intended specifically for educational purposes and systems testing only.  I take no responsibility, and hold no liability for the misuse of this code.
    My source code is listed below.
    packetsoup.h
    /*
     * Packetsoup.h
     * Prototype Functions for icmp_pingV2 project
     * Written By DeadDingo
     * All Rights Reserved 12.21.2013
     */
    #ifndef PACK_SOUP_H_
    #define PACK_SOUP_H_
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/time.h>
    #include <netinet/ip.h>
    #include <netinet/ip_icmp.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #include <unistd.h>
    #include <arpa/inet.h>
    typedef unsigned char u8;
    typedef unsigned short int u16;
    /*
     * Description:
     * Calculates the checksum on a packet to packet basis
     */
    unsigned short in_cksum(unsigned short *ptr, int nbytes);
    /*
     * Description:
     * Displays Usage Dialog
     */
    void Usage( void );
    #endif
    packetsoup.c
    /*
     * Packsoup.c
     * Written by DeadDingo
     * All Rights Reserved 12.21.2013
     * Note:
     * in_cksum() function written by Silver Moon
     */
    #include "packetsoup.h"
    /* Ones'-complement Internet checksum (RFC 1071) over nbytes bytes at ptr. */
    unsigned short in_cksum(unsigned short *ptr, int nbytes) {
        register long sum;
        u16 oddbyte;
        register u16 answer;
        sum = 0;
        while(nbytes > 1) {
            sum += *ptr++;
            nbytes -= 2;
        }
        /* a trailing odd byte is padded with a zero byte */
        if(nbytes == 1) {
            oddbyte = 0;
            *((u8 *) &oddbyte) = *(u8 *) ptr;
            sum += oddbyte;
        }
        /* fold the carry bits back into the low 16 bits */
        sum = (sum >> 16) + (sum & 0xffff);
        sum += (sum >> 16);
        answer = ~sum;
        return answer;
    }
    void Usage( void ) {
        puts("Usage: ");
        puts(" -s <source address>");
        puts(" -d <destination address>");
        puts(" -p <payload size>");
        printf("a.out -s <source address> -d <destination address> -p <payload size>\n");
        exit(8);
    }
    main.c
    /*
     * icmp_pingV2 project
     * ICMP packet utility
     * Originally Written By Silver Moon
     * Version 2 Written By DeadDingo
     * Copyright 12.21.2013
     *
     * This file is part of the icmp_ping package
     * The icmp_pingV2 package is free software: you can redistribute it and/or modify
     * it under the terms of the GNU General Public Licence as published by
     * the Free Software Foundation, either version 3 of the Licence, or
     * (at your option) any later version.
     * The icmp_pingV2 package is distributed in the hope that it will be useful,
     * but WITHOUT ANY WARRANTY; without even the implied warranty of
     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
     * GNU General Public Licence for more details.
     * You should have received a copy of the GNU General Public Licence
     * along with the DoS package. If not, see <http://www.gnu.org/licences/>.
     * ================================================
     * Version 2 Change Log:
     * - Better Argument Parsing
     * - Better Error Checking
     * - Fixed Bad Structure Types (Now runs on BSD, Linux, and OSX)
     * - Fixed Bad Member Variables
     * - Added Usage Dialog
     */
    #include "packetsoup.h"
    int main ( int argc, char *argv[ ] ) {
        in_addr_t daddr = INADDR_NONE;
        in_addr_t saddr = INADDR_NONE;
        int payload_size = 0, sent = 0, sent_size, on = 1, i;
        /* Argument Parsing... */
        if(argc < 3) {
            Usage();
        }
        /* every flag takes a value, so stop one short of argc */
        for( i = 1; i + 1 < argc; i ++ ) {
            if(strncmp(argv[i], "-s", 2) == 0) {
                saddr = inet_addr(argv[i+1]);
            }
            if(strncmp(argv[i], "-d", 2) == 0) {
                daddr = inet_addr(argv[i+1]);
            }
            if(strncmp(argv[i], "-p", 2) == 0) {
                payload_size = atoi(argv[i+1]);
            }
        } //end for loop
        if(saddr == INADDR_NONE || daddr == INADDR_NONE || payload_size < 0) {
            Usage();
        }
        //end arg parsing
        //Get Raw Socket (needs root or CAP_NET_RAW)
        int sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if(sockfd < 0) {
            perror("Could not create socket:");
            return 0;
        }
        puts("Socket Is Live!");
        //provide packet headers
        if( setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, (const char *)&on, sizeof(on)) == -1 ) {
            perror("setsockopt:");
            close(sockfd);
            return 0;
        }
        //allow socket to send datagrams to broadcast addresses
        if( setsockopt(sockfd, SOL_SOCKET, SO_BROADCAST, (const char *)&on, sizeof(on)) == -1 ) {
            perror("setsockopt");
            close(sockfd);
            return 0;
        }
        //calc packet size
        //note: sizeof(struct icmp) is larger than the 8-byte echo header on
        //glibc/BSD, so the extra header bytes go on the wire as payload
        int packet_size = sizeof(struct ip) + sizeof(struct icmp) + payload_size;
        char *packet = (char *)malloc(packet_size);
        if(!packet) {
            perror("Memory Error");
            close(sockfd);
            return 0;
        }
        //ip header
        struct ip *iphdr = (struct ip *)packet;
        struct icmp *icmphdr = (struct icmp *) (packet + sizeof(struct ip));
        //zero the packet buffer
        memset(packet, 0, packet_size);
        //set member variables and whatnot
        iphdr->ip_v = 4;
        iphdr->ip_hl = 5;
        iphdr->ip_tos = 0;
        iphdr->ip_len = htons(packet_size);
        iphdr->ip_id = rand();
        iphdr->ip_off = 0;
        iphdr->ip_ttl = 255;
        iphdr->ip_p = IPPROTO_ICMP;
        iphdr->ip_src.s_addr = saddr;
        iphdr->ip_dst.s_addr = daddr;
        icmphdr->icmp_type = ICMP_ECHO;
        icmphdr->icmp_code = 0;
        icmphdr->icmp_seq = rand();
        icmphdr->icmp_id = rand();
        icmphdr->icmp_cksum = 0;
        struct sockaddr_in servaddr;
        memset(&servaddr, 0, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr = daddr;
        puts("sending to target...");
        while(1) {
            //fill the payload with a random byte value
            memset(packet + sizeof(struct ip) + sizeof(struct icmp), rand() % 255, payload_size);
            //calculate icmp header checksum (covers icmp header + payload)
            icmphdr->icmp_cksum = 0;
            icmphdr->icmp_cksum = in_cksum( (unsigned short *)icmphdr, sizeof(struct icmp) + payload_size );
            if( ( sent_size = sendto( sockfd, packet, packet_size, 0, (struct sockaddr *) &servaddr, sizeof(servaddr) ) ) < 1 ) {
                perror("Packet Send Failed");
                break;
            }
            ++sent;
            printf("%d packets sent\r", sent);
            fflush(stdout);
            usleep(10000);
        }
        free(packet);
        close(sockfd);
        return 0;
    }
    Last edited by DeadDingo (2013-12-27 04:07:24)

    Ok sounds good, like I said, it is meant to be a learning tool as some of the demo code available online does not accurately portray the proper ip structures needed for socket communication.  I actually had to read through a bunch of C libraries to find the correct structs and member variables.

  • Regarding ICMP "Packet Too Big" message in 6PE RFC 4798

    Dear All,
    The penultimate para in Section 3, Page 6 of 6PE RFC 4798 states the following:
    "Otherwise, routers in the IPv4 MPLS network have the option to generate an ICMP "Packet Too Big" message using mechanisms as described in Section 2.3.2 .... of [RFC3032]"
    As per RFC3032, the routers in the IPv4 MPLS network can generate ICMP "Time Exceeded" message or "Destination Unreachable because fragmentation needed and DF set" message.
    Can someone please explain how an IPv4 MPLS router will generate an ICMP "Packet Too Big"? This requires that the router in the IPv4 MPLS network be a dual-stack router to understand the IPv6 header under the label stack. Is my understanding correct?
    If the router is an intermediate LSR, how will it know the path to the IPv6 destination even if it is dual stack router?
    Thanks in advance.
    Cheers,
    Sriram

    Sriram,
    The IPv4 core router does need to have code to understand IPv6 and create the "Packet too big" message and so on. It does not need to be configured for IPv6 though (dual stack).
    The forwarding will be done based on the incoming label stack for that IPv6 packet, which means that the ICMPv6 message will be constructed with the source of the original packet as the destination IPv6 address; the top label for the incoming IPv6 packet will be swapped, prepended to the ICMPv6 message and forwarded through the egress interface. The egress PE will receive this ICMPv6 message and forward it appropriately.
    The same mechanism is used when performing traceroutes in an L3VPN context, as the core routers have no knowledge of the address space being used by the L3VPN customers and couldn't otherwise forward ICMP messages to the proper source.
    Regards

  • ASA - ICMP works on a L2L tunnel but TCP fails.

    All,
    I have just started to work with the ASA's and I have a couple of problems with two 5510 8.4(1) ASA's supporting an L2L tunnel.
    Problem-1:
    Below is the topology and currently the only config on these ASA's is what is required to get the LAN2LAN tunnel set up and nothing more. ASA01 and ASA02 are the tunnel termination devices.
    LAN A->Routing device->ASA-01 ----->Internet<------------ASA-02<-Routing device<-LAN2
    Below is what is working
    - Tunnel is established between the ASA's.
    - I can ping from LAN A to LAN B and vice versa.
    Below is what is not working
    - I cannot RDP from a device in LAN A to LAN B and vice versa.
    What we found in troubleshooting when we initiate a RDP session from a server in LAN-A to a server in LAN-B:
    - The packet capture on ASA-A shows that the SYN leaves the ingress (LAN interface).
    - The packet capture on ASA-B shows that the SYN is leaving the LAN interface.
    - Don't see a SYN-ACK on ASA-B. First we thought there might be a different reason (detailed below as problem-2) but we don't see the SYN-ACK on ASA-A either.
    - Doing an asp-drop capture on ASA-B we saw that the SYN,ACK from the server in LAN-B is being dropped with the following message
    Drop-reason: (tcp-not-syn) First TCP packet not SYN
    Any ideas on why ASA-B doesn't treat this as an established TCP session?
    Problem-2
    On the packet capture wizard in ASDM, if I do a capture on the LAN interface of ASA02 I can only see packets leaving the ASA towards the LAN but I do not see anything coming back into the interface from the LAN. This works the same whether I do an ICMP or a TCP session (RDP).
    For example - Ping from a server on LAN A to LAN B
    - On ASA01
    The packet capture wizard shows both the icmp-echo from LAN-A and the icmp-reply from LAN-B
    - On ASA02
    The packet capture wizard shows the icmp-echo from LAN-A but not the icmp-reply from LAN-B.
    I am not sure what the reason for both the problems above is, and the reason might just be that my skill level with ASA's is just not there yet. Any guidance will be greatly appreciated.
    Thanks,
    Vishnu

    Hello Vishnu,
    Any ideas on why ASA-B doesn't treat this as an established TCP session?
    This is happening because the ASA is not seeing the entire 3-way handshake. Are you sure all the packets are going across the ASA??? I would recommend you do captures on both inside interfaces just for RDP traffic and attach them to this post so I can correlate to determine if indeed the ASA is receiving what it needs.
    On the packet capture wizard in ASDM, if I do a capture on the LAN interface of ASA02 I can only see packets leaving the ASA towards the LAN but I do not see anything coming back into the interface from the LAN. This works the same whether I do an ICMP or a TCP session (RDP).
    That's exactly the reason why this problem is happening. Good job correlating the facts.
    Resolution of the issues:
    I would say the problem is on the Routing device between ASA-2 and the LAN-2...
    Make sure the Routing device knows that in order to reach the LAN-1 it needs to send the traffic back to the ASA-2 as somehow this traffic is not making it on the right interface,
    Remember to rate all of the helpful posts. That's as important as a Thanks.
    Julio Carvajal Segura

  • ASA: capture packets travelling vom EasyVPN client to EasyVPN client

    Hey everyone,
    I have a central ASA running as a EasyVPN Server and several ISR 800 routers configured as clients.
    When a connection is initiated from Client1 to Client2 over the ASA I can't see the decrypted packets in the packet capture.
    Is there any way to make them visible?
    Thanks
    Michael

    I think this was actually related to the fact that the bad PIX had a restricted license and couldn't comply with the 3DES transform set.
    I ended up bypassing by creating a site-to-site tunnel with a single DES transform set and it worked fine. I might go back later and see if I can set multiple transform sets to the dynamic map or if I can have multiple dynamic maps for legacy devices.

  • ASA ESP Packet discard messages

    Dear All,
    We have an L2L tunnel between an ASA 8.2.5 and a Cisco router. Recently we see the tunnel going down and the ASA shows messages about ESP packet discard. Below is the message.
    %ASA-7-710006: ESP request discarded from x.x.x.x to outside_int:x.x.x
    At the same time, from the router the tunnel shows up but on the ASA it does not. We see CSCso50226, which matches our issue exactly.
    As a workaround we were resetting tunnel from router. It comes up and runs for a week.
    Please someone look into this and help.
    Regards,
    Ravi

    Hi Ravi,
    8.4 is great, don't let the NAT change scare you off too much, and 8.2 was really buggy.
    I guess this raises further questions: if your tunnel goes down once a week is it the same length of time? And does this relate to the timings set on either end in the configuration?
    When the tunnel goes down is it at a quiet time? And have you tried using a test ping/rtr/sla to keep the tunnel up?
    The site below identifies the syslog messages and yours makes me think something's not right. Do you have the sysoptions enabled or are you using ACL's to limit who can connect to the appliance as a VPN peer? If you have ACL's have you included IP 50?
    http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html
    710006
    Error Message    %ASA-7-710006: protocol request discarded from source_address to
    interface_name:dest_address
    Explanation This message appears when the adaptive security appliance does not have an IP server that services the IP protocol request; for example, the adaptive security appliance receives IP packets that are not TCP or UDP, and the adaptive security appliance cannot service the request.
    Recommended Action In networks that use broadcasting services such as DHCP, RIP or NetBIOS extensively, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
    Best Regards
    Ju
    http://helpamunky.wordpress.com/

  • Windows Firewall inbound icmp packets drop

    Hi, we have enabled ICMPv4 traffic with a local firewall inbound rule in a GPO and we are still having ping drops.  Is there another value somewhere that we could disable in our setup?  It seems like a protection coming from Windows Server 2008 and for no specific reason it blocks the traffic.
    The ping comes from a Linux-based load balancer machine.  We have created another test rule that opens all ports and all protocols coming from that IP address and we get the same behaviour. 
    We know if we restart the server it will let the ping go through again with no problem but for a relatively short period of time.
    Carl R.
    Thanks

    Hi Carl,
    >>we have enabled icmpv4 traffic with a local firewall inbound rule in a gpo and we still having ping drops.
    Before going further, we can run the command gpresult /h gpreport.html with admin privileges to collect the group policy result and check whether the policy setting was applied successfully.
    Regarding how to allow inbound Internet Control Message Protocol (ICMP) network traffic, the following article can be referred for more information.
    Create an Inbound ICMP Rule on Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/cc972926(v=ws.10).aspx
    Besides, since this is related to networking, in order to get more and better help, we can also ask for suggestions in the following network forum.
    Network Access Protection
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
    Best regards,
    Frank Shen 

  • ASA 5520 packets Flood TCP/ASA

    I'm being flooded from random IP addresses on TCP/61137.
    What can I do with my ASA 5520 security appliance?

    You must use the shun command

  • ASA 8.4(2) doesn't respond to ICMP echo on ip address with port forwarding only

    Hello,
    In order to meet our requirements we had to configure PAT for TCP 80 on 2 external IP addresses to one internal IP in the DMZ. TCP port 80 is being translated for both external IP addresses and it works as expected. However, since we migrated to the ASA, neither external IP address responds to ICMP echo requests, generating the following error:
    %ASA-3-106014: Deny inbound icmp src outside:<Source IP> dst outside:<Destination IP> (type 8, code 0)
    Previously we have been using Cisco router to achieve the same objective and it worked well.
    I have noticed that when I add "same-security-traffic permit intra-interface" to a configuration the message mentioned above stops appearing in a logs.
    As far as I can tell ASA sends packet back through outside interface, despite the fact that appliance advertises its mac address in response to arp request for the same external IP address.
    Is there any way to make ASA realise that it should respond to ICMP echo requests on external IP addresses that have forwarding setup?
    I do realise that ICMP would work in 1-to-1 NAT scenario, but we can't apply 1-to-1 NAT for 2 external IP addresses to point to one internal IP address.
    Kind Regards,
    Paul Preston

    Hi Julio,
    Interesting. I have tried to map two external IP addresses to a single internal IP using 1-to-1 NAT, but when I tried to configure the second one I remember a message "mapping exists"...
    I think that it might be easier if I paste the relevant config:
    access-list From_Internet extended permit icmp any any
    access-list From_Internet extended permit tcp any gt 1023 host 172.17.0.103 eq www
    access-list From_Internet extended deny ip any any log warnings
    object network www-91-17.103
    host 172.17.0.103
    object network www-92-17.103
    host 172.17.0.103
    icmp permit any outside
    object network www-91-17.103
    nat (DMZ,outside) static x.x.x.91 service tcp www www
    object network www-92-17.103
    nat (DMZ,outside) static x.x.x.92 service tcp www www
    With a config above NAT works for both IP addresses, but unfortunately neither IP address respond to icmp echo requests.
    Kind Regards,
    Paul Preston

  • Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts

    I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
    Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
    I suspect it may be an issue with my firewall, but I am not really sure where to begin.
    Here is a copy of my config, any pointers or tips are appreciated:
    hostname mcfw
    enable password Pt8fQ27yMZplioYq encrypted
    passwd 2qaO2Gd6IBRkrRFm encrypted
    names
    interface Ethernet0/0
    switchport access vlan 400
    interface Ethernet0/1
    switchport access vlan 400
    interface Ethernet0/2
    switchport access vlan 420
    interface Ethernet0/3
    switchport access vlan 420
    interface Ethernet0/4
    switchport access vlan 450
    interface Ethernet0/5
    switchport access vlan 450
    interface Ethernet0/6
    switchport access vlan 500
    interface Ethernet0/7
    switchport access vlan 500
    interface Vlan400
    nameif outside
    security-level 0
    ip address 58.13.254.10 255.255.255.248
    interface Vlan420
    nameif public
    security-level 20
    ip address 192.168.20.1 255.255.255.0
    interface Vlan450
    nameif dmz
    security-level 50
    ip address 192.168.10.1 255.255.255.0
    interface Vlan500
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    ftp mode passive
    clock timezone JST 9
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
    network-object host 58.13.254.11
    network-object host 58.13.254.13
    object-group service ssh_2220 tcp
    port-object eq 2220
    object-group service ssh_2251 tcp
    port-object eq 2251
    object-group service ssh_2229 tcp
    port-object eq 2229
    object-group service ssh_2210 tcp
    port-object eq 2210
    object-group service DM_INLINE_TCP_1 tcp
    group-object ssh_2210
    group-object ssh_2220
    object-group service zabbix tcp
    port-object range 10050 10051
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    group-object zabbix
    port-object eq 9000
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service http_8029 tcp
    port-object eq 8029
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.20.10
    network-object host 192.168.20.30
    network-object host 192.168.20.60
    object-group service imaps_993 tcp
    description Secure IMAP
    port-object eq 993
    object-group service public_wifi_group
    description Service allowed on the Public Wifi Group. Allows Web and Email.
    service-object tcp-udp eq domain
    service-object tcp-udp eq www
    service-object tcp eq https
    service-object tcp-udp eq 993
    service-object tcp eq imap4
    service-object tcp eq 587
    service-object tcp eq pop3
    service-object tcp eq smtp
    access-list outside_access_in remark http traffic from outside
    access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
    access-list outside_access_in remark ssh from outside to web1
    access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
    access-list outside_access_in remark ssh from outside to penguin
    access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
    access-list outside_access_in remark http from outside to penguin
    access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
    access-list outside_access_in remark ssh from outside to hub & studio
    access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
    access-list outside_access_in remark dns service to hub
    access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
    access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
    access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
    access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
    access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
    access-list public_access_in remark General web access. (HTTP, DNS & ICMP and  Email)
    access-list public_access_in extended permit object-group public_wifi_group any any
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
    pager lines 24
    logging enable
    logging timestamp
    logging buffered notifications
    logging trap notifications
    logging asdm debugging
    logging from-address [email protected]
    logging recipient-address [email protected] level warnings
    logging host dmz 192.168.10.90 format emblem
    logging permit-hostdown
    mtu outside 1500
    mtu public 1500
    mtu dmz 1500
    mtu inside 1500
    ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
    ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 60
    global (outside) 1 interface
    global (dmz) 2 interface
    nat (public) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
    static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
    static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
    static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
    static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
    static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
    static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group public_access_in in interface public
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 59.159.40.188 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp dmz
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map public_map interface public
    crypto isakmp enable outside
    crypto isakmp enable public
    crypto isakmp enable inside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 59.159.40.188 255.255.255.255 outside
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd dns 61.122.112.97 61.122.112.1
    dhcpd auto_config outside
    dhcpd address 192.168.20.200-192.168.20.254 public
    dhcpd enable public
    dhcpd address 192.168.10.190-192.168.10.195 dmz
    dhcpd enable dmz
    dhcpd address 192.168.0.200-192.168.0.254 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics host number-of-rate 2
    no threat-detection statistics tcp-intercept
    ntp server 130.54.208.201 source public
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 61.122.112.97 61.122.112.1
    vpn-tunnel-protocol l2tp-ipsec
    group-policy CiscoASA internal
    group-policy CiscoASA attributes
    dns-server value 61.122.112.97 61.122.112.1
    vpn-tunnel-protocol IPSec
    username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN_Pool
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group ocmc type remote-access
    tunnel-group ocmc general-attributes
    address-pool OfficePool
    tunnel-group ocmc ipsec-attributes
    pre-shared-key *****
    tunnel-group CiscoASA type remote-access
    tunnel-group CiscoASA general-attributes
    address-pool VPN_Pool
    default-group-policy CiscoASA
    tunnel-group CiscoASA ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    smtp-server 192.168.10.10
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
    : end
    asdm location 192.168.10.10 255.255.255.255 inside
    asdm location 192.168.0.29 255.255.255.255 inside
    asdm location 58.13.254.10 255.255.255.255 inside
    no asdm history enable

    Hi Conor,
    What is your local net? I see only one default route for the outside network. Don't you need a route inside for your local network?
    Regards,
    Umair

  • How to allow a subnet for a number of hosts to surf internet and ping from inside and outside in ASA in GNS3?

    After I tried to set up the access list, it returns drop in packet tracer and cannot ping the outside router either.
    Is there a configuration example showing how to allow a class C subnet to surf the internet on a Cisco ASA?
    Assume everything works in GNS3, except the initial network setup.
                                                inside                                                                 outside
    router A 192.168.1.2 <--->switch <---> 192.168.1.1 ASA 192.168.1.4 <---> switch <---> router B 192.168.1.3
    ASA version: 8.42 
    When I try the following commands,
    ASA
    conf t
    interface GigabitEthernet 0
    description INSIDE
    nameif inside
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    no shut
    end
    conf t
    interface GigabitEthernet 1
    description OUTSIDE
    no shutdown
    nameif outside
    security-level 100
    ip address 192.168.1.4 255.255.255.0
    no shut
    end
    conf t
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface
    end
    conf t
    access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
    access-group USERSLIST in interface inside
    end
    Router A
    conf t
    int fastEthernet 0/0
    ip address 192.168.1.2 255.255.255.0
    no shut
    end
    Router B
    conf t
    int fastEthernet 0/0
    ip address 192.168.1.3 255.255.255.0
    no shut
    end
    ASA-1# packet-tracer input inside tcp 192.168.1.1 1 192.168.1.4 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.0     255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop

    With the current config I cannot ping: one packet-tracer run allows everything, another packet-tracer run drops.
    I cannot ping between Router A and Router B.
    ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.3.0     255.255.255.0   outside
    Phase: 2
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    object network DYNAMIC-PAT
     nat (inside,outside) dynamic interface
    Additional Information:
    Dynamic translate 192.168.1.2/1 to 192.168.3.4/311
    Phase: 4
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 14, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.0     255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: 
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    ASA-1# 
    ASA-1# sh run |
    : Saved
    ASA Version 8.4(2) 
    hostname ASA-1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
     description INSIDE
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    interface GigabitEthernet1
     description OUTSIDE
     nameif outside
     security-level 0
     ip address 192.168.3.4 255.255.255.0 
    interface GigabitEthernet2
     shutdown
     no nameif
     no security-level
     no ip address
    ftp mode passive
    object network DYNAMIC-PAT
     subnet 192.168.1.0 255.255.255.0
    access-list 101 extended permit icmp any any echo-reply 
    access-list 101 extended permit icmp any any source-quench 
    access-list 101 extended permit icmp any any unreachable 
    access-list 101 extended permit icmp any any time-exceeded 
    access-list ACL-OUTSIDE extended permit icmp any any 
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network DYNAMIC-PAT
     nat (inside,outside) dynamic interface
    access-group ACL-OUTSIDE in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:8ee9b8e8ccf0bf1873cd5aa1efea2b64
    : end
    ASA-1# 
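    A small parser for packet-tracer output like the three runs above, added here as an example (not code from the poster or from Cisco): it skips the pager prompts left in the paste and reports the first phase that dropped the packet together with the Drop-reason line. The embedded sample trace is constructed from the outside-to-inside run in the post.

```python
"""Parse Cisco ASA packet-tracer output and report the phase that dropped the packet.

Added example for the thread above, not code from the poster or from Cisco. The
sample trace is constructed from the outside-to-inside run, pager prompts included.
"""
from dataclasses import dataclass, field
from typing import List, Optional

PAGER_PROMPT = "<--- More --->"


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # rule or object that matched
    info: List[str] = field(default_factory=list)    # "Additional Information" lines


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    summary: dict = field(default_factory=dict)      # Action, Drop-reason, interfaces


def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()


def parse_packet_tracer(text: str) -> Trace:
    """Build a Trace from raw CLI text; blank lines and pager prompts are skipped."""
    trace, current, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == PAGER_PROMPT:
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(_value(line)))
            trace.phases.append(current)
            section = None
        elif line.startswith("Result:") and not _value(line):
            current, section = None, None        # bare "Result:" opens the final summary
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif current is None:
            if ":" in line:                      # Action, Drop-reason, input-interface, ...
                key, value = line.split(":", 1)
                trace.summary[key.strip()] = value.strip()
        elif line.startswith(("Type:", "Result:")):
            setattr(current, line.split(":", 1)[0].lower(), _value(line))
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return trace


def first_drop(trace: Trace) -> Optional[Phase]:
    """The first phase whose result is DROP, or None if every phase allowed the packet."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def summarize(trace: Trace) -> str:
    """One-line verdict: which interfaces, which phase killed the packet, which rule."""
    s = trace.summary
    path = f"{s.get('input-interface')} -> {s.get('output-interface')}"
    drop = first_drop(trace)
    if drop is None:
        return f"ALLOW {path} after {len(trace.phases)} phases"
    rule = "; ".join(drop.config) or "(no config shown)"
    reason = s.get("Drop-reason", "(no drop-reason line)")
    return f"DROP {path} at phase {drop.number} {drop.type}: {rule}; {reason}"


# Constructed sample: the outside -> inside run from the post, pager prompts included.
SAMPLE_DROP = """\
ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
<--- More --->
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE_DROP)))
```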

  • ASA 5510 traffic from inside to outside

    Hello,
    I'm working on a basic configuration of a 5510 ASA.
    inside network of 192.168.23.0 /24
    outside network 141.0.x.0 /24
    config is as follows:
    interface Ethernet0/0
     nameif OUTSIDE
     security-level 0
     ip address 141.0.x.0 255.255.255.0
    interface Ethernet0/1
     nameif INSIDE
     security-level 50
     ip address 192.168.23.1 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list OUTSIDE_access_in extended permit icmp any any
    access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
    access-list INSIDE_access_in extended permit icmp any any
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 192.168.23.0 255.255.255.0
    access-group OUTSIDE_access_in in interface OUTSIDE
    access-group INSIDE_access_in in interface INSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
    In the lab, when I plug a laptop into the outside interface with address 141.0.x.57, I can ping it from a laptop on the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall to the outside interface with the same address that I used for the testing laptop, I cannot seem to be able to access the outside world.
    I can ping from the ASA's outside interface (x.58) to the ISP's x.57, but I cannot ping from the inside 192.168.23.x to it or access anything.
    So traffic between the inside and outside interfaces is not going through in the live setup. However, in the lab it works fine.
    Any ideas please?

    Version of FW:
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.3(1)
    Output of Packet-Trace Command is:
    SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 1xpacket-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   141.0.x.0      255.255.255.0   OUTSIDE
    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group INSIDE_access_in in interface INSIDE
    access-list INSIDE_access_in extended permit icmp any any
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (INSIDE) 0 192.168.23.0 255.255.255.0
      match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
        identity NAT translation, pool 0
        translate_hits = 104, untranslate_hits = 0
    Additional Information:
    Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (INSIDE) 0 192.168.23.0 255.255.255.0
      match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
        identity NAT translation, pool 0
        translate_hits = 107, untranslate_hits = 0
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 141, packet dispatched to next module
    Result:
    input-interface: INSIDE
    input-status: up
    input-line-status: up
    output-interface: OUTSIDE
    output-status: up
    output-line-status: up
    Action: allow

  • ASA 5505 initial build - Failed to locate egress interface (Please help :-) )

    Hi, I have just purchased an ASA 5505 and have completed the initial setup via the wizard. I am currently unable to access services on the outside of the ASA.
    The error 'Failed to locate egress interface for UDP from inside'... appears whenever my DNS server attempts a lookup.
    I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / routing config.
    If I run the packet tracer I get the error "(no-route) no route to host"; however I do have a default route configured, so I suspect it may be my NAT configuration.
    Overview: 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet. I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASA's 192.168.1.0/24 network address but still allow clients to gain internet access.
    Full config follows, screen shots attached, any help would be very gratefully received. 
    Result of the command: "sh run"
    : Saved
    ASA Version 9.0(1)
    hostname firewall
    enable password (REMOVED) encrypted
    passwd (REMOVED) encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.254 255.255.255.0
    interface Vlan5
     no nameif
     security-level 50
     ip address dhcp
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Server1
     host 192.168.10.10
    object network GoogleDNS1
     host 8.8.8.8
     description Google DNS Server
    object network GoogleDNS2
     host 8.8.4.4
     description Google DNS Server
    object network 192.168.10.x
     subnet 192.168.10.0 255.255.255.0
    object network InternetRouter
     host 192.168.1.1
    object-group network DM_INLINE_NETWORK_1
     network-object object GoogleDNS1
     network-object object GoogleDNS2
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list inside_access_in remark External DNS Lookups
    access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
    access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:(REMOVED)
    : end

    Just to be sure, can you post the output from show int ip brief and show route? And try to remove your ACL for testing purposes, or at least don't apply it anywhere yet.
    Once done, try another packet-tracer to 8.8.8.8 using an ICMP packet instead of UDP and paste the whole output here. Before doing this, add the icmp any any outside command on the ASA.
    I know this should have anything to do with your issue, because if the ACL is the issue then you will see the output being denied by the ACL in the packet tracer output. Let us know the results.
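    A lint pass over the interface and route lines of an ASA configuration paste, added here as an example for both the GNS3 thread (two named interfaces on the same 192.168.1.0/24, and inside at security-level 0 below outside at 100) and the 5505 thread above (a route written as 0.0.0.0 255.255.255.255, which is a host route rather than a default route). It is not code from the posters or from Cisco; the two embedded configs are constructed from the lines those posts contain.

```python
"""Lint the interface and route lines of an ASA configuration paste.

Added example for the GNS3 thread and the 5505 "no route to host" thread; not
code from either poster or from Cisco. Samples are constructed from those posts.
"""
import ipaddress
import itertools
import re

IPADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse_asa_config(text):
    """Collect interface blocks (nameif, security-level, ip address) and static routes."""
    interfaces, routes, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()                       # pastes often lose the indentation
        if line.startswith("interface "):
            current = {"name": line.split(None, 1)[1], "nameif": None,
                       "level": None, "network": None}
            interfaces.append(current)
            continue
        ip_m, route_m = IPADDR_RE.match(line), ROUTE_RE.match(line)
        if route_m:
            routes.append({"iface": route_m.group(1), "dest": route_m.group(2),
                           "mask": route_m.group(3), "gateway": route_m.group(4)})
        elif current is None:
            continue
        elif line.startswith("nameif "):         # "no nameif" does not match
            current["nameif"] = line.split(None, 1)[1]
        elif line.startswith("security-level "):
            current["level"] = int(line.split(None, 1)[1])
        elif ip_m:                               # "ip address dhcp" stays None
            current["network"] = ipaddress.ip_interface(f"{ip_m.group(1)}/{ip_m.group(2)}")
    return interfaces, routes


def lint(text):
    """Return findings for the misconfigurations seen in these two threads."""
    interfaces, routes = parse_asa_config(text)
    named = [i for i in interfaces if i["nameif"] and i["network"] is not None]
    findings = []
    # Two named interfaces on one subnet: the ASA cannot choose an egress interface.
    for a, b in itertools.combinations(named, 2):
        if a["network"].network.overlaps(b["network"].network):
            findings.append(f"overlap: {a['nameif']} {a['network']} and "
                            f"{b['nameif']} {b['network']} share a subnet")
    # Traffic flows from higher to lower security-level by default, so inside
    # at 0 and outside at 100 blocks inside-to-outside flows.
    levels = {i["nameif"]: i["level"] for i in interfaces
              if i["nameif"] and i["level"] is not None}
    if "inside" in levels and "outside" in levels and levels["inside"] <= levels["outside"]:
        findings.append(f"security-level: inside={levels['inside']} is not higher "
                        f"than outside={levels['outside']}")
    # A default route is "0.0.0.0 0.0.0.0"; "0.0.0.0 255.255.255.255" is a host
    # route to the address 0.0.0.0, so every other destination has no route.
    by_nameif = {i["nameif"]: i for i in named}
    for r in routes:
        if r["dest"] == "0.0.0.0" and r["mask"] != "0.0.0.0":
            findings.append(f"route: 0.0.0.0 {r['mask']} via {r['iface']} is a host "
                            f"route, not a default route")
        egress = by_nameif.get(r["iface"])
        if egress and ipaddress.ip_address(r["gateway"]) not in egress["network"].network:
            findings.append(f"route: gateway {r['gateway']} is not on the "
                            f"{r['iface']} subnet {egress['network'].network}")
    return findings


# Constructed from the interface commands as first typed in the GNS3 post.
GNS3_SAMPLE = """\
interface GigabitEthernet 0
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet 1
nameif outside
security-level 100
ip address 192.168.1.4 255.255.255.0
"""

# Constructed from the running config in the 5505 post.
ASA5505_SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
interface Vlan5
 no nameif
 security-level 50
 ip address dhcp
route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
"""
```

Running lint over each sample returns the findings as a list of strings, one per problem, and an empty list once the route mask is corrected to 0.0.0.0.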

  • ASA 5525X - Multiple Outside Interface

    Hello,
    Question:
    I have a pair of ASA 5525X for VPN traffic; the interfaces are:
    - Inside
    - DMZ
    - Outside - ISP1 - IP 1.1.1.1
    Can I have two "outside" interfaces, i.e. multiple ISPs for VPN traffic (site to site)?
    - Inside
    - DMZ
    - Outside - ISP1 - IP 1.1.1.1
    - Outside2 - ISP2 - IP 2.2.2.2
    I need this because I have problems with only one ISP, so I need to install one more and, on the remote peer, add a second peer IP (for ISP2), so that if the remote peer cannot establish the connection over ISP1 it goes to ISP2. Is it possible?
    Tks.
    Rafael

    Yes Rafael, it is possible.
    You need to configure SLA monitoring on the ASA for the ISP failover.
    And for the VPN, add the second ISP IP as a backup peer on the remote device.
    On your ASA where you have dual ISPs, the same crypto map will be applied on both interfaces.
    If you need any assistance regarding the configuration, let me know.
    The configuration should look something like this:
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 10.200.159.2 255.255.255.248
    interface Ethernet2
    nameif inside
    security-level 100
    ip address 172.22.1.163 255.255.255.0
    interface Ethernet1
    nameif backup
    security-level 0
    ip address 10.250.250.2 255.255.255.248
    access-list outside_crypto_1 permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)
    access-list nonat permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    crypto map outside_map 20 match address outside_crypto_1
    crypto map outside_map 20 set peer x.x.x.x (Public ip of the remote site)
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto map outside_map interface backup
    crypto isakmp enable backup
    crypto isakmp enable outside
    global (outside) 1 interface
    global (backup) 1 interface
    nat (inside) 1 172.22.1.0 255.255.255.0
    nat (inside) 0 access-list nonat
    tunnel-group x.x.x.x (public ip of the remote site) type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key cisco123
    route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
    route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
    sla monitor 123
    type echo protocol ipIcmpEcho 10.0.0.1 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability
    Important Information:
    ===============================================
    ** With the use of track, the ASA will keep monitoring the MPLS interface (outside in this example) with the help of ICMP packets. The moment it stops getting replies it will flush the primary route and start pointing the routes toward the backup interface.
    ** The crypto map will be applied on the backup interface, and the remote site should use the public IP of the backup interface as the VPN peer.
    ** As soon as the ASA starts getting replies from the outside interface again, it will point the routes back toward the MPLS interface.
    ** I hope this answers your query.
    Thanks
    Jeet
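    The checks below are an added example for this thread, not Jeet's or Cisco's code. The script embeds the posted dual-ISP configuration as constructed sample input (the documentation address 203.0.113.10 stands in for the remote peer's x.x.x.x) and audits the points the answer above relies on: the crypto map and ISAKMP bound to every interface that carries a default route, and the primary default route tied to an SLA probe that goes out that same interface. It also flags what a reviewer would not let through as posted: 3DES, MD5, DH group 2 and the pre-shared key cisco123. The HARDENED_CRYPTO fragment is an assumed replacement (AES-256, SHA, DH group 14 and a long random PSK); whether a given ASA release accepts group 14 for IKEv1 must be checked against that release.

```python
"""Offline review of the dual-ISP ASA VPN config posted above (added example,
not Jeet's or Cisco's code). The pre-8.3 config is embedded as constructed
sample input, with documentation address 203.0.113.10 standing in for the
remote peer. Checks: tunnel bound to every default-route interface, primary
route tied to an SLA probe on that interface, and no DES/3DES, MD5, DH group
1/2/5 or guessable pre-shared key. Nothing here talks to a device."""
import ipaddress

SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable backup
crypto isakmp enable outside
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key cisco123
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
track 1 rtr 123 reachability
"""

# Assumed replacement crypto lines (check your ASA release accepts AES-256, SHA
# and DH group 14 for IKEv1); appended after SAMPLE_CONFIG they override it.
HARDENED_CRYPTO = """\
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 set transform-set ESP-AES256-SHA
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 14
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key Xk9vQ2mLp7sR4tWz8bN3cJ6hY1fD5gA0
"""

WEAK_ALG = {"des", "3des", "esp-des", "esp-3des", "md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5"}
COMMON_PSKS = {"cisco", "cisco123", "password", "admin", "secret"}


def parse_config(text):
    # Only the statements the audit needs; later statements override earlier ones.
    c = {"map_if": {}, "map_ts": {}, "ts": {}, "isakmp_if": set(), "policy": {},
         "psk": {}, "routes": [], "sla": {}, "track": {}}
    sla = tg = None
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 2:
            continue
        if t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            c["map_if"].setdefault(t[2], set()).add(t[4])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "transform-set"]:
            c["map_ts"][(t[2], t[3])] = t[6]
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 3:
            c["ts"][t[3]] = t[4:]
        elif t[:3] == ["crypto", "isakmp", "enable"] and len(t) > 3:
            c["isakmp_if"].add(t[3])
        elif t[:2] == ["isakmp", "policy"] and len(t) > 4:
            c["policy"].setdefault(t[2], {})[t[3]] = t[4]
        elif t[0] == "tunnel-group":
            tg = t[1]
        elif t[0] == "pre-shared-key" and tg:
            c["psk"][tg] = t[1]
        elif t[0] == "route" and len(t) > 5:  # (iface, dest, mask, gw, metric, track)
            c["routes"].append((t[1], t[2], t[3], t[4], int(t[5]),
                                t[7] if len(t) > 7 and t[6] == "track" else None))
        elif t[:2] == ["sla", "monitor"] and len(t) > 2 and t[2].isdigit():
            sla = t[2]
        elif t[:2] == ["type", "echo"] and sla and len(t) > 6:
            c["sla"][sla] = {"target": t[4], "iface": t[6]}
        elif t[0] == "track" and len(t) > 3 and t[2] == "rtr":
            c["track"][t[1]] = t[3]
    return c


def audit(c):
    # Returns (category, message) pairs; an empty list means nothing to fix.
    out = []
    defaults = [r for r in c["routes"] if r[1] == r[2] == "0.0.0.0"]
    isp = {r[0] for r in defaults}
    for name, ifs in c["map_if"].items():
        out += [("failover", f"crypto map {name} not applied on {i}") for i in sorted(isp - ifs)]
    out += [("failover", f"isakmp not enabled on {i}") for i in sorted(isp - c["isakmp_if"])]
    if defaults:
        primary = min(defaults, key=lambda r: r[4])
        iface, track = primary[0], primary[5]
        probe = c["sla"].get(c["track"].get(track))
        if track is None:
            out.append(("failover", f"primary default route via {iface} is not tracked"))
        elif not probe or probe["iface"] != iface:
            out.append(("failover", f"track {track} has no sla probe sourced from {iface}"))
        elif ipaddress.ip_address(probe["target"]).is_private:
            out.append(("failover", f"sla target {probe['target']} is private; probe past the ISP next hop"))
    for (name, seq), ts in c["map_ts"].items():
        out += [("crypto", f"transform-set {ts} (map {name} {seq}) uses {tok}")
                for tok in c["ts"].get(ts, []) if tok in WEAK_ALG]
    for num, a in c["policy"].items():
        for key, weak in (("encryption", WEAK_ALG), ("hash", WEAK_ALG), ("group", WEAK_DH)):
            if a.get(key) in weak:
                out.append(("crypto", f"isakmp policy {num} {key} {a[key]}"))
    for tg, psk in c["psk"].items():
        if psk.lower() in COMMON_PSKS or len(psk) < 16:
            out.append(("crypto", f"tunnel-group {tg} pre-shared key is short or well known"))
    return out
```

    Run `audit(parse_config(open("running-config").read()))` against a saved `show running-config` to get the same report for a real box. The private-target finding fires on the posted lab addresses and is deliberate: probing only a directly connected next hop detects a dead link, not an upstream ISP outage, so in production the SLA target should be something beyond the ISP edge that is allowed to answer ICMP.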

  • ASA vpn nat question

    I have an ASA 5520 ver 8.4 with the following config:
    WAN
    207.211.25.34
    Production
    10.11.12.1 255.255.255.0
    Mgmt
    10.11.11.1 255.255.255.0
    I need to create a peer-to-peer VPN to a remote site ASP16 from both Prod and Mgmt.
    What would my NAT statement look like?
    Currently I have the following but can only ping from Mgmt, not Prod (ASP17 is a network object group that contains the Prod and Mgmt subnets):
    nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
    nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

    Hello Tejas,
    After reading your configuration I can see that the crypto maps are applied to the outside interface, and the access-list for the interesting traffic has both networks (Management and Production), so you should be able to access the other network from this site.
    Can you run the following packet-tracers to see the features the ICMP packet is hitting when the request is sent?
    I will need the output of the following commands:
    1- packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
    2- packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
    Please rate helpful posts,
    Julio!!
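    A small triage helper for the two packet-tracer runs requested above, added here as an example and not part of Julio's answer or any Cisco tool. It splits a packet-tracer transcript into its phases, returns the first phase whose Result is DROP together with the config lines that phase printed, and picks up the final Action and Drop-reason, so the Mgmt and Production traces can be compared on the phase where they diverge instead of by eye. The transcript below is constructed to resemble a Production trace that dies on an access-group; the access-list name and the deny line in it are invented for the sample, and real output will differ in the phases it prints.

```python
"""Parse ASA packet-tracer output and report where the packet was dropped.
Added example for this thread (not Julio's or Cisco's code). SAMPLE_TRACE is
constructed; the ACL name Production_access_in and its deny line are invented
for the sample."""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 207.211.25.33 using egress ifc  WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Production_access_in in interface Production
access-list Production_access_in extended deny ip any any
Additional Information:

Result:
input-interface: Production
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text):
    """Return one dict per 'Phase:' block: header fields plus its Config lines."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.startswith("Phase:"):
            continue  # the trailing 'Result:' summary is handled in summarize()
        fields, config, section = {}, [], None
        for line in block.splitlines():
            if line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif section is None and ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
            elif section == "config" and line.strip():
                config.append(line.strip())
        fields["config"] = config
        phases.append(fields)
    return phases


def summarize(text):
    """Final action, drop reason and the first dropping phase (None if allowed)."""
    action = re.search(r"^Action:\s*(\S+)", text, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+?)\s*$", text, re.M)
    drop = next((p for p in parse_phases(text) if p.get("Result") == "DROP"), None)
    return {
        "action": action.group(1) if action else None,
        "drop_reason": reason.group(1) if reason else None,
        "drop_phase": drop and {"phase": drop.get("Phase"), "type": drop.get("Type"),
                                "subtype": drop.get("Subtype"), "config": drop["config"]},
    }


def diverging_phase(trace_a, trace_b):
    """First phase index where the two traces differ in Type or Result, else None."""
    for i, (a, b) in enumerate(zip(parse_phases(trace_a), parse_phases(trace_b)), 1):
        if (a.get("Type"), a.get("Result")) != (b.get("Type"), b.get("Result")):
            return i
    return None
```

    Feed each saved packet-tracer transcript to `summarize()`; when the Mgmt run reports `action == "allow"` and the Production run reports a drop, `diverging_phase()` on the pair names the first phase (NAT, access-list, VPN encapsulation, ...) that treated the two sources differently, which is where to look in the config.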
