ASA IPSEC Source Interface
Hi...
Is there a way to configure an IPsec VPN with a source interface, like on a router? This is for a site-to-site VPN. I want to use a loopback interface.
When I configured one VPN, the only option is the IP from the interface where the traffic is going out.
Thanks.
Whatever interface you enable IPsec on is the source interface:
crypto map MyMap interface [interface name]
ASAs don't support loopbacks, so that is not possible.
Similar Messages
-
ASA 5505: Outside Interface Becomes Inaccessible
Greetings --
I've been having occurrences of my ASA's 'outside' interface becoming inaccessible from the internet side. AnyConnect users that are logged in get kicked out ... can't ping the IP address ... can't ssh into the ASA. Internally, I can ping the IP address and I can ssh into the ASA.
The 'lockout' typically occurs around 1PM, 7:30PM, and 10:30PM. To get the 'outside' interface working again, I have to log into a host machine on the LAN (via TeamViewer) and then ssh into the ASA and reboot.
Any ideas why the lockouts are occurring? Is it possible my ISP is shutting down the IP?
Below is the config of the ASA:
hostname psa-asa
enable password IqUJj3NwPkd63BO9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.1.0 Net-10
name 192.168.1.20 dbserver
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.43 255.255.255.0
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_nat0_outbound extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list outside_1_cryptomap extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list outside_access_in extended permit ip host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 162.134.70.20
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate fecf8751
308202da 308201c2 a0030201 020204fe cf875130 0d06092a 864886f7 0d010105
0500302f 31153013 06035504 03130c70 61732d61 73612e6e 756c6c31 16301406
092a8648 86f70d01 09021607 7061732d 61736130 1e170d31 33303530 36323134
3131365a 170d3233 30353034 32313431 31365a30 2f311530 13060355 0403130c
7061732d 6173612e 6e756c6c 31163014 06092a86 4886f70d 01090216 07706173
2d617361 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
02820101 00dc6f5c 584be603 1219ad4a 43085a97 b8fd7e33 c887933d 1b46dbca
deada1da 7689ab5e 9b6fa20b d6f7e5e3 049285e7 65778c15 a9447e1e 8ba749cb
61e0e985 9a90c09f b4c28af0 c6b5263c d2c13107 cce6c207 62f17cbe 99d9d5c2
86870084 25c035e4 ea9ab8ae 8b664464 40305c4d e40dd774 506f6c0a 6f4ca4d1
0c81d2dd bcdc8393 3f4fbcba 1b477d45 502063b8 af862bdf 50499615 7b9dac1b
67252db8 1473feec c39d9c32 9d9f3564 74fdf1bd 71ca9310 e5ad6cba 999ae711
c381347c a6508759 eb405cc0 a4adbe94 fb8204a2 382fad46 bc0fc43d 35df1b83
6379a040 90469661 63868410 e16bf23b 05b724a3 edbd13e1 caa49238 ee6d1024
a32a1003 af020301 0001300d 06092a86 4886f70d 01010505 00038201 010084b1
62698729 c96aeec0 4e65cace 395b9053 62909905 e6f2e325 df31fbeb 8d767c74
434c5fde 6b76779f 278270e0 10905abc a8f1e78e f2ad2cd9 6980f0be 56acfe53
f1d715b9 89da338b f5ac9726 34520055 2de50629 55d1fcc5 f59c1271 ad14cd7e
14adc454 f9072744 bf66ffb5 20c04069 375b858c 723999f8 5cc2ae38 4bb4013a
2bdf51b3 1a36b7e6 2ffa3bb7 025527e1 e12cb2b2 f4fc624a 143ff416 d31135ff
6c57d226 7d5330c4 c2fa6d3f a1472abc a6bd4d4c be7380b8 6214caa5 78d53ef0
f08b2946 be8e04d7 9d15ef96 2e511fc5 33987858 804c402b 46a7b473 429a1936
681a0caa b189d4f8 6cfe6332 8fc428df f07a21f8 acdb8594 0f57ffd4 376d
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PSA-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
username user1 password ks88YmM0AaUUmhfU encrypted privilege 0
username user1 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user2 password 1w1.F5oqiDOWdcll encrypted privilege 0
username user2 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user3 password lQ8frBN8p.5fQvth encrypted privilege 15
username user4 password w4USQXpU8Wj/RFt8 encrypted privilege 15
username user4 attributes
vpn-group-policy SSLClientPolicy
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
service-type admin
username user5 password PElMTjYTU7c1sXWr encrypted privilege 0
username user5 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user6 password /zt/9z7XUifQbEsA encrypted privilege 0
username user6 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user7 password aEGh.k89043.2NUa encrypted privilege 0
username user7 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PSA-SSL-VPN type remote-access
tunnel-group PSA-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PSA-SSL-VPN webvpn-attributes
group-alias PSA_VPN enable
group-url https://xxx.xxx.xxx.43/PSA_VPN enable
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2298b0ae64f8ff7a5e25d97fe3f02841
Hi,
I guess if you want to temporarily set up software to receive the logs on some computer, you could even use Tftpd (you will find it easily through a Google search). The same software can be used for multiple different purposes.
I sometimes use it personally when testing different stuff on my home ASA.
It naturally isn't a real option if you actually set up a separate Syslog server.
You wouldn't really need to add much to your logging configuration:
logging device-id hostname
logging trap informational
logging host <interface> <server-ip>
Where <interface> is the name of the interface behind which the server is, and <server-ip> is naturally the IP address of the server.
Though the above would generate a lot of logging.
I am not even 100% sure it would log anything when you are facing the problem.
Best would be to also troubleshoot while the problem is there.
Can you confirm that you use the Internet connection through the ASA when you are accessing the internal host behind the ASA? I assume that the host connects from the LAN to the Internet which enables you to have a remote connection to the host?
If this is so, it makes it a weird problem, as the ASA and your ISP can clearly pass traffic to and from your network, since that remote connection is working even if there are other problems.
- Jouni -
I have a Cisco ASA 5512 working as a firewall.
We configured one ASA interface connecting to a Cisco 1700 router with a leased line internet service without any problem.
Now we have an extra internet connection, ADSL 2MB, connected to another ASA interface.
I configured the ASA like this:
1- Enable interface 2 on the ASA and connect it to the ADSL router (interface IP 192.168.1.100, from the same range as the ADSL router {192.168.1.1})
2- Create an access rule: source (my computer IP), destination ADSL network range, action accept
3- Create a NAT rule: source interface inside, source IP (my IP), destination interface ADSL IP 192.168.1.100, destination source router IP 192.168.1.1
4- Add a static route: ADSL interface, source IP my IP, gateway ADSL router
These are the steps I did, but it doesn't work.
Thanks in advance
FYI, for internet access I doubt this will work, because if you configure two default routes the ASA won't distribute traffic across two interfaces; the first default route will be the one where the ASA sends traffic. However, from your description it is not very clear which IP address you are trying to ping and how exactly the rules you have configured look.
Either attach your config or paste the relevant config in the post. -
Setting the source-interface in a tcl script for email.
So once again I am trying to figure this out and failing miserably. The only thing I can think of at the moment is that I need to tell it to source from a specific VRF interface. I've tried looking through possible environment variables, hoping I could set it that way, but have yet to find one. I have read various settings for source-interface and attempted them, but fail every time with:
vpn_failure.tcl: smtp_send_email: error connecting to mail server:
EEM Version:
sho event manager version
Embedded Event Manager Version 4.00
Component Versions:
eem: (rel4)1.0.4
eem-gold: (rel1)1.0.2
eem-call-home: (rel2)1.0.0
Below is the stock format for sending the email from the script. If someone could guide me in the correct way to set this up to source the interface that would be awesome.
# create mail form
action_syslog msg "Creating mail header for vpn_failure.tcl script..."
set body [format "Mailservername: %s" "$_email_server"]
set body [format "%s\nFrom: %s" "$body" "$_email_from"]
set body [format "%s\nTo: %s" "$body" "$_email_to"]
set _email_cc ""
set body [format "%s\nCc: %s" "$body" ""]
set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
set body [format "%s\n%s" "$body" "Report Summary:"]
set body [format "%s\n%s" "$body" " - syslog message"]
set body [format "%s\n%s" "$body" " - summary of interface(s) in an up/down state"]
set body [format "%s\n%s" "$body" " - show ip route $remote_peer"]
set body [format "%s\n%s" "$body" " - show crypto isakmp sa"]
set body [format "%s\n%s" "$body" " - show crypto session detail"]
set body [format "%s\n%s" "$body" " - show crypto engine connection active"]
set body [format "%s\n%s" "$body" " - show ip nhrp detail (DMVPN only)"]
set body [format "%s\n%s" "$body" " - show log"]
set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
set body [format "%s\n%s" "$body" "$syslog_msg"]
set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_route"]
set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
set body [format "%s\n\n%s" "$body" "$show_log"]
if [catch {smtp_send_email $body} result] {
action_syslog msg "smtp_send_email: $result"
}
I got this far, saw the MAXRUN error, bumped that out and then turned on debugging. I am still not connecting to the mail server. So I don't think I am reaching the mail server yet. I don't think it is using the source interface. In debugging, everything in the script works except for the mail portion.
Jul 29 16:01:00.334: %HA_EM-6-LOG: vpn_failure.tcl: Creating mail header for vpn_failure.tcl script...
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: while executing
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "action_syslog msg "smtp_send_email: $result""
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: invoked from within
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "$slave eval $Contents"
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: (procedure "eval_script" line 7)
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: invoked from within
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "eval_script slave $scriptname"
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: invoked from within
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "if {$security_level == 1} { #untrusted script
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: interp create -safe slave
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: interp share {} stdin slave
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: interp share {} stdout slave
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: ..."
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: (file "tmpsys:/lib/tcl/base.tcl" line 50)
Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Tcl policy execute failed:
Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
Debugging On:
Jul 29 16:28:51.471: [fh_smtp_debug_cmd]
Jul 29 16:28:51.472: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 2
Jul 29 16:29:24.473: [fh_smtp_debug_cmd]
Jul 29 16:29:24.473: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 3
Jul 29 16:29:57.475: [fh_smtp_debug_cmd]
Jul 29 16:29:57.475: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 4
Jul 29 16:30:30.478: [fh_smtp_debug_cmd]
Jul 29 16:30:30.479: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 5
Jul 29 16:31:00.482: %HA_EM-6-LOG: vpn_failure.tcl: smtp_send_email: error connecting to mail server:
cannot connect to all the candidate mail servers
Jul 29 16:31:00.483: %HA_EM-6-LOG: vpn_failure.tcl: vpn_failure.tcl script completed
event manager environment _email_server 10.79.1.126
event manager environment _email_from [email protected]
event manager environment _email_to [email protected]
interface Port-channel1.101
description MGMT-1
encapsulation dot1Q 101
vrf forwarding MGMT-1
ip address 10.79.1.252 255.255.255.0
ip nat inside
ip virtual-reassembly
redundancy rii 101
redundancy group 2 ip 10.79.1.254 exclusive decrement 10
end
#----------------------- send mail ----------------------
# create mail form
action_syslog msg "Creating mail header for vpn_failure.tcl script..."
set body [format "Mailservername: %s" "$_email_server"]
set body [format "%s\nFrom: %s" "$body" "$_email_from"]
set body [format "%s\nTo: %s" "$body" "$_email_to"]
set _email_cc ""
set body [format "%s\nCc: %s" "$body" "[email protected]"]
set body [format "%s\nSourceintf: %s" "$body" "port-channel1.101"]
set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
set body [format "%s\n%s" "$body" "Report Summary:"]
set body [format "%s\n%s" "$body" " - syslog message"]
set body [format "%s\n%s" "$body" " - summary of interface(s) in an up/down state"]
set body [format "%s\n%s" "$body" " - show ip route $remote_peer"]
set body [format "%s\n%s" "$body" " - show crypto isakmp sa"]
set body [format "%s\n%s" "$body" " - show crypto session detail"]
set body [format "%s\n%s" "$body" " - show crypto engine connection active"]
set body [format "%s\n%s" "$body" " - show ip nhrp detail (DMVPN only)"]
set body [format "%s\n%s" "$body" " - show log"]
set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
set body [format "%s\n%s" "$body" "$syslog_msg"]
set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_route"]
set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
set body [format "%s\n\n%s" "$body" "$show_log"]
if [catch {smtp_send_email $body} result] {
action_syslog msg "smtp_send_email: $result"
}
action_syslog msg "vpn_failure.tcl script completed"
#------------------ end of send mail -------------------- -
Baseline template - look for specific loopback interface when specifying "ip tftp source-interface"
Hello all
I'm new to regex and I'm trying to make a baseline template, that will check our network devices for our required basic configuration.
What I'm trying to do is to make a template that will look for either a loopback0 or loopback1 interface.
If either one is found (the loopback interfaces will not be there at the same time) it must apply the following command:
ip tftp source-interface loopback0 (or loopback1)
Is it even possible to make an if-then statement using regex?
Thank you in advance.
Best regards
Jesper Ross Petersen
Message was edited by: Jesper Ross Petersen
Yes, this can be done.
#Go to the tcl shell of the device.
C1811#tclsh
C1811(tcl)#
#copy and paste this at the tcl prompt.
proc intf {} {
    # Pull only the "interface Loopback..." lines from the running config.
    set runningcfg [exec show run | inc ^interface Loopback]
    foreach line [split $runningcfg \n] {
        # Match Loopback0 or Loopback1 and capture the interface name.
        if {[regexp {interface (Loopback[0-1])} $line -> interface]} {
            # Apply the command and report which interface was used.
            ios_config "ip tftp source-interface $interface"
            return "ip tftp source-interface $interface"
        }
    }
}
# now type the name of the proc (intf) at the tcl prompt.
C1811(tcl)#intf
# If loopback0 or 1 is present the tftp source interface is added to the running config.
ip tftp source-interface Loopback0
C1811(tcl)# -
NTP always uses the outbound interface, regardless of configuration of source interface.
Managed to get it to work by combining the source interface on the server command line. So instead of:
ntp server xxxxx
ntp source Loopback0
we used the command
ntp server xxxx source Loopback0
Be sure to eliminate the other ntp server and source commands.
If you're referring to applets, the command is "source-interface" as an argument to the mail action:
action X mail to "[email protected]" from "[email protected]" server 10.1.1.1 subject "Test" body "this is a test" source-interface Gi0/0 -
Radius request source interface
HI !
I have controllers WLC 5508 and release 7.4.
If I, in the WLAN configuration for AAA and RADIUS servers, use the possibility to change the RADIUS request source interface via "Radius Server Overwrite Interface", it will use the interface that the SSID is configured on as the source address.
If my SSID is configured to an interface group, what will happen then?
Will only the first configured VLAN be used as a source, or will it vary the source address between the VLANs included in the interface group?
(It, of course, needs to be the same every time, for every request, and predictable.)
/mats
Hi,
Yes, I did get an answer on my TAC case on this. It will use the first configured VLAN in the group.
I have it configured and use "radius server overwrite" on the interface group right now. It has been working this way for months now. It seems to work well. :-)
/mats -
Configuration guide for ASA Ipsec.
Hi guys.
I need a configuration guide for ASA IPsec using the CLI.
Thank you.
Sent from Cisco Technical Support iPad App
Hi,
Please check the links below:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml?referring_site=smartnavRD
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
Thanks and Regards,
ROHAN -
Hi All,
Is it necessary to mention snmp-server trap-source <interface name> while configuring SNMP on a router/switch? What if we do not configure this command on a device having multiple interfaces?
Regards,
VB
The original post had a two-part question, so I will provide a two-part answer.
1) Is it necessary to specify the trap source interface? No, it is not necessary to specify the trap source interface. Traps will be sent anyway, but it becomes more difficult to predict what source address will be used.
2) What happens if we do not configure it. As Afroz explains the device will use what it considers to be the closest interface at that particular time to send the trap. The result is that as interface status may change or as routing table information changes some traps may be sent with Gig0/1 as the source while other traps are sent with Gig0/2 as the source. The reality is that all these traps are from the same device but it will be difficult to see that as you look at the received traps and see different sources.
So I would say that while it is not necessary it is certainly recommended, especially when the device has more than one interface that could potentially serve as the source.
HTH
Rick -
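Jesper's baseline-template thread above asks how to find Loopback0 or Loopback1 and push ip tftp source-interface, and Rick's answer here explains why a device without snmp-server trap-source shows up under changing source addresses at the trap receiver. The script below is an added example, not code from either thread or from Cisco. It generalises the Tcl proc to the other source-interface commands discussed on this page (logging source-interface, ntp source, ip radius source-interface, ip tacacs source-interface, snmp-server trap-source): it audits a running-config for each, flags settings that are missing, point at a non-existent interface, or use a physical interface instead of a loopback, and emits the commands a baseline template would push. The protocol table, the function names, and the sample config are my own assumptions; the commands themselves are the IOS commands quoted in the threads.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Global IOS commands that pin a management protocol's source address. The keys
# are labels of my own; the commands are the ones quoted in the threads on this page.
SOURCE_COMMANDS = {
    "tftp":      "ip tftp source-interface {intf}",
    "snmp-trap": "snmp-server trap-source {intf}",
    "logging":   "logging source-interface {intf}",
    "ntp":       "ntp source {intf}",
    "radius":    "ip radius source-interface {intf}",
    "tacacs":    "ip tacacs source-interface {intf}",
}

# Patterns that find an existing setting. "ntp" also accepts the per-server form
# "ntp server <addr> source <intf>" that the NTP thread on this page ended up using.
SOURCE_PATTERNS = {
    "tftp":      re.compile(r"^ip tftp source-interface (\S+)", re.M),
    "snmp-trap": re.compile(r"^snmp-server trap-source (\S+)", re.M),
    "logging":   re.compile(r"^logging source-interface (\S+)", re.M),
    "ntp":       re.compile(r"^ntp (?:server \S+ )?source (\S+)", re.M),
    "radius":    re.compile(r"^ip radius source-interface (\S+)", re.M),
    "tacacs":    re.compile(r"^ip tacacs source-interface (\S+)", re.M),
}

INTERFACE_RE = re.compile(r"^interface (\S+)", re.M)
# Same choice as the Tcl proc in the template thread: Loopback0 or Loopback1.
LOOPBACK_RE = re.compile(r"^loopback[01]$", re.I)


def interfaces(config: str) -> List[str]:
    """Names from every 'interface <name>' line of the running-config."""
    return INTERFACE_RE.findall(config)


def preferred_loopback(config: str) -> Optional[str]:
    """First Loopback0/Loopback1 present, or None when the device has neither."""
    for name in interfaces(config):
        if LOOPBACK_RE.match(name):
            return name
    return None


@dataclass
class Finding:
    protocol: str
    current: Optional[str]   # interface the protocol sources from today, if set
    problem: Optional[str]   # why it is flagged; None means compliant
    fix: Optional[str]       # command to push; None when none can be proposed


def audit(config: str) -> List[Finding]:
    """Check each protocol: unset, pointing at a missing interface, or not a loopback."""
    loopback = preferred_loopback(config)
    known = {name.lower() for name in interfaces(config)}
    findings = []
    for proto, pattern in SOURCE_PATTERNS.items():
        match = pattern.search(config)
        current = match.group(1) if match else None
        fix = SOURCE_COMMANDS[proto].format(intf=loopback) if loopback else None
        if current is None:
            problem = "no source interface set; source address follows the egress interface"
        elif current.lower() not in known:
            problem = f"{current} does not exist on this device"
        elif not LOOPBACK_RE.match(current):
            problem = f"{current} is not a loopback; the source changes when that link is down"
        else:
            problem, fix = None, None
        if problem and fix is None:
            problem += " (no Loopback0/Loopback1 to source from; create one first)"
        findings.append(Finding(proto, current, problem, fix))
    return findings


def fixes(config: str) -> List[str]:
    """Commands a baseline template would push, the way the Tcl proc calls ios_config."""
    return [f.fix for f in audit(config) if f.fix]


def report(config: str) -> str:
    """One line per protocol, suitable for a compliance log."""
    rows = []
    for f in audit(config):
        status = "OK " if f.problem is None else "FIX"
        rows.append(f"{status} {f.protocol:<10} current={f.current or '-':<22} {f.problem or ''}")
    return "\n".join(rows)


# Constructed sample running-config; addresses are documentation ranges, not a real device.
SAMPLE_CONFIG = """\
hostname lab-sw1
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 198.51.100.1 255.255.255.0
logging host 192.0.2.20
logging source-interface GigabitEthernet0/1
ntp server 192.0.2.10 source Loopback0
ip radius source-interface Loopback1
snmp-server enable traps snmp linkup linkdown
snmp-server host 192.0.2.20 version 2c public
"""

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
    print("\n".join(fixes(SAMPLE_CONFIG)))
```

Run against the sample, the audit keeps ntp (already on Loopback0), proposes a loopback source for tftp, snmp traps, tacacs and logging (currently pinned to a physical port), and catches the radius line that references a Loopback1 the device does not have. When a device has neither loopback, no command is proposed and every finding says so, which is the case the Tcl proc silently ignores.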
SNMP inform request source-interface
Instead of using SNMP TRAPS I would like to use INFORM requests. When I receive TRAPS everything is working correctly. When I receive INFORM requests, the source interface is reported wrong.
My config:
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server enable traps snmp linkup
snmp-server enable traps config
snmp-server host 10.101.1.15 inform version 2c public
snmp-server host 10.101.1.15 version 2c public
The TRAPS report their source address as Loopback0 but the INFORMS report their source address as FastEthernet0.
Hello,
we are also migrating from traps to informs and I can see that this source-interface issue is still open. I can confirm it is happening on Cisco 7609-S with IOS 12.2.(33)SRD5, SRD6 and SRE2.
In the bug toolkit I can see it opened for the 6500 under CSCtc43231 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtc43231), but there is no SR release listed under affected versions.
If anyone knows any workaround, I would appreciate it a lot.
Thanks in advance! -
CCS 11501 Tacacs Source Interface.
Hello all,
I am trying to use the management interface of a CSS 11501 as the source interface of any TACACS+ authentication.
I have added a management route for the subnet where the TACACS servers are, but authentication is still going via circuit VLAN1.
It will not allow me to add a "normal" route due to the overlap with the management interface.
What I really want is a tacacs source-interface equivalent.
Any and all help appreciated,
Andrew.
Andrew,
The CSS management interface is not designed to be used for user traffic flow or for tacacs, radius, syslog, ntp etc. Therefore there is no way to force tacacs traffic to use this interface. Also there is no equivalent to "ip tacacs source-interface" in IOS.
The management interface was designed to be used only for telnet, ssh and web GUI access to the CSS.
Peter -
Radius source-interface not working ?
I'm running IOS 150-2.SE2 on 3750-X switches.
In my config, I have the command:
ip radius source-interface Loopback1
but all radius requests still have the source IP address of the "nearest" interface, not the loopback interface.
Interface Loopback1 is up and is pingable from the radius server.
Any suggestions ?
Thanks,
GTG
The only command I can see for controlling the radius source address/interface is that global ip radius source-interface command.
My full AAA configuration is:
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
ip radius source-interface Loopback1
radius server radius1
address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
key 7
GTG -
NX-OS 6.2 Cannot specify interface vlan as source-interface for logging
I have the following config on Catalyst:
logging source-interface Vlan1024
I want to be able to specify an interface vlan as the source-interface on NX-OS. The only option I can get is to use a loopback interface as the source-interface, but I want to specify an SVI. Is that possible with NX-OS?
NEXUS-7710(config)# logging source-interface ?
loopback Loopback interface
Hello
AppleWorks is bundled with only SOME machines, the iBook, iMac G5, eMac and macMini.
Of course, as the media used is a DVD with a huge capacity, the app is stored on the support where the operating system SPECIFIC to the machine is also stored.
But this implies NO link with the two products.
AppleWorks 6 was carbonised in a hurry to show that the thing was do-able.
My point of view is that it was done assuming that a replacement app would be available quickly. So, sticking to human guidelines was certainly not a priority.
In fact, what was thought to be a short period became a long one because Mac OS X needed a lot of time to become a sufficiently stable basis on which Apple was able to build a successor to AppleWorks and, as we all know, the successor named iWork is far from a complete product. There is nothing like a spreadsheet or a database tool.
So, we have to continue to use our old fashioned AppleWorks (which is also, for many of us, an old friend with sympathetic wrinkles.)
Yvan KOENIG (from FRANCE, Monday 30 January 2006 19:00:44) -
How to change Nexus 1000v (N1KV) flow exporter's source interface?
Dear ALL,
I am trying to setup NetFlow from a N1000v towards a NAM, and I need to change the 'flow exporter's source interface from 'mgmt 0' to something else.
I've encountered the following problems:
1. Even though the Cisco document here describes that the source interface can be changed, logging into the CLI of N1000v does not give alternative options:
N1k# conf t
N1k(config)# flow exporter TEST1
N1k(config-flow-explorter)# source ?
mgmt Management interface
N1k(config-flow-explorter)# source mgmt ?
<0-0> Management interface number
N1k(config-flow-explorter)# source mgmt 0 ?
<CR>
N1k(config-flow-explorter)#
2. In order to be able to use a source interface for NetFlow other than 'mgmt 0', I would need an L3 interface. I am kind of missing the concept of an 'interface vlan' used in IOS from NX-OS. I tried to look around and find documentation and explanations, however I could not find anything useful yet.
NX-OS running on N1k is 4.0(4)SV1(3b)
Could you please advise on this topic?
Thanks,
Andras
Hi Padma,
and Happy New Year. Best Wishes
I found some misconfiguration in my port profile, and when I associated the correct NIC with the correct port profiles everything worked nicely.
Thank you. -
Hello,
I have setup ASA 5505 with 2 ISP, named outside (primary) and backup, the scenario is if outside down, then backup will take over, it works now.
But it is not working when the primary connection cannot reach the gateway with the interface still up.
Is it possible when the primary connection cannot reach the gateway then backup automatically take over?
Thanks before..
My configuration is:
ASA Version 8.2(1)
hostname cisco
domain-name default_domain
enable password ********* encrypted
passwd ********* encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.10.10.10 255.255.255.0
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
ip address 172.20.10.10 255.255.255.0
interface Ethernet0/0
switchport access vlan 1
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default domain
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group backup_in in interface backup
route outside 0.0.0.0 0.0.0.0 172.10.10.1 1
route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:24af050f332deab3e38eb578f8081d05
: end
Hi Amrin,
you can configure SLA monitoring on the ASA and that would work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun
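The SLA-tracked default route the reply points to, written as an added example against the gateways in the configuration posted above (this is not the answerer's or Cisco's own text; the SLA id, track id and timers are values chosen here, and the echo target is assumed to be the primary gateway 172.10.10.1):

```cisco
: Added example, not from the original thread. ASA 8.2 SLA monitor + track so the
: metric-1 default route is withdrawn when the gateway stops answering, even while
: the outside interface itself stays up. SLA id 10, track id 1 and timers are
: arbitrary choices.
sla monitor 10
 type echo protocol ipIcmpEcho 172.10.10.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
:
: track 1 follows the reachability result of SLA 10
track 1 rtr 10 reachability
:
: primary route is installed only while track 1 is up; the metric-254 backup
: route from the posted config then takes over automatically
route outside 0.0.0.0 0.0.0.0 172.10.10.1 1 track 1
route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
```

Verify with `show sla monitor operational-state 10`, `show track 1` and `show route`; if the ISP's own gateway answers pings while its upstream is broken, use an address beyond the gateway that is reachable only through the outside interface as the echo target.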