ASA NAT Problem - I think?
Hi Guys,
I have an ASA5520 with an interface to the internet on a /28 public network and an interface to a /24 public network - I will connect other interfaces to other networks in time, but I just want to get the thing working for now.
Anyway, I have set it up from the ASDM using the wizard and some extra config my self. I don't want NAT - i.e I want hosts on the /24 network to be reachable to their original IP from the internet. I can ping anything from the firewall. I can ping the local interface from my test pc (on the /24 network) but I cannot ping, web, telnet etc anything on the internet. However the syslog shows the packets going through the firewall and I have opened the rules up completely for testing.
Can anyone see why the test box cannot reach the internet and vice versa?
Is it NAT?
Config is below (* = omitted text.
Thanks,
Niall.
: Saved
ASA Version 7.0(6)
hostname cr01-sh
domain-name *.net
enable password B6R1dZUX1mTgE6pC encrypted
names
name 213.*.*.2 Aurix01-s01
dns-guard
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 217.*.*.34 255.255.255.240
interface GigabitEthernet0/1
nameif Customer
security-level 10
ip address 213.*.*.254 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Customer_access_in extended permit ip any any log
access-list Customer_access_in extended permit icmp any any log
access-list Customer_access_in extended permit udp any any log
access-list Customer_access_in extended permit tcp any any log
access-list WAN_access_out extended permit tcp any any log
access-list WAN_access_out extended permit udp any any log
access-list WAN_access_out extended permit icmp any any log
access-list WAN_access_out extended permit ip any any log
access-list WAN_access_in extended permit ip any host Aurix01-s01
access-list WAN_access_in extended permit icmp any host Aurix01-s01
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu Customer 1500
mtu management 1500
no failover
monitor-interface WAN
monitor-interface Customer
monitor-interface management
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
access-group Customer_access_in in interface Customer
route WAN 0.0.0.0 0.0.0.0 217.*.*.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 WAN
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
Cryptochecksum:74609abf4a90bd20175922f0ae6b0e52
: end
Thanks for the help again.
OK - I have re-run the setup wizard, tested, played around with changing the security levels so the wan was lower then the customer interface and still nothing. removed and readded acls etc. still nothing.
I have a theory:
I wonder if my isp have loaded in the routes to the customer network?
I ran a tracert from my home to the wan router (gateway for the ASA) and it resolved in 10 hops. I then ran a tracert to the aurix-s01 IP (on the customer network) and it partially resolved to 5 hops and then timed out - it timed out once it made it to my ISP's core router! would this be because they have not loaded the route for the customer network we have ordered?
Would this be why I cannot get internet access through the ASA because the default gateway doesn't know of the network it is coming from and it is not coming from the interface for its default route?
Also would this be why the ASA shows the ping build and tear down in the syslog and no dropped packets but nothing gets out?
Thanks again for your help.
Niall.
Similar Messages
-
Hi Everyone,
We have an ASA 5540 at our data center, with ASA 5505's at most remote sites.
At the sites without layer 3 switches behind the ASA 5505's, we can't reach the data center internal network through the ASA for flow-export, etc.
So, what I'm basically saying is, even though the tunnel is up and everything behind the branch ASA can reach the data center networks fine, the ASA itself cannot reach hosts on the data center network.
I'm hoping to configure these ASA 5505's so I can do flow export and SNMP logging from them, but without this routing or nat problem resolved, they just won't do it.
Doing a packet tracer from the ASA 5505 to the data center server I'm most focused on, reveals this:
BRANCH5505f01# packet input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1004755, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.15 255.255.255.255 outside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
I am thinking the problem is NAT related, but with the new ASA NAT rule format due to v9.1... struggling to get a grip on where it is... any thoughts/help are appreciated.
Ken
Here is the relevant config for the Branch ASA and also the relevant config from the data center ASA:
Branch ASA Config Parts:
: Saved
ASA Version 9.1(2)
hostname BRANCHASA5505
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description LAN_NETWORK
nameif inside
security-level 100
ip address 10.15.6.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.248
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network BRANCH_NETWORKS
description BRANCH LOCAL NETWORKS
network-object 10.15.6.0 255.255.254.0
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network NETWORK_MGMT
network-object 10.0.0.0 255.0.0.0
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL remark * FOR VPN CONNECTION TO DATACENTER/VEYANCE NETWORKS *
access-list DATACENTER_VPN_ACL remark *******************************************************************
access-list DATACENTER_VPN_ACL extended permit ip host <outside ip> host <outside ip datacenter asa>
access-list DATACENTER_VPN_ACL extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_NONAT extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_FILTER extended permit tcp any4 any4 eq www
access-list INSIDE_FILTER extended permit tcp any4 any4 eq 8080
logging host inside 10.1.1.15
flow-export destination inside 10.1.1.15 2055
ip verify reverse-path interface inside
ip verify reverse-path interface outside
nat (inside,outside) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group FROM_OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 <outside ip gateway> 1
route outside 10.1.1.15 255.255.255.255 <outside ip datacenter asa> 1
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group <outside ip datacenter asa> type ipsec-l2l
tunnel-group <outside ip datacenter asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map type regex match-any DomainBlockList
match regex DomainList-Netflix
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map httptraffic
match access-list INSIDE_FILTER
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action log
class BlockDomainsClass
reset log
policy-map URL-filter-policy
class httptraffic
inspect http http_inspection_policy
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
class class-default
flow-export event-type all destination 10.1.1.15
service-policy URL-filter-policy interface inside
prompt hostname context
Datacenter ASA Config Parts:
ASA Version 9.0(1)
hostname DATACENTERASA5540
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface GigabitEthernet0/0
description *** TO OUTSIDE NETWORK AT DATACENTER ***
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address <outside ip>
interface GigabitEthernet0/1
description *** TO INSIDE NETWORK ***
nameif INSIDE
security-level 100
ip address 10.1.3.2 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 134.200.131.0 255.255.255.0
network-object 134.200.220.0 255.255.255.0
network-object 134.201.2.0 255.255.255.0
network-object 163.243.195.0 255.255.255.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.1.3.0 255.255.255.0
network-object 10.31.2.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0
network-object 172.26.1.0 255.255.255.0
object-group network DATACENTER_NETWORKS
network-object 10.1.0.0 255.255.0.0
object-group network BRANCH_NETWORKS
network-object 10.15.6.0 255.255.254.0
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL remark * FOR SITE TO SITE VPN TO BRANCH WV USA *
access-list BRANCH_VPN_ACL remark ****************************************************
access-list BRANCH_VPN_ACL extended permit ip host <outside ip> host <outside ip branch asa>
access-list BRANCH_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group BRANCH_NETWORKS
flow-export destination INSIDE 10.1.1.15 2055
flow-export template timeout-rate 1
flow-export delay flow-create 180
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
nat (INSIDE,OUTSIDE) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
access-group FROM_OUTSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 <outside ip> 1
route INSIDE 10.0.0.0 255.0.0.0 10.1.3.1 1
route OUTSIDE 10.15.6.0 255.255.254.0 <outside ip branch asa> 1
crypto map OUTSIDE-MAP 156 match address BRANCH_VPN_ACL
crypto map OUTSIDE-MAP 156 set pfs
crypto map OUTSIDE-MAP 156 set peer <outside ip branch asa>
crypto map OUTSIDE-MAP 156 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
tunnel-group <outside ip branch asa> type ipsec-l2l
tunnel-group <outside ip branch asa> ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
flow-export event-type all destination 10.1.1.15
user-statistics accounting
service-policy global_policy global
smtp-server 172.19.1.137
prompt hostname context
call-home reporting anonymous
Again, any help you can provide is appreciated... will vote for best...I ran it, with the source IP corrected (it is 10.15.6.2):
BRANCHASA# packet input inside icmp 10.15.6.2 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0b6698, priority=1, domain=permit, deny=false
hits=1203279, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.15/0 to 10.1.1.15/0
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.15.6.0 255.255.254.0 inside
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Static translate 10.15.6.2/0 to 10.15.6.2/0
Forward Flow based lookup yields rule:
in id=0xcb12f2f0, priority=6, domain=nat, deny=false
hits=15824, user_data=0xcb0fdef8, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaa712e0, priority=0, domain=nat-per-session, deny=true
hits=77610, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bc128, priority=0, domain=inspect-ip-options, deny=true
hits=91404, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0bbc28, priority=66, domain=inspect-icmp-error, deny=false
hits=4585, user_data=0xcb0bb238, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb0c1218, priority=70, domain=encrypt, deny=false
hits=708, user_data=0xbf63c, cs_id=0xcb9ad918, reverse, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb12fb00, priority=6, domain=nat-reverse, deny=false
hits=15837, user_data=0xcb124438, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 143081, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow -
NAT Problems Converting from 7.2(2) to 8.6(1)2
I am trying to replace an ASA 5510 running 7.2(2) with an ASA 5515x running 8.6(1)2. The problem I am having is that the NAT entries are not working on the ASA 5515x. Is there anything that needs to be considered when moving the configuration from the ASA 5510 to the ASA 5515x.
Hi,
ASAs NAT configuration format went under a big change when going from 8.2 to 8.3. The NAT configuration format changed completely and therefore none of the old NAT configurations work anymore. These are "global" , "nat" and "static". Actual NAT configurations start with the command "nat" though but otherwise in a totally different format.
Your new ASA 5500-X series firewall can only use 8.6 or above software level. That is its "oldest" software. Therefore you cant use your old configuration on it. People who simply upgrade software on the original ASA5500 series will be able to just boot their ASA to the new software. Though while the ASA then migrates the NAT configurations to the new format, the results arent always the best.
One major change would also be ACLs. In the new software you will always use the real IP address in the interface ACL when allowing traffic somewhere. So even if you were allowing traffic to some server (that has a Static NAT configured on the ASA) you would now use the real IP address as the destination rather than the NAT IP address. This is mainly due to the fact that ASA handles NAT before ACL now in the new software.
There is also some minor changes to the commands related to VPN configurations.
But the above are the biggest changes.
How large NAT configuration do you have on the original ASA5510? If we are not talking about a huge configuration I could probably help with converting the NAT configurations.
Here is a document I wrote about the new NAT configuration format
https://supportforums.cisco.com/docs/DOC-31116
Here is also a good document that might help you compare the old and new NAT configuration formats
https://supportforums.cisco.com/docs/DOC-9129
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni -
Open NAT problems with Xbox One .
When I first got my 1900ac I used Media Priortization to get an open NAT for Call of Duty Advanced Warfare on my Xbox One ; prioritizing the Xbox . It worked fine for about 6 months until I changed cable/net provider to Nextech in Ks. This company uses the 1900ac to hook up it's system for all it's customers ( since I already had one they're using mine ). Unfortunately I'm unable to get an open NAT in this game anymore ; I've tried just about everything , NAT forwarding , triggering , Media Prioritization . Nextech support & Xbox Live support , useless . Tried Portforward . com , nothing . Forwarding port 53 cuts off net connection & doing the static ip change for Xbox didn't help . Almost everything I've looked at seems out of date & I'm at my wits end . It would seem by now Linksys should have solutions available , any ideas ?
Thank you chin_pamz13 for your response . I tried to check if my modem had a public or private ip address but I'm not sure how to do that ; I've read about double NAT's elsewhere . Regardless , I think I've finally found a solution that seems to be working so far . I went to the website " tech - recipes . com " & found an article , " Xbox One open NAT " by Aaron St. Clair . I tried his first suggestion about port triggering , with extra ports I had'nt seen before . That did not work for me so I followed his instructions for putting the Xbox in the DMZ & it's working ! I think my problems from before were the result of improperly setting up the static ip address for my router & Xbox . Previous instructions had me changing the ip in the console along with the router ; Aaron said not to do so in the Xbox , let the router do the work it's supposed to do & make sure the settings in the console are on automatic . In the router at the DMZ , I was'nt sure how to proceed , but at the bottom is a section labeled DHCP reservations list ; clicked on that , saw XboxOne , clicked on that & it filled out the MAC address above for me . Then I went to the Xbox network settings , advanced settings & clicked " automatic " at ip address , subnet & DNS . I checked mutiplayer connections & did the " hold bumper & trigger buttons " trick & finally got an open NAT ; fired up CoD Advanced Warfare & got the open NAT there also . I may have screwed up when I did the port triggering but since the DMZ fix seems to work I'm going to leave things alone . Hope this helps others with open NAT problems .
-
ASA5512 iOS 9.3 inside nat problem
Hi,
I face some nat problem. i have ASA5512 iOS 9.3 its connect outside (ip: 37.10.1.2/29) for internet and inside (ip 10.78.61.1/24) for LAN and server.
I configure dynamic nat for internet its work. In LAN switch has 4 VLAN one server VLAN ip add 10.88.61.0/24.
Now i map a public ip 37.10.1.3 for server 10.88.61.10 from outside internet its work. But when i try to ping server public ip 37.10.1.3 from LAN its not ping but server local ip 10.88.61.10 ping from LAN.
How can solve the issue i need to ping public ip from LAN. ALL LAN VLAN are nat on ASA outside interface (ip: 37.10.1.2/29).
interface GigabitEthernet0/0
description #### Connect TO Internet ####
nameif outside
security-level 0
ip address 37.10.1.2 255.255.255.248
interface GigabitEthernet0/1
description #### Connect TO Core Switch ####
nameif inside
security-level 100
ip address 10.78.61.1 255.255.255.0
access-list outside-in extended permit ip any any
access-group outside-in in interface outside
access-group outside-in in interface inside
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_Ser
host 10.88.61.10
object network obj_Ser_WAN
host 37.10.1.3
nat (inside,outside) source static obj_Ser obj_Ser_WAN
object network obj_any
nat (inside,outside) dynamic 37.10.1.4
same-security-traffic permit intra-interface
Thanks
AfzalHi,
Try this NAT:-
nat (inside,inside) source static obj_Ser obj_Ser_WAN
Thanks and Regards,
Vibhor Amrodia -
Hey
I am running a 17 inch imac and experiencing some trouble with my bittorrent client Azureus.
I simply never get the green smiley face. I read the wipi-help from Azureus and confirmed by using their instructions that I do have a NAT problem. I have no firewall running. I did continue reading the explanation in the Wiki but it seems to be PC oriented. Can anybody give me some good info to fix this problem?
By the way will my downloads be faster when I do use a correctly configured NAT?
Samuel
PS I am not using a router just a ADSL ModemI had the same problem but turned off my firewall, opened the port 59981, turned my firewall back on & it worked straightaway, my d/l speed shot up frpom 20kb to 280kb. My only problem now is that when I am running azereus my internet connection sometimes drops and the only way round it seems to be turning off my mac & cable modem and rebooting. I'm on Telewest Blueyonder cable with a webstar cable modem and it only happens when I'm using Azereus.
Very frustrating!! -
dears,
I have a problem with iPhone is that I can replace it at points of sale in the U.S. because I bought from Saudi Arabia because the problem I think in the hard ware I do resoftware more than 3 times did not fix.
Network also always missing.
I am living in KS Wichita. I hope you help me pleas.
Regards.iPhone warranty is not international. You will have to return your
iPhone to Saudi Arabia for repair/replacement. Either take it back
yourself or send to friend/relative for them to take to Apple. Apple
will not accept international shipments for repair nor will Apple
ship repaired/replaced iPhones out of the country where the repair
was done. -
i have a question my iphone4s has a problem when updated iOS8 there will be freeze problem i think iOS8 is not supported in 4s!!!!!!!!!.
one more question when i phone5 update with iOS 8.1.2 this iOS supported iphone5???Hi Ios 8.1.2 Should work on iPhone 4s / 5 You may have a bug Backup to cloud over WiFi Then Restore back to Factory Settings This will make iPhone as new. Use same Apple ID & you will get your Apps & Data back Do Restore over your WiFi. Cheers Brian
-
I am having the same problem I think. With mobileme you simply copy documents to the idisk folder and then synch. I cannot seem to sink that folder anymore. Any idea as to how I can simply copy folders to icloud and then access the MS Word and PDF files on my iphone?
Apple never bopthered to explain that this would happen
Your iDisk is still accessible after moving to iCloud in exactly the same way as before. Nothing is deleted until June 30th 2012.
, so I could easily have lost ALL of the files I kept on iDisk.
No, you couldn't. Firstly, nothing was deleted from your iDisk. Secondly, any files stored on your iDisk should never be your only copy. Even if your iDisk spontaneously combusted, you should keep local backups elsewhere.
Does Apple WANT people to move their storage elsewhere and stop paying Apple for it?
Yes. Apple doesn't provide such a service anymore, nor are you paying them for it.
Apple has made no effort to suggest remedies for the problem it has given iDisk users
They've provided instructions on how to download your files from your iDisk. What you do with them after that is your choice. -
why cant u get a open nat with ps3 always on moderate how do u get it to open ?
This link should help.
NAT Problems on games consoles and computers
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
Xbox360 WRT54GS ver. 6 NAT problems
my xbox 360's NAT is set to strict and prevens me from connecting with a lot of otehr players and my wireless router is a WRT54GS ver. 6
for xbox 360 having NAT problem... you need to call Xbox to ask for the port numbers to open...now if your isp is dsl then call them up and set the modem to bridge to set the rtr to pppoe...in this way we will be able eliminate the multiple NAT issues and for your xbox to work...
CamZ -
ASA NAT when not on interface network
We are trying to restructure our edge network. The ASA with NATs is currently on a natural /24, as is its upstream router. We are trying to change the ASA and router to reside on a /28 that is part of the existing /24. In so doing we have added routes to the router to send traffic for the NAT range to the ASA's new 'outside' IP:
Router IP: 10.10.10.226/28, HSRP IP 10.10.10.225
ASA IP: 10.10.10.228/28 stby 10.10.10.229
ip route 10.10.10.0 255.255.255.128 10.10.10.228 250 (High AD so as not to interfere with BGP later)
ip route 10.10.10.128 255.255.255.192 10.10.10.228 250 (High AD so as not to interfere with BGP later)
ASA NATs: 10.10.10.11-.135
From the ASA configured this way, we can ping the router IP fine.
One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.
Should either of these methods work?
Thanks - PaulPaul
One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.
Not sure i understand the above statement but in terms of what you originally tried then it should work as the ASA often handles IPs that are not assigned to an interface in terms of NAT.
Difficult to say why it didn't work. It is always a good idea to clear existing xlates and arp caches etc. but you may have done that anyway.
What exactly didn't work ?
Jon -
Hi,
I'm trying to migrate a configuration of an ASA 5520(Version: ASA 8.0(5)) to an ASA 5585 (Version: 8.4(2)). I keep getting some errors which are included below. I've been struggling with these for some copule of weeks and read the documentation on cisco.com (
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html) and also some pages on this forum. Some lines are written in bold of which I wasn't able to find any information about. Any help is appreciated. Thanks.
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201203062349.log'
Reading from flash...
!!!!!!!!!!!!!!!!!!!WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
WARNING: MIGRATION: Failed to create acl element to track during migration
*** Output from config line 1291, "access-group outside_acc..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1292, "access-group inside_acce..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1293, "access-group DMZ_access_..."
WARNING: MIGRATION: During migration of access-list <XXXXXXX> expanded
this object-group ACE
permit object-group DM_INLINE_SERVICE_5 XXX 255.255.255.0 DMZnet 255.255.255.0
WARNING: MIGRATION: Failed to create acl element to track during migration
*** Output from config line 1298, "access-group XXXXX..."
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 2
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 3
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 4
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 5
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 6
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 7
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 8
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 9
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 10
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 11
*** Output from config line 1797, "service-policy global-po..."
NAT migration logs:
The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
nat (inside) 1 access-list inside_nat_outbound
WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
global (outside) 10 interface
nat (inside) 0 logserver 255.255.255.255
WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
nat (inside) 0 logserver 255.255.255.255
The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
nat (inside) 1 icnetwork 255.255.0.0
ERROR: MIGRATION: No memory to create migrated service-policy element
The following 'nat' command didn't have a matching 'global' rule on interface 'TAV' and was not migrated.
nat (dmz) 1 access-list dmz_nat_outbound
INFO: NAT migration completed.
ERROR: an object-group with the same name (egitim) exist.
WARNING: Failed to create an object for name 'egitim' in the following ACL:
access-list DMZ_access_in extended permit tcp host 9.1.1.90 object-group egitim anyUmmm,
Did you possibly try the default username/password combination? (cisco/cisco) It should then prompt you to change these settings once you gain access. I'm not familiar with how the migration works, if it transitions the user accounts over or you end up starting from scratch. Give that a try and hopefully it gets you into your new system. -
Hi there,
i have a problem with Routing on ASA 5505.
Here is a brief explanation of the topology:
DC Upstream IP: 77.246.165.141/30
ASA 5505 Upstream to DC IP: 77.246.165.142/30
Interface outside.
There is a Cisco Switch connected to one of ASA Ethernet ports, forming Public/DMZ VLAN.
ASA 5505 Public VLAN interface ip: 31.24.36.1/26
Cisco 3750 Public VLAN interface ip: 31.24.36.62, default gateway: 31.24.36.1, IP Routing enabled on Switch.
From the Cisco Switch I can access the Internet with source ip: 31.24.36.62.
Now I have asked from DC additional subnet: 31.24.36.192/26 and they have it routed correctly towards the ASA Outside interface ip: 77.246.165.142.
I have created additional Public2 VLAN on the Switch with IP address of: 31.24.36.193/26.
On the ASA 5505 i added the route to this Public2 VLAN:
#route public 31.24.36.192 255.255.255.192 31.24.36.62 1
Now the problem is that from the Switch with Source IP: 31.24.36.193 i can ping ASA 5505 Public VLAN IP: 31.24.36.1 so the routing between subnets 31.24.36.0/26 and 31.24.36.192/26 is working OK on both the ASA 5505 and the Switch.
But I can't access the Internet from the Switch with Source IP: 31.24.36.193.Thanks for the replies.
I am running:
Cisco Adaptive Security Appliance Software Version 8.2(2)
As for NAT configuration, there is NAT configured between the Outside Interface IP and the Internal Subnet:
global (outside) 1 interface
nat (inside) 1 192.168.X.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
also there is NAT exemption configured because of the Site-to-Site IPSec VPN that we have:
nat (inside) 0 access-list inside_nat0_outbound1
access-list inside_nat0_outbound1 extended permit ip any 192.168.X.0 255.255.255.0
access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.0 OtherSiteLAN 255.255.255.0
access-list inside_nat0_outbound1 extended permit ip any 192.168.X.240 255.255.255.248
access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.128 OtherSiteLAN 255.255.255.0
I don't have any ACL configured on the Public interface in any direction.
Here is the configuration on the Switch regarding this scenario:
interface FastEthernet2/0/X
description Access Port for Public Subnet(31.24.32.0/26) to ASA
switchport access vlan 500
switchport mode access
interface Vlan500
description Public VLAN 1
ip address 31.24.36.62 255.255.255.192
interface Vlan510
description Public VLAN 2
ip address 31.24.36.193 255.255.255.192
ip route 0.0.0.0 0.0.0.0 31.24.36.1
Here is the output when pinging the ASA Public Interface IP with source IP address of: 31.24.36.193(VLAN 510)
SWITCH#ping 31.24.36.1 source vlan 510
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Packet sent with a source address of 31.24.36.193
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
And here is when I try to ping some Internet host:
SWITCH#ping 8.8.8.8 source vlan 510
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 31.24.36.193
Success rate is 0 percent (0/5) -
ASA NAT/Traceroute Inside to Outside Issues
Hi All,
Product in question: ASA5512-x in HA Active/Standby Failover mode
When running a ping from the inside network to a device on the internet I recieve replies and all is good. However when running a traceroute from inside the network to a device on the internet I receive timeouts which look to be caused by a ACL deny rule, that being "outside/internet_access_in" If I quickly add an access rule for "outside/internet" incoming rule and allow any any with ICMP_Group then I get replies and the ACL is allowing it, however the replies for the traceroute are always the same, which is the device IP your tracing. I wouldn't think you would want an outside/internet incoming rule for this kind of service as it would open you up and kinda defeat the purpose of firewal etc.
To me it sounds like NAT is certainly causing some weirdness here, possilby they way it's setup...
The following is the explanation from the Deny message on syslog.
%ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)]
dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)]
[type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]
A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.
Following are the 2 NAT rules in place at the moment - The first one was auto created when configuration a site-to-site VPN which is meant to tell the traffice over the VPN not to NAT.
nat (inside,internet) source static Private_Network_Classes Private_Network_Classes destination static Test_VPN_Site Test_VPN_Site no-proxy-arp route-lookup
nat (inside,internet) source dynamic any interface
I hope this gives some insight into the issue I am having and someone can suggest some fixes/reconfig's to work around this. It certainly hasn't been easy trying to explain what is occuring here in writting.
Thank you for your time.Hi Jouni,
I would agree with your comments as well after obtaining better understanding of the issue myself with your support.
As per request below is exact syslog message from traceroute.
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:21|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:17|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:13|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:00:02|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:00:00|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|09:59:57|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|09:59:55|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|09:59:53|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|09:59:51|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|09:59:50|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|09:59:48|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
Software Version:
Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(3)
Maybe you are looking for
-
How to update Sold-To Party (In ORDER_SAVE BADI)
Hi, I have a requirement as follows: In for a Sales Order, In ORDER_SAVE BADI, I have to do validation for Sold-to Party. If validation fails, I need to display an error message and I need to clear the Sold-to Party field, hence user has to select an
-
SAPSQL_ARRAY_INSERT_DUPREC in tcide SU01
Hi Gurus, Good day! I would to seek your assistance how can deal with this ABAP dump issue "SAPSQL_ARRAY_INSERT_DUPREC". This error occured while creating a user via transaction SU01. Do we need to apply OSS note in order to get rid of this error? Pl
-
How to add a system into Solution Manager directory.
Hi! Can anybody tell me how to add a system into Solution Manager directory before generating license key for ECC installation . Also, How to connect the XI in same box with SolMan and ECC in defferent server to SolMan 3.2 . I am going to install Sol
-
Mildew/Mold in Macbook Pro Display?
I have a Macbook Pro from early 2007. A couple of years ago, it started to develop this weird mildew/mold around the edge of the screen. It has progressively gotten worse. I am wondering if anyone has heard of anything like this, and what I can possi
-
Overflow-field in multi-rows block
Hi! How can i realize overflow-field in multi-rows block. I place overflow fields in the footer area of block and get value use ${uix.current['Description']} - but no have results. Use javascript to set value of overflow-field? thanks