ASA-QOS-POP3
Recently upgraded connection for Internet/Web. Used to do QOS on Cisco routers but when upgraded connection ISP supplied router & they do not use any QOS. Remote offices connect & use POP3 for mail retriever & now seeing problems & need to use QOS on the ASA. Which should I use ! Traffic policing ? Traffic shaping ? Traffic marking ?
Any sample config's would be grateful !
Thanks !
Traffic shaping will be good for remote offices connecting to central site. Following links may help you
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/qos.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml
Similar Messages
-
ASA QoS shared pool of bandwidth
I have the following QoS scenario to configure on an ASA.
1. Allocate a shared bandwidth pool between a defined range of subnets.
2. Allocate bandwidth for a single subnet.
I've considered policing below, where 2 (or more) subnets would share an 8Mb pool of bandwidth, and a single subnet has a dedicated 16Mb.
Would the following work - I need to ensure the separate flows from the shared pool subnets don't exceed the defined policing.
! Shared ACL Pool
access-list qos-shared extended permit ip 172.18.1.0 255.255.255.0 any
access-list qos-shared extended permit ip any 172.18.1.0 255.255.255.0
access-list qos-shared extended permit ip 172.18.2.0 255.255.255.0 any
access-list qos-shared extended permit ip any 172.18.2.0 255.255.255.0
access-list qos-single extended permit ip 10.1.1.0 255.255.255.0 any
access-list qos-single extended permit ip any 10.1.1.0 255.255.255.0
class-map qos-shared
match access-list qos-shared
class-map qos-single
match access-list qos-single
policy-map qos
class qos-shared
police output 8000000 4000
police input 8000000 4000
class qos-single
police output 16000000 4000
police input 16000000 4000
service-policy qos interface insideI have the following QoS scenario to configure on an ASA.
1. Allocate a shared bandwidth pool between a defined range of subnets.
2. Allocate bandwidth for a single subnet.
I've considered policing below, where 2 (or more) subnets would share an 8Mb pool of bandwidth, and a single subnet has a dedicated 16Mb.
Would the following work - I need to ensure the separate flows from the shared pool subnets don't exceed the defined policing.
! Shared ACL Pool
access-list qos-shared extended permit ip 172.18.1.0 255.255.255.0 any
access-list qos-shared extended permit ip any 172.18.1.0 255.255.255.0
access-list qos-shared extended permit ip 172.18.2.0 255.255.255.0 any
access-list qos-shared extended permit ip any 172.18.2.0 255.255.255.0
access-list qos-single extended permit ip 10.1.1.0 255.255.255.0 any
access-list qos-single extended permit ip any 10.1.1.0 255.255.255.0
class-map qos-shared
match access-list qos-shared
class-map qos-single
match access-list qos-single
policy-map qos
class qos-shared
police output 8000000 4000
police input 8000000 4000
class qos-single
police output 16000000 4000
police input 16000000 4000
service-policy qos interface inside -
Hello all. ASA IOS is v8.22. I have setup overall police (10 down 5 up) on outside interface to match ISP bandwidth (for congestion determination) as well as two rules to put packest into LLQ. First rule is for all traffic to DataCenter and it is working as I can see the LLQ packet count increasing during access. Second rule is for all traffic coming from our internal ProxyServer to outside, but it is not working. No packets from this second rule are entering the LLQ. Thank you to anyone who can assist or point me in direction of clues to priorty queue packets from our ProxyServer.
name 77.77.77.0 DataCenter
name 192.168.1.158 ProxyServer
access-list MIConnection_mpc extended permit ip any DataCenter 255.255.192.0
access-list MIConnection_mpc extended permit ip host ProxyServer any
priority-queue MIConnection
class-map QOS
match access-list MIConnection_mpc
class-map mi_band
match any
policy-map mi_band_police
class mi_band
police input 10000000
police output 5000000 2500
class QOS
priority
service-policy mi_band_police interface outsideMarius: My ASA IOS is v8.22. The outside interface is connected to a cable modem. In my current setup, I have the cable ISP policed at 10/5 Mbit. If I adjust down to 2/1 Mbit speedtest.net adjusts accordingly, so I know the police on the cable ISP is working. The 1st QoS Rule (QOS) is priorty for our datacenter, and I can see packets hitting the LLQ when this rule is applied. The 2nd QoS rule (DropAmazon) I cannot get to work. It is suppose to police all input and output traffic to AmazonS3 servers at 0.05 Mbit (our offsite backups), but it refuses. I have all the IP ranges for AmazonS3 defined, and I have sniffed the traffic and verified it is going to these ranges, however with the rule active uploads to Amazon still run at full ISP bandwidth (5 Mbit). I will continue to research and test but have been working on this for weeks now. Hopefully I can find out why I cannot police bandwidth to AmazonS3. I can also provide you with the full configuration if you can offer your assistance. Thank you!
names
name 72.15.192.0 Peak10
name 72.21.192.0 AmazonS3.1
name 207.171.160.0 AmazonS3.2
name 176.0.0.0 AmazonS3.3
name 205.251.192.0 AmazonS3.4
interface Ethernet0/2
nameif MIConnection
security-level 0
ip address 24.224.90.78 255.255.255.0
access-list MIConnection_mpc_1 extended permit ip any object-group AmazonS3
access-list MIConnection_mpc_1 extended permit ip object-group AmazonS3 any
access-list MIConnection_access_in extended permit icmp any any
access-list MIConnection_mpc extended permit ip host 192.168.1.158 any inactive
access-list MIConnection_mpc extended permit ip any Peak10 255.255.192.0
access-list MIConnection_mpc extended permit ip Peak10 255.255.192.0 any
priority-queue MIConnection
class-map QOS
match access-list MIConnection_mpc
class-map mi_band
match any
class-map DropAmazon
match access-list MIConnection_mpc_1
class-map inspection_default
match default-inspection-traffic
class-map http-map1
match access-list http-list2
policy-map mi_band_police
class mi_band
police input 10000000
police output 5000000 2500
class QOS
priority
class DropAmazon
police input 50000 1500
police output 50000 1500
service-policy mi_band_police interface MIConnection -
I was looking at this article regarding QoS implementation on the ASA through VPN tunnels
https://supportforums.cisco.com/docs/DOC-1230
I though that you could either do a traffic policing policy, OR a traffic shaping policy on one interface (or for one tunnel).
The author seems to suggest we can do both.
Can we? Will there be a conflict?Hi Colin,
No, we can't. Also in the doc Panos mentioned this while defining shaping:
Traffic Shaping with Prioritization
Now, lets assume that we have the same ASA as in the previous case. And we now want to traffic shape all traffic and prioritize the voice through the VPN.
Check out the service-policies he applied:
In case of policing:
ASA(config-pmap-c)# service-policy police-priority-policy interface outside
In case of shaping:
ASA(config-pmap-c)# service-policy shape-priority-policy interface outside
For further clarity, check this section on configuration guide which explains how various QOS features interact:
http://www.cisco.com/en/US/customer/docs/security/asa/asa84/configuration/guide/conns_qos.html#wp1234418
As per above link:
Typically, if you enable traffic shaping, you do not also enable policing for the same traffic, although the ASA does not restrict you from configuring this.
Because it won't make much of a sense anyways.
HTH.
Sourav -
Hi All,
I have a question, if someone can help me with it, it so appreciated!!
I have Cisco ASA 5505 with OS 8.2(5). I have 3Mbps WAN connection to it. what I need is how to do limit interface itself for 3Mbps. and then shape the traffic and with ability to give a balance for IP address use the bandwidth as fair not used by on IP if it do a massive download or so.
Another question can I do a outbound policy to inside interface to control the download and outbound policy to outside interface to control the upload??
Thanks in advance
MikeHello,
I have Cisco ASA 5505 with OS 8.2(5). I have 3Mbps WAN connection to it. what I need is how to do limit interface itself for 3Mbps. and then shape the traffic and with ability to give a balance for IP address use the bandwidth as fair not used by on IP if it do a massive download or so.
A/ You got to chooce whether to police the traffic ( Drop the traffic that does not follow the restriction ) or prioritize the traffic ( Hold the traffic that exceeds the limit on a software queue) So you first got to determine witch one to use as both of them would restrict traffic to 3 Mbps if properly setup. Now regarding the balance between ip there is no way to accomplish that, you could configure priority for certain traffic but the ASA will not allow you to get that deep into QoS ( ASA was not build to provide QoS stuff but eventhough that is not it's job it provides a fair QoS infrastructure)
Another question can I do a outbound policy to inside interface to control the download and outbound policy to outside interface to control the upload??
A/Police can be applied on more than one interface whether using a dedicated per interface service policy or one global , and police can be applied on any direction on a router but ASA speaking can be only applied on the outbound direction ... so if you want to do that you will be my guess
Give it a try and let us know the result
Regards,
Julio
Security Trainer -
Cisco ASA QoS traffic policing - how to count conform burst
hi,
I have cisco ASA 8.4(5). I will do configuration for QoS traffic policing. Maximum output/input rate will be 850 Mbits/s.
I am not sure if I need to do configuration also for conform burst ? if yes, can I count suitable value for it ? I must admit that I dont understand difference between conform rate and conform burst.
access-list acl_qos_policing_admin extended permit ip any any
class-map class_qos_policing_admin
match access-list acl_qos_policing_admin
policy-map policy_qos_policing_admin
class class_qos_policing_admin
police output 850000000 xxxxxxx
police input 850000000 xxxxxxx
service-policy policy_qos_policing_admin interface
inside_ADMHi, I already have done configuration on production firewall. Bandwidth test worked very good for 200Mbps or 300 Mbps. But I got little strange results for bigger rate limits such 600Mbps or 850 Mbps. I could not see any dropped packets. I did test via http://www.speedtest.net. Maybe because
I need to set conform-burst? there is now only default value (If you set bigger conform-rate then you get bigger conform-burst with default value).
Interface inside_EDU:
Service-policy: policy_qos_policing_edu
Class-map: class_qos_policing_edu
Output police Interface inside_EDU:
cir 200000000 bps, bc 6250000 bytes
Input police Interface inside_EDU:
cir 200000000 bps, bc 6250000 bytes
Interface inside_EDU:
Service-policy: policy_qos_policing_edu
Class-map: class_qos_policing_edu
Output police Interface inside_EDU:
cir 600000000 bps, bc 18750000 bytes
Input police Interface inside_EDU:
cir 600000000 bps, bc 18750000 bytes
Interface inside_ADM:
Service-policy: policy_qos_policing_admin
Class-map: class_qos_policing_admin
Output police Interface inside_ADM:
cir 300000000 bps, bc 9375000 bytes
Input police Interface inside_ADM:
cir 300000000 bps, bc 9375000 bytes
Interface inside_ADM:
Service-policy: policy_qos_policing_admin
Class-map: class_qos_policing_admin
Output police Interface inside_ADM:
cir 850000000 bps, bc 26562500 bytes
Input police Interface inside_ADM:
cir 850000000 bps, bc 26562500 bytes -
Incoming Calls start dropping right after when you pick up the phone
THe phone system is managed by Auxion company but i have a QOS on ASA 5510, Phone Company Stating that the problem in Qos or ISP but nothing has been changed in ASA Qos , any ideas if ther is missconfiguration ?
class-map VOIP
match rtp 10000 16383
class-map voip-class
match access-list voip-traffic
class-map CONNS
match any
class-map inspection_default
match default-inspection-traffic
policy-map QOS
class CONNS
set connection conn-max 2000 embryonic-conn-max 3000
class class-default
shape average 5024000
policy-map VOIPP
class VOIP
priority
class CONNS
set connection conn-max 2000 embryonic-conn-max 3000
class class-default
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
inspect pptp
class VOIP
priority
class class-default
user-statistics accounting
Arsen Gharibyan
http://www.neocomp.com/If a call sets up ok and then drops it may well be a codec negotiation issue.
-
How to configure QOS on certain IP in the Cisco ASA 5510
Hi,
I am need to configure QOS on certain IP in the Cisco ASA 5510. Assume the IP's are 10.0.1.5 , 10.0.1.6 , 10.0.1.7. Here i have to configure 512 KBPS for 10.0.1.5 and 2 MBPS for 10.0.1.6 and 10.0.1.7
Can this done on a ASA 5510 series? if yes can you help me how ?
Regards,
VenkatYes you can do it.You can match the ip addresses in an access-list, put in a class-map and the class-map in a policy map that will do policing.
Good examples for what you want to do are here https://supportforums.cisco.com/docs/DOC-1230
I hope it helps.
PK -
Guys,
Can you help me,
I am confuse about why Cisco ASA Transparant can't support QoS, Do transparant ASA don't traverse traffic with QoS tagging or they (transparant ASA) traverset traffic with QoS but don't support QoS modification/implementation in Cisco like traffic shapping, Queque management ?
Best Regards,
Rizal FerdiyanHi Rizal,
Packets take a different code path internally when the ASA is in transparent mode versus routed mode and this path does not include QoS support. Your best bet would be to implement this on the switch connected to the ASA, or another device upstream.
I would also suggest contacting your Cisco account team and asking that a product enhancement request be filed if this is a requirement for you.
-Mike -
Between client and server I have WAN link and on that WAN link I have QOS seted up with several trafic classes and so. If I build IPSEC VPN tunnel between client and ASA device in front of server, I guess I will lose capability to to see traffic on WAN link and my QOS will stop working.
Hi,
the IPSec standard mandates, that the TOS byte of the original header is copied into the new IPSec header. After encryption the original IP packet can not be detected by an intermediate router. Thus your QoS policy can only work, if you mark different traffic classes with f.e. different DSCP values and match on those DSCP values on your WAN router.
Hope this helps!
Regards, Martin -
is there a way to configure per user QoS Policy in ASA?
I need this because to configure ssl vpn users to have different bandwidthHi,
Please can you explain me how "per SSL VPN group basis" is going to work.
For my requirement that per group policy is also OK. Then it is needed to configure bandwidth limiters per group policy.
thanks & regards
Chandana -
Hi, I'm having trouble configuring Threat-detection and QoS polices at the same time.
The problem is that if I have QoS rules enabled, this is policing a traffic defined by ACLs, I can't enable at the same time the threat-detection feature "Shun hosts detected by scanning threat" because it shuns the hosts on which there is applying the policing.
I suppose this is because the policing is based in hits on ACL's so the ASA thinks this is an attack.
So, how can I resolve this? How can I have policing and shunnig enabled at the same time?
ThanksHi,
Weird stuff, one feature doesnt necessarily has to do anything with the Other. Scannig threat what is does is to take statistics of a host in specific and determine if it is sweeping the network or trying to find out if there is a host checking which ports/networks are available. You have to check what is the factor that is causing the shun to be tiggered. There are a lot of thresholds on scanning theat detection that you will need to modify if it is causing an issue.
By the thresholds I mean the following table:
Packet Drop Reason Trigger Settings
Average Rate Burst Rate
•DoS attack detected
•Bad packet format
•Connection limits exceeded
•Suspicious ICMP packets detected
100 drops/sec over the last 600 seconds.
400 drops/sec over the last 20 second period.
80 drops/sec over the last 3600 seconds.
320 drops/sec over the last 120 second period.
Scanning attack detected
5 drops/sec over the last 600 seconds.
10 drops/sec over the last 20 second period.
4 drops/sec over the last 3600 seconds.
8 drops/sec over the last 120 second period.
Incomplete session detected such as TCP SYN attack detected or no data UDP session attack detected (combined)
100 drops/sec over the last 600 seconds.
200 drops/sec over the last 20 second period.
80 drops/sec over the last 3600 seconds.
160 drops/sec over the last 120 second period.
Denial by access lists
400 drops/sec over the last 600 seconds.
800 drops/sec over the last 20 second period.
320 drops/sec over the last 3600 seconds.
640 drops/sec over the last 120 second period.
•Basic firewall checks failed
•Packets failed application inspection
400 drops/sec over the last 600 seconds.
1600 drops/sec over the last 20 second period.
320 drops/sec over the last 3600 seconds.
1280 drops/sec over the last 120 second period.
Interface overload
2000 drops/sec over the last 600 seconds.
8000 drops/sec over the last 20 second period.
1600 drops/sec over the last 3600 seconds.
6400 drops/sec over the last 120 second period.
As you can see on the following document:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1072953
Scanning threat is based on the threat detection statistics. So you will need to modify those in order to avoid the host to be shunned.
That being said, I think if you only enable threat detection alone, it would probably to the same thing as if it was configured in conjunction with QoS.
Bottom line (and sorry for all the info), modify the threat detection rate values and you should be ok.
Mike -
Cisco ASA - Pass Through QoS Traffic
Hi Sirs,
Given the following topology:
Switch - IP Phone (Branch) |----| Router |----| MPLS |----| Router |----| ASA |----| Switch - Voice Network (Head Office)
My question, the ASA can impact the QoS traffic to pass through it?
Thank you!
Rafael TrujilhoHi Andrew,
I want the ASA does NOT take any markings, NOT impacting the quality applied to voice traffic.
Regards,
Trujilho -
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
IP scheme at SIte A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Ciscso 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: endI have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
on the router I have also added;
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my acl :
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping tothe other site. -
Hi Cisco Guru's,
I hope someone can help to resolve this issue we are having with our ASA....
A little background on the setup, our LAN is connected via the inside interface (inside int & LAN are on the same subnet), we have an MPLS link connected to another interface on the ASA (mpls) with a security level of 50.
The MPLS link is for a remote site we have, all communication to this site works as it should, the only problem being I get flooded with these ASDM logs -> Deny IP Spoof from (192.168.50.31) to 192.168.102.253 on interface inside
192.168.102.253 is a core switch at the remote site.
Please see sanitised config below (possible typo's):
: Saved
ASA Version 8.2(5)
hostname UK-FW-1
domain-name company.local
enable password ********* encrypted
passwd ******** encrypted
names
name 192.168.44.0 Visitors-Wifi
name 192.168.48.0 LAN
name 192.168.50.3 Int-SFTP
name 192.168.50.133 Int-Linux_SSH
name 10.0.0.0 Servers
name 10.20.30.0 VPN
name xxx.xxx.xxx.xxx Ext-PRTG
name xxx.xxx.xxx.xxx Ext-Linux_SSH
name xxx.xxx.xxx.xxx Ext-SFTP
name 192.168.57.0 Phone-Network
name 10.255.255.248 Admin-VPN
name 172.31.0.0 Cisco-Admin
name 10.0.0.62 Int-PRTG
name 192.168.255.0 MPLS
name 192.168.103.0 Network2
name 192.168.104.0 Network3
name 192.168.105.0 Network4
name 192.168.102.0 Network1
name xxx.xxx.xxx.xxx Ext-Partner_Extranet
name 10.0.0.13 Int-Partner_Extranet
interface Ethernet0/0
description External Interface
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
interface Ethernet0/1
description Internal Interface
nameif inside
security-level 100
ip address 192.168.50.31 255.255.248.0 standby 192.168.50.30
interface Ethernet0/1.5
description Visitors Wifi
vlan 5
nameif visitors
security-level 25
ip address 192.168.44.1 255.255.255.0
interface Ethernet0/2
description MPLS
nameif mpls
security-level 50
ip address 192.168.255.254 255.255.255.0
interface Ethernet0/3
description LAN/STATE Failover Interface
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
banner login -
banner login ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!!
banner login -
banner motd -
banner motd ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!!
banner motd This is a privately owned computing system.
banner motd Access is permitted only by authorized employees or agents of the company.
banner motd The system may be used only for authorized company business.
banner motd Company management approval is required for all access privileges.
banner motd This system is equipped with a security system intended to prevent and
banner motd record unauthorized access attempts.
banner motd Unauthorized access or use is a crime under the law.
banner motd -
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.50.72
name-server 192.168.50.82
name-server 8.8.8.8
domain-name company.local
object-group service Guest-tcp-group tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq ssh
object-group service Guest-udp-group udp
port-object eq domain
port-object eq ntp
object-group service PRTG-Group tcp
port-object eq https
object-group service SFTP-Group tcp
port-object eq ssh
object-group network TEST
network-object Network1 255.255.255.0
network-object Network2 255.255.255.0
network-object Network3 255.255.255.0
network-object Network4 255.255.255.0
network-object 192.168.42.0 255.255.255.0
object-group service Extranet-Group tcp
port-object eq https
port-object eq www
access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.248.0 VPN 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.248.0 Admin-VPN 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.248.0 object-group TEST
access-list inside_outbound_nat0_acl extended permit ip LAN 255.255.248.0 MPLS 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Servers 255.255.255.192 VPN 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Servers 255.255.255.192 Admin-VPN 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip Servers 255.255.255.192 object-group TEST
access-list inside_outbound_nat0_acl extended permit ip Servers 255.255.255.192 MPLS 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Phone-Network 255.255.255.0 VPN 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Phone-Network 255.255.255.0 Admin-VPN 255.255.255.248
access-list inside_outbound_nat0_acl extended permit ip Phone-Network 255.255.255.0 object-group TEST
access-list inside_outbound_nat0_acl extended permit ip Phone-Network 255.255.255.0 MPLS 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Cisco-Admin 255.255.255.224 Admin-VPN 255.255.255.248
access-list split_tunnel_acl standard permit LAN 255.255.248.0
access-list split_tunnel_acl standard permit Servers 255.255.255.192
access-list split_tunnel_acl standard permit Network1 255.255.255.0
access-list split_tunnel_acl standard permit Phone-Network 255.255.255.0
access-list split_tunnel_acl standard permit Cisco-Admin 255.255.255.224
access-list split_tunnel_acl standard permit Network2 255.255.255.0
access-list split_tunnel_acl standard permit Network3 255.255.255.0
access-list split_tunnel_acl standard permit Network4 255.255.255.0
access-list outside_access_in extended permit tcp any host Ext-PRTG object-group PRTG-Group
access-list outside_access_in extended permit tcp any host Ext-SFTP object-group SFTP-Group
access-list outside_access_in extended permit tcp any host Ext-Linux_SSH object-group SFTP-Group
access-list outside_access_in extended permit tcp any host Ext-Partner_Extranet object-group Extranet-Group
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended deny ip any any log
access-list visitors_access_in extended permit ip any any
access-list visitors_access_in extended deny ip any any
access-list mpls_nat0_outbound extended permit ip MPLS 255.255.255.0 LAN 255.255.248.0
access-list mpls_nat0_outbound extended permit ip MPLS 255.255.255.0 Servers 255.255.255.192
access-list mpls_nat0_outbound extended permit ip MPLS 255.255.255.0 Phone-Network 255.255.255.0
access-list mpls_nat0_outbound extended permit ip object-group TEST Admin-VPN 255.255.255.248
access-list mpls_nat0_outbound extended permit ip object-group TEST VPN 255.255.255.0
access-list mpls_nat0_outbound extended permit ip object-group TEST LAN 255.255.248.0
access-list mpls_nat0_outbound extended permit ip object-group TEST Servers 255.255.255.192
access-list mpls_nat0_outbound extended permit ip object-group TEST Phone-Network 255.255.255.0
access-list mpls_acl extended permit ip any any log
access-list mpls_acl extended permit icmp any any log
access-list mpls_acl extended deny ip Network4 255.255.255.0 any
access-list mpls_acl extended deny ip any any log
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging list email-alert message 716001-716002
logging list email-alert message 722022-722023
logging list email-alert message 713049
logging list email-alert message 113019
logging list email-alert message 713119-713120
logging list email-alert message 113015
logging list email-alert message 713184
logging list email-alert message 113012
logging list email-alert message 315004
logging list email-alert message 315011
logging list email-alert message 105007
logging list email-alert message 105043
logging list email-alert message 111001-111003
logging list email-alert message 111005-111006
logging list email-alert message 111008-111010
logging buffer-size 8192
logging buffered alerts
logging asdm errors
logging mail email-alert
logging from-address
[email protected]
logging recipient-address
[email protected]
level notifications
mtu outside 1500
mtu inside 1500
mtu visitors 1500
mtu mpls 1500
ip local pool VPN-Pool 10.20.30.5-10.20.30.254 mask 255.255.255.0
ip local pool VPNAdmin-Pool 10.255.255.249-10.255.255.254 mask 255.255.255.248
ip local pool SSLVPN-Pool 10.20.30.2-10.20.30.4 mask 255.255.255.0
ip verify reverse-path interface outside
failover
failover lan unit primary
failover lan interface LAN/STATE Ethernet0/3
failover key *******
failover link LAN/STATE Ethernet0/3
failover interface ip LAN/STATE 1.1.1.1 255.255.255.252 standby 1.1.1.2
monitor-interface visitors
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any time-exceeded inside
icmp permit any echo visitors
icmp permit any echo-reply visitors
icmp permit any time-exceeded visitors
icmp permit any echo mpls
icmp permit any echo-reply mpls
icmp permit any time-exceeded mpls
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 Cisco-Admin 255.255.255.224
nat (inside) 1 Servers 255.255.255.192
nat (inside) 1 Phone-Network 255.255.255.0
nat (inside) 1 Network1 255.255.255.0
nat (inside) 1 Network2 255.255.255.0
nat (inside) 1 Network3 255.255.255.0
nat (inside) 1 Network4 255.255.255.0
nat (inside) 1 MPLS 255.255.255.0
nat (inside) 1 LAN 255.255.248.0
nat (visitors) 1 Visitors-Wifi 255.255.255.0
nat (mpls) 0 access-list mpls_nat0_outbound
nat (mpls) 1 192.168.42.0 255.255.255.0
nat (mpls) 1 Network1 255.255.255.0
nat (mpls) 1 Network2 255.255.255.0
nat (mpls) 1 Network3 255.255.255.0
nat (mpls) 1 Network4 255.255.255.0
nat (mpls) 1 MPLS 255.255.255.0
nat (mpls) 1 LAN 255.255.248.0
static (inside,outside) Ext-PRTG Int-PRTG netmask 255.255.255.255
static (inside,outside) Ext-SFTP Int-SFTP netmask 255.255.255.255
static (inside,outside) Ext-Linux_SSH Int-Linux_SSH netmask 255.255.255.255
static (outside,inside) Int-PRTG Ext-PRTG netmask 255.255.255.255
static (outside,inside) Int-SFTP Ext-SFTP netmask 255.255.255.255
static (outside,inside) Int-Linux_SSH Ext-Linux_SSH netmask 255.255.255.255
static (inside,outside) Ext-Partner_Extranet Int-Partner_Extranet netmask 255.255.255.255
static (outside,inside) Int-Partner_Extranet Ext-Partner_Extranet netmask 255.255.255.255
static (inside,mpls) LAN LAN netmask 255.255.248.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group visitors_access_in in interface visitors
access-group mpls_acl in interface mpls
route inside Network1 255.255.255.0 192.168.50.13 1 track 1
route outside 0.0.0.0 0.0.0.0 86.188.161.81 1
route inside Servers 255.255.255.192 192.168.50.13 1
route inside Cisco-Admin 255.255.255.224 192.168.50.13 1
route mpls 192.168.42.0 255.255.255.0 192.168.255.1 1
route inside Phone-Network 255.255.255.0 192.168.50.13 1
route mpls Network1 255.255.255.0 192.168.255.1 254
route mpls Network2 255.255.255.0 192.168.255.1 1
route mpls Network3 255.255.255.0 192.168.255.1 1
route mpls Network4 255.255.255.0 192.168.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask enable default svc
aaa-server ActiveDirectory protocol radius
aaa-server ActiveDirectory (inside) host 192.168.50.82
key *******
radius-common-pw *******
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
aaa authorization exec authentication-server
no snmp-server location
no snmp-server contact
snmp-server community public
sysopt noproxyarp inside
sla monitor 1
type echo protocol ipIcmpEcho 192.168.102.253 interface inside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 65535 set pfs group1
crypto dynamic-map dmap 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map imap 10 ipsec-isakmp dynamic dmap
crypto map imap interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn xxx.xxx.xxx.xxx
subject-name CN=xxx.xxx.xxx.xxx
keypair sslvpnkey
crl configure
crypto ca certificate chain localtrust
<cert removed>
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 1 reachability
no vpn-addr-assign dhcp
telnet timeout 1
console timeout 15
management-access inside
dhcpd address 192.168.44.100-192.168.44.254 visitors
dhcpd dns 8.8.8.8 8.8.4.4 interface visitors
dhcpd domain company.net interface visitors
dhcpd enable visitors
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.50.72 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.168.50.82 255.255.255.255
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 212.13.197.135 prefer
ntp server 192.168.50.72
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.3055-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy SSLVPNUsers internal
group-policy SSLVPNUsers attributes
wins-server none
dns-server value 192.168.50.72 192.168.50.82
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout 240
vpn-tunnel-protocol webvpn
group-lock value SSLVPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_acl
default-domain value company.local
address-pools value SSLVPN-Pool
webvpn
svc ask none default svc
customization value DfltCustomization
group-policy DfltGrpPoicy internal
group-policy DfltGrpPoicy attributes
dns-server value 192.168.50.72 192.168.50.82
group-policy VPNAdmin internal
group-policy VPNAdmin attributes
dns-server value 192.168.50.72 192.168.50.82
vpn-simultaneous-logins 6
vpn-idle-timeout 15
vpn-session-timeout 120
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_acl
default-domain value company.local
group-policy VPNUsers internal
group-policy VPNUsers attributes
dns-server value 192.168.50.72 192.168.50.82
vpn-simultaneous-logins 200
vpn-idle-timeout 60
vpn-session-timeout 480
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_acl
default-domain value company.local
group-policy VPNRadius internal
group-policy VPNRadius attributes
dns-server value 192.168.50.72 192.168.50.82
vpn-simultaneous-logins 250
vpn-idle-timeout 60
vpn-session-timeout 480
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_acl
default-domain value company.local
vpn-group-policy VPNUsers
service-type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ActiveDirectory
tunnel-group VPNUsers type remote-access
tunnel-group VPNUsers general-attributes
address-pool VPN-Pool
default-group-policy VPNUsers
tunnel-group VPNUsers ipsec-attributes
pre-shared-key *********
tunnel-group VPNRadius type remote-access
tunnel-group VPNRadius general-attributes
address-pool VPN-Pool
authentication-server-group ActiveDirectory
default-group-policy VPNRadius
tunnel-group VPNRadius ipsec-attributes
pre-shared-key *********
tunnel-group VPNAdmin type remote-access
tunnel-group VPNAdmin general-attributes
address-pool VPNAdmin-Pool
default-group-policy VPNAdmin
tunnel-group VPNAdmin ipsec-attributes
pre-shared-key **********
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool SSLVPN-Pool
authentication-server-group ActiveDirectory
default-group-policy SSLVPNUsers
tunnel-group SSLVPN webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
class-map qos
match access-list visitors_access_in
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect ip-options
class class-default
set connection decrement-ttl
policy-map qos
class qos
police input 5000000
police output 5000000
service-policy global_policy global
service-policy qos interface visitors
smtp-server xxx.xxx.xxx.xxx
prompt hostname context
no call-home reporting anonymous
: end
Many thanks in advance.
Zeb.Zeb,
Your issue is with the SLA monitor and tracking...
name 192.168.102.0 Network1
route inside Network1 255.255.255.0 192.168.50.13 1 track 1
route mpls Network1 255.255.255.0 192.168.255.1 254
track 1 rtr 1 reachability
sla monitor 1
type echo protocol ipIcmpEcho 192.168.102.253 interface inside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
You're tracking an inside route to Network1 using the inside interface but the ping test is going to the core switch at 192.168.102.253 which is in the mpls network. This is impossible.
Turn off your SLA monitor and I bet the logs stop.
I'm not sure what requirement you are trying to meet with the tracking. Either 192.168.102.0/24 is off the inside interface or its off the mpls interface. It can not be both.
Maybe you are looking for
-
Windows 8.1: Printer Offline Issue - POSSIBLE SOLUTION
Hi all - I came across this extremely annoying problem between my Toshiba Win-spit-dows 8.1 (shudder) laptop and my HP 71197B Photosmart 5510. a) I found out my printer ip using Fing on my mobile - use any method to find this out. b) I typed this in
-
(I'm using the current AE CC 2014)... I've tried twice to start working on a project in After Effects while a DIFFERENT project is rendering in Media Encoder. Both times it (Media Encoder) hung up/crashed. I thought the point of a separate encoder pr
-
hello... i have photoshop cs5 fully updated with the latest version 12.0.3 and until yesterday everything was fine..... now something stange is happening because de adobe update manager is asking me to update to version 12.0.2.... off course at the e
-
Hello gurus, I have a question about query designer. I have various selections (cost centre) on structure. And i want under each selection the detail os costs for each cost centre. i have: structure: selection 1 (cc = 1100001) sel
-
OS X 10.4.6 and Linksys PPSX1 printing issue
I recently upgraded to Tiger from Panther with a couple of regrets, one of which is related to using a Linksys PPSX1 Etherfast Print Server. Under Panther I had successfully created a printer using LPD/LPR, naming a que and selecting my printer (an N