ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

Hello!
We have problems on central firewall with restricting traffic coming from remote office from IPsec. (The network sheme is attached)
All branch offices are connected to central asa though IPsec.
The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel
According to the sheme:
172.16.1.0/24 is on of the branch office LANs
10.1.1.0/24 and 10.2.2.0/24 are central office LAN
The crypto ACL looks like  permit ip 172.16.1.0/24 10.0.0.0/8
The aim is to
restrict access from 172.16.1.0/24 to 10.1.1.0/24
When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok -  they are dropped by acl2
When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path
I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
class-map tcp_bypass_map
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass_acl
policy-map tcp_bypass_policy
class tcp_bypass_map
set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface outside
service-policy tcp_bypass_policy interface inside
Does anyone know, how to make TCP State Bypass works properly?

I understand the pain of creating diffrent crypto for diffrent tunnels but i never come across better solution. However TCP state bypass is not going to help in regards to restrict access. TCP state bypass is a way to for FW to act like router which does not do statefull and I dont think that fits in your scenario.
You can still control access on center site by using vpn-filters.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Thanks
Ajay

Similar Messages

  • Cisco ASA 5505 Reset-I Problem with TCP State Bypass

    Hello,
    I have a Cisco ASA 5505 that functions as my primary firewall and a Mitel 5000 controller behind it. I have two external phone users that have been connecting through the firewall with no issues for six months until about two weeks ago. I am now seeing the following log entry on the phone trying to connect to the Mitel Controller.
    6
    May 16 2014
    14:52:52
    302014
    72.135.115.37
    6915
    192.168.20.2
    6801
    Teardown TCP connection 1203584 for outside:72.135.115.37/6915 to inside:192.168.20.2/6801 duration 0:00:00 bytes 0 TCP Reset-I
    My phones are designed to work with the Mitel 5000 and Mitel 3300 phone controllers. The 5000 will only use port 6800 for call control, while the 3300 will use 6801 (Secured Minet), 6802 (Minet SSH), and if those fail, port 6800 (Minet Unsecured). When the phones initiate a connection, they try 6801 first. If 6801 is unavailable, the phone controller adds the RST flag to the ACK packet. When the phone sees the RST flag, it is supposed to reset and use the next port (6802). The same process happens again for port 6802, then the phone knows to try 6800. The problem is that the ASA sees the RST flag now and terminates the connection at the firewall. Therefore, the phones never see the RST flag, and continue to try the connection with port 6801.
    I have tried to use the TCP State Bypass feature to correct the situation, but the log shows that the connection is still being terminated immediately by the firewall. I am a novice when it comes to configuring the ASA. Any help would be greatly appreciated, as the company that I bought the phone system from is out of troubleshooting options. I do not think that I have made any changes to the firewall around this time. I have packet captures and logs from my ASA and I have wireshark data on the inside of my network. I need to figure out how to configure the ASA so that it ignores the RST flag and sends the packet back to the source.
    Any help would be greatly appreciated!

    Thanks Rizwan,
    Still no luck.  I can't even ping the otherside (office)..  I am not sure if i'm running the debug rightway.   Here are my results...
    homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side.  I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
    Success rate is 0
    homeasa(config)# debug crypto isakmp 7
    homeasa(config)# debug crypto ipsec 7
    homeasa(config)# sho crypto isakmp 7
                                       ^
    ERROR: % Invalid input detected at '^' marker.
    homeasa(config)# sho crypto isakmp
    There are no isakmp sas
    Global IKE Statistics
    Active Tunnels: 0
    Previous Tunnels: 0
    In Octets: 0
    In Packets: 0
    In Drop Packets: 0
    In Notifys: 0
    In P2 Exchanges: 0
    In P2 Exchange Invalids: 0
    In P2 Exchange Rejects: 0
    In P2 Sa Delete Requests: 0
    Out Octets: 0
    Out Packets: 0
    Out Drop Packets: 0
    Out Notifys: 0
    Out P2 Exchanges: 0
    Out P2 Exchange Invalids: 0
    Out P2 Exchange Rejects: 0
    Out P2 Sa Delete Requests: 0
    Initiator Tunnels: 0
    Initiator Fails: 0
    Responder Fails: 0
    System Capacity Fails: 0
    Auth Fails: 0
    Decrypt Fails: 0
    Hash Valid Fails: 0
    No Sa Fails: 0
    Global IPSec over TCP Statistics
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Recevied ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0
    hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
    There are no ipsec sas
    homeasa(config)#

  • All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

    Hi, all,
      I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site ,  I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
    Quote :
    Question ? :
    Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
    Dallas (Main) Lan Net is: 10.10.200.0/24
    Austin (Remote) LAN Net is: 10.20.2.0/24
    The Dallas (Main) site has a VPN config of:
    Local Net: 0.0.0.0/0
    Remote Net: 10.20.2.0/24
    The Austin (Remote) site has a VPN config of:
    10.20.2.0/24
    Remote Net: 0.0.0.0/0
    The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
    I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
    Answer:
    Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
    Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
    My question ?
    The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." what this mean and
    how to do it , could anybody give me the specific configuration ? thanks a lot.

    Thank you for Jouni's reply,  following is the configuration on Cisco 2800 router ,no firewall enable, :
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
    crypto dynamic-map IPsecdyn 100
    set transform-set IPsectrans
    match address 102
    crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
    interface Loopback1
    ip address 10.10.200.1 255.255.255.0
    interface FastEthernet0/0
    ip address 113.113.1.1 255.255.255.128
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map IPsecmap
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 113.113.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 100 interface FastEthernet0/0 overload
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any 10.20.2.0 0.0.0.255

  • NAT traffic over a IPSec tunnel (ISR)

    Hi.
    I's suppose to setup i IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isen't that big of a deal, but the system manager on the "CheckPoint side" want the traffic though the tunnel should originate from a public IP-address, and only one source IP-address.
    So, Let say that my ISP have given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP-address from the range 192.168.10.0/24, and the remote application in the "Checkpoint site" has the IP-address 172.16.1.10. The result of this should be:
    IPSec tunnel is created using the 10.10.1.1 IP-address.
    The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.
    Is this possible? I guess that it would mean that I have to NAT the traffic going though the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
    Anyone who could shed some light? Any insight appreciated.
    Sheers!
    /Johan Christensson

    Thanks jjohnston1127!
    Well, i guess that it would work, and I wasen't that far off, but got stuck in the "ip nat inside" rule when I where to specify either a pool och an interface. It diden't accur to me that a pool chould just consist of 1 IP-address.
    How ever, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
    access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
    If i change it to something like this, the tunnel negotiation get triggerd.
    access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
    How ever i assume that the negotiation failes because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.
    Is this because that the NAT'ing dosen't get processed before the IPSec configuration?
    Can this behavior be changed?
    Best regards,
    Johan Christensson

  • Tunnel Traffic going inside IPSEC tunnel

    Hi Everyone,
    Site A  has IP Sec Tunnel to Site B via ASA.
    Now Switch on Site A has GRE tunnel and destination of that tunnel is going inside the IPSEC tunnel.
    In other words IPSEC tunnel between 2 sites is also carrying the GRE Tunnel Traffic.
    Which command i can run on ASA to know if IPSEC is carrying GRE tunnel traffic  or
    What line in ASA config will tell me that this IPSEC is also carrying GRE tunnel traffic?
    Thanks
    MAhesh

    Hi Jouni,
    I can not put config here.
    But here is the info
    sh crypto map shows ASA  outside interface say GGG this interface has ipsec connection to other site.
    also sh conn all | inc GRE shows bunch of output.
    It shows ASA outside inetrface which is to WAN say GGG   8 times and it has say subnet range
    GRE GGG  10.22.31.4  XY 10.x.x.x.x
    GRE GGG  10.22.31.4  XY  10.x.x.x
    GRE GGG  10.22.31.3
    GRE GGG  10.22.31.3
    GRE GGG  10.22.31.3
    GRE GGG  10.22.31.4
    GRE GGG  10.22.31.4
    GRE GGG  10.22.31.4
    Where XY is interface of ASA which is next hop to tunnel destination.
    IP 10.x.x.x  is the tunnel source IP which is loopback on the switch.
    Do you know why it has 2 entries for same ASA  interface XY ?
    Also it has other entries for other ASA  interface.
    So does number of entries tell us number of GRE connections running ?
    Thanks
    MAhesh
    Message was edited by: mahesh parmar

  • COLLECT statement in start routine of update rules for data coming from R/3

    Hi,
    I have more than one record with the same key combination that comes from R/3. I have a condition wherein I write into an error log. Hence I want only ione entry to be written into a error log and not multiple instances.
    I had written a similar one for ODS.
    Loop at IT_ODS into WA_ODS.
    Collect WA_ODS into IT_SUM.
    How to collect data that is coming in from R/3. Any inputs?

    Hi,
    I think, by using ATEND you can acheive control break logic.
    Regards,
    -Vj

  • Need exit/badi to carry out new pricing(b) for SO coming from CRM...

    Hello Experts,
    We are transferring internet sales orders from CRM to R/3. Now, what I need to do is
    to trigger the 'carry out new pricing' for all the line items. Just like when we click
    the update button in the conditions tab and click on the 'carry new pricing' option even though
    user only displays the sales order in R/3.
    Hope you can help me guys. Thank you and take care!

    No Answer...

  • CUP 5.3 - Role Reaffirmation for roles coming from ERM

    Hi All,
    our source system for roles in the CUP is the ERM.
    can i do Role Reaffirmation for those  roles ? because i saw that they don't come with validity dats
    Thanks
    Yudit

    Hi,
      My personal recommendation would be to either go with spreadsheet or backend system. Even when you bring roles from SAP system, it doesn't have any role reaffirm date as there is no such field in backend system. If you want to maintain roles properly then please configure them in spreadsheet so if you need to do mass changes it would be very easy to perform those updates.
    Regards,
    Alpesh

  • Learning Curve for Rules - coming from HFM 9.3.3 to 11.1.2 Cal Mgr

    We are currently are on 9.3.3 for HFM, Planning, and Essbase and contemplating an upgrade to 11.1.2.2. In the documents for 11.1.2.2, I read that we will have to migrate to calc manager for the rules. We are currently on the classic versions for each application rather than EPMA.
    Whats the learning curve for moving to calc manager? Are people taking a class on it or picking up on their own?

    Hi all,
    I just completed an installation of 11.1.2.2 and I am testing various applications in order to assess the situation and propose to my clients.
    Calculation manager is not the only way to maintain your rule file. As I have seen Oracle has discuntinued the Rule Editor but you can use any notepad to edit your rules (Notepad ++ for example) and load the rule file Workspace.
    I am not really impressed from calculation manager yet. Definately in one of the following versions we will have to migrate all the rule files but I do not believe that we can do that in this version. For example in my files there is a huge issue of displaying the variables....
    Regards,
    Athanasios

  • Listening in main application for event coming from custom component

    I have a custom component that im using for a login.  i watch videos and tutorials on how to pass variables between custom components and application. the problem im having is that must tutorials or explanation have you put the event on the custom component and then it refers to some function within the main app.
    Is there a way to just listen on the main app when that event kicks off? ive been trying for hours and i know there has to be something im missing it cant be that hard. any help i would really appreciate.
    Thanks
    Miguel

    Sounds like you're asking about addEventListener():
         <fx:Script>
              <![CDATA[
                   import mx.events.FlexEvent;
                   protected function windowedapplication1_creationCompleteHandler(event:FlexEvent):void
                        comp.addEventListener("test", testHandler);
                   private function testHandler(e:Event):void {
                        trace(e);
              ]]>
         </fx:Script>
         <local:TestComponent id="comp"/>
    Add an event listener on your custom component (first string is the 'type' of the event).

  • What is security central - is it a virus (it pops up saying needed for firefox-coming from you)...google said it is a dangerous virus -- any protection?

    Received 3 popups today - indicating that Firefox wanted to install Security Central 137 and Security Central 577 because my computer is unprotected (then a number of trojans and viruses were listed). I didn't buy it, so googled "security central" -- search revealed that security central is a virus.
    Is security central OK or not...was that popup from Firefox or Mozilla? If not, is there a fix?

    My Avira detect that installer as a virus, beware of it!!!
    [http://www.ebookreviewdownload.com/ Book Lover]

  • Best desktop publisher for MBP coming from Microsoft publisher

    Hey gang,
    My wife has a small business.  She now has two MPB.  She runs one with Parallels and windows XP because she is in love with Microsoft publisher for making newsletters and similar.  I am going to buy her a new MBP and want to go to Yosemite and get her off Windows.  We have Pages, Numbers, Excel, Powerpoint, keynote etc.  What software would you recommend that she can use and make the easy transition of Publisher to whatever?  Can .pub files be opened in other applications?  Any advice would be great.
    Thanks,
    Michael

    Here's a link to an article describing some of the options for converting Publisher files:
    http://desktoppub.about.com/cs/publisher/f/share_pubfiles.htm
    If she is actually making do with Publisher, Pages might be sufficient, but there are plenty of options: Swift Publisher, Scribus, Printworks, eventually Affinity Publisher (not yet available for the Mac OS but in the works).
    http://teratalks.com/2012/08/forget-adobe-inexpensive-desktop-publishing-is-aliv e-and-well-on-the-mac/
    http://www.belightsoft.com/products/printworks/overview.php

  • How to pass ra vpn subnet traffic through an ipsec tunnel

    Dear geeks,
    I have two sites lets call it main and dr connected via ipsec site to site vpn from cisco asa to cisco asa at both the ends. I also have Remote access vpn on both the ends  to the main site as well as on the dr site. 
    Now the question is if i connect to the ra vpn to the dr site can i pass the traffic from the ra subnet through the ipsec site to site to the main site so from the ra vpn connected pc i can directly access the servers in the main site also. the ra subnet traffic can it be included in the crypto access-list in the site to site .
    is there any drawbacks for this ..
    please do let me know if you need more details.
    thanks
    Manek

    This is a common implementation and described in numerous articles - it is often referred to as "hairpinning" or "U-Turn" as the traffic from RA VPN comes in via outside interface and then back out same interface to the peer site.
    Three things are generally required:
    1. the appropriate access-list entries (referenced by the crypto map associated with the tunnel)
    2. NAT exemption for the RA subnet traffic headed to the peer site
    3. permitting traffic via same-security-interface.
    (You'll generally get better visibility for this sort of question on the VPN forum. You can recategorize your original post via the widget in the top right.)

  • NAT list getting hit for traffic from WAN IP

    I have an 871 setup at home with a fairly basic configuration (NAT, Firewall, EasyVPN, Wireless). What I've noticed is that for traffic going from the WAN interface (FastEthernet4), it seems to be hitting the ACL in place for NAT. My config:
    interface Loopback0
    ip address 192.168.254.1 255.255.255.255
    interface FastEthernet4
    description Cable Modem Connection
    bandwidth 384
    ip address dhcp
    ip nat outside
    ip nat enable
    no ip virtual-reassembly
    duplex auto
    speed auto
    interface Vlan1
    no ip address
    bridge-group 1
    interface BVI1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip nat inside source list NATLIST interface FastEthernet4 overload
    ip access-list extended NATLIST
    permit ip 192.168.1.0 0.0.0.255 any
    deny ip any any log
    Seems to work just fine, but I will see this in my logs:
    Oct 30 17:21:38 PDT: %SEC-6-IPACCESSLOGP: list NATLIST denied udp 76.22.98.39(0) -> 68.87.69.146(0), 1 packet
    Oct 30 17:21:38 PDT: %SEC-6-IPACCESSLOGP: list NATLIST denied udp 76.22.98.39(0) -> 140.142.16.34(0), 1 packet
    Oct 30 17:21:56 PDT: %SEC-6-IPACCESSLOGDP: list NATLIST denied icmp 76.22.98.39 -> 24.64.94.41 (0/0), 1 packet
    Oct 30 17:23:38 PDT: %SEC-6-IPACCESSLOGP: list NATLIST denied udp 76.22.98.39(0) -> 207.188.29.230(0), 1 packet
    Oct 30 17:25:38 PDT: %SEC-6-IPACCESSLOGDP: list NATLIST denied icmp 76.22.98.39 -> 121.18.13.100 (0/0), 2 packets
    Oct 30 17:27:38 PDT: %SEC-6-IPACCESSLOGDP: list NATLIST denied icmp 76.22.98.39 -> 24.64.94.41 (0/0), 1 packet
    Where 76.22.98.39 is the dynamic IP address from the cable provider. If the traffic isn't passing through the router, why is it trying to NAT it?
    IOS Version is 12.4(6)T9

    Hello Brom,
    I am facing the same situation that I can see a whole bunch of log-entries which state that IP-packets with the source address of the routers own WAN-interface-address are trying to reach a variety of IPs somewhere out there.
    I don't feel fine with just ignoring something - in only very rare situations this has been a good advise. I believe this is not a solution.
    There's just one naging question you should be able to answer.
    Since when needs the routers traffic translation? If the router sends packets because it want's to reach a destination for some reason it uses as source-address the address of the interface the traffic is supposed to leave and send's it directly there, doesn't it?
    So why in the world are there thousends of packets denied by the NAT-process (ofcourse, the NATACL doesn't allow this address), all showing the same pattern
    (pattern == protocol=udp AND source=ownWANIP AND port=0 AND destination=someIPoutthere AND port=0) as you can see from the following output, cause I think this is supicious and tryed it - wow! How do these packets get to the NAT-process anyway?!
    000894: Oct 10 06:57:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000895: Oct 10 06:58:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 4 packets 
    000896: Oct 10 06:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000897: Oct 10 06:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000898: Oct 10 07:02:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000899: Oct 10 07:04:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 16 packets 
    000900: Oct 10 07:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000901: Oct 10 07:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000902: Oct 10 07:08:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000903: Oct 10 07:09:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 5 packets 
    000904: Oct 10 07:11:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000905: Oct 10 07:11:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000906: Oct 10 07:13:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000907: Oct 10 07:14:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 14 packets 
    000908: Oct 10 07:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000909: Oct 10 07:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000910: Oct 10 07:18:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000911: Oct 10 07:19:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 2 packets 
    000913: Oct 10 07:22:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000914: Oct 10 07:22:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 3 packets 
    000915: Oct 10 07:23:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000916: Oct 10 07:24:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 8 packets 
    000917: Oct 10 07:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 3 packets 
    000918: Oct 10 07:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000919: Oct 10 07:29:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 3 packets 
    000920: Oct 10 07:30:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 2 packets 
    000921: Oct 10 07:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 3 packets 
    000922: Oct 10 07:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 3 packets 
    000923: Oct 10 07:34:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000924: Oct 10 07:35:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 24 packets 
    000925: Oct 10 07:38:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000926: Oct 10 07:38:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000928: Oct 10 07:39:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 3 packets 
    000929: Oct 10 07:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 1 packet 
    000930: Oct 10 07:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000931: Oct 10 07:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000932: Oct 10 07:44:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000936: Oct 10 07:47:35: %SEC-6-IPACCESSLOGP: list FAE00IN denied tcp 222.173.130.154(6000) -> 212.152.155.204(1433), 1 packet 
    000937: Oct 10 07:49:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 2 packets 
    000938: Oct 10 07:49:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000939: Oct 10 07:49:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000940: Oct 10 07:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000941: Oct 10 07:54:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 5 packets 
    000942: Oct 10 07:54:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000943: Oct 10 07:54:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000946: Oct 10 07:56:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000947: Oct 10 08:00:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 7 packets 
    000948: Oct 10 08:00:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000949: Oct 10 08:00:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000950: Oct 10 08:01:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000951: Oct 10 08:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 15 packets 
    000952: Oct 10 08:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000953: Oct 10 08:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000954: Oct 10 08:06:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000956: Oct 10 08:10:26: %SEC-6-IPACCESSLOGDP: list FORNAT denied icmp 212.152.155.204 -> 172.16.0.151 (0/0), 1 packet 
    000957: Oct 10 08:10:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 6 packets 
    000958: Oct 10 08:10:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000959: Oct 10 08:10:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000960: Oct 10 08:11:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000961: Oct 10 08:14:49: %SEC-6-IPACCESSLOGP: list FAE00IN denied tcp 216.133.175.69(2087) -> 212.152.155.204(5900), 1 packet 
    000962: Oct 10 08:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000963: Oct 10 08:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 11 packets 
    000964: Oct 10 08:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000966: Oct 10 08:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000968: Oct 10 08:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000969: Oct 10 08:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 6 packets 
    000970: Oct 10 08:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000971: Oct 10 08:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000972: Oct 10 08:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000973: Oct 10 08:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 3 packets 
    000974: Oct 10 08:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000975: Oct 10 08:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000976: Oct 10 08:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000977: Oct 10 08:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 29 packets 
    000978: Oct 10 08:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000979: Oct 10 08:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000980: Oct 10 08:38:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000981: Oct 10 08:39:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000982: Oct 10 08:39:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000983: Oct 10 08:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000984: Oct 10 08:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 1 packet 
    000985: Oct 10 08:44:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000986: Oct 10 08:44:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000987: Oct 10 08:49:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 2 packets 
    000988: Oct 10 08:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000989: Oct 10 08:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000990: Oct 10 08:52:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000991: Oct 10 08:54:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 5 packets 
    000992: Oct 10 08:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 6 packets 
    000993: Oct 10 08:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000994: Oct 10 08:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000995: Oct 10 09:00:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000996: Oct 10 09:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 17 packets 
    000997: Oct 10 09:07:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000998: Oct 10 09:07:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000999: Oct 10 09:09:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001002: Oct 10 09:10:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 7 packets 
    001003: Oct 10 09:15:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 14 packets 
    001004: Oct 10 09:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001005: Oct 10 09:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001006: Oct 10 09:17:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001007: Oct 10 09:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 6 packets 
    001008: Oct 10 09:24:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001009: Oct 10 09:24:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001010: Oct 10 09:26:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001012: Oct 10 09:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 4 packets 
    001013: Oct 10 09:32:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 26 packets 
    001014: Oct 10 09:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001015: Oct 10 09:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001016: Oct 10 09:35:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001017: Oct 10 09:37:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 1 packet 
    001018: Oct 10 09:41:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001019: Oct 10 09:41:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001020: Oct 10 09:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001021: Oct 10 09:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 1 packet 
    001022: Oct 10 09:48:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 74 packets 
    001023: Oct 10 09:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001024: Oct 10 09:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001027: Oct 10 09:52:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 

  • Syslog messages coming from Standyby ASA ?

    I have a pair of ASA's in Active/Standby configuration.  I noticed this morning that the secondary ASA is generating syslog messages when I dont think it should.  Here is the logging configuration -
    logging enable
    logging timestamp
    logging buffer-size 1048576
    logging console informational
    logging buffered informational
    logging trap informational
    logging history critical
    logging asdm critical
    logging mail critical
    logging host inside 10.1.4.12
    This is the interface that syslog should be coming out of on the primary ASA -
    interface GigabitEthernet0/1
    description 10.1.85.0/24 Internal Interface
    nameif inside
    security-level 100
    ip address 10.1.85.31 255.255.255.0 standby 10.1.85.32
    ospf retransmit-interval 1
    ospf hello-interval 1
    ospf dead-interval 3
    Cisco Adaptive Security Appliance Software Version 8.2(3)
    Device Manager Version 6.3(4)
    I ran the packet capture wizard on the secondary ASA and saw no syslog traffic coming from it.
    Anybody else seen this ?
    Ron

    Ron
    The message that you show us is part of what the ASA is doing to maintain state for all the VPN connections from the primary ASA. I see similar syslog messages from the standby unit in an ASA active/standby pair.
    You say:"I wouldnt expect any messages to be coming from it since it isnt really doing anything." But the standby unit is really doing things. As a new session is established on the primary the secondary must process and retain that information. And when a session is discontinued on the primary then the standby must process that also and remove the session from the state table. If the standby were not busy doing these things then it would not be able to take over and process sessions correctly if the primary were to fail.
    HTH
    Rick

Maybe you are looking for

  • When save as pdf, the dialog windows does not open. What is wrong?

    Working in illustrator, when saving time choose save as and click pdf, what is expect is, "the dialog box that  enable me to choose the quailty in pdf"  but it (the dialog box) does not appeared today. It still works yesterday. What went wrong? Pleas

  • Is it possible if I use Adobe Acrobat reader

    Hi all. I have some question to ask about Adobe acrobat reader and Adobe acrobat professional. Is it possible if I use Adobe Acrobat reader to input data in PDF file that is generated by interactive form using web dynpro or Abap program. I try to use

  • HGTV in widescreen only

    Noticed today that HGTV is in widescreen only mode in hd , and sd.  The wife hates it because of the black boxes above and below.  We have tried to correct this in the box settings and the tv settings.  Anybody else notice this?  We are in southern C

  • Reg: cancel GR tag printing

    Hi All, how to cancel GR tag printing when receiving goods in plant XXXX / Storage location XXXX. Because the pallet/frame/bearer is in IM level and stored in a separated room. we donu2019t need the GR tag at all. So could you pls help to delete the

  • How to configure connection pooling in WebLogic

    how to configure connection pooling in WebLogic