ASA5505 and SA540

kindly find the attached file . i have many question about figure 
1- first , can i configure ASA5505 ans SA540 as shown in figure ?
2- if question 1 yes , HOW ?
3 - can each firewall make PAT for local network to real ip and in the same time just make routing for voice server with real ip to access internet ? 
4 - can i make VPN tunnel between two firewall without any conflict happen to server Voice ?
if first question no , is there any other way to asign real ip to sever voice behind firewall ?
thanks alot 

Suggestion: Make sure you reboot your RV when you think it should be working and everything matches.
Wasted an hour on my RV320 the other night because it had hung up somehow.  Changes were not taking effect and a reboot fixed it.

Similar Messages

  • How can I improve performance over a Branch Office IPsec vpn tunnel between and SA540 and an SA520

    Hello,
    I just deployed one Cisco SA540 and three SA520s.
    The SA540 is at the Main Site.
    The three SA520s are the the spoke sites.
    Main Site:
    Downstream Speed: 32 Mbps
    Upstream Speed: 9.4 Mbps
    Spoke Site#1:
    Downstream Speed: 3.6 Mbps
    Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
    The SA tunnels are "Established"
    I see packets being tranmsitted and received.
    Pinging across the tunnel has an average speed of 32 ms (which is good).
    DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
    But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
    It takes about 15 minutes to print across the vpn tunnel.
    The remedy this, we have implemented Terminal Services across the Internet.
    Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
    Logging on to the network takes about 10 minutes over the vpn tunnel.
    Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
    I have used ASAs before in other implementation without any issues at all.
    I am wondering if I replaced the SAs with ASAs, that they may fix my problem.
    I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA vpn tunnels are unuseable.
    I opened a case with Small Business Support on Friday evening, but they couldnt even figure out how to rename an IKE Policy Name (I figured out that you had to delete the IKE Policy; you cannot rename them once they are created).
    Maybe the night weekend shift has a skeleton crew, and the best engineers are available at that time or something....i dont know.
    I just know that my experience with the Cisco TAC has been great for the last 10 years.
    My short experience with the Cisco Small Business Support Center has not been as great at all.
    Bottom Line:
    I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
    Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happeninng between the Main Site and Spoke #2 (I think Spoke#2 has a Download Speed of about 3Mbps and and Upload Speed of about 0.5 Mbps.
    Please help.
    I would hate to dismiss SA5xx series without making sure it is not just a simple configuration setting.

    Hi Anthony,
    I agree!.  My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA vpn performance.
    But I want to know WHY this is happening too.
    I will definitely run a sniffer trace to see what is happening.
    Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1 which I learned from you!)
    1.  Upgrade the SA540 at the Main Site to 2.1.45.
    2a. For cable connections, use the standard MTU of 1500 bytes.
    2.b For DSL, use the following command to determine the largets MTU that will be sent without packet fragmentation:
    ping -f -l packetsize
    Perform the items below to see if this increases performance:
    I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
    3a. Lower the IKE encryption algorithm from "AES-128" to DES.
    3b. Lower the IKE authentication algorithm to MD5
    3c. Also do the above for the VPN Policy
    Any input is welcome!

  • ASA5505 and AD with security group

    Hello,
    i have configured ASA5505 with VPN and with AAA from Active Directory. How i can define Security Group? Now everyone from domain can connect to VPN tunnel. But i need specify users in Security Group in AD.
    regards
    Tomas

    Hi Tomas,
    Please see the document /docs/DOC-9361 In this example, you have to replace "radious.25" with "Idap.memberOf"
    Let us know if you have any more questions.
    Thanks,
    Cisco Moderation Team

  • ASA5505 And Cisco WAP4410N

    Hello,
    A couple of days ago, my old access point burned out. It was a proxim ap-700. Anyway, I bought a new ap and recieve it today. I have been having trouble getting it up and going. I was wondering if anybody might have any idea what I'm messing up on.
    Now the 5505 has already been configured for dmz, ip 10.10.10.1/24, vlan id 13--- But when I try to input information into the ap and save it from it being connected to my laptop.. Then after that I unplug it and plug it into my 5505 in the same port as the other dead ap was in... It takes a long time to connect to it, then when I do.... I can't connect to the Internet or anything.
    ip: 10.10.10.245
    sub: 255.255.255.0
    gate: 10.10.10.1
    dns1: 8.8.8.8
    dns2 8.8.4.4

    Yes, I'm sure.
    I followed these steps to get it going. But I'm faced with something stupid... I can connect to the ap and it says I have Internet, but when I try to go to google or anything, my browser tells me it can't connect.
    I'm trying to figure out what happened.
    http://www.mailbeyond.com/adding-dmz-to-cisco-asa5505
    Link I used to figure most of it out..

  • Having problems with brand new ASA5505 and ASDM

    I have a brand new out of the box ASA5505.  I can connect with https://192.168.1.1 and login with blank username/password
    From there I get a screen that tells me I can either
    - Install ASDM Launcher and run ASDM or
    - Install Java Web Start
    If I choose the first option, ASDM runs, I put in 192.168.1.1 (and leave the UNAP blank) and it just sits there trying to connect
    If I choose option 2, it just loads java.com
    I have gone to java.com and installed the Java SE package (32bit and 64bit just in case - I'm on a 64bit Windows OS) which the docs say include Java Web Start, but the router still tells me "Java Web Start is required to run ASDM, but it is not installed on this computer"
    I'm stuck, I've been googling for 2 hours.  Found people say if ASDM doesn't run it could be a java mismatch and just to use the java web start client.  Any help is greatly appreciated.  Thanks.

    Hi
    Yes normally you need a smartnetcontract, but atleast in sweden you can talk to your ciscorep to get the newest software during the first 90 days.
    And yes updating the Java have in several occations in the past made the ASDM stop working.
    Thats the problem with java, it is incompatible with itself so the question must then be why use it to something as important as ASDM and log handeling ?
    I am sorry but I have no answer to that.
    Good luck
    HTH

  • Remote VPN between ASA5505 and Netscreen SSG140

    Dears,
    I'm trying to set up a VPN between an ASA 5505 and  SSG40Juniper and the VPN keep flaping:
    Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, NP encrypt rule look up for crypto map TEST 1 matching ACL ACL_VPN: returned cs_id=cd2e0998; encrypt_rule=cd39bd50; tunnelFlow_rule=cd488220
    Nov 27 04:47:27 [IKEv1]Group = 89.XXX, IP = 89.XXX, Security negotiation complete for LAN-to-LAN Group (89.XXX)  Responder, Inbound SPI = 0xb98f5dbe, Outbound SPI = 0xddd1484a
    Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE got a KEY_ADD msg for SA: SPI = 0xddd1484a
    Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Pitcher: received KEY_UPDATE, spi 0xb98f5dbe
    Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3060 seconds.
    Nov 27 04:47:27 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
    Nov 27 04:47:31 [IKEv1]IKE Receiver: Packet received on 81.1XXX:500 from 89.XXX:500
    Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
    Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
    Nov 27 04:47:31 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3056 seconds.
    Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
    Nov 27 04:47:35 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
    Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
    Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
    Nov 27 04:47:35 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3052 seconds.
    Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
    Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a4070b7)
    Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
    Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
    Nov 27 04:47:38 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=8977946c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
    Nov 27 04:47:38 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
    Nov 27 04:47:38 [IKEv1]IP = 89.XXX, IKE_DECODE RECEIVED Message (msgid=8e9a1247) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
    Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, processing hash payload
    Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, processing notify payload
    Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a4070b7)
    Nov 27 04:47:39 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
    Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
    Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
    Nov 27 04:47:39 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3048 seconds.
    Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
    Nov 27 04:47:43 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
    Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected.  Retransmitting last packet.
    Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, QM FSM error (P2 struct &0xcd58eee8, mess id 0xf46e307a)!
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE QM Responder FSM error history (struct &0xcd58eee8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_ACTIVE, EV_RESEND_MSG-->QM_ACTIVE, NullEvent-->QM_ACTIVE, EV_VM_START-->QM_ACTIVE, EV_ACTIVE-->QM_RSND_LST_MSG, EV_RESET_LIFETIME-->QM_RSND_LST_MSG, EV_IS_REKEY_SECS-->QM_RSND_LST_MSG, EV_RESEND_MSG
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, sending delete/delete with reason message
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing IPSec delete payload
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
    Nov 27 04:47:43 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=57422aa9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE Deleting SA: Remote Proxy 172.24.0.0, Local Proxy 10.143.0.0
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE SA MM:08bcc57b rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE SA MM:08bcc57b terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, sending delete/delete with reason message
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing IKE delete payload
    Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
    Nov 27 04:47:43 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=c364409e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
    Nov 27 04:47:43 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xb98f5dbe
    Nov 27 04:47:43 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xb98f5dbe
    Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, Session is being torn down. Reason: Lost Service
    Nov 27 04:47:43 [IKEv1]Ignoring msg to mark SA with dsID 1658880 dead because SA delete
    On the Cisco side
    crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map TEST 1 match address ACL_VPN
    crypto map TEST 1 set peer 89.XXX.XXX.XXX
    crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
    crypto map TEST interface outside
    crypto ca trustpool policy
    no crypto isakmp nat-traversal
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 172.24.0.0 255.255.0.0
    On the juniper side:
    set ike gateway "TO_XXX_ASA" address 81.XXX.XXX.XXX Main outgoing-interface "ethernet0/2" preshare "XXXXXXX" proposal "pre-g2-3des-md5"
    set vpn "DATACENTER_XXX_ASA" proxy-id local-ip 172.24.0.0/16 remote-ip 10.143.0.0/16 "ANY" 
    set vpn "DATACENTER_XXX_ASA" gateway "TO_XXX_ASA" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5" 
    set vpn "DATACENTER_XXX_ASA" monitor optimized rekey
    set vpn "DATACENTER_XXX_ASA" id 0x78 bind interface tunnel.2
    set vpn "DATACENTER_XXX_ASA" gateway "TO_XXX_ASA" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5" 
    set vpn "DATACENTER_XXX_ASA" monitor source-interface ethernet0/2 destination-ip 10.143.0.1 optimized rekey
    set vpn "DATACENTER_XXX_ASA" id 0x7b bind interface tunnel.2
    PFS is disabled.
    Any idea why I receive these errors?
     Duplicate Phase 2 packet detected.  Retransmitting last packet.
    QM FSM error (P2 struct &0xcd58eee8, mess id 0xf46e307a)!

    Hey,
    anybody any idea on this problem? We encountered this problem also.
    i can see in ASA log that phase1 is completed.
    after that we get the msg for phase2 completed.
    but followed with a "responder resending lost, last msg" this 3 times, than a QM FSM error and the tunnel being shut down on our end.
    the other side, is getting an active SA, but ofc not working.
    any idea?
    5 Jan 23 2015 14:59:14 713120 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, PHASE 2 COMPLETED (msgid=440ce73e)
    7 Jan 23 2015 14:59:18 713906 IKE Receiver: Packet received on yy.yy.yy.yy:500 from xx.xx.xx.xx:500
    5 Jan 23 2015 14:59:18 713201 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 2 packet detected.  Retransmitting last packet.
    6 Jan 23 2015 14:59:18 713905 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Responder resending lost, last msg
    7 Jan 23 2015 14:59:18 715080 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Starting P2 rekey timer: 27357 seconds.
    5 Jan 23 2015 14:59:18 713120 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, PHASE 2 COMPLETED (msgid=440ce73e)
    3x times
    3 Jan 23 2015 14:59:30 713902 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0x00007fff2a9921f0, mess id 0x440ce73e)!
    with kind regards,
    Bernd

  • ASA5505 and ASDM trying to login..

    I upgraded the BIN files of both the ASDM and the ASA image.
    Everything seems to be good, I can access it via SSH and login no problem.
    Went from ASDM-523 to ASDM-615 and ASA-723 to ASA-804...
    I cannot access the ASA via HTTPS or ASDM manager as a box comes up and asks me to select a certificate to be used for authentication from the list, but there is none there...
    How do I fix this?

    Please try this solution .. use asdm-603.bin
    asdm 615 seems to be having issues based on reports.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25be7/0

  • Transparent ASA5505 and dhcp relay

    Team,
    I have another asa5505 configured transparently but i noticed that it does not pass dhcp by default how can i enable this feature firewall ip 10.200.200.50/24 dhcp server 10.200.200.1/24 also def gateway.

    add a line for dhcp to your access-list:
    access-list ACL-CLIENTS permit udp any eq bootpc any eq bootps
    access-list ACL-SERVER permit udp any eq bootps any eq bootpc
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

    Hello,
    I have problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 have 7.2.3 software and 881G router have 15.1 software.
    881G is configured as hardware client in network exstention mode, and it is placed behind NAT. ASA5505 is working as server. Same VPN Group works correctly from VPN software clients.
    When I send traffic from 881G client side, in show cryto sessin detail I see encrypted packets. But with same command I dont see decrypted packet on ASA5505 side. On both devices Phase 1 and Phase 2 are UP. 
    VPN is working when I replace ASA5505 with ASA5510  correctly with have 8.4.6 software. But problem is that i need to do this VPN between ASA5505 and 881G.
    Can you help me, how can I debug or troubleshoot this problem ?
    I am unable to update software on ASA5505 side.

    Hello,
    Hire is what my config look like:
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 140 set pfs
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
    crypto dynamic-map outside_dyn_map 160 set pfs
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 180 set pfs
    crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 200 set pfs
    crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 2
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    crypto isakmp policy 3
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    tunnel-group HW-CLIENT-GROUPR type ipsec-ra
    tunnel-group HW-CLIENT-GROUP general-attributes
     address-pool HW-CLIENT-GROUP-POOL
     default-group-policy HW-CLIENT-GROUP
    tunnel-group HW-CLIENT-GROUP ipsec-attributes
     pre-shared-key *******
    group-policy HW-CLIENT-GROUP internal
    group-policy HW-CLIENT-GROUP attributes
     password-storage enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value cisco_splitTunnelAcl
     nem enable

  • ASA5505 - Cannot access the internet and use Teamviewer

    Hi guys, I have a ASA5505 and I'm having trouble to achieve the following setup, block any kind of connection from outside except for IIS on port 80 and 443 but allow from the server to access any outside address, by domain or ip. Right now apps writen in C# on the server are throughing socket errors and Teamviewer remote control is not working, I would like it to replace remote desktop.
    Could you take a look at my screenshot and give me any advise?
    Thanks

    Hi Paulo,
    First, I You don't have to configure your ACLs like(source: any ==> Detsination: any). To permit anyone to access your server (example 192.168.1.1) use an ACL like this:
    So, I recommend you to always specify the source and the destionation in your ACLs ( not any ==> any) !!
    Best regards.

  • Problem accessing an adjacent remote network over VPN (2 asa5505)

    Hello all,
    I have 2 ASA5505 (CORP and remote) connected via VPN. The remote site contains 2 subnets (192.168.1.0/24 and 192.168.0.0/24 (for remote VPN users)). The corp site has 192.168.2.0/24 directly connected to ASA5505 and an adjacent network connected via another device namely the 172.16.0.0/16 network.
    I am able to ping site-to-site between 192.168.0 -> 192.168.2
    and
    192.168.1 -> 192.168.2
    I am unable to ping from remote site to the 172.16 network however.
    I added permit ACLs on both my NAT and CRYPTO ACLs. and when I am trying to ping the remote 172.16 network I get the following messages on my CORP ASA:
    4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside
    reply is timing out though.
    Any tips would be appreciated!
    My ACLS:
    REMOTE SITE:
    #NONAT
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.1.0 255.255.255.0
    #CRYPTO ACL
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    CORP SITE:
    #CORP
    access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
    access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
    access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list 200
    nat (inside) 1 0.0.0.0 0.0.0.0
    #CRYPTO ACL
    access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    Thanks in advance!

    The config looks ok.
    If you were trying to ping 172.16.x.x I don't see why the log would be what you displayed. Where are you pinging from, the remote site?
    "4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside"
    Does the 172.16 network have a route to the 192.168.0.0 and 192.168.1.0 network?

  • Clientless SSL VPN and ActiveX question

    Hey All,
    First post for me here, so be gentle.  I'll try to be as detailed as possible.
    With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
    First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
    Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
    I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
      match ip inside any outside any
        NAT exempt
        translate_hits = 8915, untranslate_hits = 6574
    access-list nonat extended permit ip any any log notifications
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list outside_in extended permit icmp any any log notifications
    access-list outside_in extended permit tcp any any log notifications
    pager lines 24
    logging enable
    logging asdm informational
    logging ftp-server 192.168.16.34 / syslog *****
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.16.32 255.255.255.224
    nat (inside) 1 192.168.17.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    192.168.2.0 is my corp network range
    192.168.2.171 is my internal IP for corp ASA5510
    97.x.x.x is the external interface for my corp ASA5510
    192.168.16.34 is the internal interface for the remote ASA5505
    64.x.x.x is the external interface for the remote ASA5505
    192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
    As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out   Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
    I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
    Thanks much for any and all ideas!

    Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

  • ASA5505 I cannot reach to an outside network from a branch office

    My customer has a HQ office and many Branch offices. In the HQ there is an ASA5510 configured as a default gateway, From HQ customer must access to internet (everythig works fine), from Inside LAN should reach to anyway including special services like Credit Card service provider and others (it works fine). From Branch offices must reach Inside LAN hosts (it works fine), from Branch Offices must reach DMZ (it works fine), from branch offices should reach CC Service provider and here's the point of this Q, From almost all branch offices they reach CCSP fine but branch offices where an ASA5505 is installed (Offices that reach CCSP have a RV042 installed or a TPlink ER6120 installed) but offices with ASA just can ping to LAN side of CCSP's router.
    I think ASA5505 conf is an opened door configuration. Here's the 5505 configuration and also attached the network diagram. Some one can help please

    Hi,
    Are the branch offices connected to the HQ through some ISP MPLS network since I do not see any L2L VPN configurations on the ASA5505?
    I presume this is the case. Since you say that the connections between Branch Office (with ASA5505) and HQ LAN work fine it should tell us that there should be no routing problems between those networks.
    The diagram possibly also suggests that all the Branch Office connections come to your HQ network through the same Router at the edge so if other Branc Offices connections CCSP work then there should be no routing problem between the Branch Offices and the CCSP (atleast regarding your part of the network)
    Now, some questions.
    Does the ISR Router forward traffic destined to CCSP directly to the Router at 192.168.2.249 ?
    Does the Router with the connection to the CCSP use the Internet to reach the CCSP or is there somekind of dedicated connection between these networks?
    If the Router towards CCSP uses Internet then does it lack some NAT configurations for the source network 192.168.27.0/24? Does it perhaps lack a route towards the network 192.168.27.0/24? Or is there any possible errors in the configurations (wrong gateway IP or network mask somewhere?)
    Is there any ACLs configured on the Router that has the connection to the CCSP that might block traffic?
    Does the CCSP have all the required routing information to pass traffic towards the network 192.168.27.0/24? (If were talking about a dedicated connection and not traffic through the Internet) Have they allowed traffic from the mentioned network 192.168.27.0/24 to their servers/network?
    Have you taken "packet-tracer" output from the ASA5505 to confirm that the ASA configurations allow the traffic and dont drop it for some reason?
    For example
    packet-tracer input inside tcp 192.168.27.100 12345 193.168.1.100 80
    You can modify the IP addresses (source/destination) and the used destination port and protocol to match the connections that are actually attempted.
    Have you monitored the connections on the ASA when users attempt them? This should atleast tell you why they are failing or give a hint. You could also configure traffic capture on the ASA5505 if you wanted to make sure if any traffic was coming from the CCSP towards this ASA (return traffic for connection attempt)
    Hope this helps :)
    Let me know if I missunderstood the situation wrong somehow.
    - Jouni

  • New ASA5512- 5515: content filter and WAN load balancing

    Hi,
    it's possible to make the content filter with the new models of asa?
    One of our customers would like to have content filter with the possibiliy to monitor the single client activity (log).
    It' s possible also make the load balancing between 2 WAN?
    Now in HQ they have 2 WAN with WAN backup (ASA5505) and VPN to another site.
    Thanks in advance,
    Paolo.

    I saw that you can add CX feature:
    CX - Context Aware Security Feature:
    Cisco  ASA CX Context-Aware Security is a modular security service that  extends the ASA platform with next-generation capabilities. It is  available with SSD purchase for model such as 5512-X, 5515-X, 5525-X,  55545-X and 5555-X.
    Application Visibility Control (AVC):
    This  is additional feature in CX. Activation of this feature require  seperate license. This is the feature that do deep packet inspection for  Application recognition. provide context-aware firewall security.
    Web Security Essentials (WSE):
    This  is additional feature in CX. Activation of this feature require  seperate license. It deliver features like "URL Filtering" and "Global  Threat Intelligence".
    Can somebody confirm that?
    Have somebody already used and configured this features?
    Thank you,
    Paolo.

  • Ridiculous ASA5505 OSX Problem

    So this is wild.  I took an ASA5505 out of the box and upgrade the firmware to 8.4.(2)8.  I used the VPN wizard to build an IPSEC remote access VPN.  I test with a win7 full cisco client and it works (test from a virtual machine using a wireless connection on the host), i test with my iphone running IOS 5 .0.1 and it works.  I test with a laptop running snow leopard 10.7.2 and the same wireless connection from above and it cannot negotiate.  If i plug directly into the ASA5505 and try to VPN it connects instantly.
    Below is the config, i'm completely baffled here.
    Result of the command: "sh run"
    : Saved
    ASA Version 8.4(2)8
    hostname ciscoasa
    enable password QSM0mlnK8RBz4RL9 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.150.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_10.1.2.0_25
    subnet 10.1.2.0 255.255.255.128
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool kay 10.1.2.1-10.1.2.100 mask 255.255.255.255
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.2.0_25 NETWORK_OBJ_10.1.2.0_25 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.150.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.150.5-192.168.150.254 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy kay internal
    group-policy kay attributes
    dns-server value 192.168.1.1
    vpn-tunnel-protocol ikev1
    username test password P4ttSyrm33SV8TYp encrypted
    tunnel-group kay type remote-access
    tunnel-group kay general-attributes
    address-pool kay
    default-group-policy kay
    tunnel-group kay ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:9aa371b81e66638060a3ecff943a3d02
    : end

    Hi brookkaren
    I agree this seems weird but it's hard to say what's wrong without more information.
    I would suggest to start with enabling these debugs on the ASA:
    debug crypto ipsec  10
    debug crypto ikev1  10
    debug crypto ike-common 10
    as well as checking the client logs (see the "log" tab, you can increase the logging level in the "logging" menu).
    hth
    Herbert

Maybe you are looking for

  • Unable to delete the file. (Some times deletes and sometime fails to delet)

    Please help me in deleting the file from the temporary location . Below is my code //Append the session is with filename as there is possibility of having same name of file. try{ boolean isMultipart     = ServletFileUpload.isMultipartContent(request)

  • Applet : How to use Images in Jar file

    I want to put all images into a jar file to improve speed of loading. But how to invoke images from Jar file? Thanks.

  • Web Component with servlet in j2ee 1.4.2

    I get this error message when I try to deploy my .war file using the deploy tool: distribute: C:\Sun\AppServer2\Applications\WV\WV_WEB.war [TIMEOUT: 'ProgressObject' never started running.] !!! Operation Incomplete [NotRunning] !!! [Completed (time=1

  • Error messages when downloading Mavericks

    Hello. I have tried to download Mavericks over two periods of time. My problem is that I keep getting the same error when trying to download the file. It just state than an error has occured and that I should try to redownload from Purchases. When I

  • Remotely Shutdown Mac/ Find IP Address from Back to My Mac

    So I use Screen Sharing frequently with the Back to My Mac service with Mobile Me. Tonight I was screen sharing to my Mac Pro in my dorm room from my Macbook Pro at home, and changed the display resolution of the remote machine (MacPro), which now ju