ASDM problem on ASA5510
Hi,
I am trying to access a Cisco ASA5510 using ASDM but am not successful. The running config file is attached herewith. I have tried to debug ASDM and HTTP and got the following output:
HTTP: processing handoff to legacy admin server [/admin]
HTTP: session verified = [0]
HTTP: processing GET URL '/admin' from host 6.6.6.10
HTTP: redirecting to: /admin/public/index.html
HTTP: session verified = [0]
HTTP: processing GET URL '/admin/public/index.html' from host 6.6.6.10
HTTP: authentication not required
HTTP: file not found: public/index.html
HTTP: processing handoff to legacy admin server [/favicon.ico]
HTTP: session verified = [0]
HTTP: processing GET URL '/favicon.ico' from host 6.6.6.10
HTTP: authentication required, no authentication information was provided
I have tried my best to troubleshoot but have not been successful. Please help to resolve the issue.
Arshi
Hi Arshi,
The problem should be related to ASDM version compatibility: you are using an incompatible ASDM version with your ASA IOS version. ASA 8.2(1) requires ASDM version 6.2(1) or later, and the recommended version would be 7.3(1).
Regards,
Aref
Similar Messages
-
I have a problem with a Cisco ASA 5505 (asa844-9-k8.bin) and ASDM 7.0(2). I have Windows XP with Java 7u17.
When I click Run ASDM, I get the error "Unable to launch application":
com.sun.deploy.net.FailedDownloadException: Unable to load resource: https://192.168.1.70/admin/public/asdm.jnlp
at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
at com.sun.deploy.net.DownloadEngine._downloadCacheEntry(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResourceCacheEntry(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResourceCacheEntry(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
When I click Install ASDM Launcher I get the error "Unable to launch device manager from 192.168.1.70".
My running config (which is basically the default; I use this ASA for CCNA Security):
asa1# sh run
: Saved
ASA Version 8.4(4)9
hostname asa1
domain-name brokenbyte.org
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
shutdown
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif management
security-level 0
ip address 192.168.1.70 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name brokenbyte.org
pager lines 24
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 255.255.255.255 255.255.255.255 management
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username zeenmc password 3/spT3R67sfjIhix encrypted privilege 15
class-map inspection_default
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:559d292746bf2f88f66e9acc483a68f7
: end
Please help me. The first time, maybe a few months ago, I used ASDM normally.
I found what the problem is. At the start I thought about that, but I didn't find any older Java. I have now installed Java 6u44, and now everything is OK.
-
Help open port on ASA5510 (version 8.3)
Hi all,
I configured the ASA to open ports 21, 3389 and 5900 (outside access in), but when I check the ports only 21 and 3389 succeed; 5900 gives an error.
If I configure only one port, 5900 or 3389, it's OK. I don't understand what the problem is.
ASA5510>
ASA5510> ena
Password: ***********************
ASA5510# show run
: Saved
ASA Version 8.3(1)
hostname ASA5510
domain-name lohoi.local
enable password *********************** encrypted
passwd *********************** encrypted
names
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
interface Ethernet0/2
shutdown
no na
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network Remote_Desktop
host 192.168.100.29
object network VNC
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.29
access-list outside_in extended permit tcp any host 192.168.100.4
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network Remote_Desktop
nat (inside,outside) static interface service tcp 3389 3389
object network VNC
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password *********************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:667cb3ec729681c78ccab9a57abd89df
: end
ASA5510# show run
: Saved
ASA Version 8.3(1)
hostname ASA5510
domain-name lohoi.local
enable password ****************** encrypted
passwd ****************** encrypted
names
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network remote_desktop
host 192.168.100.2
object network remote_vnc
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_access_in extended permit tcp any host 192.168.100.4 eq 5900
access-list outside_access_in extended permit tcp any host 192.168.100.2 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asd
asdm history enable
arp timeout 14400
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network remote_desktop
nat (inside,outside) static interface service tcp 3389 3389
object network remote_vnc
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 172.16.17.1 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ****************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4f061a213185354518601f754e41494c
: end
ASA5510#
So I configured it again, but I still cannot access port 5900.
-
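The thread above turns on whether each static port forward has a matching permit in the ACL that is actually bound to the outside interface: ASA 8.3 and later match inbound ACLs on the real (untranslated) host and port, and a permit that lives in an ACL that no access-group references does nothing. The script below is an added example, not code from the thread or from Cisco. It parses object NAT, access-list and access-group lines of the shapes shown in the configs above and reports, per forward, whether the bound ACL permits it, whether the only matching permit sits in an unbound ACL (the usual misnamed-ACL mistake), or whether nothing permits it. The sample config is constructed for the example, modelled on the first config posted in the thread; the service-name table, the status strings and the regular expressions are the example's own assumptions and cover only the command forms that appear on this page.

```python
"""Cross-check ASA 8.3+ object-NAT port forwards against the ACL bound inbound
on the outside interface. Added example: ASA 8.3+ evaluates inbound ACLs on the
real (untranslated) host and port, so a permit in an unbound ACL does nothing."""
import re
from typing import Dict, List, Optional, Tuple

# Service names used in the configs on this page; numeric ports pass through.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "pop3": 110, "https": 443}
# (proto, dst host, dst object, dst port); host and object both None means "any"
Ace = Tuple[str, Optional[str], Optional[str], Optional[int]]


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(config: str):
    """Collect network objects, static service NATs, ACEs and ACL bindings."""
    objects: Dict[str, str] = {}                # object name -> real host IP
    nats: List[Tuple[str, str, int, int]] = []  # (object, mapped iface, real port, mapped port)
    acls: Dict[str, List[Ace]] = {}             # ACL name -> ACEs
    bound: Dict[str, str] = {}                  # interface -> ACL bound inbound
    current = None                              # object whose sub-mode we are in
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"host (\d+\.\d+\.\d+\.\d+)$", line)
        if m and current:
            objects[current] = m.group(1)
            continue
        m = re.match(r"nat \((\S+),(\S+)\) static interface service tcp (\S+) (\S+)$", line)
        if m and current:
            nats.append((current, m.group(2), port_number(m.group(3)), port_number(m.group(4))))
            continue
        m = re.match(r"access-list (\S+) extended permit (tcp|ip) any "
                     r"(?:any|host (\S+)|object (\S+))(?: eq (\S+))?$", line)
        if m:
            name, proto, host, obj, port = m.groups()
            acls.setdefault(name, []).append((proto, host, obj, port_number(port) if port else None))
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m:
            bound[m.group(2)] = m.group(1)
    return objects, nats, acls, bound


def ace_permits(ace: Ace, objects: Dict[str, str], ip: str, port: int) -> bool:
    """Does this ACE permit TCP to the real host ip:port? (ACL is checked pre-NAT on 8.3+)"""
    proto, host, obj, ace_port = ace
    dst = host if host else (objects.get(obj) if obj else None)
    if dst is not None and dst != ip:
        return False
    return proto == "ip" or ace_port is None or ace_port == port


def check_port_forwards(config: str, outside: str = "outside") -> List[Tuple[str, str, str]]:
    """Return (object, status, detail) for each static TCP forward mapped on `outside`."""
    objects, nats, acls, bound = parse_config(config)
    acl_name = bound.get(outside)
    results = []
    for obj, mapped_iface, real_port, mapped_port in nats:
        if mapped_iface != outside:
            continue
        real_ip = objects.get(obj)
        where = f"tcp/{mapped_port} on {outside} -> {real_ip}:{real_port}"
        if real_ip is None:
            results.append((obj, "no-host", f"object {obj} has no host address"))
        elif acl_name is None:
            results.append((obj, "no-acl-bound", f"{where}: nothing bound inbound on {outside}"))
        elif any(ace_permits(a, objects, real_ip, real_port) for a in acls.get(acl_name, [])):
            results.append((obj, "ok", f"{where}: permitted by {acl_name}"))
        else:
            elsewhere = [n for n, aces in acls.items() if n != acl_name
                         and any(ace_permits(a, objects, real_ip, real_port) for a in aces)]
            if elsewhere:
                results.append((obj, "permit-in-unbound-acl",
                                f"{where}: not in {acl_name}; permit sits in unbound ACL {', '.join(elsewhere)}"))
            else:
                results.append((obj, "no-permit", f"{where}: not permitted by {acl_name}"))
    return results


# Constructed sample modelled on the first config in the thread above: the FTP
# permit is in outside_access_in, but the ACL actually bound is outside_in.
SAMPLE_CONFIG = """\
object network ftpserver
 host 192.168.88.90
 description FTP server
object network Remote_Desktop
 host 192.168.100.29
object network VNC
 host 192.168.100.4
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.29
access-list outside_in extended permit tcp any host 192.168.100.4
object network ftpserver
 nat (inside,outside) static interface service tcp ftp ftp
object network Remote_Desktop
 nat (inside,outside) static interface service tcp 3389 3389
object network VNC
 nat (inside,outside) static interface service tcp 5900 5900
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for obj, status, detail in check_port_forwards(SAMPLE_CONFIG):
        print(f"{status:22} {detail}")
```

The check covers only NAT and the bound ACL; routing back to the server and the server's own listener are outside it. On the box itself, packet-tracer input outside tcp 203.0.113.9 12345 10.0.0.2 5900 walks the same NAT and ACL decision and shows which phase drops the packet.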
Cannot access ASA5510 for first time config ASDM or PING
Hi
I have a fresh out the box asa5510 with 8.4 on it.
I have built these before but for some reason cannot get this one to work. I am consoled on and have applied the following config, but I can still not ping to or from it, cannot use ASDM, and cannot HTTP/HTTPS. The ARP table shows the device it tries to ping, but the device trying to ping it has an incomplete ARP entry.
I am really stumped, does anyone have any idea?
Please also see attached diagram for topology.
Thanks in advance
ciscoasa(config)# show run
: Saved
ASA Version 8.4(4)1
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 0
ip address 10.90.255.99 255.255.255.128
ftp mode passive
access-list MANAGEMENT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list MANAGEMENT extended permit icmp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list MANAGEMENT extended deny ip any any
pager lines 24
logging enable
logging console debugging
logging buffered warnings
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
no asdm history enable
arp timeout 14400
route management 0.0.0.0 0.0.0.0 10.90.255.126 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:79dc4cfc6161dcbd01a016ad9a2a2ca5
: end
%ASA-7-111009: User 'enable_15' executed cmd: show running-config
ciscoasa(config)#
Hi,
In this configuration:
interface Management0/0
nameif management
security-level 0
ip address 10.90.255.99 255.255.255.128
access-list MANAGEMENT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 // ACE1
access-list MANAGEMENT extended permit icmp 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 // ACE2
access-list MANAGEMENT extended deny ip any any // ACE3
In ACE1 the destination network 10.0.0.0/8 is not the same network as 10.90.255.0/25 (MGMT interface).
Can you try these ACEs:
access-list MANAGEMENT extended permit ip 10.0.0.0 255.0.0.0 10.90.255.0 255.255.255.128
access-list MANAGEMENT extended permit icmp 10.0.0.0 255.0.0.0 10.90.255.0 255.255.255.128
access-list MANAGEMENT extended deny ip any any
I agree with Jouni: the first time, use a PC connected directly to the MGMT interface,
and use the clear arp command to clear the ARP cache.
Best regards -
Managing ASA5510 using ASDM via internal interface
Hello
I am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.
My concern is that I thought I remembered reading someplace that if you setup an internal port for management that it can't be used for anything else. Is this correct?
I only configured one internal port and it is the path to my LAN. I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process. Can I use my one and only configured internal port for both ASA management and route from my LAN thru the ASA firewall?
I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1. If I open ASDM and connect thru the management port and select Configuration/Device Management/Management Access/ASDM/HTTPS/Telnet/SSH
select "ADD"
select access type "ASDM/HTTPS"
select interface "internal"
IP Address "10.1.1.0"
Mask "255.255.255.0"
Will that give me access to ASA management thru my internal network but cripple my network access to the ASA?
Sorry if this is confusing... I don't know how else to phrase it.
Thanks
Ed
Hi
It sounds like a better plan than opening up for each and every unit on the inside :).
But if you have an old laptop or something like that, I would say that setting it up with a syslog server and using that to manage the firewall would be an even better option.
That way you would get logs and a management station.
There are several syslog servers that are free, and I like to use grep, which is also free, to filter information.
http 10.1.1.52 255.255.255.255 inside
will make 10.1.1.52 the only host that can work with ASDM,
but you will have to remove the old http 10.1.1.0 255.255.255.0 inside statement.
If you find the answers helpful please rate.
good luck
HTH -
Having problems with brand new ASA5505 and ASDM
I have a brand new out of the box ASA5505. I can connect with https://192.168.1.1 and login with blank username/password
From there I get a screen that tells me I can either
- Install ASDM Launcher and run ASDM or
- Install Java Web Start
If I choose the first option, ASDM runs, I put in 192.168.1.1 (and leave the UNAP blank) and it just sits there trying to connect
If I choose option 2, it just loads java.com
I have gone to java.com and installed the Java SE package (32bit and 64bit just in case - I'm on a 64bit Windows OS) which the docs say include Java Web Start, but the router still tells me "Java Web Start is required to run ASDM, but it is not installed on this computer"
I'm stuck; I've been googling for 2 hours. I found people saying that if ASDM doesn't run it could be a Java mismatch and just to use the Java Web Start client. Any help is greatly appreciated. Thanks.
Hi
Yes, normally you need a SmartNet contract, but at least in Sweden you can talk to your Cisco rep to get the newest software during the first 90 days.
And yes, updating Java has on several occasions in the past made ASDM stop working.
That's the problem with Java: it is incompatible with itself, so the question must then be why use it for something as important as ASDM and log handling?
I am sorry but I have no answer to that.
Good luck
HTH -
Problems to reach ASA5510 via IE on Windows Vista
Dear all,
Since a few days we have had an ASA5510. We connected it to a Windows Vista laptop via Ethernet cable (using the MGMT port at the back of the router) and connected it to the network port on the laptop.
The laptop gets its IP address automatically.
Now we tried to reach the router in Internet Explorer using http://192.168.1.1, but we could not reach this site.
When I try to ping the router from cmd by typing ping 192.168.1.1, I get answers.
For us it is very important to change the IP address of the router, as it will be used in a network with 10.xxx.xxx.xx addresses.
I have no idea, what I did wrong here
Would be nice, if someone has an idea.
Just to let you know, I'm not that Network specialist, all I know comes from learning by doing. So sorry in advance for any stupid question I may have.
Thanks for your patience.
Great, this worked!
I have now changed the IP address to one in the address range I need and am now waiting for the step of communicating the new configuration to the router to finish.
Let's cross our fingers that it will work successfully.
Edit 1 11:07 - Is it normal that it takes that long to send the new IP address configuration to the router?
Edit 2 14:54 - It is now accessible on the new IP range. Now I have another issue, for which I will create a new discussion.
Message was edited by: Simone Schultz -
ASA5510 ASDM 6.0 GUI console login issue
HI All,
I have a Cisco 5510 running ASDM 6.0. I was able to access it fine for a few months, but suddenly I am unable to log in through it.
It prompts for username and password and loads to 100%, but does not open the GUI console.
I feel this could be a Java version issue, but with the same version of Java I am able to run another ASA 5520 which is running ASDM 6.4.
Please suggest the right Java version to run the 5510 with the ASDM 6.0 GUI console; otherwise, if I am wrong about this, suggest a solution to close this issue.
Regards
Suresh
Suresh,
Have you tried to update the ASDM? It is most likely a Java issue, but it would be a good idea to update the ASDM to the same version. We have noticed issues with old versions of ASDM running newer versions of Java.
Give it a try and let us know.
Mike -
Problem Opening ASA5512-IPS from ASDM
Hi,
I was previously able to open the ASA5512-IPS from ASDM, but now I can't. It gives me the error "ASDM 7.3(2) doesn't support IPS 7.1(3) E4".
So what should I do: upgrade IPS or ASDM, or what exactly? I want to use ASDM, not IME or anything else.
Also I can't open the IPS from a browser. Is there a specific configuration to let me access it through a browser?
I got this from IME; it opens the sensor, but I can't configure it. See attached file.
-
ASA5510 - access asdm through outside
Is it possible to access ASDM through the outside interface?
I issued the commands below:
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
and on the inside/outside interfaces ip any any is allowed.
I can access ASDM through inside but not through outside.
I don't know what the problem is.. T.T
Sent from Cisco Technical Support iPhone App
Hello,
Of course it is.
Are you using AnyConnect?
Is the traffic reaching the ASA?
Does the computer you use have a Java version lower than 7?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at [email protected]
Cheers,
Julio Carvajal Segura -
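The "via internal interface" and "access asdm through outside" threads above both turn on the http statements. ASDM and HTTPS sessions to the firewall itself are to-the-box traffic: they are admitted by http server enable plus http <address> <mask> <interface>, not by the access-group ACLs applied to the interfaces, so an ip any any interface ACL neither opens nor closes ASDM, while http 0.0.0.0 0.0.0.0 outside exposes the management plane to every address on the internet. The script below is an added example, not code from the threads or from Cisco. It parses http lines, answers whether a given client on a given interface would pass, and flags any-source entries on non-management interfaces as well as the http 255.255.255.255 255.255.255.255 management entry from the CCNA-lab config above, whose address is the limited-broadcast address that no unicast client can carry. The sample config is constructed from http lines quoted on this page; the function names and the assumption that the management interface is called "management" are the example's own.

```python
"""Evaluate an ASA's http statements: who can reach ASDM/HTTPS, and which entries
are too broad or can never match. Added example; ASA 8.x syntax as on this page."""
import ipaddress
import re
from typing import List, Tuple

HTTP_RE = re.compile(
    r"^\s*http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")
# 255.255.255.255 is the limited-broadcast address; no unicast client carries it
# as a source, so an entry permitting only that address admits nobody.
NEVER_MATCHES = ipaddress.IPv4Network("255.255.255.255/32")


def parse_http_entries(config: str) -> List[Tuple[ipaddress.IPv4Network, str, str]]:
    """Return (permitted network, interface, original line) for each http ACE."""
    entries = []
    for line in config.splitlines():
        m = HTTP_RE.match(line)
        if m:
            addr, mask, iface = m.groups()
            # strict=False tolerates host bits set in the address field
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            entries.append((net, iface, line.strip()))
    return entries


def http_server_enabled(config: str) -> bool:
    return any(re.match(r"^\s*http server enable\s*$", line) for line in config.splitlines())


def asdm_permitted(config: str, client_ip: str, interface: str) -> bool:
    """Would a client at client_ip, arriving on `interface`, pass the http ACL?"""
    if not http_server_enabled(config):
        return False
    ip = ipaddress.IPv4Address(client_ip)
    return any(iface == interface and ip in net
               for net, iface, _ in parse_http_entries(config))


def audit_http_entries(config: str, management_ifaces=("management",)) -> List[Tuple[str, str]]:
    """Flag entries a reviewer should question, as (line, reason) pairs."""
    findings = []
    if not http_server_enabled(config):
        findings.append(("(missing)", "http server enable is absent; ASDM cannot connect at all"))
    for net, iface, raw in parse_http_entries(config):
        if net.prefixlen == 0 and iface not in management_ifaces:
            findings.append((raw, f"any-source ASDM/HTTPS access on non-management interface '{iface}'"))
        elif net == NEVER_MATCHES:
            findings.append((raw, "limited-broadcast address; no client can match this entry"))
    return findings


# Constructed sample stitched from http lines quoted in the threads above.
SAMPLE_CONFIG = """\
http server enable
http 255.255.255.255 255.255.255.255 management
http 192.168.1.0 255.255.255.0 management
http 10.1.1.52 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
"""

if __name__ == "__main__":
    for who, iface in (("192.168.1.70", "management"), ("10.1.1.52", "inside"),
                       ("10.1.1.53", "inside"), ("203.0.113.9", "outside")):
        verdict = "permitted" if asdm_permitted(SAMPLE_CONFIG, who, iface) else "denied"
        print(f"{who:15} via {iface:11} -> {verdict}")
    for raw, reason in audit_http_entries(SAMPLE_CONFIG):
        print(f"REVIEW: {raw}: {reason}")
```

The http ACL is only one gate: asdm image must point at an ASDM file that actually exists on flash, the ASA needs a route back to the client's subnet, and the ASA, ASDM and Java versions must be a supported pairing. On the outside interface prefer a /32 for a known admin host, or reach ASDM over a VPN, rather than any-source.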
ASA5510 smartnet renewal problem
We had an ASA 5510 under Smartnet and it was replaced when the power supply died. Due to a wide degree of circumstances we either never were notified that the Smartnet needed to be renewed or whatever.
Well, now this replacement has died. We got quotes on Smartnet for this replacement and all of the quotes were out of sight high. When we asked for a reason every vendor came back with the same reason: your ASA has an 'SSM' card and advanced software that requires an upgraded version of Smartnet, except this ASA is a base ASA5510-BUN-K9 and has never had any cards or advanced IOS on it. It's a stock ASA.
So how can we get the right Smartnet for this unit?
Has anyone else had this happen, and if so, how did you/they fix it.
Thanks...
Sent from Cisco Technical Support iPad App
Hi naznbex,
I'm here to help! What happens when you try to enter your credit card info? Are you able to log in to your account at www.adobe.com? Do you get any sort of error when you try to enter your payment details?
Best,
Sara -
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
But I have not been able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made in this regard in many discussion topics but still no luck. Can someone please help me out here???
Following is the running-config with normal Client to Site IPSec VPN configured with no internet access:
LIMITATION: I can't boot into any other IOS image for some unavoidable reason; I must use 8.2(1).
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn.
Please tell me what needs to be done here to hairpin all the Internet traffic coming from VPN clients.
That is, I need clients connected via the VPN tunnel, when they connect to the Internet, to have their IPs NATed to the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
I'm not very conversant with everything involved here, so please be elaborate in your replies. Please let me know if you need any more information about this setup to answer my query.
Thanks & Regards
maxs
Hi Jouni,
Thanks again for your help, got it working. Actually the problem was that the ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and there was also this left-out DNS. It's working fine now.
But my problem is not fully solved here.
Does the hairpinning model also allow access to the campus LAN behind the ASA? Because the setup is now working as I needed, and I can access the Internet with the NATed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
Here is the packet-tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here, as you can see, is the dynamic NAT rule that I added to make hairpinning work in the first place:
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1)LAN behind ASA
2)INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN as well?
Thanks & Regards
Abhijit -
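The packet-tracer drop above ("dynamic translation to pool 1 (No matching global)") comes from the way pre-8.3 ASA pairs `nat (ingress) id` with `global (egress) id`. The following is an added teaching model, not Cisco code and not anything posted in this thread: it rebuilds the nat/global rules from the 5510 config and the hairpin rule Abhijit added, reproduces the drop for VPN-pool to campus-LAN traffic, and shows, as a hypothesis, how a `nat (internet2-outside) 0 access-list` exemption for the VPN pool would bypass the dynamic rule. The lookup order (exemption first, then dynamic NAT requiring a matching global on the egress interface) is a simplification; `same-security-traffic permit intra-interface`, static NAT and policy NAT are not modelled.

```python
"""Simplified model of the pre-8.3 ASA NAT lookup (nat/global pairing).

Teaching model only (an assumption, not Cisco's implementation). A regular
'nat (ingress) <id>' rule is usable only if a 'global (egress) <id>' exists on
the interface the packet leaves through; otherwise the flow is dropped with
'No matching global', which is the drop shown in the packet-tracer above.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    ingress: str              # interface the traffic enters on
    nat_id: int               # 0 = exemption (nat 0 access-list), else pool id
    src: str                  # source network the rule covers
    dst: str = "0.0.0.0/0"    # destination from the exemption ACL; any for plain nat


@dataclass
class AsaNat:
    nats: list = field(default_factory=list)
    globals_: dict = field(default_factory=dict)   # (egress iface, id) -> pool

    def lookup(self, ingress, egress, src_ip, dst_ip):
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        # Step 1: NAT exemption wins over every other NAT rule.
        for r in self.nats:
            if (r.nat_id == 0 and r.ingress == ingress
                    and src in ip_network(r.src) and dst in ip_network(r.dst)):
                return "EXEMPT"
        # Step 2: first matching dynamic rule; it needs a global with the same
        # id on the egress interface, otherwise the packet is dropped.
        for r in self.nats:
            if r.nat_id != 0 and r.ingress == ingress and src in ip_network(r.src):
                pool = self.globals_.get((egress, r.nat_id))
                if pool is None:
                    return "DROP (No matching global)"
                return f"TRANSLATE via {pool}"
        # nat-control is off by default, so an unmatched flow passes untranslated.
        return "NO-NAT"


def build_from_thread():
    """Rules taken from the running config above plus the added hairpin rule."""
    return AsaNat(
        nats=[
            NatRule("campus-lan", 0, "172.16.0.0/16", "192.168.150.0/24"),  # campus-lan_nat0_outbound
            NatRule("campus-lan", 1, "0.0.0.0/0"),                          # nat (campus-lan) 1 0.0.0.0 0.0.0.0
            NatRule("internet2-outside", 1, "192.168.150.0/24"),            # the hairpin rule that was added
        ],
        globals_={
            ("internet1-outside", 1): "interface",
            ("internet2-outside", 1): "interface",
        },
    )


def with_vpn_exemption(asa):
    """Hypothetical fix: exempt VPN-pool -> campus-LAN traffic entering internet2-outside."""
    exempt = NatRule("internet2-outside", 0, "192.168.150.0/24", "172.16.0.0/16")
    return AsaNat(nats=[exempt] + list(asa.nats), globals_=dict(asa.globals_))


if __name__ == "__main__":
    asa = build_from_thread()
    # VPN client to campus LAN: the flow packet-tracer dropped.
    print(asa.lookup("internet2-outside", "campus-lan", "192.168.150.1", "172.16.1.249"))
    # VPN client hairpinned back out to the Internet: translated to 2.2.2.2.
    print(asa.lookup("internet2-outside", "internet2-outside", "192.168.150.1", "203.0.113.10"))
    # Same LAN-bound flow once the exemption is in place.
    print(with_vpn_exemption(asa).lookup("internet2-outside", "campus-lan", "192.168.150.1", "172.16.1.249"))
```

Run it and the first lookup prints the drop, the second the hairpin translation, and the third the exempted flow. Whether that exemption is the right fix on a real box is for the thread's replies to confirm; the model only explains why the added `nat (internet2-outside) 1` rule can never translate toward campus-lan while no `global (campus-lan) 1` exists.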
PIX515 to ASA5510 8.4(5) migration
Hi, we're migrating as mentioned in the subject, and this new format is quite a departure from previous IOS versions, so I thought I'd post the configs of the PIX and the ASA and ask if someone is willing to compare them and verify that it is correct and should be basically plug and play. The xxx.xxx.xxx are outside IP addresses and the yyy.yyy.yyy are inside addresses. Thanks.
Existing PIX config
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
password lines removed
hostname PIX515
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.xxx.xxx.173 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.171 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq 53612
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq 587
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq pop3
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq 3389
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq 4660
pager lines 24
logging trap informational
logging host inside yyy.yyy.yyy.20
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.170 255.255.255.248
ip address inside yyy.yyy.yyy.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.171 https yyy.yyy.yyy.7 https
static (inside,outside) tcp xxx.xxx.xxx.170 https yyy.yyy.yyy.16 https
static (inside,outside) tcp xxx.xxx.xxx.170 smtp yyy.yyy.yyy.16 smtp
static (inside,outside) tcp xxx.xxx.xxx.170 53612 yyy.yyy.yyy.16 3389
static (inside,outside) tcp xxx.xxx.xxx.170 587 yyy.yyy.yyy.16 587
static (inside,outside) tcp xxx.xxx.xxx.170 pop3 yyy.yyy.yyy.16 pop3
static (inside,outside) tcp xxx.xxx.xxx.174 https yyy.yyy.yyy.20 https
static (inside,outside) tcp xxx.xxx.xxx.174 www yyy.yyy.yyy.20 www
static (inside,outside) tcp xxx.xxx.xxx.174 3389 yyy.yyy.yyy.20 3389
static (inside,outside) tcp xxx.xxx.xxx.174 4660 yyy.yyy.yyy.20 4660
static (inside,outside) tcp xxx.xxx.xxx.173 https yyy.yyy.yyy.15 https
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http yyy.yyy.yyy.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet yyy.yyy.yyy.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a56326d3418814261280ec410c8e7a63
: end
PIX515(config)#
Proposed ASA 5510 configuration
ASA5510(config)# sh run
: Saved
ASA Version 8.4(5)
hostname ASA5510
domain-name ciscopix.com
enable password zaU1v9tMuOQsj2hW encrypted
passwd zaU1v9tMuOQsj2hW encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address xxx.xxx.xxx.170 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address yyy.yyy.yyy.254 255.255.255.0
interface Ethernet0/2
shutdown
nameif intf2
security-level 0
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa845-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ciscopix.com
object network intranet-https
host yyy.yyy.yyy.7
object network propalms-https
host yyy.yyy.yyy.20
object network webmail-https
host yyy.yyy.yyy.16
object network webmail-smtp
host yyy.yyy.yyy.16
object network webmail-rdp53612
host yyy.yyy.yyy.16
object network webmail-smtp587
host yyy.yyy.yyy.16
object network webmail-pop3
host yyy.yyy.yyy.16
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network propalms-http
host yyy.yyy.yyy.20
object network propalms-rdp
host yyy.yyy.yyy.20
object network propalms-4660
host yyy.yyy.yyy.20
description Required by ProPalms App.
object network infonet-https
host yyy.yyy.yyy.15
access-list 100 extended permit icmp any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host yyy.yyy.yyy.7 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq smtp
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq 3389
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq 587
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq pop3
access-list 100 extended permit tcp any host yyy.yyy.yyy.15 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq www
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq 3389
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq 4660
pager lines 24
logging trap informational
logging asdm informational
logging host inside yyy.yyy.yyy.20
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
asdm history enable
arp timeout 14400
arp permit-nonconnected
object network intranet-https
nat (inside,outside) static xxx.xxx.xxx.171 service tcp https https
object network propalms-https
nat (inside,outside) static xxx.xxx.xxx.174 service tcp https https
object network webmail-https
nat (inside,outside) static interface service tcp https https
object network webmail-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network webmail-rdp53612
nat (inside,outside) static interface service tcp 3389 53612
object network webmail-smtp587
nat (inside,outside) static interface service tcp 587 587
object network webmail-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj_any
nat (inside,outside) dynamic interface
object network propalms-http
nat (inside,outside) static xxx.xxx.xxx.174 service tcp www www
object network propalms-rdp
nat (inside,outside) static xxx.xxx.xxx.174 service tcp 3389 3389
object network propalms-4660
nat (inside,outside) static xxx.xxx.xxx.174 service tcp 4660 4660
object network infonet-https
nat (inside,outside) static xxx.xxx.xxx.173 service tcp https https
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.169 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
http server enable
http yyy.yyy.yyy.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet yyy.yyy.yyy.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:016f67d8cb4e77dcbca7c041d1af6a35
: end
ASA5510(config)#
Hi,
The new version of the configuration seems OK to me, at least. Unless I missed something.
One thing I would do is remove this NAT:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
And configure it with a similar
nat (inside,outside) after-auto source dynamic any interface
To my understanding this should move the default PAT configuration to the very end of the NAT rules.
You also seem to have an 8 IP address block from the ISP (of which 2 aren't usable and 1 is used for the "outside" interface IP address). You don't seem to be using all of the public IP addresses yet (even in the older configuration). You are doing Port Forward configurations even though every public IP address is used for only 1 corresponding LAN IP address. Usually Port Forwarding is done when you want to "split" one public IP address between several LAN hosts/servers.
I would think you could at this point actually just configure normal Static NAT between the public IP address and the LAN host to avoid all the different Port Forward configurations and simply make 1 Static NAT per LAN server and open the ports you need on the access-list. The NAT configurations using the "outside" interface IP address would naturally have to be kept as they are now, otherwise you would need to change the public IP address.
Then again there is nothing stopping you from keeping the original setup you had on the PIX. And in this case it might be even better for you to avoid any more changes to make the device change/update as simple as possible.
If you don't want to start changing anything at this point, the configuration should be fine.
Do notice that there is a possibility that when you replace the PIX with the ASA there might be some old ARP information on the connected devices or ISP devices that might cause some connection problems (if they don't update), since the IP address is staying the same but the replacement of the device means the MAC/hardware address of each public IP address changes.
- Jouni -
I have tested access to the firewall of an ASA5510 with ASA845-K8/asa902-k8bin + asdm-712.bin + JAVA6 / 7, and there is completely no problem.
When I try to install a new ASA5505 whose existing IOS is asdm825-k8, also with asdm-712 and JAVA7, it is not allowed to access the firewall with ASDM.
After I type in the username and password, it gets stuck on the page loading; sometimes it will come up with "cannot connect to the device" or something like that.
Telnet and SSH are no problem, and I can still download the IOS with TFTP.
Does anyone have any idea about it? If it is the Java problem, it is difficult to find the older Java to downgrade to.
I think it may be the Java problem, because I just connected with the wrong IP and password, and it also got stuck on this page.
I can't show the last two commands, so I chose to show all of them.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.23 08:51:15 =~=~=~=~=~=~=~=~=~=~=~=
ter
ASA5505# terminal len 0
^
ERROR: % Invalid input detected at '^' marker.
ASA5505# terminal len 0 ?
monitor Syslog monitor
no Turn off syslogging to this terminal
pager Control page length for pagination. The page length set here is not
saved to configuration.
ASA5505# terminal sh run asdm
asdm image disk0:/asdm-645.bin
no asdm history enable
ASA5505# sh run http
http server enable 444
http 192.168.18.0 255.255.255.0 LAN
http 0.0.0.0 0.0.0.0 internet
ASA5505# sh flash | i.bin
^
ERROR: % Invalid input detected at '^' marker.
ASA5505# sh flash | i.bin i.bin
^
ERROR: % Invalid input detected at '^' marker.
ASA5505# sh a run all |i ssl_encryption
^
ERROR: % Invalid input detected at '^' marker.
ASA5505# sh run
: Saved
ASA Version 8.2(5)
hostname ASA5505
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
<--- More --->
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif internet
security-level 0
ip address 10X.247.161.XXX 255.255.255.252
interface Vlan2
nameif LAN
security-level 100
ip address 192.168.18.254 255.255.255.0
ftp mode passive
object-group network Web_server
object-group network Nat
object-group network pop3
object-group network smtp
object-group service 5900
object-group service 8443
<--- More --->
object-group network 8443_168
object-group network SSH
object-group network 5900_168
object-group service DM_INLINE_TCP_1 tcp
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_SERVICE_1
access-list Internet_access_in extended deny ip any any
access-list Lan_access_in extended permit ip 192.168.18.0 255.255.255.0 any
access-list Lan_access_in extended deny ip any any
pager lines 24
mtu internet 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
access-group Lan_access_in in interface LAN
route internet 0.0.0.0 0.0.0.0 124.244.208.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
<--- More --->
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 192.168.18.0 255.255.255.0 LAN
http 0.0.0.0 0.0.0.0 internet
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 internet
ssh 192.168.18.0 255.255.255.0 LAN
ssh timeout 5
console timeout 0
management-access LAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
<--- More --->
username itadmin password M5SKGxQcWvugHZqs encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
<--- More --->
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5f4fd23c149351a064901cafe5b059d7
: end
ASA5505# -
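While the thread is chasing an ASDM/Java compatibility problem, the running config in the PuTTY log also has `http 0.0.0.0 0.0.0.0 internet` and `ssh 0.0.0.0 0.0.0.0 internet`, i.e. management access reachable from any source on the security-level 0 interface. The script below is an added example (not from this thread or from Cisco) that parses an ASA running config and flags management-plane exposure: `http`/`ssh`/`telnet` rules permitting any source, rules on a security-level 0 interface, and any telnet rule (cleartext). The sample config is constructed from the `interface`, `http` and `ssh` lines quoted above; the telnet line in it is an added construction so the telnet branch is exercised.

```python
"""Audit ASA management-plane access (http/ssh/telnet) in a running config.

Added example; the parsing covers only the line shapes shown in the thread:
'nameif'/'security-level' inside interface blocks and
'<proto> <address> <mask> <interface>' management rules.
"""
import re
from ipaddress import ip_network

# Constructed sample: lines from the ASA5505 config above, plus one constructed
# telnet rule (the quoted config has none) to exercise the cleartext check.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif internet
 security-level 0
interface Vlan2
 nameif LAN
 security-level 100
http server enable 444
http 192.168.18.0 255.255.255.0 LAN
http 0.0.0.0 0.0.0.0 internet
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 internet
ssh 192.168.18.0 255.255.255.0 LAN
telnet 192.168.18.0 255.255.255.0 LAN
"""

MGMT_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def interface_security_levels(config):
    """Map nameif -> security-level by walking the interface blocks."""
    levels, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("nameif "):
            current = s.split()[1]
        elif s.startswith("security-level ") and current is not None:
            levels[current] = int(s.split()[1])
    return levels


def audit_management_access(config):
    """Return human-readable findings for risky management access rules."""
    levels = interface_security_levels(config)
    findings = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if not m:
            continue  # 'http server enable 444', 'telnet timeout 5' etc. are not source rules
        proto, addr, mask, iface = m.groups()
        net = ip_network(f"{addr}/{mask}", strict=False)
        if net.prefixlen == 0:
            findings.append(f"{proto} open to any source on {iface}")
        elif levels.get(iface) == 0:
            findings.append(
                f"{proto} permitted from {net} on outside-facing interface {iface} (security-level 0)"
            )
        if proto == "telnet":
            findings.append(f"telnet (cleartext) management enabled for {net} on {iface}")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```

The interface map matters because a /24 source on a security-level 100 LAN is normal, while the same rule on a level-0 interface or a 0.0.0.0 mask anywhere deserves a look; running it over `show running-config` output saved to a file is the intended use.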
I am trying to connect our site to a remote site using the Site2Site VPN wizard. I got the IPSEC tunnel connected without issues..
The problem is that I can't ping from one network to the other...
This is out layout..
10.10.x.x/16 - - ASA5510(site1) <==> ASA5510(site2) - - 10.50.x.x/16
When I ping from the nearest switch to the ASA on 10.10.x.x network to 10.50.x.x, the ASDM syslog output says..
3 Feb 21 2012 20:51:56 10.10.x.x 10.50.x.x Deny inbound icmp src inside:10.10.x.x dst inside:10.50.x.x (type 8, code 0)
Any advice is greatly appreciated..
Thanks!!!
I am guessing you have a route on your ASA5510 that routes 10.0.0.0/8 to the inside. What you will need to do is add a static route for 10.50.0.0/16 and point it toward your ISP. The error message you are seeing is saying that (as far as it knows) traffic is going from 'inside' to 'inside', which really isn't possible without some out-of-the-ordinary configuration on the ASA.
Hope this helps.
Matt
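Matt's diagnosis rests on longest-prefix matching: a 10.0.0.0/8 route toward inside swallows 10.50.x.x until a more specific 10.50.0.0/16 route exists, which is why the syslog shows `src inside ... dst inside`. The block below is an added example (not from the thread) with a constructed route table that follows Matt's guess; the 10.0.0.0/8 summary route is his assumption, not something shown in the original post.

```python
"""Longest-prefix-match illustration for the 'inside -> inside' ICMP deny.

Added example with a constructed routing table modelled on Matt's guess:
a 10.0.0.0/8 route toward 'inside' plus a default route toward the ISP.
"""
from ipaddress import ip_address, ip_network


def best_route(routes, dst):
    """Return the egress interface for dst using longest-prefix match, or None."""
    d = ip_address(dst)
    matches = [(net, iface) for net, iface in routes if d in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


# Constructed table before the fix (assumed, per Matt's reply).
BEFORE = [
    (ip_network("0.0.0.0/0"), "outside"),     # default route to the ISP
    (ip_network("10.0.0.0/8"), "inside"),     # summary covering all of 10/8
]

# Same table with the proposed static route for the remote site.
AFTER = BEFORE + [(ip_network("10.50.0.0/16"), "outside")]


def flow_interfaces(routes, src, dst):
    """Ingress/egress pair the ASA would log for a src -> dst packet (addresses are constructed)."""
    return best_route(routes, src), best_route(routes, dst)


if __name__ == "__main__":
    # Before: both ends resolve to 'inside', matching the denied 'inside -> inside' syslog.
    print(flow_interfaces(BEFORE, "10.10.1.1", "10.50.1.1"))
    # After: the remote /16 now leaves via 'outside', where the VPN crypto map applies.
    print(flow_interfaces(AFTER, "10.10.1.1", "10.50.1.1"))
```

The same check generalises to any overlapping summary: the route with the longer prefix wins regardless of the order it was entered, so a stale or over-broad summary is the first thing to look for when a tunnel is up but traffic never reaches it.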