Bandwidth decrease in the inside network.
I just setup an asa5505, the isp give me 10MBPS.
When I do a internet speed test before apply a IM inspect class map, I got 8MB aprox.
after setup the IM inspection, the speed is reduced drastically to 2MBPS.
The ASA5505 has 1mb of ram, the cpu never pass the 10% and the memory in use is only 299MB.
The number of connection is low.
Its is ok?. may be an error in the configuration?
this the config with the inspection enabled:
: Saved
: Written by enable_15 at 18:11:50.359 COST Sun Sep 2 2012
ASA Version 8.4(4)1
hostname ASA5505
names
interface Ethernet0/0
switchport access vlan 190
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 201
interface Ethernet0/3
description DVR-HOST
switchport access vlan 111
interface Ethernet0/4
switchport access vlan 172
interface Ethernet0/5
switchport trunk allowed vlan 11,111,172,190,200-201
switchport mode trunk
interface Ethernet0/6
switchport access vlan 172
interface Ethernet0/7
switchport access vlan 172
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan111
description DMZ for Servers
nameif dmz
security-level 50
ip address 192.168.111.1 255.255.255.0
interface Vlan172
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
interface Vlan190
description Telmex ISP
nameif isp1
security-level 0
ip address xxx.xxx.134.64 255.255.255.0
interface Vlan200
description UNE ISP
nameif isp2
security-level 0
ip address yyy.yyy.11.57 255.255.255.0
interface Vlan201
description Metrotel ISP
nameif isp3
security-level 0
ip address zzz.zzz.121.202 255.255.255.0
ftp mode passive
clock timezone COST -5
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network PCoIP-host
host 192.168.111.61
description PCoIP Host
object network web-mail-host
host 192.168.111.215
description Web and Mail Host
object network smtp-host
host 192.168.111.216
object network www-host
host 192.168.111.216
object network pop3s-host
host 192.168.111.216
object network dns-tcp-host
host 192.168.111.216
object network dns-udp-host
host 192.168.111.216
object network dvr-host
host 192.168.111.202
object network dmz-network
subnet 192.168.111.0 255.255.255.0
description DMZ
object network isp1-network
subnet xxx.xxx.134.0 255.255.255.0
description Telmex Network
object network vpn-network
range 10.47.75.50 10.47.75.69
description vpn
object network inside-isp1-network
subnet 172.16.1.0 255.255.255.0
object network inside-isp2-network
subnet 172.16.1.0 255.255.255.0
object network 10.10.10-isp1-network
subnet 10.10.10.0 255.255.255.0
object network 10.10.10-isp2-network
subnet 10.10.10.0 255.255.255.0
object network 192.168.10-isp1-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.10-isp2-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.15-isp1-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.15-isp2-network
subnet 192.168.10.0 255.255.255.0
object network 192.168.50-isp1-network
subnet 192.168.50.0 255.255.255.0
description Internal Management Network
object network 192.168.50-isp2-network
subnet 192.168.50.0 255.255.255.0
description Internal Management Network
object network 192.168.100-isp1-network
subnet 192.168.100.0 255.255.255.0
object network 192.168.100-isp2-network
subnet 192.168.100.0 255.255.255.0
object-group protocol tcp-udp
protocol-object tcp
protocol-object udp
object-group protocol tcp-udp-icmp
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group service web-mail-services tcp-udp
port-object eq domain
port-object eq www
port-object eq 995
port-object eq 443
port-object eq 8080
object-group service vmware-view-services tcp-udp
port-object eq 4172
port-object eq 3389
port-object eq 22
access-list isp1-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
access-list isp1-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
access-list isp2-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
access-list isp2-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
access-list isp3-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
access-list isp3-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
access-list Split-Tunneling standard permit 192.168.111.0 255.255.255.0
access-list Split-Tunneling standard permit host xxx.xxx.134.215
pager lines 40
logging enable
logging asdm informational
mtu dmz 1500
mtu inside 1500
mtu isp1 1500
mtu isp2 1500
mtu isp3 1500
ip local pool vpnpool 10.47.75.50-10.47.75.69 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network PCoIP-host
nat (dmz,isp1) static xxx.xxx.134.61
object network helpdesk-host
nat (dmz,isp1) static xxx.xxx.134.48
object network web-mail-host
nat (dmz,isp1) static xxx.xxx.134.214
object network smtp-host
nat (dmz,isp2) static interface service tcp smtp smtp
object network www-host
nat (dmz,isp2) static interface service tcp www www
object network pop3s-host
nat (dmz,isp2) static interface service tcp 995 995
object network dns-tcp-host
nat (dmz,isp2) static interface service tcp domain domain
object network dns-udp-host
nat (dmz,isp2) static interface service udp domain domain
object network dvr-host
nat (dmz,isp3) static interface service tcp www 8080
object network dmz-network
nat (dmz,isp1) dynamic interface
object network vpn-network
nat (inside,isp1) dynamic interface
object network inside-isp1-network
nat (inside,isp1) dynamic interface
object network inside-isp2-network
nat (inside,isp2) dynamic interface
object network 10.10.10-isp1-network
nat (inside,isp1) dynamic interface
object network 10.10.10-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.10-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.10-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.15-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.15-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.50-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.50-isp2-network
nat (inside,isp2) dynamic interface
object network 192.168.100-isp1-network
nat (inside,isp1) dynamic interface
object network 192.168.100-isp2-network
nat (inside,isp2) dynamic interface
access-group isp1-in in interface isp1
access-group isp2-in in interface isp2
access-group isp3-in in interface isp3
route isp1 0.0.0.0 0.0.0.0 xxx.xxx.134.1 1 track 1
route isp2 0.0.0.0 0.0.0.0 200.55.66.70 254
route inside 10.10.10.0 255.255.255.0 172.16.1.254 1
route inside 192.168.10.0 255.255.255.0 172.16.1.254 1
route inside 192.168.15.0 255.255.255.0 172.16.1.254 1
route inside 192.168.50.0 255.255.255.0 172.16.1.254 1
route inside 192.168.100.0 255.255.255.0 172.16.1.254 1
route isp2 yyy.yyy.224.254 255.255.255.255 yyy.yyy.11.1 1
route isp2 yyy.yyy.249.101 255.255.255.255 yyy.yyy.11.1 1
route isp1 xxx.xxx.2.66 255.255.255.255 xxx.xxx.134.1 1
route isp1 xxx.xxx.2.85 255.255.255.255 xxx.xxx.134.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
type echo protocol ipIcmpEcho xxx.xxx.134.1 interface isp1
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 172.16.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 5
dhcpd address 172.16.1.50-172.16.1.54 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics
webvpn
enable isp1
enable isp2
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyCon internal
group-policy GroupPolicy_AnyCon attributes
dns-server value 192.168.10.101
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunneling
default-domain none
webvpn
anyconnect keep-installer none
group-policy VPNClient internal
group-policy VPNClient attributes
wins-server value 192.168.10.101
dns-server value 192.168.10.101
vpn-tunnel-protocol ikev1
default-domain value fffffffff
username user1 password .vQx4rek encrypted privilege 15
tunnel-group AnyCon type remote-access
tunnel-group AnyCon general-attributes
address-pool vpnpool
default-group-policy GroupPolicy_AnyCon
class-map type inspect im match-any MSN
description MSN y Yahoo
match protocol msn-im yahoo-im
match service chat file-transfer games voice-chat webcam
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect im MSN
description MSN y Yahoo
parameters
class MSN
reset
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect im MSN
class class-default
user-statistics accounting
inspect im MSN
service-policy global_policy global
prompt hostname context
service call-home
no call-home reporting anonymous
call-home
contact-email-addr gggggggggg
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
Similar Messages
-
The inside network is accessable only through IPsec, do I need enable ios FW?
I'm building a remote site, and the only traffic in or out of their inside network is via IPsec tunnels. There is no unecrypted access to the internet. Should I still configure the ISR firewall? If so , why?
If I get your set correctly imagined (haha)
Anyway, it really depends on you:
However, for full-tunnel setup, w/c i think you have set-up there, you can enable it for better QoS and basic site blocking as well
for split-tunnel, then configure it in your remote site.
Stateless firewall configuration in IOS really is handly, though reporting wise, its not that friendly.
Best part of stateless firewall is it can be content based.
EX:
class-map match-any FILTER
match protocol http host *yahoo*
match protocol facebook
match protocol youtube
#class-map type urlfilter match-any CONTENT_DROP
#match url category Adult-Mature-Content
There are more protocols as well, and (i think) even p2p protocol can be blocked (utorrent, bitorrent etc)
Content filtering however is a subscription license and needs to be registered/enabled
SEE: http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html -
ASA 5505 VPN no access to inside network
Trying to set up ipsec/l2tp vpn to provide full access to internal network for remote users with only Windows built-in vpn client.
The vpn client can connect successfully, but can't see anything on the inside network.
The ASA is not the gateway for hosts on the internal network
name x.y.z.129 isp-gateway
name 172.16.1.0 vpn-address-pool
name 10.11.10.0 inside-network
name x.y.z.128 outside-network
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list vpn extended permit ip inside-network 255.255.254.0 vpn-address-pool 255.255.255.0
access-list outside_access_in extended permit ip any any
global (outside) 1 interface
nat (outside) 1 vpn-address-pool 255.255.255.0
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 isp-gateway 1
ciscoasa# show route
Gateway of last resort is cic-gateway to network 0.0.0.0
C outside-network 255.255.255.128 is directly connected, outside
S 172.16.1.5 255.255.255.255 [1/0] via isp-gateway, outside
C inside-network 255.255.254.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via isp-gateway, outsideDo you configure split tunnel or no split tunnel policy?
Also when you are connected and try to access internal network, can you pls share the output of :
show cry isa sa
show cry ipsec sa -
VPN clients cannot access inside network
I have a ASA 5505 that I am using as a VPN appliance. The outside interface is connected to the DMZ (172.16.2.10) and the inside to our internal network (10.27.1.12). VPN clients are assigned an address in the range 10.27.2.2-10.27.2.20. A 1841 is the router and firewall for the network. Recently the ASA lost power when a UPS went down and now VPN clients can no longer access anything on the inside network. Config is attached. Help.
I realized after I posted that I should have a connection active when running this command. Here is the results:
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)
current_peer: 169.130.14.253, username: kenz
dynamic allocated peer ip: 10.27.2.2
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.2.10, remote crypto endpt.: 169.130.14.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 208F45F5
inbound esp sas:
spi: 0x2026D973 (539416947)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28406
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x208F45F5 (546260469)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28406
IV size: 8 bytes
replay detection support: Y
So it looks like there are encrypts but no decrypts. What should I do now? -
How to manage c877(outside) in RFC1483 mode through ASA5505 from (inside)network
Hi All
Here is a quick summary of my network setup.
ISP ADSL2 -- C877 Router(RFC1483) -- ASA5505(PPPoE) -- Internal network(s).
I am trying to figure out how to correctly configure my C877 & my ASA so I can telnet and manage the C877 from one of the inside networks on the ASA5505.
With the current configuration I can ping the C877 but only from the outside (PPPoE) interface of my ASA5505. I cannot connect to it from any other inside network.
Interface connectivity is as follows:
ISP <-> C877 PoTS
C877 FA/0 <-> ASA Eth0/0[outside_public] [Zone SEC=0]
ASA Eth0/1[inside_private][Zone SEC=100] <-> HP L2 Switch
HP L2 Switch <-> Home PC.
Device IPs:
Cisco ASA [inside_private] gateway IP = 192.168.50.1 / 24
Home PC = 192.168.50.81 / 24
Router C877 IP = 192.168.50.2 / 24
Everything is working as expected, except I want to be able to manage the C877 from the Home PC, but currently I am not able to establish any connectivity to the C877 from the [inside_private] network.
Here is what I have tried so far but without luck:
Connected (a 2nd) network cable from the C877 to the L2 switch. No connectivity from the Home PC.
Connected (a 2nd) network cable from the C877 to ASA on another interface added to the [inside_private] network. No connectivity from the Home PC.
Any help much appreciated!
C877 config below:
Current configuration : 1422 bytes
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname c877
boot-start-marker
boot-end-marker
no aaa new-model
clock timezone UTC 11 0
crypto pki token default removal timeout 0
dot11 syslog
ip source-route
ip cef
ip domain name --CUT--
no ipv6 cef
multilink bundle-name authenticated
username --CUT-- privilege 15 password 7 --CUT--
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
bridge-group 1
pvc 8/35
encapsulation aal5snap
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Vlan1
no ip address
bridge-group 1
interface BVI1
ip address 192.168.50.2 255.255.255.0
ip default-gateway 192.168.50.1
ip forward-protocol nd
no ip http server
no ip http secure-server
snmp-server community public RO
snmp-server ifindex persist
control-plane
bridge 1 protocol ieee
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input all
end
ASA5505 config below:
ASA Version 9.1(3)
hostname asa5505
enable password --CUT-- encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd --CUT-- encrypted
names
interface Ethernet0/0
switchport access vlan 10
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 20
interface Ethernet0/3
switchport access vlan 30
interface Ethernet0/4
switchport access vlan 40
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 70
interface Ethernet0/7
switchport access vlan 70
interface Vlan1
nameif inside_private
security-level 100
ip address 192.168.50.1 255.255.255.0
interface Vlan10
nameif outside_public
security-level 0
pppoe client vpdn group ADSL2
ip address pppoe setroute
interface Vlan20
nameif inside_dmz
security-level 70
ip address 192.168.60.1 255.255.255.0
interface Vlan30
nameif inside_guest
security-level 50
ip address 192.168.70.1 255.255.255.0
interface Vlan40
nameif inside_experimental
security-level 60
ip address 10.0.0.1 255.255.0.0
interface Vlan70
nameif inside_phone
security-level 10
ip address 192.168.80.1 255.255.255.192
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup inside_dmz
dns server-group DefaultDNS
name-server 192.168.60.2
same-security-traffic permit intra-interface
object network LAN_private
subnet 192.168.50.0 255.255.255.0
object network LAN_dmz
subnet 192.168.60.0 255.255.255.0
object network LAN_guest
subnet 192.168.70.0 255.255.255.0
object network LAN_experimental
subnet 10.0.0.0 255.255.0.0
object network QNAP_host
host 192.168.50.9
object network INTELNUC_host
host 192.168.60.2
object network INTELNUC_prtgservice
host 192.168.60.2
object network INTELNUC_webservice
host 192.168.60.2
object network QNAP_management
host 192.168.50.9
object network QNAP_transmission
host 192.168.50.9
object network LAN_guest_wireless
range 192.168.70.31 192.168.70.50
object network QNAP_t51413
host 192.168.50.9
object network QNAP_u51413
host 192.168.50.9
object service 9000-9049
service udp destination range 9000 9049
object network C7940_u10000-20000
host 192.168.80.11
object network C7940_t5060
host 192.168.80.11
object network LAN_phone
subnet 192.168.80.0 255.255.255.192
object network SPINTEL_host
host --CUT--
object service 16384-32766
service udp source range 16384 32766
object network C7940_host
host 192.168.80.11
object service 10000-20000
service udp destination range 10000 20000
object network C7940_u5060
host 192.168.80.11
object-group network LAN_all
network-object object LAN_dmz
network-object object LAN_experimental
network-object object LAN_guest
network-object object LAN_private
network-object object LAN_phone
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service 5060 tcp-udp
port-object eq sip
object-group service 53 tcp-udp
port-object eq domain
access-list public_ACL extended permit tcp any object QNAP_host eq 8080
access-list public_ACL extended permit tcp any object QNAP_host eq 51413
access-list public_ACL extended permit udp any object QNAP_host eq 51413
access-list public_ACL extended permit tcp any object QNAP_host eq 9091
access-list public_ACL extended permit tcp any object INTELNUC_host eq 444
access-list public_ACL extended permit tcp any object INTELNUC_host eq www
access-list public_ACL extended permit object-group TCPUDP any object C7940_host eq domain inactive
access-list public_ACL extended permit tcp object SPINTEL_host object C7940_host eq sip
access-list public_ACL extended permit udp object SPINTEL_host object C7940_host eq sip
access-list public_ACL extended permit icmp object SPINTEL_host object C7940_host
access-list public_ACL extended permit object 10000-20000 object SPINTEL_host object C7940_host
access-list public_ACL extended permit ip object SPINTEL_host object C7940_host
access-list dmz_ACL extended permit icmp any any echo
access-list dmz_ACL extended permit udp any any eq snmp
access-list dmz_ACL extended permit ip object INTELNUC_host object-group LAN_all
access-list dmz_ACL extended deny ip any object LAN_private
access-list dmz_ACL extended deny ip any object LAN_guest
access-list dmz_ACL extended deny ip any object LAN_experimental
access-list dmz_ACL extended deny ip any object LAN_phone
access-list dmz_ACL extended permit ip any any
access-list guest_ACL extended permit icmp any any echo
access-list guest_ACL extended permit udp any any eq snmp
access-list guest_ACL extended permit object-group TCPUDP object LAN_guest_wireless object INTELNUC_host eq domain
access-list guest_ACL extended deny ip object LAN_guest_wireless object INTELNUC_host
access-list guest_ACL extended deny ip object LAN_guest_wireless object QNAP_host
access-list guest_ACL extended permit ip any object INTELNUC_host
access-list guest_ACL extended permit ip any object QNAP_host
access-list guest_ACL extended deny ip any object LAN_private
access-list guest_ACL extended deny ip any object LAN_dmz
access-list guest_ACL extended deny ip any object LAN_experimental
access-list guest_ACL extended deny ip any object LAN_phone
access-list guest_ACL extended permit ip any any
access-list phone_ACL extended permit udp object C7940_host object INTELNUC_host eq tftp
access-list phone_ACL extended permit icmp object C7940_host object SPINTEL_host
access-list phone_ACL extended permit object 16384-32766 object C7940_host object SPINTEL_host
access-list phone_ACL extended permit object-group TCPUDP object C7940_host any eq domain
access-list phone_ACL extended permit udp object C7940_host any eq ntp
access-list phone_ACL extended permit tcp object C7940_host any eq sip
access-list phone_ACL extended permit udp object C7940_host any eq sip
access-list phone_ACL extended permit ip object C7940_host any inactive
access-list phone_ACL extended permit ip object LAN_phone any inactive
pager lines 24
logging enable
logging asdm notifications
mtu inside_private 1500
mtu outside_public 1492
mtu inside_dmz 1500
mtu inside_guest 1500
mtu inside_experimental 1500
mtu inside_phone 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside_private,outside_public) source static C7940_u10000-20000 interface service 10000-20000 10000-20000
object network LAN_private
nat (inside_private,outside_public) dynamic interface
object network LAN_dmz
nat (inside_dmz,outside_public) dynamic interface
object network LAN_guest
nat (inside_guest,outside_public) dynamic interface
object network LAN_experimental
nat (inside_experimental,outside_public) dynamic interface
object network INTELNUC_prtgservice
nat (inside_dmz,outside_public) static interface service tcp 444 444
object network INTELNUC_webservice
nat (inside_dmz,outside_public) static interface service tcp www www
object network QNAP_management
nat (inside_private,outside_public) static interface service tcp 8080 8080
object network QNAP_transmission
nat (inside_private,outside_public) static interface service tcp 9091 9091
object network QNAP_t51413
nat (inside_private,outside_public) static interface service tcp 51413 51413
object network QNAP_u51413
nat (inside_private,outside_public) static interface service udp 51413 51413
object network C7940_t5060
nat (inside_private,outside_public) static interface service tcp sip sip
object network LAN_phone
nat (inside_phone,outside_public) dynamic interface
object network C7940_u5060
nat (inside_private,outside_public) static interface service udp sip sip
access-group public_ACL in interface outside_public
access-group dmz_ACL in interface inside_dmz
access-group guest_ACL in interface inside_guest
access-group phone_ACL in interface inside_phone
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside_private
snmp-server host inside_dmz 192.168.60.2 community *****
snmp-server location inside_dmz
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint localtrust
enrollment self
fqdn asa5505.--CUT--
subject-name CN=sasa5505.--CUT--
keypair sslvpnkey
crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
certificate --CUT--
telnet 192.168.50.0 255.255.255.0 inside_private
telnet timeout 60
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ADSL2 request dialout pppoe
vpdn group ADSL2 localname --CUT--
vpdn group ADSL2 ppp authentication pap
vpdn username --CUT-- password --CUT-- store-local
dhcpd auto_config outside_public
dhcprelay server 192.168.60.2 inside_dmz
dhcprelay enable inside_private
dhcprelay enable inside_guest
dhcprelay enable inside_experimental
dhcprelay enable inside_phone
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server --CUT-- source inside_private
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
ssl trust-point localtrust outside_public
webvpn
anyconnect-essentials
username --CUT-- password --CUT-- encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect pptp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:--CUT--Ansar,
A source group or "group" is what you need to configure on the CSS in order for the backend servers to initiate a connection outbound on the CSS. It would be helpful if you could email me directly a piece of your config. Specifically I would need the "service" section in terms of which servers need outbound access as well as the content rules you have configured and the ACL section to confirm you are not blocking anything.
As an example.
If you had
service pete
ip address 1.1.1.1
active
content pete
add service pete
protocol tcp
port 80
vip address 2.2.2.2
active
group pete_out
vip address 2.2.2.2
add service pete
active
So what happens is when the service makes an outbound connection, the source ip address is now the vip address. When the return packet comes back, the CSS recognizes it and gets it back to the backend server.
You can also apply a source group via an acl as another option.
Regards
Pete..
[email protected] -
Does having a guest network decrease the power of the main network?
I set up a guest network when I set up my Airport Extreme ... not sure why I did this exactly. I have moved into a larger home and now have some issues with the router reaching the entire unit. (It does actually cover it all ... but very weak in the farthest areas from the router.) Does the guest network take power away from the primary network. In other words, if I reset the router without the guest network, would I be better off?
THANKS.When you enable the Guest network, the bandwidth is split between the Main and Guest networks, so performance wise, it would make sense to only use the Guest network feature when you really have "guests".
Now, if you turn the Guest network off...whether you will actually "see" any improvement is open to question. Worth a try.
To turn off the Guest Network....
Open AirPort Utility - Click Manual Setup
Click the Guest Network tab below the row of icons
Remove the check mark next to "Enable Guest Network"
Click Update to save the changes and the AirPort will restart in 25-30 seconds.
If you need more wireless coverage, you might want to look at adding another AirPort Extreme or AirPort Express to "extend" the wireless signal. -
One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly apprecaited although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.
Some other info from the client end:
I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
Also Tunnel received 0 and sent 115119
Encryption is 168-bit 3-DES
Authentication is HMAC-SHA1
also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats
also Transparent tunneling is selcted but in the stats it states it is inactive
I am connecting with the Cisco VPN Client Ver 5.0.07.0440
This config works. It is on the internal net 192.168..40.x and all users obtain dhcp and surf the web. It has required ports opened.The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix and the pix from the remote PC connecting via the VPN and youcannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25
I need to see the internal network and map network drives. I have another friend that is running the same config and it works but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25 so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc on 192.168.1.x I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapater but I really do not know for sure.
Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encrption where there and an issue with the encrypt and ecrypt which was stopping the communicaton via the VPN.
I still cannot seem to find the issue with this config and any help will be greatly appreciated.
This is the config
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password somepassword
hostname hostname
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network internal_trusted_net
network-object 192.168.40.0 255.255.255.0
object-group icmp-type icmp_outside
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object source-quench
access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any
(NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside it still does not work.
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community $XXXXXX$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
crypto dynamic-map clientmap 50 set transform-set 3des_strong
crypto map vpn 50 ipsec-isakmp dynamic clientmap
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_client_pool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote-vpn split-tunnel split_tunnel
vpngroup remote-vpn idle-time 10800
vpngroup remote-vpn password ANOTHER PASSWORD
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.40.0 255.255.255.0 inside
ssh timeout 30
console timeout 60
dhcpd address 192.168.40.100-192.168.40.131 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username AUSER password PASSWORD privilege 15
terminal width 80
****************** End of config
I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exeption Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper for the VPN pool- that it will not work but I am confused by the examples. They show as I do the complete range for an access-list called no_nat_inside but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly apprecaited. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connect a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and viceversa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receive an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in anther post.
Thank you once again.Hi,
PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that its very hard for me atleast to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni -
Allow VPN client to connect from the inside to another remote network
Hi, if I have a Cisco VPN client software on the inside of network and client is to connect to a remote network, over the internet. What ports need to be opened and on the outside interface/inside/both?
Thanks.Basically, all you need is UDP port 500, NAT-T will do the rest.
Connections are initiated from the inside and while everything is allowed in that direction, this should work by default.
If you have an access-list that limits traffic from inside to outside, you might need to allow this traffic.
Regards,
Leo -
WLC-2106 and multiple interfaces on the same network
Hi there,
I recently created a TAC request to the Cisco support regarding our WLC-2106, but they could not help me. Basically I just learned that you can create new interfaces for the wireless LAN controller and then dedicate them to a given wireless network (SSID). This way I could more effectively utilize network bandwidth also. Problem is that all of the interfaces have to be in a different network segment in order to work, which is not what I want. I specifically want to have several interfaces on the same network segment.
Has anyone tried to accomplish the same?Basically what I've misunderstood is that all the traffic generated by our wireless clients have been going through the single 100Mbit/s ethernet port on the wireless LAN controller (management interface), and to mitigate this I thought I could create new interfaces (ports) and dedicate those to given WLAN networks.. I see now that this is not supported. Not inside the same network at least.
So, by reading further and consulting my best friend Google I learned about a setting called "AP Mode". Changing that from Local (the default) to H-REAP the APs should not route their traffic anymore through the management interface on the wireless controller, but instead route all the client traffic directly to the local LAN. This way you effectively remove the 100Mbit/s bottle-neck when all the APs were using the management interface both for configuration and client data traffic.
It seems you also have to enable H-REAP Local switching from a given WLAN network in addition to changing the AP Mode of your access points to H-REAP. I'm still in the testing phase here so should anyone have any insight to this, I'd be greatful to hear more. -
Background: My home does not have access to landline internet and I am relying on a Verizon Jetpack device rather than satellite cable for internet access. Within my JetPack wireless network I have several devices connected, iPADs, PC’s, printer, etc. (up to 5 devices can be connected with my system). Recently, I had one device within my immediate wireless network that I needed to transfer data via FTP to another local device within my immediate network. The receiving device FTP’d data from device (198.168.1.42) to local IP (address 192.168.1.2). To understand the data path a Trace rout for this transfer is 198.168.1.42 (source) to 198.168.1.1 (Jetpack) to 192.168.1.2 (receiver). Note that the VZW network ((cloud)/4G network) was NOT used in this transfer nor was any VZW bandwidth used for this transfer (of course less the typical overhead status/maintenance communications that happen regardless). Use of the VZW bandwidth would be something like downloading a movie from Netflix, (transferring data from a remote site, through the VZW network, into the Jetpack and to the target device). I also understand if ones devices have auto SW updates that would also go against the usage as well. I get that. My understanding of my usage billing is based data transfer across the VZW network.
Now to the problem: To my surprise I was quite substantially charged for the “internal” direct transfer of this data although I didn’t use the VZW network at all. This does not seem to be right, and doesn’t make much sense to me. Usage is should be based on the VZW network not a local Wi-Fi. In this case, Verizon actually gets free money from me without any use of or impact to the VZW network. Basically this is a VERY expensive rental for the jetpack device, which I bought anyway. Considering this, I am also charged each time I print locally. Dive into this further, I am also interested in knowing what is the overhead (non-data) communications between the jetpack router and devices and how much does that add up to over time?
Once I realized I was getting socked in bandwidth, as a temp solution I found an old Wi-Fi router, created a separate Wi-Fi network off the Jetpack, but the billing damage was already done. Switching each device back and forth to FTP and print is a hassle and there should be no reason the existing hardware couldn’t handle this and charges aligned with VSW usage. Is purposely intended by Verizon? Is this charging correct? And can I get some help with this?
Logically, usage should be based on VZW network usage not internal transfers. All transfers between IP addresses 192.168 are by default internal. Any data that needs to leave the internal network are translated in to the dynamic IP addresses established by the VZW network. That should be very easily detected for usage. In the very least, this fact needs to be clearly identified and clarified to users of the Jetpack. How would one use a local network and not get socked with usage charges? Can one set up a Wi-Fi network with another router, hardwire directly from the router to the Jetpack so that only data to and from the VZW network is billed? I might be able to figure out how to have the jetpack powered on but disable the VZW connection, but I don’t want to experiment and find out that the internal transfers are being logged and the log sent after the fact anyway once I connect…. A reasonable solution should be that users be able to use the router functions of the Jetpack (since one has to buy the device anyway) and only be billed for VZW usage.
Your help in this would be greatly appreciated. Thanksi had one mac and spilt water on it, the motherboard fried so i had to buy a used one...being in school and all. it is a MC375lla
Model Name:
MacBook Pro
Model Identifier:
MacBookPro7,1
Processor Name:
Intel Core 2 Duo
Processor Speed:
2.66 GHz
Number of Processors:
1
Total Number of Cores:
2
L2 Cache:
3 MB
Memory:
8 GB
Bus Speed:
1.07 GHz
Boot ROM Version:
MBP71.0039.B0E
SMC Version (system):
1.62f7
Hardware UUID:
A802DE22-1E57-5509-93C5-27CEF01377B7
Sudden Motion Sensor:
State:
Enabled
i do not have a backup of it, so i am thinking about replacing my old hard drive from the water damaged into this one, not even sure if that would work, but it did not seem to be damaged, as i recovered all the files i wanted off of it to put onto this mbp
the previous owner didnt have it set to boot, they had all their settings left on it and tried to edit all the names on it, had a bunch of server info and printers etc crap on it. i do not believe he edited the terminal system though--he doesnt seem to terribly bright(if thats possible)
tbh i hate lion compared to the old one i had, this one has so many more issues-overheating,fan noise, cd dvd noise
if you need screenshots or data of anything else as away
[problem is i do not want to start from scratch if there is a chance of fixing it, this one did not come with disks or anything like my first. so i dont even know if i could, and how it sets now i am basically starting from scratch, because now all my apps are reset but working, i am hoping to get my data back somehow though, i lost all of my bookmarks and editing all my apps and setting again would be a pain -
AnyConnect to ASA 5505 ver 8.4 unable to ping/access Inside network
My AnyConnect VPN connect to the ASA, however I cannot access my inside network hosts (tried Split Tunnel and it didn't work either). I plan to use a Split Tunnel configuration but I thought I would get this working before I implemented that configuration. My inside hosts are on a 10.0.1.0/24 network and 10.1.0.0/16 networks. My AnyConnect hosts are using 192.168.60.0/24 addresses.
I have seen other people that appeared to have similar posts but none of those solutions have worked for me. I have also tried several NAT and ACL configurations to allow traffic form my Inside network to the ANYConnect hosts and back, but apparently I did it incorrectly. I undestand that this ver 8.4 is supposed to be easier to perform NAT and such, but I now in the router IOS it was much simpler.
My configuration is included below.
Thank you in advance for your assistance.
Jerry
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password (removed)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Generic_All_Network interface
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
: endHi,
Yes, I have saved the config and did a write erase and reloaded the config, no difference. I rebuilt it once a couple of weeks ago, but that was before I had gotten this far with your assistance. I'll include my ASA and switches configs after this. Here is a little background (took it form the Firewall section issue just because it gives a little insight for the network). I have 2 3560s, one as a L3 switch the other L2 with an etherchannel between them (one of the cables was bad so I am waiting on the replacement to have 2 - Gigabit channels between the switches).
I think our issue with the VPN not getting to the Inside is posibly related to my DMZ issue not getting to the internet.
I am using 2 VLANs on my switch for Guests - one is wired and the other is wireless. I am trying to keep them separate because the wireless are any guest that might be at our restaurant that is getting on WiFi. The wired is for our Private Dining Rooms that vendors may need access and I don't want the wireless being able to see the wired network in that situation.
I have ports on my 3560s that are assigned to VLAN 20 (Guest Wired) and VLAN 22 (Guest Wireless). I am not routing those addresses within the 3560s (one 3560 is setup as a L3 switch). Those VLANs are being L2 switched to the ASA via the trunk to save ports (I tried separating them and used 2 ports on the ASA and it still didn't work). The ASA is providing DCHP for those VLANs and the routing for the DMZ VLANs. I can ping each of the gateways (which are the VLANs on the ASA from devices on the 3560s - 172.26.20.1 and 172.26.22.1. I have those in my DMZ off the ASA so it can control and route the data.
The 3560 is routing for my Corp VLANs. So far I have tested the Wired VLAN 10 (10.1.10.0/24) and it is working and gets to the Internet. I have a default route (0.0.0.0 0.0.0.0) from the L3 switch to e0/1 on the ASA and e0/1 is an Inside interface.
E0/0 on the ASA is my Outside interface and gets it IP from the upstream router (will be an AT&T router/modem when I move it to the building).
So for a simple diagram:
PC (172.26.20.21/24) -----3560 (L2) ------Trunk----(VLAN 20 - DMZ/ VLAN 22 - DMZ2)---- ASA -----Outside ------- Internet (via router/modem)
I will be back at this tomorrow morning - I've been up since 4pm yesterday and it is almost 3pm.
Thank you for all of your assistance.
Jerry
Current ASA Config:
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password $$$$$$$$$$$$$$$ encrypted
passwd $$$$$$$$$$$$$$$$ encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
switchport access vlan 20
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
object network INSIDE
subnet 10.0.1.0 255.255.255.0
access-list capdmz extended permit icmp host 172.26.20.22 host 208.67.222.222
access-list capdmz extended permit icmp host 208.67.222.222 host 172.26.20.22
access-list capout extended permit icmp host 192.168.1.231 host 208.67.222.222
access-list capout extended permit icmp host 208.67.222.222 host 192.168.1.231
access-list capvpn extended permit icmp host 192.168.60.20 host 10.1.10.23
access-list capvpn extended permit icmp host 10.1.10.23 host 192.168.60.20
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list SPLIT-TUNNEL standard permit 10.0.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list capins extended permit icmp host 10.1.10.23 host 10.0.1.1
access-list capins extended permit icmp host 10.0.1.1 host 10.1.10.23
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
nat (inside,outside) after-auto source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f6d9bbacca2a5c8b5af946a8ddc12550
: end
L3 3560 connects to ASA via port f0/3 routed port 10.0.1.0/24 network
Connects to second 3560 via G0/3 & G0/4
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
hostname mx3560a
boot-start-marker
boot-end-marker
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
ip dhcp excluded-address 10.1.10.1 10.1.10.20
ip dhcp excluded-address 10.1.12.1 10.1.12.20
ip dhcp excluded-address 10.1.14.1 10.1.14.20
ip dhcp excluded-address 10.1.16.1 10.1.16.20
ip dhcp excluded-address 10.1.30.1 10.1.30.20
ip dhcp excluded-address 10.1.35.1 10.1.35.20
ip dhcp excluded-address 10.1.50.1 10.1.50.20
ip dhcp excluded-address 10.1.80.1 10.1.80.20
ip dhcp excluded-address 10.1.90.1 10.1.90.20
ip dhcp excluded-address 10.1.100.1 10.1.100.20
ip dhcp excluded-address 10.1.101.1 10.1.101.20
ip dhcp pool VLAN10
network 10.1.10.0 255.255.255.0
default-router 10.1.10.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN12
network 10.1.12.0 255.255.255.0
default-router 10.1.12.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN14
network 10.1.14.0 255.255.255.0
default-router 10.1.14.1
option 150 ip 10.1.13.1
ip dhcp pool VLAN16
network 10.1.16.0 255.255.255.0
default-router 10.1.16.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN30
network 10.1.30.0 255.255.255.0
default-router 10.1.30.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN35
network 10.1.35.0 255.255.255.0
default-router 10.1.35.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN50
network 10.1.50.0 255.255.255.0
default-router 10.1.50.1
option 43 hex f104.0a01.6564
ip dhcp pool VLAN80
network 10.1.80.0 255.255.255.0
default-router 10.1.80.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN90
network 10.1.90.0 255.255.255.0
default-router 10.1.90.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN100
network 10.1.100.0 255.255.255.0
default-router 10.1.100.1
ip dhcp pool VLAN101
network 10.1.101.0 255.255.255.0
default-router 10.1.101.1
ip dhcp pool VLAN40
dns-server 208.67.222.222 208.67.220.220
port-channel load-balance src-dst-mac
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
link state group 1 downstream
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
power inline never
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
power inline never
interface FastEthernet0/3
description Interface to MXFW E0/1
no switchport
ip address 10.0.1.2 255.255.255.0
power inline never
interface FastEthernet0/4
switchport mode access
shutdown
power inline never
interface FastEthernet0/5
switchport mode access
shutdown
power inline never
interface FastEthernet0/6
switchport mode access
shutdown
power inline never
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
power inline never
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/9
switchport mode access
shutdown
power inline never
interface FastEthernet0/10
switchport mode access
shutdown
power inline never
interface FastEthernet0/11
switchport mode access
shutdown
power inline never
interface FastEthernet0/12
switchport access vlan 40
switchport mode access
interface FastEthernet0/13
switchport access vlan 40
switchport mode access
interface FastEthernet0/14
switchport access vlan 40
switchport mode access
interface FastEthernet0/15
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/16
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 50
switchport mode access
interface FastEthernet0/18
switchport mode access
shutdown
power inline never
interface FastEthernet0/19
switchport mode access
shutdown
power inline never
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/21
switchport mode access
shutdown
power inline never
interface FastEthernet0/22
switchport mode access
shutdown
power inline never
interface FastEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/24
switchport access vlan 35
switchport mode access
power inline never
interface FastEthernet0/25
switchport mode access
shutdown
power inline never
interface FastEthernet0/26
switchport mode access
shutdown
power inline never
interface FastEthernet0/27
switchport mode access
shutdown
power inline never
interface FastEthernet0/28
switchport access vlan 40
switchport mode access
interface FastEthernet0/29
switchport access vlan 40
switchport mode access
interface FastEthernet0/30
switchport access vlan 40
switchport mode access
interface FastEthernet0/31
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/32
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/33
switchport access vlan 50
switchport mode access
interface FastEthernet0/34
switchport mode access
shutdown
power inline never
interface FastEthernet0/35
switchport mode access
shutdown
power inline never
interface FastEthernet0/36
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/37
switchport mode access
shutdown
power inline never
interface FastEthernet0/38
switchport mode access
shutdown
power inline never
interface FastEthernet0/39
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/40
switchport access vlan 90
switchport mode access
power inline never
interface FastEthernet0/41
switchport mode access
shutdown
power inline never
interface FastEthernet0/42
switchport mode access
shutdown
power inline never
interface FastEthernet0/43
switchport mode access
shutdown
power inline never
interface FastEthernet0/44
switchport access vlan 40
switchport mode access
interface FastEthernet0/45
switchport access vlan 40
switchport mode access
interface FastEthernet0/46
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/47
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/48
switchport mode access
shutdown
power inline never
interface GigabitEthernet0/1
description Interface to MXC2911 Port G0/0
no switchport
ip address 10.1.13.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface Vlan1
no ip address
shutdown
interface Vlan10
ip address 10.1.10.1 255.255.255.0
interface Vlan12
ip address 10.1.12.1 255.255.255.0
interface Vlan14
ip address 10.1.14.1 255.255.255.0
interface Vlan16
ip address 10.1.16.1 255.255.255.0
interface Vlan20
ip address 172.26.20.1 255.255.255.0
interface Vlan22
ip address 172.26.22.1 255.255.255.0
interface Vlan30
ip address 10.1.30.1 255.255.255.0
interface Vlan35
ip address 10.1.35.1 255.255.255.0
interface Vlan40
ip address 10.1.40.1 255.255.255.0
interface Vlan50
ip address 10.1.50.1 255.255.255.0
interface Vlan80
ip address 172.16.80.1 255.255.255.0
interface Vlan86
no ip address
shutdown
interface Vlan90
ip address 10.1.90.1 255.255.255.0
interface Vlan100
ip address 10.1.100.1 255.255.255.0
interface Vlan101
ip address 10.1.101.1 255.255.255.0
router eigrp 1
network 10.0.0.0
network 10.1.13.0 0.0.0.255
network 10.1.14.0 0.0.0.255
passive-interface default
no passive-interface GigabitEthernet0/1
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/3 10.0.1.1
ip route 192.168.60.0 255.255.255.0 FastEthernet0/3 10.0.1.1 2
ip http server
ip sla enable reaction-alerts
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end
L3 3560 Route Table (I added 192.168.60.0/24 instead of just using the default route just in case it wasn't routing for some reason - no change)
mx3560a#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.1.1 to network 0.0.0.0
S 192.168.60.0/24 [2/0] via 10.0.1.1, FastEthernet0/3
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.80.0 is directly connected, Vlan80
172.26.0.0/24 is subnetted, 2 subnets
C 172.26.22.0 is directly connected, Vlan22
C 172.26.20.0 is directly connected, Vlan20
10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
C 10.1.10.0/24 is directly connected, Vlan10
D 10.1.13.5/32 [90/3072] via 10.1.13.1, 4d02h, GigabitEthernet0/1
C 10.1.14.0/24 is directly connected, Vlan14
C 10.1.13.0/24 is directly connected, GigabitEthernet0/1
C 10.1.12.0/24 is directly connected, Vlan12
C 10.0.1.0/24 is directly connected, FastEthernet0/3
C 10.1.30.0/24 is directly connected, Vlan30
C 10.1.16.0/24 is directly connected, Vlan16
C 10.1.40.0/24 is directly connected, Vlan40
C 10.1.35.0/24 is directly connected, Vlan35
C 10.1.50.0/24 is directly connected, Vlan50
C 10.1.90.0/24 is directly connected, Vlan90
C 10.1.101.0/24 is directly connected, Vlan101
C 10.1.100.0/24 is directly connected, Vlan100
S* 0.0.0.0/0 [1/0] via 10.0.1.1, FastEthernet0/3
I have a C2911 for CME on G0/1 - using it only for that purpose at this time.
L2 3560 Config it connects to the ASA as a trunk on e0/5 of the ASA and port f0/3 of the switch - I am using L2 switching for the DMZ networks from the switches to the ASA and allowing the ASA to provide the DHCP and routing out of the network. DMZ networks: 172.26.20.0/24 and 172.26.22.0/24.
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
hostname mx3560b
boot-start-marker
boot-end-marker
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
no aaa new-model
system mtu routing 1500
crypto pki trustpoint TP-self-signed-3877365632
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3877365632
revocation-check none
rsakeypair TP-self-signed-3877365632
crypto pki certificate chain TP-self-signed-3877365632
certificate self-signed 01
30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383737 33363536 3332301E 170D3933 30333031 30303031
30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373733
36353633 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DF81 DA515E0B 7FC760CF 2CC98400 42DCA007 215E4DDE D0C3FBF2 D974CE85
C46A8700 6AE44C2C 79D9BD2A A9297FA0 2D9C2BE4 B3941A2F 435AC4EA 17E89DFE
34EC8E93 63BD4CDF 784E91D7 2EE0093F 06CC97FD 83CB818B 1ED624E6 F0F5DA51
1DE4B8A7 169EED2B 40575B81 BADDE052 85BA9D19 4C206DCB 00878FF3 89E74028
B3F30203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
551D1104 0C300A82 086D7833 35363062 2E301F06 03551D23 04183016 80147125
78CE8540 DB95D852 3C0BD975 5D9C6EB7 58FC301D 0603551D 0E041604 14712578
CE8540DB 95D8523C 0BD9755D 9C6EB758 FC300D06 092A8648 86F70D01 01040500
03818100 94B98410 2D9CD602 4BD16181 BCB7C515 77C8F947 7C4AF5B8 281E3131
59298655 B12FAB1D A6AAA958 8473483C E993D896 5251770B 557803C0 531DEB62
A349C057 CB473F86 DCEBF8B8 7DDE5728 048A49D0 AB18CE8C 8257C00A C2E06A63
B91F872C 5F169FF9 77DC523B AB1E3965 C6B67FCC 84AE11E9 02DD10F0 C45EAFEA 41D7FA6C
quit
port-channel load-balance src-dst-mac
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/1
switchport access vlan 50
switchport mode access
interface FastEthernet0/2
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,22
switchport mode trunk
power inline never
interface FastEthernet0/4
switchport mode access
shutdown
power inline never
interface FastEthernet0/5
shutdown
power inline never
interface FastEthernet0/6
shutdown
power inline never
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/9
shutdown
power inline never
interface FastEthernet0/10
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/11
shutdown
power inline never
interface FastEthernet0/12
switchport access vlan 40
switchport mode access
interface FastEthernet0/13
switchport access vlan 40
switchport mode access
interface FastEthernet0/14
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/15
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/16
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 10
switchport mode access
power inline never
interface FastEthernet0/18
shutdown
power inline never
interface FastEthernet0/19
shutdown
power inline never
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/21
shutdown
power inline never
interface FastEthernet0/22
shutdown
power inline never
interface FastEthernet0/23
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/24
shutdown
power inline never
interface FastEthernet0/25
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/26
shutdown
power inline never
interface FastEthernet0/27
shutdown
power inline never
interface FastEthernet0/28
switchport access vlan 40
switchport mode access
interface FastEthernet0/29
switchport access vlan 40
switchport mode access
interface FastEthernet0/30
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/31
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/32
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/33
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/34
shutdown
power inline never
interface FastEthernet0/35
shutdown
power inline never
interface FastEthernet0/36
switchport mode access
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/37
shutdown
power inline never
interface FastEthernet0/38
shutdown
power inline never
interface FastEthernet0/39
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/40
switchport access vlan 90
switchport mode access
power inline never
interface FastEthernet0/41
shutdown
power inline never
interface FastEthernet0/42
shutdown
power inline never
interface FastEthernet0/43
shutdown
power inline never
interface FastEthernet0/44
switchport access vlan 40
switchport mode access
interface FastEthernet0/45
switchport access vlan 40
switchport mode access
interface FastEthernet0/46
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/47
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/48
switchport access vlan 40
switchport mode access
shutdown
interface GigabitEthernet0/1
shutdown
interface GigabitEthernet0/2
switchport access vlan 40
switchport mode access
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface Vlan1
no ip address
ip classless
ip http server
ip http secure-server
ip sla enable reaction-alerts
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end -
The VPN will connect.
I can ping and connect to the ASA 5510 on it's LAN interface.
My problem is that I cannot ping or access anything on the LAN past the firewall. What am I doing wrong?
Here is my config.
Result of the command: "show config"
: Saved
: Written by enable_15 at 22:55:02.299 UTC Tue Jan 10 2012
ASA Version 8.2(5)
hostname ********
enable password UbBnTPKwu27ohfYB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.4.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network BC
network-object 10.0.3.0 255.255.255.0
network-object 10.0.4.0 255.255.255.0
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq 50000
access-list outside_access_in extended permit tcp any any eq 3390
access-list outside_access_in extended permit tcp any any eq 8066
access-list outside_access_in extended permit tcp any any eq 22225
access-list outside_access_in extended permit tcp any any eq 1600
access-list outside_access_in extended permit tcp any any eq 37260
access-list outside_access_in extended permit tcp any any eq 37261
access-list outside_access_in extended permit tcp any any eq 37262
access-list outside_access_in extended permit tcp any any eq 37263
access-list outside_access_in extended permit tcp any any eq 37264
access-list outside_access_in extended permit tcp any any eq 1435
access-list outside_access_in extended permit tcp any any eq 250
access-list outside_access_in extended permit tcp any any eq citrix-ica
access-list outside_access_in extended permit tcp any any eq 8080
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq 85
access-list outside_access_in extended permit tcp any any eq 8069
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 23032
access-list outside_access_in extended permit tcp any any eq 32023
access-list outside_access_in extended permit tcp any any eq 3399
access-list outside_access_in extended permit udp any any eq 250
access-list outside_access_in extended permit udp any any eq 5008
access-list outside_access_in extended permit icmp any any
access-list splittunn-ppso extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list splittunn-ppso extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn-pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 50000 10.0.4.58 50000 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.0.4.7 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.0.3.249 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 8066 10.0.3.249 8066 netmask 255.255.255.255
static (inside,outside) tcp interface 22225 10.0.4.58 22225 netmask 255.255.255.255
static (inside,outside) tcp interface 1600 10.0.4.58 1600 netmask 255.255.255.255
static (inside,outside) tcp interface 37260 10.0.4.58 37260 netmask 255.255.255.255
static (inside,outside) tcp interface 37261 10.0.4.58 37261 netmask 255.255.255.255
static (inside,outside) tcp interface 37262 10.0.4.58 37262 netmask 255.255.255.255
static (inside,outside) tcp interface 37263 10.0.4.58 37263 netmask 255.255.255.255
static (inside,outside) tcp interface 37264 10.0.4.58 37264 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 10.0.4.240 1433 netmask 255.255.255.255
static (inside,outside) udp interface 5008 10.0.4.240 5008 netmask 255.255.255.255
static (inside,outside) udp interface 249 10.0.4.240 249 netmask 255.255.255.255
static (inside,outside) tcp interface 250 10.0.4.240 250 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.4.15 www netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 10.0.4.15 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 8080 10.0.4.15 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 85 10.0.4.15 85 netmask 255.255.255.255
static (inside,outside) tcp interface 8069 10.0.4.236 8069 netmask 255.255.255.255
static (inside,outside) tcp interface 3399 10.0.4.236 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 23032 10.0.4.244 23032 netmask 255.255.255.255
static (inside,outside) tcp interface 32023 10.0.4.244 32023 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.3.0 255.255.255.0 10.0.4.205 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
http x.x.x.x x.x.x.x outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet x.x.x.x 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ppso internal
group-policy ppso attributes
dns-server value 10.0.4.241 10.0.4.14
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunn-ppso
default-domain value ppso.local
split-dns value ppso.local
address-pools value vpn-pool
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool vpn-pool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:88a9b69fc3d718c3badfa99db2c7ce4fYeah, I figured out where my problem was.
My IP Local Pool range was the problem.
I was using 10.10.10.0 which conflicted with a point-to-point connection where the serial interfaces were numbered and using 10.10.10.1 and 10.10.10.2.
Traffic would leave the firewall, hit the intended host, go back through my core router, then off to the other network.
I changed my ip local pool to a different range (192.168.100.0) and my problem was solved. -
I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface. The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ. Without the client connected, they access the web servers via the external public IP. Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address.
Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.
I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface.
Share the configuration if you want help with the NAT exemption part. -
Multiple Apple TVs on the same network
I teach at a school and have used an Apple TV in conjunction with my iPad for presentations. I find it invaluable. Other teachers at my school would like to do the same, but I'm told by our tech support that multiple Apple TVs on the same network cause problems. When I ask them what problems, they aren't sure. They just tell me that other school have experienced problems. Other than a wifi bandwidth problem, I can't imagine what kind of problem it would be. A collegue of mine wants to jump onboard but desn't want to make waves. Does anyone know of any problems?
I have two Apple TV's, one in the living room and one in the bedroom... however, the living room is the only one that my iphone Remote APP is connecting with... I've named/tagged the two ATV's hoping that the Remote APP would provide me the option on which one to control, but it doesn't....
I've confirmed that home sharing is "on" with in all devices "settings"...
Any suggestions? -
Hi,
I can not access CRM from outside the office network - Access denied You do not have sufficient access rights or privileges to perform this action. I can access CRM with same user id and password from our office inside the network. I can get
the page to give login details once I have login details I got below error. Please help me to solve this issue. It was working before.
Access denied You do not have sufficient access rights or privileges to perform this action.
Regards,
Noushad
[email protected]On Premise system Configured with AD FS server for claims-based authentication you need to update your host file with server url to access it from outside office network.
Refer
this on how to update host file.
Regards, Saad
Maybe you are looking for
-
How do I set up my iphone 5 so that I can access my family account? Recently I purchased music from itunes using my apple id, and now I cannot find those songs in our cloud. I wanted to add those songs to my ipod. Do I have to buy them again using my
-
Can i make an external button to power up the computer using wake up on lan?
With the feature of Wake up on Lan I am assuming that the computer can be shutdown completly but via wake up on Lan? If this is the case I have my mac pro hidden from sight but obviously need to turn the computer still. I do not want to use the Sleep
-
Possible solution: Time Machine can not mount disk
Like many of you, my Time Machine started acting up after working fine for months. I have an external USB (Western Digital 500GB) drive connected to a Airport Extreme (N-speed) as an AirDisk. I have an iMac (iSight 160GB) connected via ethernet to th
-
How do I know how much storage I need to Have?
I have two iphone fives and one family ipad2. How much icloud storage do i need. I have been pay $40.00 a year. A lot of people are telling me I don't need it.
-
hi people, actually i ve installed a double stack(2004s) with pi 7.0 n i ve updated java with sp14 the sld was up and running till then after the upgrade the sld sever is stopped it throws an error when you press start server in administrator the err