Bandwith management ASA 5505
Dear All
i have 16MB internet speed, i want to give inside interface in my ASA only 2MB to use
could you please help me on how can i assign it ?
ASA Version 8.2(5)
hostname ConcordeASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 12
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
<--- More --->
<--- More --->
interface Ethernet0/7
<--- More --->
interface Vlan1
nameif inside
security-level 100
ip address 172.16.100.1 255.255.252.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 0.0.0.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 212.77.192.59
name-server 212.77.192.60
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside extended deny tcp host 172.16.100.197 any eq www
access-list inside extended permit ip any any
pager lines 24
<--- More --->
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 172.16.100.0 255.255.252.0 172.16.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.100.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
<--- More --->
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
<--- More --->
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
<--- More --->
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 172.16.100.5-172.16.101.4 inside
priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
<--- More --->
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
<--- More --->
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:bf1a120dc577a777b78b98d9ee887b04
: end
Hi Bro
Can you try this out and let me know the outcome;
access-list TEST permit ip 172.16.100.0 255.255.255.0 any
class-map TEST
match access-list TEST
policy-map TEST
class TEST
police input 2000000
police output 2000000
no service-policy TEST in interface inside
service-policy TEST in interface outside
Similar Messages
-
Internet Connection Became Slow after Introduction of Cisco ASA 5505 to the Network
I configured a Cisco ASA 5505 (Version Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
in transparent firewall mode and inserted after Cisco 1700 router. However, the internet connection became very slow and users are compaining that they cannot load any pages.
My setup looks like:
Internet --> Cisco 1700 --> Cisco ASA 5505 --> LAN
The license information is:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
The flash activation key is the SAME as the running key.
My running-config looks like:
ASA Version 7.2(3)
firewall transparent
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Vlan1
nameif inside
security-level 100
no shut
interface Vlan2
nameif outside
security-level 0
no shut
interface Ethernet0/0
switchport access vlan 2
no shut
interface Ethernet0/1
no shut
interface Ethernet0/2
no shut
interface Ethernet0/3
no shut
interface Ethernet0/4
no shut
interface Ethernet0/5
no shut
interface Ethernet0/6
no shut
interface Ethernet0/7
no shut
passwd 2KFQnbNIdI.2KYOU encrypted
regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.diretube\.com"
regex domainlist3 "\.youtube\.com"
regex domainlist4 "\.vimeo\.com"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_in extended permit ip any any
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 192.168.1.254 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map type regex match-any DomainBlockList
match regex domainlist1
match regex domainlist2
match regex domainlist3
match regex domainlist4
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map type regex match-any URLBlockList
match regex urllist1
match regex urllist2
match regex urllist3
match regex urllist4
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match response header regex contenttype regex applicationheader
class-map httptraffic
match access-list inside_mpc
class-map type inspect http match-all BlockURLsClass
match request uri regex class URLBlockList
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
class AppHeaderClass
drop-connection log
match request method connect
drop-connection log
class BlockDomainsClass
reset log
class BlockURLsClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:8ab1a53df6ae3c202aee236d6080edfd
: end
Could the slow internet connection be due to license limitations? Or is there something wrong with my configuration?
Please see the configuration and help.
ThanksI have re-configured the ASA 5505 yesterday and so far it's working fine. I am not sure if the problem will re-appear later on. Anyways here is my sh tech-support
ciscoasa# sh tech-support
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 14 hours 16 mins
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001f.9ee8.ffa2, irq 11
1: Ext: Ethernet0/0 : address is 001f.9ee8.ff9a, irq 255
2: Ext: Ethernet0/1 : address is 001f.9ee8.ff9b, irq 255
3: Ext: Ethernet0/2 : address is 001f.9ee8.ff9c, irq 255
4: Ext: Ethernet0/3 : address is 001f.9ee8.ff9d, irq 255
5: Ext: Ethernet0/4 : address is 001f.9ee8.ff9e, irq 255
6: Ext: Ethernet0/5 : address is 001f.9ee8.ff9f, irq 255
<--- More --->
7: Ext: Ethernet0/6 : address is 001f.9ee8.ffa0, irq 255
8: Ext: Ethernet0/7 : address is 001f.9ee8.ffa1, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
Serial Number: JMX1211Z2N4
Running Activation Key: 0xaf0ed046 0xbcf18ebf 0x80b38508 0xba785cc0 0x05250493
Configuration register is 0x1
Configuration has not been modified since last system restart.
<--- More --->
------------------ show clock ------------------
18:32:58.254 UTC Tue Nov 26 2013
------------------ show memory ------------------
Free memory: 199837144 bytes (74%)
Used memory: 68598312 bytes (26%)
Total memory: 268435456 bytes (100%)
------------------ show conn count ------------------
1041 in use, 2469 most used
------------------ show xlate count ------------------
0 in use, 0 most used
------------------ show blocks ------------------
SIZE MAX LOW CNT
0 100 68 100
<--- More --->
4 300 299 299
80 100 92 100
256 100 94 100
1550 6174 6166 6174
2048 1124 551 612
------------------ show blocks queue history detail ------------------
History buffer memory usage: 2136 bytes (default)
------------------ show interface ------------------
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is y88acs06, BW 1000 Mbps
(Full-duplex), (1000 Mbps)
MAC address 001f.9ee8.ffa2, MTU not set
IP address unassigned
18491855 packets input, 11769262614 bytes, 0 no buffer
Received 213772 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops, 0 demux drops
18185861 packets output, 11626494317 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
<--- More --->
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/55) software (0/0)
Control Point Interface States:
Interface number is unassigned
Interface Internal-Data0/1 "", is administratively down, line protocol is up
Hardware is 88E6095, BW 1000 Mbps
(Full-duplex), (1000 Mbps)
MAC address 0000.0003.0002, MTU not set
IP address unassigned
18184216 packets input, 11625360131 bytes, 0 no buffer
Received 206655 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 switch ingress policy drops
18490057 packets output, 11768078777 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Loopback0 "_internal_loopback", is up, line protocol is up
Hardware is VirtualMAC address 0000.0000.0000, MTU 1500
IP address 127.1.0.1, subnet mask 255.255.0.0
<--- More --->
Traffic Statistics for "_internal_loopback":
1 packets input, 28 bytes
1 packets output, 28 bytes
1 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 28
Interface config status is active
Interface state is active
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.9ee8.ffa2, MTU 1500
IP address 192.168.1.254, subnet mask 255.255.255.0
Traffic Statistics for "inside":
7742275 packets input, 903584114 bytes
10645034 packets output, 10347291114 bytes
184883 packets dropped
1 minute input rate 320 pkts/sec, 35404 bytes/sec
1 minute output rate 325 pkts/sec, 313317 bytes/sec
<--- More --->
1 minute drop rate, 17 pkts/sec
5 minute input rate 399 pkts/sec, 59676 bytes/sec
5 minute output rate 483 pkts/sec, 503200 bytes/sec
5 minute drop rate, 9 pkts/sec
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.9ee8.ffa3, MTU 1500
IP address 192.168.1.254, subnet mask 255.255.255.0
Traffic Statistics for "outside":
10750090 packets input, 10432619059 bytes
7541331 packets output, 870613684 bytes
109911 packets dropped
1 minute input rate 328 pkts/sec, 313770 bytes/sec
1 minute output rate 301 pkts/sec, 32459 bytes/sec
1 minute drop rate, 2 pkts/sec
5 minute input rate 485 pkts/sec, 503789 bytes/sec
5 minute output rate 387 pkts/sec, 57681 bytes/sec
5 minute drop rate, 2 pkts/sec
Control Point Interface States:
Interface number is 2
<--- More --->
Interface config status is active
Interface state is active
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001f.9ee8.ff9a, MTU not set
IP address unassigned
10749794 packets input, 10630700889 bytes, 0 no buffer
Received 2506 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
3 switch ingress policy drops
7541070 packets output, 1028190148 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
<--- More --->
Available but not configured via nameif
MAC address 001f.9ee8.ff9b, MTU not set
IP address unassigned
7741977 packets input, 1064586806 bytes, 0 no buffer
Received 211282 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
10644663 packets output, 10543362751 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/2 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9c, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
<--- More --->
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/3 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9d, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
<--- More --->
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/4 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9e, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
<--- More --->
Interface number is unassigned
Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9f, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
<--- More --->
MAC address 001f.9ee8.ffa0, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/7 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ffa1, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
<--- More --->
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 12%; 1 minute: 11%; 5 minutes: 11%
------------------ show cpu hogging process ------------------
Process: Dispatch Unit, NUMHOG: 1, MAXHOG: 133, LASTHOG: 140
LASTHOG At: 04:45:59 UTC Nov 26 2013
PC: 8be0f7
Traceback: 8bed19 8bf553 302b87 3030a5 2fad69 7674bf 75ca16
c6251d c62a4c c62f6c 75c653 767820 797f64 769c85
<--- More --->
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Mwe 00c9bb24 01bb8700 013e3250 0 01733fc8 15616/16384 emweb/cifs
Lwe 001072ac 0176f9c4 013e32d0 0 0176d9f0 8132/8192 block_diag
Mrd 00223a67 01783d5c 013e33b0 314854 0177be18 25752/32768 Dispatch Unit
Msi 00f82847 01b07b84 013e3250 229 01b05bc0 7984/8192 y88acs06 OneSec Thread
Mwe 0011b1a5 01b09cfc 013e3250 0 01b07d88 7864/8192 Reload Control Thread
Mwe 00120606 01b1260c 013e5258 0 01b10988 7256/8192 aaa
Mwe 001486aa 01b19404 013e5ae8 0 01b15450 16020/16384 CMGR Server Process
Mwe 0014c3c5 01b1b4d4 013e3250 0 01b19570 7968/8192 CMGR Timer Process
Lwe 002227a1 01b239b4 013ee360 0 01b219f0 7524/8192 dbgtrace
Mwe 004e1ba5 01b29c34 013e3250 157 01b27d50 6436/8192 eswilp_svi_init
Mwe 01064b1d 01b4a7f4 013e3250 0 01b48890 7848/8192 Chunk Manager
Msi 008b61b6 01b52d54 013e3250 230 01b50da0 7856/8192 PIX Garbage Collector
Lsi 00ecb6ac 01b54e94 013e3250 12 01b52ec0 7552/8192 route_process
Mwe 008a5ddc 01b5dc04 0133b430 0 01b5bc40 8116/8192 IP Address Assign
Mwe 00acb779 01b60604 01346e10 0 01b5e640 8116/8192 QoS Support Module
Mwe 0091eba9 01b6275c 0133c530 0 01b60798 8116/8192 Client Update Task
Lwe 01083c8e 01b656d4 013e3250 123088 01b63770 7840/8192 Checkheaps
Mwe 00acfd7d 01b6b824 013e3250 623 01b69ad0 3476/8192 Quack process
Mwe 00b2a260 01b6dad4 013e3250 22 01b6bbf0 7364/8192 Session Manager
Mwe 00c55efd 01b78564 031d0478 4 01b74a50 14768/16384 uauth
<--- More --->
Mwe 00be3c9e 01b7aaec 0135c010 0 01b78b28 7524/8192 Uauth_Proxy
Mwe 00c52759 01b80e0c 01361770 0 01b7ee88 7712/8192 SMTP
Mwe 00c3f7b9 01b82eec 01361710 0 01b80fa8 7412/8192 Logger
Mwe 00c3fd26 01b8502c 013e3250 0 01b830c8 7492/8192 Thread Logger
Mwe 00f62272 01b9596c 013ac520 0 01b939c8 7188/8192 vpnlb_thread
Msi 00b4097c 01c598c4 013e3250 190 01c578f0 8000/8192 emweb/cifs_timer
Msi 005bd338 017a909c 013e3250 25855 017a7108 7412/8192 arp_timer
Mwe 005c76bc 01b486e4 013fba50 20643 01b46770 7348/8192 arp_forward_thread
Mwe 00c5a919 023fa5fc 013619e0 0 023f8648 7968/8192 tcp_fast
Mwe 00c5a6e5 023fc624 013619e0 0 023fa670 7968/8192 tcp_slow
Mwe 00c754d1 0240d42c 013628a0 0 0240b478 8100/8192 udp_timer
Mwe 0019cb17 01b404a4 013e3250 0 01b3e530 7984/8192 CTCP Timer process
Mwe 00efe8b3 0308c15c 013e3250 0 0308a208 7952/8192 L2TP data daemon
Mwe 00efef23 0308e194 013e3250 0 0308c230 7968/8192 L2TP mgmt daemon
Mwe 00eea02b 030c62ac 013a5c10 43 030c2338 16244/16384 ppp_timer_thread
Msi 00f62d57 030c82f4 013e3250 264 030c6360 7924/8192 vpnlb_timer_thread
Mwe 001b96e6 01b7cbbc 01b1e9c8 1 01b7ac48 7728/8192 IPsec message handler
Msi 001c9bac 01b8d4dc 013e3250 2917 01b8b548 7648/8192 CTM message handler
Mwe 00af93b8 031465b4 013e3250 0 03144640 7984/8192 ICMP event handler
Mwe 00831003 0314a724 013e3250 387 031467b0 16100/16384 IP Background
Mwe 0021b267 031a83c4 013123c0 31 03188450 123488/131072 tmatch compile thread
Mwe 009f2405 03290044 013e3250 0 0328c0c0 16072/16384 Crypto PKI RECV
Mwe 009f305a 03294144 013e3250 0 032901e0 16040/16384 Crypto CA
Mwe 0064d4fd 01b3e24c 013e3250 8 01b3c2f8 7508/8192 ESW_MRVL switch interrupt service
<--- More --->
Msi 00646f5c 032c134c 013e3250 3059378 032bf448 7184/8192 esw_stats
Lsi 008cbb80 032dc704 013e3250 3 032da730 7908/8192 uauth_urlb clean
Lwe 008afee7 034a0914 013e3250 197 0349e9b0 6636/8192 pm_timer_thread
Mwe 0052f0bf 034a35ac 013e3250 0 034a1648 7968/8192 IKE Timekeeper
Mwe 00520f6b 034a8adc 0132e2b0 0 034a4e38 15448/16384 IKE Daemon
Mwe 00bf5c78 034ac7ac 01360680 0 034aa7f8 8100/8192 RADIUS Proxy Event Daemon
Mwe 00bc32de 034ae79c 034dcbe0 0 034ac918 7208/8192 RADIUS Proxy Listener
Mwe 00bf5e0f 034b099c 013e3250 0 034aea38 7968/8192 RADIUS Proxy Time Keeper
Mwe 005aac4c 034b3154 013fb980 0 034b1250 7492/8192 Integrity FW Task
M* 008550a5 0009fefc 013e33b0 3183 034e3b20 24896/32768 ci/console
Msi 008eb694 034ed9d4 013e3250 2370 034ebc40 6176/8192 update_cpu_usage
Msi 008e6415 034f7dac 013e3250 1096 034f5eb8 6124/8192 NIC status poll
Mwe 005b63e6 03517d1c 013fbd10 1963 03515d78 7636/8192 IP Thread
Mwe 005becbe 03519e4c 013fbcb0 3 03517e98 7384/8192 ARP Thread
Mwe 004c2b36 0351befc 013fbae0 0 03519fe8 7864/8192 icmp_thread
Mwe 00c7722e 0351e06c 013e3250 0 0351c108 7848/8192 udp_thread
Mwe 00c5d126 0352008c 013fbd00 0 0351e228 7688/8192 tcp_thread
Mwe 00bc32de 03a6982c 03a5ee18 0 03a679b8 7512/8192 EAPoUDP-sock
Mwe 00266c15 03a6b614 013e3250 0 03a699e0 7032/8192 EAPoUDP
Mwe 005a6728 01b27b94 013e3250 0 01b25c30 7968/8192 Integrity Fw Timer Thread
- - - - 47686621 - - scheduler
- - - - 51253819 - - total elapsed
------------------ show failover ------------------
<--- More --->
ERROR: Command requires failover license
------------------ show traffic ------------------
inside:
received (in 51429.740 secs):
7749585 packets905087345 bytes
67 pkts/sec17013 bytes/sec
transmitted (in 51429.740 secs):
10653162 packets10355908020 bytes
40 pkts/sec201026 bytes/sec
1 minute input rate 412 pkts/sec, 51803 bytes/sec
1 minute output rate 475 pkts/sec, 522952 bytes/sec
1 minute drop rate, 24 pkts/sec
5 minute input rate 399 pkts/sec, 59676 bytes/sec
5 minute output rate 483 pkts/sec, 503200 bytes/sec
5 minute drop rate, 9 pkts/sec
outside:
received (in 51430.240 secs):
10758403 packets10441440193 bytes
42 pkts/sec203021 bytes/sec
transmitted (in 51430.240 secs):
7548339 packets872053854 bytes
<--- More --->
63 pkts/sec16037 bytes/sec
1 minute input rate 479 pkts/sec, 523680 bytes/sec
1 minute output rate 387 pkts/sec, 46796 bytes/sec
1 minute drop rate, 3 pkts/sec
5 minute input rate 485 pkts/sec, 503789 bytes/sec
5 minute output rate 387 pkts/sec, 57681 bytes/sec
5 minute drop rate, 2 pkts/sec
_internal_loopback:
received (in 51430.740 secs):
1 packets28 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51430.740 secs):
1 packets28 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Aggregated Traffic on Physical Interface
<--- More --->
Ethernet0/0:
received (in 51431.740 secs):
10758462 packets10640075825 bytes
42 pkts/sec206042 bytes/sec
transmitted (in 51431.740 secs):
7548383 packets1029818127 bytes
63 pkts/sec20023 bytes/sec
1 minute input rate 485 pkts/sec, 537048 bytes/sec
1 minute output rate 395 pkts/sec, 54546 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 485 pkts/sec, 511723 bytes/sec
5 minute output rate 387 pkts/sec, 65495 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/1:
received (in 51433.570 secs):
7749780 packets1066328930 bytes
67 pkts/sec20064 bytes/sec
transmitted (in 51433.570 secs):
10653359 packets10552787020 bytes
40 pkts/sec205006 bytes/sec
1 minute input rate 419 pkts/sec, 59621 bytes/sec
1 minute output rate 480 pkts/sec, 533950 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 399 pkts/sec, 67618 bytes/sec
<--- More --->
5 minute output rate 482 pkts/sec, 511073 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/2:
received (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/3:
received (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
<--- More --->
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/4:
received (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/5:
received (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
<--- More --->
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/6:
received (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/7:
received (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51435.010 secs):
<--- More --->
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/0:
received (in 51435.510 secs):
18513901 packets11784250044 bytes
25 pkts/sec229023 bytes/sec
transmitted (in 51435.510 secs):
18207269 packets11641332179 bytes
19 pkts/sec226078 bytes/sec
1 minute input rate 891 pkts/sec, 595715 bytes/sec
1 minute output rate 863 pkts/sec, 588935 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 885 pkts/sec, 584035 bytes/sec
5 minute output rate 870 pkts/sec, 580393 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/1:
received (in 51436.010 secs):
18207323 packets11641364184 bytes
<--- More --->
19 pkts/sec226076 bytes/sec
transmitted (in 51436.010 secs):
18513954 packets11784281987 bytes
25 pkts/sec229022 bytes/sec
1 minute input rate 855 pkts/sec, 575808 bytes/sec
1 minute output rate 884 pkts/sec, 582339 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 869 pkts/sec, 578350 bytes/sec
5 minute output rate 883 pkts/sec, 581924 bytes/sec
5 minute drop rate, 0 pkts/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 17/s 6/s
TCP Conns 8/s 2/s
UDP Conns 7/s 2/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept 0/s 0/s
HTTP Fixup 0/s 0/s
<--- More --->
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show counters ------------------
Protocol Counter Value Context
IP IN_PKTS 168960 Summary
IP OUT_PKTS 169304 Summary
IP TO_ARP 61 Summary
------------------ show history ------------------
------------------ show firewall ------------------
Firewall mode: Transparent
------------------ show running-config ------------------
<--- More --->
: Saved
ASA Version 7.2(3)
firewall transparent
hostname ciscoasa
enable password
names
interface Vlan1
nameif inside
security-level 100
interface Vlan2
nameif outside
security-level 0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
<--- More --->
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd
regex domain1 ".facebook\.com"
regex domain2 ".fb\.com"
regex domain3 ".youtube\.com"
ftp mode passive
access-list ACL_IN extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
ip address 192.168.1.254 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
<--- More --->
arp timeout 14400
access-group ACL_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map type regex match-any DomainBlockList
match regex domain1
match regex domain2
match regex domain3
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
<--- More --->
message-length maximum 512
match domain-name regex class DomainBlockList
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:bb5115ea1d14ee42e7961ef0c9aaed86
: end
<--- More --->
------------------ show startup-config errors ------------------
INFO: No configuration errors
------------------ console logs ------------------
Message #1 : Message #2 : Message #3 : Message #4 : Message #5 : Message #6 : Message #7 : Message #8 : Message #9 : Message #10 : Message #11 : Message #12 : Message #13 : Message #14 :
Total SSMs found: 0
Message #15 :
Total NICs found: 10
Message #16 : 88E6095 rev 2 Gigabit Ethernet @ index 09Message #17 : MAC: 0000.0003.0002
Message #18 : 88E6095 rev 2 Ethernet @ index 08Message #19 : MAC: 001f.9ee8.ffa1
Message #20 : 88E6095 rev 2 Ethernet @ index 07Message #21 : MAC: 001f.9ee8.ffa0
Message #22 : 88E6095 rev 2 Ethernet @ index 06Message #23 : MAC: 001f.9ee8.ff9f
Message #24 : 88E6095 rev 2 Ethernet @ index 05Message #25 : MAC: 001f.9ee8.ff9e
Message #26 : 88E6095 rev 2 Ethernet @ index 04Message #27 : MAC: 001f.9ee8.ff9d
Message #28 : 88E6095 rev 2 Ethernet @ index 03Message #29 : MAC: 001f.9ee8.ff9c
Message #30 : 88E6095 rev 2 Ethernet @ index 02Message #31 : MAC: 001f.9ee8.ff9b
Message #32 : 88E6095 rev 2 Ethernet @ index 01Message #33 : MAC: 001f.9ee8.ff9a
Message #34 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 001f.9ee8.ffa2
Message #35 :
Licensed features for this platform:
Message #36 : Maximum Physical Interfaces : 8
<--- More --->
Message #37 : VLANs : 3, DMZ Restricted
Message #38 : Inside Hosts : Unlimited
Message #39 : Failover : Disabled
Message #40 : VPN-DES : Enabled
Message #41 : VPN-3DES-AES : Enabled
Message #42 : VPN Peers : 10
Message #43 : WebVPN Peers : 2
Message #44 : Dual ISPs : Disabled
Message #45 : VLAN Trunk Ports : 0
Message #46 :
This platform has a Base license.
Message #47 :
Message #48 : Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Message #49 : Boot microcode : CNlite-MC-Boot-Cisco-1.2
Message #50 : SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
Message #51 : IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
Message #52 : --------------------------------------------------------------------------
Message #53 : . .
Message #54 : | |
Message #55 : ||| |||
Message #56 : .|| ||. .|| ||.
Message #57 : .:||| | |||:..:||| | |||:.
Message #58 : C i s c o S y s t e m s
Message #59 : --------------------------------------------------------------------------
<--- More --->
Message #60 :
Cisco Adaptive Security Appliance Software Version 7.2(3)
Message #61 :
Message #62 : ****************************** Warning *******************************
Message #63 : This product contains cryptographic features and is
Message #64 : subject to United States and local country laws
Message #65 : governing, import, export, transfer, and use.
Message #66 : Delivery of Cisco cryptographic products does not
Message #67 : imply third-party authority to import, export,
Message #68 : distribute, or use encryption. Importers, exporters,
Message #69 : distributors and users are responsible for compliance
Message #70 : with U.S. and local country laws. By using this
Message #71 : product you agree to comply with applicable laws and
Message #72 : regulations. If you are unable to comply with U.S.
Message #73 : and local laws, return the enclosed items immediately.
Message #74 :
Message #75 : A summary of U.S. laws governing Cisco cryptographic
Message #76 : products may be found at:
Message #77 : http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
Message #78 :
Message #79 : If you require further assistance please contact us by
Message #80 : sending email to [email protected].
Message #81 : ******************************* Warning *******************************
Message #82 :
<--- More --->
Message #83 : Copyright (c) 1996-2007 by Cisco Systems, Inc.
Message #84 : Restricted Rights Legend
Message #85 : Use, duplication, or disclosure by the Government is
Message #86 : subject to restrictions as set forth in subparagraph
Message #87 : (c) of the Commercial Computer Software - Restricted
Message #88 : Rights clause at FAR sec. 52.227-19 and subparagraph
Message #89 : (c) (1) (ii) of the Rights in Technical Data and Computer
Message #90 : Software clause at DFARS sec. 252.227-7013.
Message #91 : Cisco Systems, Inc.
Message #92 : 170 West Tasman Drive
Message #93 : San Jose, California 95134-1706
ciscoasa# -
Connect Inside to Outside in ASA 5505
Hi there,
I have a test ASA 5505 with the setting below:
How can I connect to the internet (Vlan 1 to VLan 11)
TestASA5505# show run
: Saved
ASA Version 8.2(4)
hostname TestASA5505
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 11
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.99.1 255.255.255.0
interface Vlan11
nameif outside
security-level 0
ip address 192.168.1.4 255.255.255.0
boot system disk0:/asa824-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 255.255.255.255 192.168.1.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.99.3-192.168.99.30 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5
webvpn
username admin password S1xyD1w.ZbjUT1yX encrypted privilege 15
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:096682b0996d6a1cad76597c01ffe5e2
: end
TestASA5505#
Thank you in Advance for your timeHi,
What device is in front of the ASA?
Is there some ADSL modem doing NAT and providing Internet connection or something?
One obvious problem in the above configuration is the route
route outside 0.0.0.0 255.255.255.255 192.168.1.4 1
Its not actually even a default route and furthermore its pointing to the ASA itself
It should be something like this
route outside 0.0.0.0 0.0.0.0 192.168.1.x
Where the 192.168.1.x is the IP of the device providing the Internet connectivity to the ASA (Since ASA "outside" interface is using private IP address range)
If there ASA doesnt need to do any NAT then you could also add this
access-list INSIDE-NAT0 permit ip 192.168.99.0 255.255.255.0 any
nat (inside) 0 access-list INSIDE-NAT0
Also your DHCP configurations dont have any DNS servers defined.
dhcpd dns
- Jouni -
Cisco ASA 5505 AnyConnect SSL VPN problem
Hi!
I have a small network, wiht ASA 5505, 8.4:
Inside network: 192.168.2.0/24
Outside: Static IP
I would like to deploy a SSL AnyConnect setup.
The state:
-I give the correct IP from my predefined VPN pool (10.10.10.0/24).
But, could not reach any resource, could not ping too. My host has given 10.10.10.1 IP, and I had a GW: 10.10.10.2. Where is this GW from?
Could you help me?
Here is my config (I omitted my PUBLIC IP, and GW):
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname valamiASA
domain-name valami.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address MY_STATIC_IP 255.255.255.248
interface Vlan12
description Vendegeknek a valamiHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
management-only
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name valami.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool valami_vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 MY_STATIC_GW 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_valami_VPN internal
group-policy GroupPolicy_valami_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value valami.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group valami_VPN type remote-access
tunnel-group valami_VPN general-attributes
address-pool valami_vpn_pool
default-group-policy GroupPolicy_valami_VPN
tunnel-group valami_VPN webvpn-attributes
group-alias valami_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d54de340bb6794d90a9ee52c69044753
: endFirst of all thanks your link.
I know your notes, but i don't understand 1 thing:
if i check nat exemption in the anyconnect wizad, why should i make nat exemption rule?
A tried creating a roule, but it is wrong.
My steps (on ASDM):
1: create network object (10.10.10.0/24), named VPN
2: create nat rule: source any, destination VPN, protocol any
Here is my config:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname companyASA
domain-name company.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address 77.111.103.106 255.255.255.248
interface Vlan12
description Vendegeknek a companyHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name company.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object network WEBSHOP
host 192.168.2.2
object network INSIDE_HOST
host 10.100.130.5
object network VOIP_management
host 192.168.2.215
object network Dev_1
host 192.168.2.2
object network Dev_2
host 192.168.2.2
object network RDP
host 192.168.2.2
object network Mediasa
host 192.168.2.17
object network VOIP_ePhone
host 192.168.2.215
object network NETWORK_OBJ_192.168.4.0_28
subnet 192.168.4.0 255.255.255.240
object network NETWORK_OBJ_10.10.10.8_29
subnet 10.10.10.8 255.255.255.248
object network VPN
subnet 10.10.10.0 255.255.255.0
object network VPN-internet
subnet 10.10.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool company_vpn_pool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (any,any) source static any any destination static VPN VPN
nat (inside,outside) source static inside-net inside-net destination static VPN VPN
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 77.111.103.105 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_company_VPN internal
group-policy GroupPolicy_company_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelall
default-domain value company.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server none
dns-server value 62.112.192.4 195.70.35.66
vpn-tunnel-protocol ssl-client
default-domain value company.local
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group company_VPN type remote-access
tunnel-group company_VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_company_VPN
tunnel-group company_VPN webvpn-attributes
group-alias company_VPN enable
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:33ee37a3722f228f9be9b84ef43f731e
: end
Could you give me a CLI-code?
(or ASDM steps). -
Cisco asa 5505 with Router 881w Configuration Help
Hello all,
I'm having trouble setting up a second vlan to route to the internet. I have a Cisco ASA 5505 connected to my ISP(OUTSIDE) and a Cisco 881w (INSIDE) router in the back of my firewall. My vlan 10 with the network 192.168.5.1 255.255.255.0 works with pat, however vlan 15 that is on my 881w router does not route to the internet at all. I can only ping from 192.168.15.15 network to 192.168.5.1 I would like some advice on how can I make this set up work. Attached with this discussion is a picture of my topology.
Thanks in advance.
here are the show runs:
Cisco ASA 5505 show run:
ASA Version 8.3(1)
names
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan5
mac-address xxxx.xxxx.xxxx
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface Vlan10
nameif INSIDE
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 5
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network INTERNAL_LAN
subnet 192.168.5.0 255.255.255.0
object network PRIVATE_LAN_192
subnet 192.168.15.0 255.255.255.224
description PRIVATE_LAN_192
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended deny ip any any
pager lines 24
logging enable
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INTERNAL_LAN
nat (INSIDE,OUTSIDE) dynamic interface
object network PRIVATE_LAN_192
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
dhcpd dns 8.8.8.8 75.75.76.76
dhcpd address 192.168.5.10-192.168.5.100 INSIDE
dhcpd enable INSIDE
Router 881w show run:
Current configuration : 4912 bytes
version 12.4
no ip source-route
ip dhcp excluded-address 192.168.15.1 192.168.15.10
ip dhcp pool PRIVATE_LAN
network 192.168.15.0 255.255.255.224
interface FastEthernet0
switchport trunk allowed vlan 1,15,1002-1005
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
interface Vlan15
ip address 192.168.15.1 255.255.255.224
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
ip http authentication local
ip http secure-serverThe cable modem does not have any configuration. I cant add any to it. Its a cisco dpc3008. From vlan 10 i have no problem to get to the internet with the above configuration. My problem is just vlan 15.
-
Can't Access Internal Servers From Behind An ASA 5505
Hi all.
I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. https://citrixdr.xxx.co.uk) I do not arrive at the splash page, I just get a message saying that the server took too long to respond in the web browser. I'm wondering whether I have missed something on the configuraiton or the firewall itself is not letting my requests through.
The remote servers are located at a remote Disaster Recovery site and use the subnet 192.168.4.0/24. I am at head office which is connected to the DR site via a VPN using 192.168.1.0/24.
My running configuration is below, if anyone could have a browse through it it would be much appreciated.
LM-DR-ASA5505# show run
: Saved
ASA Version 8.2(5)
hostname xxx
domain-name xxx.local
enable password 9tc.bMMQOdcEzWlK encrypted
passwd zh5kKKD1zRf47kwr encrypted
names
name 216.82.240.0 MLT1
name 67.219.240.0 MLT2
name 85.158.136.0 MLT3
name 95.131.104.0 MLT4
name 46.226.48.0 MLT5
name 117.120.16.0 MLT6
name 193.109.254.0 MLT7
name 194.106.220.0 MLT8
name 195.245.230.0 MLT9
name 103.3.96.0 MLT10
name xxx.xxx.xxx.xxx citrixdr.xxx.co.uk
name xxx.xxx.xxx.xxx maildr.xxx.co.uk
name xxx.xxx.xxx.xxx webmaildr.xxx.co.uk
name 192.168.4.23 LON-EXCH-03
name 192.168.4.30 Citrix-Access-Gateway
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.4.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM-INLINE-SERVICE
service-object icmp
service-object tcp eq www
service-object tcp eq https
object-group network VPN-REMOTE
network-object 192.168.1.0 255.255.255.0
object-group protocol PROTOCOL-LIST
protocol-object ip
protocol-object icmp
protocol-object pim
protocol-object pcp
protocol-object snp
protocol-object udp
protocol-object igmp
protocol-object ipinip
protocol-object gre
protocol-object esp
protocol-object ah
protocol-object tcp
protocol-object eigrp
protocol-object ospf
protocol-object igrp
protocol-object nos
object-group service DM-INLINE-TCP-1 tcp
port-object eq https
port-object eq smtp
object-group service DM-INLINE-TCP-2 tcp
port-object eq www
port-object eq https
object-group network MESSAGE-LABS-TOWERS
network-object MLT1 255.255.240.0
network-object MLT2 255.255.240.0
network-object MLT3 255.255.248.0
network-object MLT4 255.255.248.0
network-object MLT5 255.255.248.0
network-object MLT6 255.255.248.0
network-object MLT7 255.255.254.0
network-object MLT8 255.255.254.0
network-object MLT9 255.255.254.0
network-object MLT10 255.255.252.0
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-access-in extended permit ip any any
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 any
access-list inside-access-in extended permit icmp any any
access-list outside-access-in extended permit object-group DM-INLINE-SERVICE any any
access-list outside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit tcp any host webmaildr.xxx.co.uk object-group DM-INLINE-TCP-2
access-list outside-access-in extended permit tcp any host maildr.xxx.co.uk object-group DM-INLINE-TCP-1
access-list outside-access-in extended permit tcp any host citrixdr.xxx.co.uk eq https
access-list outside-access-in extended permit tcp object-group MESSAGE-LABS-TOWERS host LON-EXCH-03 eq smtp
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list testcap extended permit icmp host 192.168.1.11 host 192.168.4.1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside-nat0-outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp citrixdr.xxx.co.uk https Citrix-Access-Gateway https netmask 255.255.255.255
static (inside,outside) tcp maildr.xxx.co.uk smtp LON-EXCH-03 smtp netmask 255.255.255.255
static (inside,outside) tcp webmaildr.xxx.co.uk https LON-EXCH-03 https netmask 255.255.255.255
access-group inside-access-in in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 outside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-map 1 match address outside-1-cryptomap
crypto map outside-map 1 set peer xxx.xxx.xxx.xxx
crypto map outside-map 1 set transform-set ESP-3DES-SHA
crypto map outside-map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.4.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxx password LUZB8j2zj03xvSeF encrypted
username xxx password RxEDmrZ7KCRzPu4T encrypted
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
class-map inspection_default
policy-map global_policy
class inspection_default
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:61e54b16fb87f1e6fa3b8d520e87ddc0
: endHi Jouni, thanks for your response.
Turns out that the Citrix Access Gateway wasn't set up until yesterday evening and by then I had stopped trying for the day. It is now set up and external access is available.
Further to this, my colleague forgot to inform me of the change of I.P. address of the Exchange server. This meant that Webmail requests were pointing to an I.P. address that didn't exist.
I have reconfigured the firewall this morning and external access for Webmail is also working correctly. -
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
IP scheme at SIte A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Ciscso 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: endI have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
on the router I have also added;
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my acl :
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping tothe other site. -
DNS Server problems with ASA 5505
Hi guys,
we setup a new ASA 5505 which is mainly used as our VPN gateway. The ASA is configured and controlled by our ISP (and this is where the problem starts )) and they somehow cannot manage to get the VPN settings really working.
So, here is our problem.
our machines(Windows 7) are configured to get the network settings through DHCP (Windows 2012 Server).
Before I connect with AnyConnect to our VPN gateway, the DNS Server setting in the network settings for the adapters(IPv4) are set to 'dynamic'
When I now connect, this setting is changes to a statc entry (which is our DNS server).
When disconnecting, it is not reverted back, which means I have to do this always manually.
What I do not understand is the fact, that the DNS server is set for all the adapters, shouldtn't it be only set to the anyconnect adapter?.
The interesting thing is, that when I connect to a different ASA, this does not happen. The ISP is now saying, that the machines are configured exactly the same and that they cannot reproduce, but I can't believe this.
This issue shows up at every machine which connects to our vpn, so it is not only a single machine which might be misconfigured.
Do you have any idea what might cause this issue?
btw, the second ASA (which works) is from our partner company, so we cannot simply copy the config
THanks in advance
PatrickNice to see someone from BT has addressed your issue
I have this exact same problem, seems completely bizarre, I'm pretty sure I had the same problem with the original home hub (i have the latest one now). Can you confirm whether the problem does affect anyone with a bt home hub and not just the one that the dyndns is pointing at? I'll try and confirm by hitting your domain from my home connection. -
Hello everyone,
First off, I apologize if this is something that I can google. My knowledge of network administration is all self-taught so if there is a guide to follow that I've missed please point me in the right direction, its often hard to Google terms for troubleshooting when your jargon isn't up to snuff.
The chief issue is that when pinging internal devices while connected to the results are very inconsistent.
Pinging 192.168.15.102 with 32 bytes of data:
Reply from 192.168.15.102: bytes=32 time=112ms TTL=128
Request timed out.
Request timed out.
Request timed out.
We've set up a IPSec VPN connection to a remote Cisco ASA 5505. There are no issues connecting, connection seems constant, packets good etc. At this point I can only assume I have configuration issues but I've been looking at this for so long, and coupled with my inexperience configuring these settings I have no clue where to start. My initial thoughts are that the LAN devices I am pinging are not sending their response back or the ASA doesn't know how to route packets back?
Here's a dump of the configuration:
Result of the command: "show config"
: Saved
: Written by enable_15 at 12:40:06.114 CDT Mon Sep 9 2013
ASA Version 8.2(5)
hostname VPN_Test
enable password D37rIydCZ/bnf1uj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.15.0 internal-network
ddns update method DDNS_Update
ddns both
interval maximum 0 4 0 0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description VLAN to inside hosts
nameif inside
security-level 100
ddns update hostname 0.0.0.0
ddns update DDNS_Update
dhcp client update dns server both
ip address 192.168.15.1 255.255.255.0
interface Vlan2
description External VLAN to internet
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
name-server 216.221.96.37
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny icmp interface outside interface inside
access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
access-list Remote_splitTunnelAcl standard permit internal-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.15.192 255.255.255.192
access-list inside_access_in remark Block Internet Traffic
access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
access-list inside_access_in remark Block Internet Traffic
access-list inside_access_in extended permit ip interface inside interface inside
access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192
access-list inside_access_in remark Block Internet Traffic
access-list inside_nat0_outbound_1 extended permit ip 192.168.15.192 255.255.255.192 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.15.192 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http internal-network 255.255.255.0 inside
http yy.yy.yy.yy 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.15.200-192.168.15.250 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.15.101 source inside
ntp server 192.168.15.100 source inside prefer
webvpn
group-policy Remote internal
group-policy Remote attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote_splitTunnelAcl
username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0
username StockUser attributes
vpn-group-policy Remote
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
address-pool VPN_IP_Pool
default-group-policy Remote
tunnel-group Remote ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3Hi Graham,
My first question is do you have a site to site VPN or Remote access client VPN.
After checking your configuration i see that you do not have any Site to SIte VPN configuration so i am assuming that you ara facing issue with the VPN client.
And if i understood correctly you are able to connect the VPN client but you not able to access the internal resources properly.
I would recommend you to tey and make teh following changes.
Remove the following configuration first:
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.15.192 255.255.255.192
You do not need the 1st one and i do not understand the reason of the second one
Second one is your pool IP subnet (192.168.15.200-192.168.15.250) and i am not sure why you have added this NAT.
If possible change your Pool subnet all together because we do not recommend to use th POOL ip which is simlar to your local LAN.
Try the above changes and let me know in case if you have any issue.
Thanks
Jeet Kumar -
ASA 5505, error in Access Rule
Hello.
Tha ASA 5505 is working, but I try to allow http and https from internet to a server running 2012 Essentials. The server has the internal IP 192.168.0.100. I have created an Object called SERVER with IP 192.168.0.100
The outside Interface is called ICE
I have configured NAT:
I have also configured Access Rules:
But when I test it With the Packet Tracer I get an error:
Whats wrong With the Access Rule?
I do prefer the ASDM :)
Best regards AndreasHello Jeevak.
This is the running config (Vlan 13 (Interface ICE) is the one in use:
domain-name DOMAIN.local
names
name 192.168.0.150 Server1 description SBS 2003 Server
name 192.168.10.10 IP_ICE
name x.x.x.0 outside-network
name x.x.x.7 IP_outside
name 192.168.0.100 SERVER description Hovedserver
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
description Direct Connect
backup interface Vlan13
nameif outside
security-level 0
pppoe client vpdn group PPPoE_DirectConnect
ip address pppoe
interface Vlan3
description Gjestenettet
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
interface Vlan13
description Backupnett ICE
nameif ICE
security-level 0
ip address IP_ICE 255.255.255.0
interface Vlan23
description
nameif USER
security-level 50
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 13
interface Ethernet0/2
switchport access vlan 23
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup dmz
dns server-group DefaultDNS
domain-name DOMAIN.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host IP_outside eq https
access-list outside_access_in extended permit tcp any host IP_outside eq www
access-list outside_access_in extended permit icmp any host IP_outside echo-reply
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list outside_access_in remark For RWW
access-list DOMAINVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list ICE_access_in extended permit tcp any host IP_ICE eq https
access-list ICE_access_in extended permit tcp any host IP_ICE eq www
access-list ICE_access_in extended permit icmp any host IP_ICE echo-reply
access-list ICE_access_in remark For RWW
access-list ICE_access_in remark For RWW
access-list USER_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu ICE 1500
mtu USER 1500
ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface ICE
monitor-interface USER
icmp unreachable rate-limit 1 burst-size 1
icmp permit outside-network 255.255.255.0 outside
icmp permit 192.168.10.0 255.255.255.0 ICE
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (ICE) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.0.0 255.255.255.0
nat (USER) 1 10.1.1.0 255.255.255.0
static (inside,ICE) tcp interface www SERVER www netmask 255.255.255.255
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
static (inside,ICE) tcp interface https SERVER https netmask 255.255.255.255
static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group ICE_access_in in interface ICE
access-group USER_access_in in interface USER
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1 track 123
route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho x.x.x.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 123 rtr 1 reachability
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 10.0.0.10-10.0.0.39 dmz
dhcpd dns y.y.y.2 z.z.z.z interface dmz
dhcpd lease 6000 interface dmz
dhcpd enable dmz
dhcpd address 10.1.1.100-10.1.1.120 USER
dhcpd dns y.y.y.2 z.z.z.z interface USER
dhcpd lease 6000 interface USER
dhcpd domain USER interface USER
dhcpd enable USER
ntp server 64.0.0.2 source outside
group-policy DOMAIN_VPN internal
group-policy DOMAIN_VPN attributes
dns-server value 192.168.0.150
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl
default-domain value DOMAIN.local
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map P2P
match port tcp eq www
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
match request uri regex _default_msn-messenger
drop-connection log
match request uri regex _default_gnu-http-tunnel_arg
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context
: end
asdm image disk0:/asdm-524.bin
asdm location Server1 255.255.255.255 inside
asdm location IP_ICE 255.255.255.255 inside
asdm location outside-network 255.255.255.0 inside
asdm location SERVER 255.255.255.255 inside
no asdm history enable
What is wrong? Everything Works well except port forwarding.
Andreas -
ASA 5505 Failed to unzip the Anyconenct Package
There is ASA 5505:
- 8.4(2) IOS
- FLASH: 128 Mb
- DRAM: 256 Mb
Requirements for 8.4(2) are acomplished:
For the ASA 5505, only the Unlimited Hosts license and the Security Plus license with failover enabled require 512 MB; other licenses can use 256 MB.
Are installed latest AnyConnect packeges for linux, some smatphones (each 4-5 MB). But for Windoes it's 21 MB and we got error "Failed to unzip the Anyconenct Package". In prior IOS version there was command cache-fs limit, by default it was 20 Mb. As i understand ASA now dinamically determines amount of cache memory and it's not enough.
Because of the increased size of the AnyConnect package from 4MB in AnyConnect 2.5 to 21 MB in AnyConnect 3.0, you may need to upgrade the ASA flash and memory card first.
If your ASA has only the default internal flash memory size or the default DRAM size (for cache memory) you could have problems storing and loading multiple AnyConnect client packages on the ASA. Even if you have enough space on the flash to hold the package files, the ASA could run out of cache memory when it unzips and loads the client images.
So there is a question, after DRAM upgrade to 512 MB will be there enough cache memory for Anyconnect packeges with total size 35-40 Mb?I have having the same issue on an ASA-5510 with 256MB DRAM 256MB Flash. I do not have this issue on an ASA-5550 with 4GB DRAM 256MB Flash, so I'm guessing the issue is with the memory size.
Also, from: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html
Flash and DRAM Requirements for Upgrade
Check for the space available before proceeding with the AnyConnect 3.0 upgrade. You can use one of the following methods to do so:
•CLI—Enter the show memory command.
asa3# show memory
Free memory: 304701712 bytes (57%)
Used memory: 232169200 bytes (43%)
Total memory: 536870912 bytes (100%)
•ASDM—Choose Tools > File Management. The File Management window displays flash space.
Because of the increased size of the AnyConnect package from 4MB in AnyConnect 2.5 to 21 MB in AnyConnect 3.0, you may need to upgrade the ASA flash and memory card first.
Caution The minimum flash memory required is 128MB for an ASA 5505; however, we strongly recommend 256 or preferably 512 MB. To support multiple endpoint operating systems and enable logging and debugging on the ASA, you will most likely need 512 MB of flash memory.
If your ASA has only the default internal flash memory size or the default DRAM size (for cache memory) you could have problems storing and loading multiple AnyConnect client packages on the ASA. Even if you have enough space on the flash to hold the package files, the ASA could run out of cache memory when it unzips and loads the client images. For internal memory requirements for each ASA model, see Memory Requirements for the Cisco ASA Adaptive Security Appliances Software Version 8.3 and Later. For additional information about the ASA memory requirements and upgrading ASA memory, see the latest release notes for the Cisco ASA 5500 series. -
ASA 5505 -Can I use outside dynamic IP for webserver DMZ?
SETUP
ASA 5505
ASA Version 9.1(2)
ASDM Version 7.1(3)
I have basic license, using only three vlans (outside, inside, DMZ).
QUESTION:
I want to find a way (if possible) to use the single DYNAMIC IP (dhcp'd from ISP) on the "outside" interface, as a means to setup a web-server on the DMZ? I just want to allow my WHS-2011 (server) to talk to microsoft's free DDNS service where my domain name is hosted (ports 80,443,4125).
So far, every setup option I have tried does not make it past the implicit deny acl's (on the outside interface) to the web-server (DMZ).
I understand that the VLAN1 (inside) had to be disabled. I understand that objects now replace some of the older NAT'd components.
CONFIG:
object network webserver-external-ip
host <X.X.X.X>
! I had set this to match my ISP DHCP address
object network webserver
host 172.16.0.2
nat (DMZ,outside) static webserver-external-ip service tcp www www
nat (DMZ,outside) static webserver-external-ip service tcp 443 443
nat (DMZ,outside) static webserver-external-ip service tcp 4125 4125
access-list outside_acl extended permit tcp any object webserver eq www
access-list outside_acl_https extended permit tcp any object webserver eq 443
access-list outside_acl_rww extended permit tcp any object webserver eq 4125
access-group outside_acl in interface outside
access-group outside_acl_https in interface outside
access-group outside_acl_rww in interface outside
! added the dns statements below because the cisco doc (below) says it's required or dmz traffic can't get out despite default rule allowing it to do so.
! (ctrl-F) ... "all traffic would be blocked from the dmz to hosts on the internet"
! http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bf150c.shtml
object network dns-server
host 8.8.8.8
exit
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended permit ip any any
access-group dmz_acl in interface DMZ
SUMMARY:
I just want to allow my WHS-2011 (server) to talk to microsoft's free DDNS service where my domain name is hosted (ports 80,443,4125).
I want to find a way (if possible) to use the single DYNAMIC IP (dhcp'd from ISP) on the "outside" interface, as a means to setup a web-server on the DMZ?
Other:
As an interim alternative, I have been able to setup & connect to the ASA using clientless vpn (web-ssl), and from there getting over to my WHS2011 server...-but the problem is, I have no way of knowing, or updating my DDNS once that IP changes since the ASA keeps blocking the return traffic to theh outside interface. My only assumption is that becasue I am using a single dynamic IP (outside interface) that it has nothing to re-direct the traffic to....???
Thank You for any help you can provide!!
k/rHi,
I cant really help with the DDNS portion but I would imagine you already have that sorted out.
The ASA configurations however seem a bit off to me.
Here is what you should configure
STATIC PAT TO HOST SERVICES
There are some changes that need to be done to both ACL and NAT configurations. First of the NAT configurations for each port require their own "object network" to be configured.
Also since you are using a DHCP address from the ISP to act as the NAT address then you can use the keyword/parameter "interface" in the actual "nat" command. This basically tells the ASA that it should use whatever IP address is currently on the "outside" interface of the ASA. So you wont have to configure any separate "object network" for the public IP address every time it changes.
Also, with regards to the ACL configurations. You should only configure one ACL per interface in the "in" direction. So all the rules you need to configure for traffic inbound from the Internet need to be in the same ACL that you then attach to the "outside" interface with the command "access-group"
object network WEBSERVER-TCP80
host 172.16.0.2
nat (DMZ,outside) static interface service tcp www www
object network WEBSERVER-TCP443
host 172.16.0.2
nat (DMZ,outside) static interface service tcp 443 443
object network WEBSERVER-TCP4125
host 172.16.0.2
nat (DMZ,outside) static interface service tcp 4125 4125
access-list outside_acl extended permit tcp any object WEBSERVER-TCP80 eq www
access-list outside_acl extended permit tcp any object WEBSERVER-TCP443 eq https
access-list outside_acl extended permit tcp any object WEBSERVER-TCP4125 eq 4125
access-group outside_acl in interface outside
DYNAMIC PAT FOR LANs and DMZs
The above NAT configurations only handles the NAT for situations where the remote hosts on the Internet contact your DMZ server.
If you want to configure Dynamic PAT for all your LAN and DMZ users which basically enable them to use the "outside" interface public IP address for Internet traffic, then you could configure this single "nat" configuration
nat (any,outside) after-auto source dynamic any interface
This would enable Dynamic PAT for all users behind the ASA
I am not sure if you will run into problems since you are using a single public IP address and trying to forward TCP/443. This port is both used for SSL VPN and ASDM management of the ASA.
If you want to change the default port of the ASDM management you can use this command
http server enable
If you want to change the default port of SSL VPN you can use these commands
webvpn
port
Naturally before doing either of the above changes, make sure that you are not relying to them for management purposes if something was to go wrong. If you have SSH management access to the ASA then it should naturally be ok.
I am not sure if all of the above are enough to get your setup working but it should be the basics. Naturally if there is still problems after the above suggestions it might be helpfull to see the current ASA configurations. For example NAT might not work if the ordering of NAT rules is wrong even though the actual configurations are otherwise valid.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
Internet connexion problem for remote site in Site to site VPN asa 5505
Hi all
I'm configuring a site to site Ipsec VPN in 2 sites using ASA 5505 V 8.2, The VPN is working fine i can ping machine in the 2 sides but the problem is the remote site dont' have internet.
The architecture is, we 2 site Site1 is the main site and Site2 is secondary site there will be Site3, ...
The internet connection is based in Site1 and site2 and site 3 will have internet connection through Site1. Site1, Site2 and Site 3 is interconnected by Ipsec VPN.
Here is my ASA 5505 Configuration :
SITE 1:
ASA Version 8.2(5)
hostname test-malabo
domain-name test.mg
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd ta.qizy4R//ChqQH encrypted
names
interface Ethernet0/0
description "Sortie Internet"
switchport access vlan 2
interface Ethernet0/1
description "Interconnexion"
switchport access vlan 171
interface Ethernet0/2
description "management"
switchport access vlan 10
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 41.79.49.42 255.255.255.192
interface Vlan10
nameif mgmt
security-level 0
ip address 10.12.1.100 255.255.0.0
interface Vlan171
nameif interco
security-level 0
ip address 10.22.19.254 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name test.mg
object-group network LAN-MALABO
description LAN DE MALABO
network-object 192.168.1.0 255.255.255.0
object-group network LAN-BATA
description LAN DE BATA
network-object 192.168.2.0 255.255.255.0
object-group network LAN-LUBA
description LAN DE LUBA
network-object 192.168.3.0 255.255.255.0
access-list interco_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
mtu interco 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any interco
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (interco) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 41.79.49.1 1
route interco 192.168.3.0 255.255.255.0 10.22.19.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map interco_map0 1 match address interco_1_cryptomap
crypto map interco_map0 1 set pfs group1
crypto map interco_map0 1 set peer 10.22.19.5
crypto map interco_map0 1 set transform-set ESP-3DES-SHA
crypto map interco_map0 interface interco
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable interco
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.12.0.0 255.255.0.0 mgmt
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.12.0.0 255.255.0.0 mgmt
ssh timeout 30
console timeout 0
management-access interco
dhcpd option 3 ip 192.168.1.1
dhcpd address 192.168.1.100-192.168.1.254 inside
dhcpd dns 41.79.48.66 8.8.8.8 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
tunnel-group 10.22.19.5 type ipsec-l2l
tunnel-group 10.22.19.5 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 60 retry 5
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect snmp
inspect icmp
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5aa0d27f15e49ea597c8097cfdb755b8
: end
SITE2:
ASA Version 8.2(5)
hostname test-luba
domain-name test.eg
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
description "Sortie Interco-Internet"
switchport access vlan 2
interface Ethernet0/1
description "management"
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.22.19.5 255.255.255.0
interface Vlan10
nameif mgmt
security-level 0
ip address 10.12.1.101 255.255.0.0
ftp mode passive
dns server-group DefaultDNS
domain-name test.eg
object-group network LAN-MALABO
description LAN DE MALABO
network-object 192.168.1.0 255.255.255.0
object-group network LAN-BATA
description LAN DE BATA
network-object 192.168.2.0 255.255.255.0
object-group network LAN-LUBA
description LAN DE LUBA
network-object 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 10.22.19.254 1
route outside 192.168.1.0 255.255.255.0 10.22.19.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs group1
crypto map outside_map0 1 set peer 10.22.19.254
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.12.0.0 255.255.0.0 mgmt
telnet timeout 30
ssh 192.168.3.0 255.255.255.0 inside
ssh 10.12.0.0 255.255.0.0 mgmt
ssh timeout 30
console timeout 0
management-access outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
tunnel-group 10.22.19.254 type ipsec-l2l
tunnel-group 10.22.19.254 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 60 retry 5
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:185bd689118ba24f9a0ef2f7e80494f6
Can anybody help why my remote site can't connect to Internet.
REgards,
RaitsarevoHi Carv,
Thanks for your reply. i have done finally
i used no crypto ipsec nat-transparency udp-encapsulation in my end router only.
and in remote access VPN i have enabled UDP for client configuration. the most imprtant is i have given IP add of same LAN pool to VPN user,
Regards,
Satya.M -
ASA 5505 ver 8.4 DMZ to Outside not working
I have an ASA 5505 ver 8.4. The configuration is provided below. My INSIDE hosts are able to get to the internet via the Outside interface. The DHCP for my INSIDE hosts are handled by my L3 3560 switch. My DMZ hosts DHCP is handled by the ASA 5505. I've included packet-tracer results for both from the DMZ to the Outside address (DNS server) and a return packet tracer from the Outside interface to the DMZ host address. I see that the return is failing, however everything I have tried so far hasn't worked. Thank you in advance for any assistance.
***************************************8
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password (removed)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Generic_All_Network interface
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
: end
Packet Tracer from DMZ to Outside
mxfw# packet-tracer input dmz icmp 172.26.20.22 8 0 208.67.222.222 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac5bdb90, priority=0, domain=inspect-ip-options, deny=true
hits=22, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=dmz, output_ifc=any
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacff7ee0, priority=70, domain=inspect-icmp, deny=false
hits=8, user_data=0xad253a68, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=dmz, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac5bd768, priority=66, domain=inspect-icmp-error, deny=false
hits=8, user_data=0xac5bcd80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=dmz, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dmz,outside) source dynamic Generic_All_Network interface
Additional Information:
Dynamic translate 172.26.20.22/0 to 192.168.1.231/23136
Forward Flow based lookup yields rule:
in id=0xac63c0e8, priority=6, domain=nat, deny=false
hits=7, user_data=0xac6209f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=dmz, output_ifc=outside
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac578bf0, priority=0, domain=inspect-ip-options, deny=true
hits=7510, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7561, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Packet Tracer for return from Outside:
mxfw(config)# packet-tracer input outside icmp 207.67.222.222 0 0 172.26.20.22$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.26.20.0 255.255.255.0 dmz
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacea45d8, priority=11, domain=permit, deny=true
hits=0, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Settings of PC and PING & tracert results
C:\Users>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : MXW8DT01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Wireless LAN adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 68-94-23-20-FA-C5
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Ralink RT5390R 802.11bgn Wi-Fi Adapter
Physical Address. . . . . . . . . : 68-94-23-20-FA-C3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 08-9E-01-3D-64-39
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.26.20.22(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, October 6, 2013 3:28:48 PM
Lease Expires . . . . . . . . . . : Sunday, October 6, 2013 4:28:48 PM
Default Gateway . . . . . . . . . : 172.26.20.1
DHCP Server . . . . . . . . . . . : 172.26.20.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
208.67.220.220
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{9B004C7D-7A34-4A9C-BEDB-5212A582FAB1}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3497:208a:53e5:ebe9(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::3497:208a:53e5:ebe9%16(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
C:\Users>ping 208.67.222.222
Pinging 208.67.222.222 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 208.67.222.222:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users>tracert 208.67.222.222
Tracing route to 208.67.222.222 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 172.26.20.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.Naveen & Julio,
The version is below along with the captures. The show cap asp | include 208.67.222.222 is fairly long.
Thank you again for your assistance.
Jerry
mxfw(config)# sho ver
Cisco Adaptive Security Appliance Software Version 8.4(4)
Device Manager Version 6.4(9)
Compiled on Mon 21-May-12 10:48 by builders
System image file is "disk0:/asa844-k8.bin"
Config file at boot was "startup-config"
mxfw up 23 hours 47 mins
Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 32768MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 2c54.2df4.9c93, irq 11
1: Ext: Ethernet0/0 : address is 2c54.2df4.9c8b, irq 255
2: Ext: Ethernet0/1 : address is 2c54.2df4.9c8c, irq 255
3: Ext: Ethernet0/2 : address is 2c54.2df4.9c8d, irq 255
4: Ext: Ethernet0/3 : address is 2c54.2df4.9c8e, irq 255
5: Ext: Ethernet0/4 : address is 2c54.2df4.9c8f, irq 255
6: Ext: Ethernet0/5 : address is 2c54.2df4.9c90, irq 255
7: Ext: Ethernet0/6 : address is 2c54.2df4.9c91, irq 255
8: Ext: Ethernet0/7 : address is 2c54.2df4.9c92, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 24 perpetual
Total UC Proxy Sessions : 24 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Serial Number: JMX1617Z2B0
Running Permanent Activation Key: 0x112dd960 0x68ba556a 0x9160b8f4 0xc4f49064 0x822ae087
Configuration register is 0x1
mxfw(config)# sho cap asp | include 208.67.222.222
1: 08:14:03.444953 802.1Q vlan#2 P0 192.168.60.20.50815 > 208.67.222.222.53: udp 38
4: 08:14:04.613920 802.1Q vlan#2 P0 192.168.60.20.49379 > 208.67.222.222.53: udp 36 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
9: 08:14:05.456168 802.1Q vlan#2 P0 192.168.60.20.50815 > 208.67.222.222.53: udp 38 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
19: 08:14:07.874283 802.1Q vlan#2 P0 192.168.60.20.52778 > 208.67.222.222.53: udp 39 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
26: 08:14:09.464407 802.1Q vlan#2 P0 192.168.60.20.50815 > 208.67.222.222.53: udp 38 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
31: 08:14:09.885559 802.1Q vlan#2 P0 192.168.60.20.52778 > 208.67.222.222.53: udp 39 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
36: 08:14:11.228427 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36
37: 08:14:12.240847 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
38: 08:14:13.254533 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
44: 08:14:13.893889 802.1Q vlan#2 P0 192.168.60.20.52778 > 208.67.222.222.53: udp 39 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
51: 08:14:15.266374 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36
63: 08:14:19.274750 802.1Q vlan#2 P0 192.168.60.20.57817 > 208.67.222.222.53: udp 36
68: 08:14:20.509312 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
69: 08:14:21.520816 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
70: 08:14:22.534548 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
76: 08:14:24.547228 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
83: 08:14:28.554826 802.1Q vlan#2 P0 192.168.60.20.50543 > 208.67.222.222.53: udp 39
89: 08:14:29.803150 802.1Q vlan#2 P0 192.168.60.20.54948 > 208.67.222.222.53: udp 38
91: 08:14:31.816089 802.1Q vlan#2 P0 192.168.60.20.54948 > 208.67.222.222.53: udp 38
102: 08:14:35.822894 802.1Q vlan#2 P0 192.168.60.20.54948 > 208.67.222.222.53: udp 38
116: 08:14:42.885604 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
118: 08:14:43.883926 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
123: 08:14:44.884491 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
127: 08:14:46.884521 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
133: 08:14:48.882721 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
135: 08:14:49.881942 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
138: 08:14:50.882858 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
140: 08:14:50.885620 802.1Q vlan#2 P0 192.168.60.20.62505 > 208.67.222.222.53: udp 34
145: 08:14:52.883590 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
149: 08:14:53.983790 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
151: 08:14:54.982981 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
156: 08:14:55.982844 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
161: 08:14:56.884811 802.1Q vlan#2 P0 192.168.60.20.52421 > 208.67.222.222.53: udp 34
180: 08:14:57.983408 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
197: 08:14:59.441017 802.1Q vlan#2 P0 192.168.60.20.55495 > 208.67.222.222.53: udp 34
198: 08:14:59.441764 802.1Q vlan#2 P0 192.168.60.20.52091 > 208.67.222.222.53: udp 42
199: 08:14:59.442756 802.1Q vlan#2 P0 192.168.60.20.52233 > 208.67.222.222.53: udp 40
200: 08:14:59.442985 802.1Q vlan#2 P0 192.168.60.20.57413 > 208.67.222.222.53: udp 40
201: 08:14:59.443794 802.1Q vlan#2 P0 192.168.60.20.65042 > 208.67.222.222.53: udp 40
202: 08:14:59.448753 802.1Q vlan#2 P0 192.168.60.20.62151 > 208.67.222.222.53: udp 34
204: 08:14:59.504978 802.1Q vlan#2 P0 192.168.60.20.60528 > 208.67.222.222.53: udp 33
206: 08:14:59.524234 802.1Q vlan#2 P0 192.168.60.20.54032 > 208.67.222.222.53: udp 34
213: 08:15:00.505161 802.1Q vlan#2 P0 192.168.60.20.60528 > 208.67.222.222.53: udp 33
214: 08:15:00.524066 802.1Q vlan#2 P0 192.168.60.20.54032 > 208.67.222.222.53: udp 34
225: 08:15:01.441124 802.1Q vlan#2 P0 192.168.60.20.55495 > 208.67.222.222.53: udp 34
229: 08:15:01.442893 802.1Q vlan#2 P0 192.168.60.20.57413 > 208.67.222.222.53: udp 40
230: 08:15:01.443168 802.1Q vlan#2 P0 192.168.60.20.52233 > 208.67.222.222.53: udp 40
235: 08:15:01.444663 802.1Q vlan#2 P0 192.168.60.20.65042 > 208.67.222.222.53: udp 40
241: 08:15:01.563584 802.1Q vlan#2 P0 192.168.60.20.49326 > 208.67.222.222.53: udp 32
242: 08:15:01.582458 802.1Q vlan#2 P0 192.168.60.20.64011 > 208.67.222.222.53: udp 33
244: 08:15:01.598983 802.1Q vlan#2 P0 192.168.60.20.55971 > 208.67.222.222.53: udp 33
246: 08:15:01.628278 802.1Q vlan#2 P0 192.168.60.20.54709 > 208.67.222.222.53: udp 37
248: 08:15:01.982920 802.1Q vlan#2 P0 192.168.60.20.56343 > 208.67.222.222.53: udp 38
254: 08:15:02.598861 802.1Q vlan#2 P0 192.168.60.20.55971 > 208.67.222.222.53: udp 33
256: 08:15:02.622785 802.1Q vlan#2 P0 192.168.60.20.54709 > 208.67.222.222.53: udp 37
266: 08:15:04.438301 802.1Q vlan#2 P0 192.168.60.20.57642 > 208.67.222.222.53: udp 34
267: 08:15:04.440040 802.1Q vlan#2 P0 192.168.60.20.49886 > 208.67.222.222.53: udp 40
268: 08:15:04.440284 802.1Q vlan#2 P0 192.168.60.20.64655 > 208.67.222.222.53: udp 40
269: 08:15:04.441078 802.1Q vlan#2 P0 192.168.60.20.57383 > 208.67.222.222.53: udp 40
279: 08:15:05.441551 802.1Q vlan#2 P0 192.168.60.20.55495 > 208.67.222.222.53: udp 34
285: 08:15:05.443168 802.1Q vlan#2 P0 192.168.60.20.52233 > 208.67.222.222.53: udp 40
286: 08:15:05.443443 802.1Q vlan#2 P0 192.168.60.20.57413 > 208.67.222.222.53: udp 40
293: 08:15:05.445396 802.1Q vlan#2 P0 192.168.60.20.65042 > 208.67.222.222.53: udp 40
314: 08:15:07.438911 802.1Q vlan#2 P0 192.168.60.20.57642 > 208.67.222.222.53: udp 34
318: 08:15:07.440040 802.1Q vlan#2 P0 192.168.60.20.49886 > 208.67.222.222.53: udp 40
322: 08:15:07.441322 802.1Q vlan#2 P0 192.168.60.20.64655 > 208.67.222.222.53: udp 40
326: 08:15:07.443412 802.1Q vlan#2 P0 192.168.60.20.57383 > 208.67.222.222.53: udp 40
335: 08:15:09.374400 802.1Q vlan#2 P0 192.168.60.20.59105 > 208.67.222.222.53: udp 38
362: 08:15:11.439399 802.1Q vlan#2 P0 192.168.60.20.57642 > 208.67.222.222.53: udp 34
363: 08:15:11.440101 802.1Q vlan#2 P0 192.168.60.20.49886 > 208.67.222.222.53: udp 40
370: 08:15:11.441627 802.1Q vlan#2 P0 192.168.60.20.64655 > 208.67.222.222.53: udp 40
374: 08:15:11.442543 802.1Q vlan#2 P0 192.168.60.20.57383 > 208.67.222.222.53: udp 40
381: 08:15:11.995279 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
382: 08:15:12.003127 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
383: 08:15:12.003356 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
384: 08:15:12.003585 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
387: 08:15:12.994989 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
388: 08:15:13.001922 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
389: 08:15:13.004455 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
390: 08:15:13.004974 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
391: 08:15:13.005660 802.1Q vlan#2 P0 192.168.60.20.59092 > 208.67.222.222.53: udp 33
392: 08:15:13.995065 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
394: 08:15:14.001922 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
396: 08:15:14.002868 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
397: 08:15:14.003082 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
400: 08:15:14.004104 802.1Q vlan#2 P0 192.168.60.20.59092 > 208.67.222.222.53: udp 33
418: 08:15:15.995416 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
422: 08:15:16.002334 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
426: 08:15:16.003570 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
427: 08:15:16.003738 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
446: 08:15:17.302062 802.1Q vlan#2 P0 192.168.60.20.63130 > 208.67.222.222.53: udp 34
451: 08:15:18.172003 802.1Q vlan#2 P0 192.168.60.20.63438 > 208.67.222.222.53: udp 39
466: 08:15:18.993829 802.1Q vlan#2 P0 192.168.60.20.62143 > 208.67.222.222.53: udp 34
467: 08:15:19.000717 802.1Q vlan#2 P0 192.168.60.20.62168 > 208.67.222.222.53: udp 40
468: 08:15:19.000945 802.1Q vlan#2 P0 192.168.60.20.53798 > 208.67.222.222.53: udp 40
469: 08:15:19.002670 802.1Q vlan#2 P0 192.168.60.20.49384 > 208.67.222.222.53: udp 40
474: 08:15:19.695703 802.1Q vlan#2 P0 192.168.60.20.60662 > 208.67.222.222.53: udp 45
478: 08:15:19.994882 802.1Q vlan#2 P0 192.168.60.20.58440 > 208.67.222.222.53: udp 34
486: 08:15:20.002120 802.1Q vlan#2 P0 192.168.60.20.63442 > 208.67.222.222.53: udp 40
490: 08:15:20.003066 802.1Q vlan#2 P0 192.168.60.20.62373 > 208.67.222.222.53: udp 40
492: 08:15:20.003539 802.1Q vlan#2 P0 192.168.60.20.65017 > 208.67.222.222.53: udp 40
500: 08:15:20.303008 802.1Q vlan#2 P0 192.168.60.20.63130 > 208.67.222.222.53: udp 34
504: 08:15:20.411660 802.1Q vlan#2 P0 192.168.60.20.55911 > 208.67.222.222.53: udp 38
510: 08:15:20.984369 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
511: 08:15:21.171850 802.1Q vlan#2 P0 192.168.60.20.63438 > 208.67.222.222.53: udp 39
525: 08:15:21.983744 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
526: 08:15:21.993555 802.1Q vlan#2 P0 192.168.60.20.62143 > 208.67.222.222.53: udp 34
530: 08:15:22.000366 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
531: 08:15:22.001602 802.1Q vlan#2 P0 192.168.60.20.62168 > 208.67.222.222.53: udp 40
532: 08:15:22.001846 802.1Q vlan#2 P0 192.168.60.20.53798 > 208.67.222.222.53: udp 40
539: 08:15:22.004150 802.1Q vlan#2 P0 192.168.60.20.49384 > 208.67.222.222.53: udp 40
547: 08:15:22.986216 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
549: 08:15:22.999444 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
565: 08:15:23.999170 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
576: 08:15:24.303252 802.1Q vlan#2 P0 192.168.60.20.63130 > 208.67.222.222.53: udp 34
584: 08:15:24.985254 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
592: 08:15:25.172186 802.1Q vlan#2 P0 192.168.60.20.63438 > 208.67.222.222.53: udp 39
604: 08:15:25.994012 802.1Q vlan#2 P0 192.168.60.20.62143 > 208.67.222.222.53: udp 34
608: 08:15:25.998926 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
610: 08:15:26.001953 802.1Q vlan#2 P0 192.168.60.20.62168 > 208.67.222.222.53: udp 40
611: 08:15:26.002441 802.1Q vlan#2 P0 192.168.60.20.53798 > 208.67.222.222.53: udp 40
618: 08:15:26.004226 802.1Q vlan#2 P0 192.168.60.20.49384 > 208.67.222.222.53: udp 40
643: 08:15:28.986582 802.1Q vlan#2 P0 192.168.60.20.50215 > 208.67.222.222.53: udp 38
657: 08:15:29.999307 802.1Q vlan#2 P0 192.168.60.20.54586 > 208.67.222.222.53: udp 34
681: 08:15:31.458914 802.1Q vlan#2 P0 192.168.60.20.63467 > 208.67.222.222.53: udp 37
685: 08:15:31.724190 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
691: 08:15:31.875671 802.1Q vlan#2 P0 192.168.60.20.54302 > 208.67.222.222.53: udp 37
700: 08:15:32.723961 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
706: 08:15:33.724877 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
712: 08:15:35.725670 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
724: 08:15:39.726814 802.1Q vlan#2 P0 192.168.60.20.53683 > 208.67.222.222.53: udp 39
732: 08:15:41.453269 802.1Q vlan#2 P0 192.168.60.20.64218 > 208.67.222.222.53: udp 34
754: 08:15:43.453315 802.1Q vlan#2 P0 192.168.60.20.64218 > 208.67.222.222.53: udp 34
764: 08:15:43.995737 802.1Q vlan#2 P0 192.168.60.20.53749 > 208.67.222.222.53: udp 34
786: 08:15:45.994760 802.1Q vlan#2 P0 192.168.60.20.53749 > 208.67.222.222.53: udp 34
795: 08:15:47.451194 802.1Q vlan#2 P0 192.168.60.20.64429 > 208.67.222.222.53: udp 34
797: 08:15:47.454276 802.1Q vlan#2 P0 192.168.60.20.64218 > 208.67.222.222.53: udp 34
806: 08:15:48.285110 802.1Q vlan#2 P0 192.168.60.20.55170 > 208.67.222.222.53: udp 39
821: 08:15:49.451209 802.1Q vlan#2 P0 192.168.60.20.64429 > 208.67.222.222.53: udp 34
826: 08:15:49.979868 802.1Q vlan#2 P0 192.168.60.20.53423 > 208.67.222.222.53: udp 38
828: 08:15:49.994058 802.1Q vlan#2 P0 192.168.60.20.53749 > 208.67.222.222.53: udp 34
830: 08:15:50.285217 802.1Q vlan#2 P0 192.168.60.20.55170 > 208.67.222.222.53: udp 39
845: 08:15:51.979777 802.1Q vlan#2 P0 192.168.60.20.53423 > 208.67.222.222.53: udp 38
856: 08:15:53.450660 802.1Q vlan#2 P0 192.168.60.20.64429 > 208.67.222.222.53: udp 34
864: 08:15:54.008330 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
865: 08:15:54.285507 802.1Q vlan#2 P0 192.168.60.20.55170 > 208.67.222.222.53: udp 39
872: 08:15:55.008437 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
876: 08:15:55.980250 802.1Q vlan#2 P0 192.168.60.20.53423 > 208.67.222.222.53: udp 38
880: 08:15:56.009185 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
886: 08:15:58.009902 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
902: 08:16:00.006957 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
908: 08:16:00.837679 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
910: 08:16:01.006377 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
914: 08:16:01.837221 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
915: 08:16:01.991724 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
916: 08:16:02.007217 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
918: 08:16:02.010161 802.1Q vlan#2 P0 192.168.60.20.58160 > 208.67.222.222.53: udp 34
923: 08:16:02.838182 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
925: 08:16:02.991007 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
931: 08:16:03.990885 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
932: 08:16:04.007842 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
938: 08:16:04.838823 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
945: 08:16:05.990610 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
957: 08:16:08.009215 802.1Q vlan#2 P0 192.168.60.20.58798 > 208.67.222.222.53: udp 34
964: 08:16:08.840425 802.1Q vlan#2 P0 192.168.60.20.58163 > 208.67.222.222.53: udp 39
970: 08:16:09.991052 802.1Q vlan#2 P0 192.168.60.20.55645 > 208.67.222.222.53: udp 34
1005: 08:16:16.981287 802.1Q vlan#2 P0 192.168.60.20.53038 > 208.67.222.222.53: udp 38
1008: 08:16:17.391352 802.1Q vlan#2 P0 192.168.60.20.49778 > 208.67.222.222.53: udp 39
1010: 08:16:18.981348 802.1Q vlan#2 P0 192.168.60.20.53038 > 208.67.222.222.53: udp 38
1015: 08:16:19.391428 802.1Q vlan#2 P0 192.168.60.20.49778 > 208.67.222.222.53: udp 39
1022: 08:16:22.982645 802.1Q vlan#2 P0 192.168.60.20.53038 > 208.67.222.222.53: udp 38
1027: 08:16:23.403650 802.1Q vlan#2 P0 192.168.60.20.49778 > 208.67.222.222.53: udp 39
1032: 08:16:24.014434 802.1Q vlan#2 P0 192.168.60.20.54274 > 208.67.222.222.53: udp 34
1059: 08:16:26.014113 802.1Q vlan#2 P0 192.168.60.20.54274 > 208.67.222.222.53: udp 34
1096: 08:16:29.956737 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1097: 08:16:30.013381 802.1Q vlan#2 P0 192.168.60.20.54274 > 208.67.222.222.53: udp 34
1099: 08:16:30.939343 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1100: 08:16:30.939572 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1101: 08:16:30.939801 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1102: 08:16:30.956081 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1106: 08:16:31.938870 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1107: 08:16:31.939099 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1108: 08:16:31.939785 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1109: 08:16:31.956890 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1112: 08:16:32.938916 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1113: 08:16:32.939145 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1116: 08:16:32.940075 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1140: 08:16:33.956401 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1148: 08:16:34.939740 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1149: 08:16:34.939999 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1150: 08:16:34.940228 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1161: 08:16:36.936810 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1162: 08:16:36.937970 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1163: 08:16:36.938244 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1168: 08:16:37.936002 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1169: 08:16:37.936948 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1170: 08:16:37.938046 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1171: 08:16:37.955883 802.1Q vlan#2 P0 192.168.60.20.61328 > 208.67.222.222.53: udp 39
1175: 08:16:38.936948 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1177: 08:16:38.937817 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1179: 08:16:38.938763 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1181: 08:16:38.939709 802.1Q vlan#2 P0 192.168.60.20.58681 > 208.67.222.222.53: udp 40
1185: 08:16:38.941006 802.1Q vlan#2 P0 192.168.60.20.51180 > 208.67.222.222.53: udp 40
1186: 08:16:38.941220 802.1Q vlan#2 P0 192.168.60.20.53388 > 208.67.222.222.53: udp 40
1195: 08:16:40.937512 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1196: 08:16:40.937741 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1199: 08:16:40.939602 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1208: 08:16:42.005874 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1216: 08:16:43.005202 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1229: 08:16:44.006026 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1237: 08:16:44.939419 802.1Q vlan#2 P0 192.168.60.20.59595 > 208.67.222.222.53: udp 40
1238: 08:16:44.939908 802.1Q vlan#2 P0 192.168.60.20.59578 > 208.67.222.222.53: udp 40
1245: 08:16:44.941494 802.1Q vlan#2 P0 192.168.60.20.64549 > 208.67.222.222.53: udp 40
1275: 08:16:46.006011 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1321: 08:16:50.007079 802.1Q vlan#2 P0 192.168.60.20.61007 > 208.67.222.222.53: udp 38
1398: 08:17:10.994073 802.1Q vlan#2 P0 192.168.60.20.63745 > 208.67.222.222.53: udp 38
1401: 08:17:12.992517 802.1Q vlan#2 P0 192.168.60.20.63745 > 208.67.222.222.53: udp 38
1426: 08:17:15.766638 802.1Q vlan#2 P0 192.168.60.20.64128 > 208.67.222.222.53: udp 39
1429: 08:17:16.992761 802.1Q vlan#2 P0 192.168.60.20.63745 > 208.67.222.222.53: udp 38
1433: 08:17:17.766729 802.1Q vlan#2 P0 192.168.60.20.64128 > 208.67.222.222.53: udp 39
1441: 08:17:21.767050 802.1Q vlan#2 P0 192.168.60.20.64128 > 208.67.222.222.53: udp 39
1452: 08:17:26.504170 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1463: 08:17:27.504032 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1465: 08:17:28.318953 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1466: 08:17:28.504887 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1468: 08:17:29.319212 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1475: 08:17:30.319746 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1479: 08:17:30.505512 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1484: 08:17:32.320356 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1493: 08:17:34.507297 802.1Q vlan#2 P0 192.168.60.20.51346 > 208.67.222.222.53: udp 39
1498: 08:17:35.987299 802.1Q vlan#2 P0 192.168.60.20.50211 > 208.67.222.222.53: udp 38
1504: 08:17:36.321623 802.1Q vlan#2 P0 192.168.60.20.49753 > 208.67.222.222.53: udp 39
1512: 08:17:36.986475 802.1Q vlan#2 P0 192.168.60.20.50211 > 208.67.222.222.53: udp 38
1513: 08:17:37.987406 802.1Q vlan#2 P0 192.168.60.20.50211 > 208.67.222.222.53: udp 38
1521: 08:17:39.988001 802.1Q vlan#2 P0 192.168.60.20.50211 > 208.67.222.222.53: udp 38
1940: 08:19:32.749732 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65521: udp 91
2126: 08:19:46.482335 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61347: udp 50
2169: 08:19:50.479681 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61347: udp 50
2200: 08:19:54.485921 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61347: udp 50
2235: 08:19:58.700113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57408: udp 50
2275: 08:20:02.700113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57408: udp 50
2300: 08:20:06.380931 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61124: udp 139
2303: 08:20:06.697321 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57408: udp 50
2310: 08:20:07.624113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59656: udp 184
2313: 08:20:08.222202 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63181: udp 112
2314: 08:20:08.222263 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50007: udp 70
2335: 08:20:09.764441 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51040: udp 91
2345: 08:20:10.380839 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61124: udp 139
2354: 08:20:11.624235 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59656: udp 184
2361: 08:20:12.093821 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56090: udp 131
2362: 08:20:12.202458 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63181: udp 112
2363: 08:20:12.206364 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50007: udp 70
2373: 08:20:12.696466 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51948: udp 50
2384: 08:20:14.200886 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64562: udp 112
2385: 08:20:14.205311 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63143: udp 70
2387: 08:20:14.378062 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61124: udp 139
2399: 08:20:22.627012 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50607: udp 108
2407: 08:20:23.801136 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51512: udp 195
2417: 08:20:24.940777 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62374: udp 184
2423: 08:20:25.811771 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61821: udp 91
2432: 08:20:26.646801 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60226: udp 108
2433: 08:20:26.692606 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54228: udp 50
2452: 08:20:27.801167 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51512: udp 195
2461: 08:20:28.941510 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62374: udp 184
2463: 08:20:29.230990 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52123: udp 139
2465: 08:20:29.912260 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61877: udp 65
2467: 08:20:30.000976 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57311: udp 112
2474: 08:20:30.646664 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60226: udp 108
2476: 08:20:30.689737 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54228: udp 50
2491: 08:20:31.800678 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51512: udp 195
2500: 08:20:32.938428 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62374: udp 184
2503: 08:20:33.229037 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52123: udp 139
2507: 08:20:33.444541 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51060: udp 70
2512: 08:20:33.909590 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61877: udp 65
2514: 08:20:34.001296 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57311: udp 112
2522: 08:20:34.646511 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60226: udp 108
2524: 08:20:34.690027 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54228: udp 50
2530: 08:20:35.997705 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52341: udp 112
2538: 08:20:37.228656 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52123: udp 139
2540: 08:20:37.441886 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51060: udp 70
2544: 08:20:37.909926 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61877: udp 65
2548: 08:20:38.001113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57311: udp 112
2555: 08:20:38.651318 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56407: udp 108
2561: 08:20:39.440818 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53603: udp 70
2569: 08:20:39.997857 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52341: udp 112
2575: 08:20:41.228519 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63240: udp 185
2578: 08:20:41.446708 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51060: udp 70
2589: 08:20:42.646664 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56407: udp 108
2598: 08:20:43.440666 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53603: udp 70
2604: 08:20:43.997354 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52341: udp 112
2618: 08:20:45.163275 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63149: udp 65
2619: 08:20:45.227817 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63240: udp 185
2621: 08:20:45.251924 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57764: udp 112
2626: 08:20:46.130547 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61026: udp 195
2632: 08:20:46.643567 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56407: udp 108
2638: 08:20:47.440742 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53603: udp 70
2644: 08:20:48.162879 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63149: udp 65
2646: 08:20:48.251512 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57764: udp 112
2648: 08:20:48.694986 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49312: udp 70
2652: 08:20:49.130867 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61026: udp 195
2654: 08:20:49.228625 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63240: udp 185
2663: 08:20:51.251146 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61384: udp 112
2666: 08:20:51.647091 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52622: udp 108
2667: 08:20:51.694589 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49312: udp 70
2670: 08:20:52.160193 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63149: udp 65
2674: 08:20:52.251360 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57764: udp 112
2679: 08:20:53.100306 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56042: udp 131
2680: 08:20:53.129448 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61026: udp 195
2685: 08:20:54.250765 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61384: udp 112
2687: 08:20:54.646161 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52622: udp 108
2689: 08:20:54.696726 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52496: udp 70
2691: 08:20:55.697412 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49312: udp 70
2693: 08:20:56.097971 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56042: udp 131
2700: 08:20:57.693369 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52496: udp 70
2703: 08:20:58.250109 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61384: udp 112
2705: 08:20:58.646008 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52622: udp 108
2708: 08:21:00.097819 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56042: udp 131
2713: 08:21:01.693308 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52496: udp 70
2718: 08:21:02.823626 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63251: udp 91
2719: 08:21:02.948177 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51292: udp 70
2722: 08:21:03.646023 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63250: udp 108
2729: 08:21:05.947399 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51292: udp 70
2734: 08:21:06.648678 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63250: udp 108
2743: 08:21:08.911467 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61647: udp 195
2744: 08:21:08.946865 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60298: udp 70
2748: 08:21:09.950069 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51292: udp 70
2751: 08:21:10.643521 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63250: udp 108
2754: 08:21:11.910627 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61647: udp 195
2756: 08:21:11.946530 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60298: udp 70
2767: 08:21:15.130623 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61338: udp 117
2770: 08:21:15.646527 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51375: udp 108
2774: 08:21:15.909453 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61647: udp 195
2776: 08:21:15.943844 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60298: udp 70
2783: 08:21:17.200947 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64763: udp 70
2787: 08:21:18.130104 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61338: udp 117
2790: 08:21:18.645565 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51375: udp 108
2793: 08:21:20.198033 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64763: udp 70
2799: 08:21:22.127434 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61338: udp 117
2802: 08:21:22.513309 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51759: udp 70
2803: 08:21:22.643460 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51375: udp 108
2805: 08:21:23.197652 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49516: udp 70
2811: 08:21:24.202885 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64763: udp 70
2814: 08:21:24.904906 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60682: udp 236
2817: 08:21:25.510471 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51759: udp 70
2821: 08:21:26.196797 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49516: udp 70
2825: 08:21:27.646023 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59714: udp 108
2827: 08:21:27.883941 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60682: udp 236
2833: 08:21:29.407174 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60724: udp 65
2834: 08:21:29.510273 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51759: udp 70
2838: 08:21:30.196629 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49516: udp 70
2843: 08:21:30.645703 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59714: udp 108
2844: 08:21:30.883072 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53426: udp 236
2846: 08:21:31.451636 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62205: udp 70
2848: 08:21:31.886230 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60682: udp 236
2851: 08:21:32.406946 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60724: udp 65
2858: 08:21:33.882171 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53426: udp 236
2862: 08:21:34.451209 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62205: udp 70
2864: 08:21:34.642941 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59714: udp 108
2871: 08:21:35.948116 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60127: udp 195
2872: 08:21:36.406595 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60724: udp 65
2875: 08:21:36.909331 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65140: udp 222
2877: 08:21:37.449866 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59320: udp 70
2878: 08:21:37.880005 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53426: udp 236
2883: 08:21:38.456137 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62205: udp 70
2884: 08:21:38.944699 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60127: udp 195
2886: 08:21:39.888427 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65140: udp 222
2890: 08:21:40.449485 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59320: udp 70
2893: 08:21:41.321714 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62421: udp 237
2899: 08:21:42.885528 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60796: udp 222
2900: 08:21:42.945065 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60127: udp 195
2904: 08:21:43.657345 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50140: udp 65
2906: 08:21:43.890731 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65140: udp 222
2909: 08:21:44.298278 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62421: udp 237
2912: 08:21:44.449531 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59320: udp 70
2919: 08:21:45.704828 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50687: udp 70
2920: 08:21:45.884658 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60796: udp 222
2925: 08:21:46.657497 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50140: udp 65
2928: 08:21:47.297958 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57907: udp 237
2930: 08:21:48.300582 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62421: udp 237
2934: 08:21:48.703653 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50687: udp 70
2937: 08:21:49.831789 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57908: udp 91
2938: 08:21:49.884491 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60796: udp 222
2942: 08:21:50.297714 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57907: udp 237
2943: 08:21:50.657299 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50140: udp 65
2946: 08:21:51.703119 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55290: udp 70
2950: 08:21:52.706308 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50687: udp 70
2951: 08:21:53.303741 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53899: udp 237
2952: 08:21:54.297363 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57907: udp 237
2956: 08:21:54.702402 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55290: udp 70
2960: 08:21:56.302810 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53899: udp 237
2965: 08:21:57.908095 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60934: udp 117
2968: 08:21:58.702035 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55290: udp 70
2972: 08:21:59.302428 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63799: udp 237
2975: 08:21:59.977564 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51380: udp 76
2979: 08:22:00.307631 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53899: udp 237
2984: 08:22:00.907667 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60934: udp 117
2986: 08:22:01.284164 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51226: udp 108
2990: 08:22:02.302688 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63799: udp 237
2993: 08:22:02.956646 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51380: udp 76
2995: 08:22:02.987848 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55596: udp 195
3001: 08:22:04.283783 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51226: udp 108
3004: 08:22:04.907072 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60934: udp 117
3009: 08:22:05.955822 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64295: udp 76
3010: 08:22:05.984934 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55596: udp 195
3012: 08:22:06.301864 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63799: udp 237
3016: 08:22:06.958934 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51380: udp 76
3022: 08:22:08.280640 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51226: udp 108
3029: 08:22:08.955440 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64295: udp 76
3032: 08:22:09.910627 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57632: udp 117
3033: 08:22:09.987238 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55596: udp 195
3035: 08:22:10.246538 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60678: udp 131
3042: 08:22:11.959514 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62946: udp 76
3044: 08:22:12.909758 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57632: udp 117
3046: 08:22:12.952709 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64295: udp 76
3049: 08:22:13.245653 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60678: udp 131
3056: 08:22:14.956554 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62946: udp 76
3062: 08:22:16.906996 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57632: udp 117
3065: 08:22:17.248507 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60678: udp 131
3068: 08:22:17.957820 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57216: udp 76
3071: 08:22:18.956493 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.62946: udp 76
3077: 08:22:20.958004 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57216: udp 76
3083: 08:22:23.961543 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64402: udp 76
3086: 08:22:24.957271 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57216: udp 76
3089: 08:22:25.054562 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60597: udp 237
3092: 08:22:26.958675 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64402: udp 76
3096: 08:22:28.046246 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60597: udp 237
3100: 08:22:29.960353 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51515: udp 76
3102: 08:22:30.029570 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51928: udp 195
3105: 08:22:30.958049 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64402: udp 76
3108: 08:22:31.020689 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54204: udp 70
3110: 08:22:31.032819 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64172: udp 237
3113: 08:22:32.036069 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60597: udp 237
3115: 08:22:32.960002 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51515: udp 76
3117: 08:22:33.024214 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51928: udp 195
3120: 08:22:34.019850 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54204: udp 70
3122: 08:22:34.032392 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64172: udp 237
3126: 08:22:35.963649 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58593: udp 76
3127: 08:22:36.918943 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52177: udp 117
3128: 08:22:36.957302 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51515: udp 76
3131: 08:22:37.024031 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51928: udp 195
3134: 08:22:38.020155 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54204: udp 70
3137: 08:22:38.034971 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64172: udp 237
3138: 08:22:38.963451 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58593: udp 76
3141: 08:22:39.916075 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52177: udp 117
3144: 08:22:41.962337 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55848: udp 76
3147: 08:22:42.905608 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54153: udp 260
3149: 08:22:42.965037 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58593: udp 76
3153: 08:22:43.915739 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52177: udp 117
3159: 08:22:44.961498 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55848: udp 76
3162: 08:22:45.904860 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54153: udp 260
3165: 08:22:46.842790 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54154: udp 91
3169: 08:22:47.966121 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50849: udp 76
3170: 08:22:48.894881 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55040: udp 236
3171: 08:22:48.918317 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63098: udp 117
3172: 08:22:48.959026 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55848: udp 76
3177: 08:22:49.905165 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54153: udp 260
3180: 08:22:50.965282 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50849: udp 76
3182: 08:22:51.894179 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55040: udp 236
3183: 08:22:51.917417 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63098: udp 117
3188: 08:22:53.964839 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64023: udp 76
3192: 08:22:54.893157 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57213: udp 236
3193: 08:22:54.963039 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50849: udp 76
3199: 08:22:55.898970 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55040: udp 236
3200: 08:22:55.917707 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63098: udp 117
3205: 08:22:56.963954 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64023: udp 76
3207: 08:22:57.064953 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56311: udp 195
3211: 08:22:57.892760 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57213: udp 236
3219: 08:22:59.968089 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63271: udp 76
3220: 08:23:00.064877 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56311: udp 195
3223: 08:23:00.899382 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52883: udp 222
3224: 08:23:00.918241 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63492: udp 65
3225: 08:23:00.964015 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64023: udp 76
3228: 08:23:01.892562 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57213: udp 236
3233: 08:23:02.967235 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63271: udp 76
3237: 08:23:03.898650 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52883: udp 222
3240: 08:23:03.917433 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63492: udp 65
3242: 08:23:04.061871 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.56311: udp 195
3248: 08:23:05.966853 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49426: udp 76
3249: 08:23:06.105661 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3250: 08:23:06.897582 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54348: udp 222
3253: 08:23:06.969966 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63271: udp 76
3254: 08:23:07.104395 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3256: 08:23:07.900817 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52883: udp 222
3258: 08:23:07.917188 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63492: udp 65
3260: 08:23:08.121102 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3262: 08:23:08.965968 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49426: udp 76
3267: 08:23:09.894790 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54348: udp 222
3269: 08:23:10.103510 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3273: 08:23:12.966594 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.49426: udp 76
3276: 08:23:13.894591 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54348: udp 222
3278: 08:23:14.105325 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59421: udp 260
3283: 08:23:15.168524 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64971: udp 65
3290: 08:23:18.168692 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64971: udp 65
3297: 08:23:22.167975 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64971: udp 65
3300: 08:23:24.102426 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59518: udp 195
3304: 08:23:25.966487 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63456: udp 70
3311: 08:23:27.101526 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59518: udp 195
3317: 08:23:28.965602 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63456: udp 70
3320: 08:23:29.418755 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63330: udp 117
3326: 08:23:31.101343 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59518: udp 195
3329: 08:23:31.919706 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52792: udp 108
3330: 08:23:31.962825 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51619: udp 70
3331: 08:23:32.415872 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63330: udp 117
3337: 08:23:32.968532 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63456: udp 70
3342: 08:23:34.921384 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52792: udp 108
3343: 08:23:34.962093 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51619: udp 70
3347: 08:23:36.416161 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.63330: udp 117
3355: 08:23:38.918653 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52792: udp 108
3357: 08:23:38.961681 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51619: udp 70
3362: 08:23:40.219242 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52373: udp 70
3367: 08:23:41.420983 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60196: udp 117
3368: 08:23:41.426140 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52680: udp 70
3374: 08:23:43.218341 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52373: udp 70
3378: 08:23:44.417840 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60196: udp 117
3381: 08:23:44.422967 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52680: udp 70
3391: 08:23:46.217991 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51938: udp 70
3398: 08:23:47.220706 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52373: udp 70
3403: 08:23:48.418160 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60196: udp 117
3406: 08:23:48.423058 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52680: udp 70
3411: 08:23:49.217655 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51938: udp 70
3422: 08:23:51.141533 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55883: udp 195
3433: 08:23:53.214939 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51938: udp 70
3440: 08:23:54.145637 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55883: udp 195
3441: 08:23:54.469442 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53554: udp 70
3450: 08:23:57.469061 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53554: udp 70
3455: 08:23:58.140999 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55883: udp 195
3461: 08:24:00.468695 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58757: udp 70
3464: 08:24:01.468969 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53554: udp 70
3469: 08:24:03.467810 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58757: udp 70
3480: 08:24:07.427132 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51241: udp 117
3483: 08:24:07.467733 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58757: udp 70
3487: 08:24:08.722130 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53884: udp 70
3491: 08:24:10.430275 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51241: udp 117
3496: 08:24:11.722237 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53884: udp 70
3505: 08:24:14.426064 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.51241: udp 117
3507: 08:24:14.720864 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59532: udp 70
3511: 08:24:14.906035 802.1Q vlan#2 P0 208.67.222.222 > 172.26.20.22: icmp: echo reply
3515: 08:24:15.724068 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.53884: udp 70
3521: 08:24:17.720498 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59532: udp 70
3523: 08:24:18.181677 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52120: udp 195
3526: 08:24:19.428612 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58045: udp 117
3528: 08:24:19.887054 802.1Q vlan#2 P0 208.67.222.222 > 172.26.20.22: icmp: echo reply
3531: 08:24:21.178304 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52120: udp 195
3535: 08:24:21.720299 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59532: udp 70
3538: 08:24:22.428231 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58045: udp 117
3540: 08:24:22.975321 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55981: udp 70
3542: 08:24:24.885620 802.1Q vlan#2 P0 208.67.222.222 > 172.26.20.22: icmp: echo reply
3544: 08:24:25.178777 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52120: udp 195
3549: 08:24:25.977915 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55981: udp 70
3550: 08:24:26.428093 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.58045: udp 117
3553: 08:24:26.571671 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54072: udp 108
3557: 08:24:28.974055 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61441: udp 70
3558: 08:24:29.571351 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54072: udp 108
3560: 08:24:29.885864 802.1Q vlan#2 P0 208.67.222.222 > 172.26.20.22: icmp: echo reply
3562: 08:24:29.979273 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.55981: udp 70
3564: 08:24:31.973139 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61441: udp 70
3566: 08:24:33.573639 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54072: udp 108
3572: 08:24:35.973963 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61441: udp 70
3575: 08:24:37.225574 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54778: udp 70
3578: 08:24:40.227695 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54778: udp 70
3586: 08:24:43.224780 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61415: udp 70
3588: 08:24:44.225009 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.54778: udp 70
3594: 08:24:45.218357 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59345: udp 195
3599: 08:24:46.225909 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61415: udp 70
3603: 08:24:48.217472 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59345: udp 195
3605: 08:24:48.437309 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64239: udp 117
3609: 08:24:50.223697 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.61415: udp 70
3612: 08:24:51.435310 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64239: udp 117
3614: 08:24:51.478262 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60625: udp 76
3616: 08:24:52.217807 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59345: udp 195
3619: 08:24:52.798359 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57029: udp 70
3622: 08:24:54.477926 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60625: udp 76
3625: 08:24:55.433113 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.64239: udp 117
3629: 08:24:55.798222 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57029: udp 70
3634: 08:24:57.477499 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65124: udp 76
3638: 08:24:58.483281 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.60625: udp 76
3642: 08:24:59.797306 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57029: udp 70
3645: 08:25:00.438408 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50075: udp 117
3646: 08:25:00.478857 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65124: udp 76
3651: 08:25:03.435371 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50075: udp 117
3652: 08:25:03.480749 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57210: udp 76
3654: 08:25:04.474020 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.65124: udp 76
3660: 08:25:06.480352 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57210: udp 76
3662: 08:25:07.435066 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.50075: udp 117
3667: 08:25:09.479497 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52037: udp 76
3670: 08:25:10.487187 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.57210: udp 76
3673: 08:25:12.258485 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.59263: udp 195
3674: 08:25:12.478612 802.1Q vlan#2 P0 208.67.222.222.53 > 172.26.20.22.52037: udp 76
mxfw(config)# sho cap capo
16 packets captured
1: 08:49:55.933347 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
2: 08:49:55.961345 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
3: 08:50:00.697122 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
4: 08:50:00.723915 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
5: 08:50:05.696283 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
6: 08:50:05.721947 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
7: 08:50:10.695474 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
8: 08:50:10.722466 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
9: 08:24:14.880508 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
10: 08:24:14.906004 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
11: 08:24:19.860780 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
12: 08:24:19.887023 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
13: 08:24:24.859971 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
14: 08:24:24.885574 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
15: 08:24:29.859147 802.1Q vlan#2 P0 192.168.1.231 > 208.67.222.222: icmp: echo request
16: 08:24:29.885833 802.1Q vlan#2 P0 208.67.222.222 > 192.168.1.231: icmp: echo reply
16 packets shown
mxfw(config)# sho cap capdmz
ERROR: Capture does not exist
mxfw(config)# sho cap capd
0 packet captured
0 packet shown
mxfw(config)# -
How can I map SSH from an outside network range to an internal host (ASA 5505)
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
- External network range that needs SSH access: 8.8.8.0/24
- Outside interface: 10.1.10.2 (NAT'd from 7.7.7.7)
- Inside Network: 192.168.100.0/24
- Inside host to redirect external SSH to: 192.168.100.98
Hi All,
I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought.
Can anyone help with this? What commands should I enter to accomplish mapping SSH from an outside network range to an internal host?
Many thanks,
TarranThis may or may not work depending on how your modem handles the natting. On your firewall try this -
static (inside,outside) tcp interface 22 192.168.100.98 22
then add this to your acl on the outside interface of your ASA -
access-list outside_in permit tcp 8.8.8.0 255.255.255.0 host 10.1.10.2 eq 22
if you don't have an acl applied then add this extra step -
access-group outside_in in interface outside
Jon
Maybe you are looking for
-
Apple's Pages 5.0 is an unmitigated disaster
If I was not already in too deep in the Apple ecosystem I would leave after this terrible experience.
-
Can't edit photos in my MobileMe gallery in iPhoto '11
Hi, I have all my photos in my MobileMe gallery. Everything sync very well with iPhoto '11. But I'm surprised by the fact that I can't edit those photos. It keeps saying that the element I selected can't be modified in iPhoto '11. Is this because I d
-
How do I make a new tab open with my home page
I would like new tabs to open to my home page. How do I do this?
-
How to fill areas with Fireworks CS4?
How can I fill areas created with a pen tablet in more than one layer with Fireworks CS4? I need to fill areas created with vector path tool divided in more layers like a raster image but without converting strokes to a raster image. For example hair
-
Resource Bundle Issue in BackingBean
Hi, JDeveloper 11.1.1.3.0 I am getting null, when I am trying to retrieve the ResourceBundle using the below code. Please help. FacesContext fc = null; ResourceBundle rb = null; fc = FacesContext.getCurrentInstance(); rb = fc.getApplication().getReso