Basic configuration on ASA 5520

i am runnig ASA in GNS3
am confused a little bit....by default ip traffic is allowed from higher to lower security level....i had just configured interfaces with security level, name and ip address and no shutdown....the traffic will pass throught the asa or not....no NAT , ACL or  Routes are configured....

I am not sure I understand your question correctly.  Do you mean that you have configured the interfaces and traffic is not passing?
If you configure one interface with security level 100 and another with a security level lower than 100 (lets say 0 for simplicity) then, as of version 8.3, traffic will pass through the ASA from the higher security level to the lower security level without the need of further configuration.  That is assuming that on the lower security level interface is not connected to the internet where private IP address range is not routable.  In this case traffic will pass through the ASA, you will just not get any return traffic.
Prior to 8.2 you had to configure a NAT statement or issue the no nat-control command in order for traffic to be allowed through the ASA but as of 8.2 that feature was disabled by default and in 8.3 (or perhaps 8.4) it was removed completely.
If you add an ACL to the ASA interface then the security levels have nothing to say in the way traffic flows.  The security levels only come into play if there are no ACLs configured on the interface.
Please remember to rate and select a correct answer

Similar Messages

  • Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

    I have enable and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have an Cisco ASA 5520 firewall at work, is there something I need to setup on the device? We want to allow users from
    home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

    Hi,
    Make sure that the required ports are allowed over he device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com
    Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected]

  • Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

    Hi,
    I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
    The scanario:
    Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
    Any help or advice is much appreciated.
    Thanks.

    Hello Bernard,
    What you are looking for is a Remote Ipsec VPN mode not a L2L.
    Here is the link you should use to make this happen:)
    https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
    Regards,
    Julio

  • Security Manager traceroute ASA 5520

    How can I use Security Manager (3.2) to configure a ASA 5520 to show up in a traceroute, have found a doc on how to do this from the cmd line but would prefer to keep everything in CSM.
    Mike

    There used to be a similar bug in IDM.
    The sensor itself does not declare an interface as promiscuous.
    SO CSM has to intepret the configuration to determine if the interface is promiscuous.
    On an Appliance an Interface is InLine only if it is configured as part of an InLine Interface Pair, or has InLine Vlan Pairs assigned.
    So CSM makes the assumption that if it is not part of an InLine Interface Pair and does not have InLine Vlan Pairs created, but is active and being monitored by a virtual sensor then it must be Promiscuous.
    And the above is True for Appliances.
    What the CSM developers may not have realized is that this is NOT true for Modules.
    For most modules like the AIP-SSMs, the sensor is configured to monitor the interface, but there is nothing in the module configuration itself that tells you whether it is inline or promiscuous.
    That knowledge is only within the configuration of the ASA chassis itself.
    CSM is simply incorrectly using the rules for Appliances against the SSMs.
    This was corrected in IDM by always just marking the SSM port as "monitored" if I remember right and not trying to specify whether it is promiscuous or inline.
    CSM would likely have to make the same change, and just then just tell the user they need to check ASA configuration to determine whether or not the ASA is configured to send packets to the SSM promiscuously or inline.
    Marco

  • ASA 5520: Configuring Active/Standby High Availability

    Hi,
    I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.
    I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).
    I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
    I tried this using a crossover cable to connect the interfaces directly with the same result.
    Any ideas?
    Thanks.
    Dan

    The command Varun is right.
    Since you want to know a little bit more about this stuff, here goes a bit. Every interface will have a secondary IP and a Primary IP where the Active/Standby pair will exchange hello packes. If the hellos are not heard from mate, the the unit is delcare failed.
    In case the primary is the one that gets an interface down, it will failover to the other unit, if it is the standby that has the problem, the active unit will declare the other Unit "standby failed). You will know that everything is alright when you do a show failover and the standby pair shows "Standby Ready".
    For configuring it, just put a secondary IP on every interface to be monitored (If by any chance you dont have an available secondary IP for one of the interfaces you can avoid monitoring the given interface using the command no "monitor-interface nameif" where the nameif is the name of the interface without the secondary IP.
    Then put the commands for failover and stateful link, the stateful link will copy the connections table (among other things) to avoid downtime while passing from One unit to another, This link should have at least the same speed as the regular data interfaces.
    You can configure the failover link and the stateful link in just one interface, by just using the same name for the link, remember that this link will have a totally sepparate subnet from the ones already used in firewall.
    This is the configuration
    failover lan unit primary
    failover lan interface failover gig0/3
    failover link failover gig0/3
    failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
    failover lan unit secondary
    failover lan interface failover gig0/3
    failover link failover gig0/3
    failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
    Make sure that you can ping each other secondary/primary IP and then put the command
    failover first on the primary and then on the secondary.
    That would fine.
    Let me know if you have further doubts.
    Link for reference
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
    Mike

  • ASA 5520 IPS configuration

    Dear boss
    I have a ASA 5520  with IPS in my Data center. i am using it for routing and access list.  it is running and my all 80 branches running on it.
    now i want to enable IPS.
    How i start it ?
    when i click on IPS on graphic mood an it asking an IP. what it should be ?
    what is the procedure  ?
    Is there any risk to enable it during business hour ?
    please tell me details
    Thanking You
    shahid

    Hi,
    To know more details for configuring IPS in ASA Firewall the below URL will help you
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
    Regards,
    MK

  • ASA 5520 Upgrade From 8.2 to 9.1

    To All Pro's Out There,
    I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
    In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
    I appreciate all the help in advance.

    Hi,
    My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
    In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
    What you can basically do is
    Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
    You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
    So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
    If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
    If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
    https://supportforums.cisco.com/docs/DOC-31116
    My personal approach when starting to convert NAT configurations for the upgrade is
    Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
    Divide NAT configurations based on type   
    Dynamic NAT/PAT
    Static NAT
    Static PAT
    NAT0
    All Policy Dynamic/Static NAT/PAT
    Learn the basic configuration format for each type of NAT configuration
    Start by converting the easiest NAT configurations   
    Dynamic NAT/PAT
    Static NAT/PAT
    Next convert the NAT0 configurations
    And finally go through the Policy NAT/PAT configurations
    Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
    The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
    One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
    For example
    static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
    Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
    So to summarize
    Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
    Learn the new NAT configuration format
    Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
    Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
    Convert the configurations manually
    Lab/test the configurations on an test ASA
    During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
    Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
    Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
    Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
    Will add more later if anything comes to mind as its getting quite late here
    Hope this helps
    - Jouni

  • ASA 5520 intervlan routing at low speed

    I have ASA 5520 and SSM-10 module. During copy between vlans, connected to gigabit port of asa the speed is up to 6,5 Mbyte/sec. Network cards and trunked switch are gigabit. I've temporarily disabled SSM but it didn't help. Here is my config. Also I found out, that putting SSM into bypass mode solves the problem. But I don't send any traffic to IPS...
    ASA Version 8.4(2)
    hostname ***
    domain-name ***
    enable password *** encrypted
    passwd *** encrypted
    multicast-routing
    names
    dns-guard
    interface GigabitEthernet0/0
    nameif DMZ
    security-level 50
    ip address 10.2.5.1 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    no ip address
    interface GigabitEthernet0/1.100
    vlan 100
    nameif Devices
    security-level 100
    ip address 10.2.0.1 255.255.255.0
    interface GigabitEthernet0/1.101
    vlan 101
    nameif Common
    security-level 100
    ip address 10.2.1.1 255.255.255.0
    interface GigabitEthernet0/1.102
    vlan 102
    nameif Design
    security-level 100
    ip address 10.2.2.1 255.255.255.0
    interface GigabitEthernet0/1.103
    vlan 103
    nameif Ruhlamat
    security-level 90
    ip address 10.2.3.1 255.255.255.0
    interface GigabitEthernet0/2
    no nameif
    security-level 100
    no ip address
    interface GigabitEthernet0/2.10
    vlan 10
    nameif HOLOGR
    security-level 40
    ip address 10.1.2.4 255.255.0.0
    interface GigabitEthernet0/3
    nameif outside
    security-level 0
    ip address ***
    interface Management0/0
    nameif management
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    management-only
    boot system disk0:/asa842-k8.bin
    no ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns server-group DefaultDNS
    domain-name ***
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network WWW
    host 10.2.1.6
    object network MAIL
    host 10.2.5.5
    object network TEST
    host 10.2.1.85
    object-group network DM_INLINE_NETWORK_1
    network-object host 10.1.0.88
    network-object host 10.1.6.1
    network-object host 10.1.6.5
    network-object host 10.1.0.57
    network-object 10.2.0.0 255.255.255.0
    network-object host 10.1.6.4
    network-object host 10.1.1.57
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 2080
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_6
    network-object host 10.1.4.42
    network-object host 10.1.4.234
    network-object host 10.1.4.175
    network-object host 10.1.4.217
    object-group protocol DM_INLINE_PROTOCOL_5
    protocol-object udp
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_3
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    network-object host 10.2.1.6
    network-object host 10.2.1.14
    network-object host 10.2.1.91
    object-group network DM_INLINE_NETWORK_4
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    network-object host 10.2.1.6
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_5
    network-object host 10.2.1.14
    network-object host 10.2.1.39
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    network-object host 10.2.1.6
    network-object host 10.2.1.85
    network-object host 10.2.1.31
    network-object host 10.2.1.32
    network-object host 10.2.1.40
    network-object host 10.2.1.55
    network-object host 10.2.1.35
    network-object host 10.2.1.3
    network-object host 10.2.1.2
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_7
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    object-group network DM_INLINE_NETWORK_9
    network-object host 10.2.1.4
    network-object host 10.2.1.3
    object-group network DM_INLINE_NETWORK_2
    network-object host 10.1.1.101
    network-object host 10.1.6.1
    network-object host 10.1.6.4
    network-object host 10.1.6.5
    network-object host 10.1.0.57
    network-object host 10.1.1.57
    object-group network DM_INLINE_NETWORK_10
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    network-object host 10.2.1.3
    network-object host 10.2.1.2
    object-group service DM_INLINE_TCP_4 tcp
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_12
    network-object host 10.2.0.11
    network-object host 10.2.0.14
    object-group service DM_INLINE_TCP_5 tcp
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_13
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    object-group network DM_INLINE_NETWORK_14
    network-object host 8.8.4.4
    network-object host 8.8.8.8
    network-object host 10.1.1.1
    object-group network DM_INLINE_NETWORK_15
    network-object host 10.2.1.39
    network-object host 10.2.1.57
    object-group network DM_INLINE_NETWORK_16
    network-object host 10.2.1.14
    network-object host 10.2.1.6
    access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
    access-list outside_access_in extended permit tcp host *** host 10.2.1.85 eq ***
    access-list outside_access_in extended permit tcp host *** host 10.2.1.6 eq ***
    access-list Common_access_in extended permit icmp any any
    access-list Common_access_in extended permit ip host 10.2.1.76 host ***
    access-list Common_access_in extended permit ip host 10.2.1.6 any log disable inactive
    access-list Common_access_in extended permit tcp host 10.2.1.6 host *** eq ***
    access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_1 6 host 10.2.5.5
    access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
    access-list Common_access_in extended permit udp object-group DM_INLINE_NETWORK_7 any eq ntp log disable
    access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
    access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
    access-list Common_access_in extended permit tcp object-group DM_INLINE_NETWORK_15 host 10.1.1.1 object-group DM_INLINE_TCP_3
    access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
    access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
    access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 log disable
    access-list HOLOGR_access_in extended permit icmp any any log disable
    access-list HOLOGR_access_in extended permit tcp host 10.1.1.1 host 10.2.5.5 object-group DM_INLINE_TCP_4
    access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
    access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
    access-list HOLOGR_access_in extended permit ip host 10.1.4.214 object-group DM_INLINE_NETWORK_12
    access-list Ruhlamat_access_in extended permit ip host 10.2.3.3 object-group DM_INLINE_NETWORK_10
    access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
    access-list test extended permit tcp any host 10.2.5.1 eq telnet
    access-list test extended permit tcp any host 10.2.5.1 eq https
    access-list test extended permit tcp host 10.2.5.1 any eq https
    access-list test extended permit tcp host 10.2.5.1 any eq telnet
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 8192
    logging buffered critical
    logging trap warnings
    logging asdm informational
    logging from-address ***
    logging recipient-address *** level critical
    logging host Common 10.2.1.2
    logging flash-bufferwrap
    logging flash-maximum-allocation 8192
    logging permit-hostdown
    no logging message 106014
    no logging message 313005
    no logging message 313001
    no logging message 106023
    no logging message 305006
    no logging message 733101
    no logging message 733100
    no logging message 304001
    logging message 313001 level critical
    logging message 106023 level errors
    mtu DMZ 1500
    mtu inside 1500
    mtu Devices 1500
    mtu Common 1500
    mtu Design 1500
    mtu Ruhlamat 1500
    mtu HOLOGR 1500
    mtu outside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any DMZ
    icmp permit any Common
    icmp permit any HOLOGR
    icmp permit any outside
    asdm image disk0:/asdm-645-206.bin
    asdm history enable
    arp timeout 14400
    object network WWW
    nat (Common,outside) static interface service tcp *** ***
    object network MAIL
    nat (DMZ,outside) static interface service tcp smtp smtp
    nat (DMZ,outside) after-auto source dynamic any interface
    nat (Common,outside) after-auto source dynamic any interface
    nat (Devices,outside) after-auto source dynamic any interface
    access-group Common_access_in in interface Common
    access-group Design_access_in in interface Design
    access-group Ruhlamat_access_in in interface Ruhlamat
    access-group HOLOGR_access_in in interface HOLOGR
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 *** 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    http server enable
    http 10.2.1.6 255.255.255.255 Common
    snmp-server host Common 10.2.1.6 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp DMZ
    sysopt noproxyarp inside
    sysopt noproxyarp Devices
    sysopt noproxyarp Common
    sysopt noproxyarp Design
    sysopt noproxyarp Ruhlamat
    sysopt noproxyarp HOLOGR
    sysopt noproxyarp outside
    sysopt noproxyarp management
    service resetoutside
    telnet 10.2.1.0 255.255.255.0 Common
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access Common
    dhcprelay setroute Common
    threat-detection basic-threat
    threat-detection scanning-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.2.1.4 source Common prefer
    webvpn
    smtp-server 10.2.5.5
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DD
    CEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:ad02ecbd84a727e4a26699915feca3a5
    : end

    Hi Philip,
    I don't see any features configured that would affect the throughput of the data transfer. Do you see any CRC errors or overruns increasing on the interfaces during the transfer? If not, I would suggest setting up captures on the ingress and egress interfaces of the ASA so you can understand exactly why the connection is slowing down and see if the ASA is inducing the delay:
    https://supportforums.cisco.com/docs/DOC-1222
    -Mike

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    This topic has been beat to death, but I did not see a real answer. Here is configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • ASA 5520 : IP address for CSC SSM

    Hi All,
    I have an ASA 5520 with CSC SSM. I have base and plus license and want to activate it. T he IP address and gateway have to be configured on the CSC SSM. I have configured IP addresses for the INSIDE,OUTSIDE,DMZ and MGMT. The outside is a public IP address. Now for the CSC SSM what range should i give?
    There is an ISA server on the DMZ where all user IP's get PATed and on ASA this gets NATed on the ASA. Direct access to the internet exists for the servers (bypassing proxy).
    My basic doubt is about the IP address and gateway that the CSC SSM should have and is it related ot the management interface ip address?
    Thanks and Regards.
    Sonu

    Hi
    put your CSC ip address as outside interface subnet.because CSC needs automatic updates from internet.and you can able to manage CSC from remote itself.
    for EX
    your outside ip is 10.0.0.1/24,make CSC IP As 10.0.0.2/24,Gateway 10.0.0.1
    Hopes this helps
    regs
    S.Mohana sundaram

  • ASA 5520 High Availability

    I have two ASA 5520s.  One has an IDS card and one doesn't. This makes the high availability wizard fail.  Can I manually setup the high availability.  I don't really need two ASA-SSM-20s.  I just want to have one ASA in Standby mode.  Is this possible.  Anybody have a configuration similar to this?
    Thanks,
    Alex Pfeil                  

    Hi,
    Let me first say that I have not configure a Failover pair where the units dont have matching hardware. So I kind of wonder even if the ASA accepts the configurations, will the failover act normally.
    Usually if I configure basic configurations for some ASA Failover pair I first configure all the basic configurations on the ASA and make sure that each interface on the ASA has the "ip address x.x.x.1 255.255.255.0 standby x.x.x.2" configuration under the interfaces
    I then configure the existing ASA with a basic Failover configuration such as
    failover
    failover replication http
    failover lan unit primary
    failover lan interface failover Management0/0
    failover key
    failover link failover Management0/0
    failover interface ip failover 255.255.255.0 standby
    I then prepare a blank ASA and finally configure its Failover too
    failover
    failover replication http
    failover lan unit secondary
    failover lan interface failover Management0/0
    failover key
    failover link failover Management0/0
    failover interface ip failover 255.255.255.0 standby
    I will then attach the Secondary unit to the network and finally attach the Failover link between the ASAs and let the Primary unit replicate all the configurations to the Secondary unit.
    Naturally this is something that would probably be best done during a separate scheduled maintanance break along with configuration backups etc just to be on the safe side.
    - Jouni

  • Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

    Recently i have installed ASA 5520 firewall, Below is the detail for my network
    ASA 5520 inside ip: 10.12.10.2/24
    Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
    Cisco Call Manager 3825 IP: 10.12.110.2/24
    The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
    the Default Gateway for Data user is 10.12.10.2/24 and
    for the voice users is 10.12.110.2/24
    now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.

    Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
    ASA Version 8.2(1)
    name x.x.x.x Mobily
    interface GigabitEthernet0/0
     nameif inside
     security-level 99
     ip address 10.12.10.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.252
    object-group service DM_INLINE_SERVICE_1
     service-object tcp-udp
     service-object ip
     service-object icmp
     service-object udp
     service-object tcp eq ftp
     service-object tcp eq www
     service-object tcp eq https
     service-object tcp eq ssh
     service-object tcp eq telnet
    access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
    access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
    ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    asdm history enable
    arp timeout 14400
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 Inside-Network 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 Mobily 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Mgmt-Network 255.255.255.0 mgmt
    http Inside-Network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet Inside-Network 255.255.255.0 inside
    telnet timeout 5
    ssh Inside-Network 255.255.255.255 inside
    <--- More --->              ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy RA_VPN internal
    group-policy RA_VPN attributes
     dns-server value 86.51.34.17 8.8.8.8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RA_VPN_splitTunnelAcl
    username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
    tunnel-group RA_VPN type remote-access
    tunnel-group RA_VPN general-attributes
     address-pool VPN-Users
     default-group-policy RA_VPN
    tunnel-group RA_VPN ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
    : end

  • Cisco ASA 5520 traffic between interfaces

    Hello,
    I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
    ciscoasa# ping esx_management 192.168.10.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ciscoasa# ping home_network 192.168.10.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Thank you in advance.

    Hi,
    Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
    I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
    packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
    I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
    I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
    Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
    Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
    Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
    Static Identity NAT
    static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
    static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
    static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
    OR
    NAT0
    access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
    nat (home_network) 0 access-list HOMENETWORK-NAT0
    Hope this helps
    - Jouni

  • Inter VLAN Routing with ASA 5520 and Cat 2960

    Hi there,
    I am a complete novice at networking, but I was tasked to have an ASA 5520 do inter VLAN routing (since my shop doesn't have a layer 3 router).
    As a basic setup, I am trying to have three workstations on three different VLANs communicate with each other.  The attached screenshot shows the topology.
    I am unable to ping from a PC to the ASA...therefore I can't ping to other VLANs.  Any assistance would be greatly appreciated.
    ROUTER CONFIG:
    ciscoasa#
    ciscoasa# show run
    : Saved
    ASA Version 8.3(1)
    hostname ciscoasa
    domain-name null
    enable password ###### encrypted
    passwd ###### encrypted
    names
    dns-guard
    interface GigabitEthernet0/0
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1
    no nameif
    security-level 100
    ip address 10.10.1.1 255.255.255.0
    interface GigabitEthernet0/1.10
    vlan 10
    nameif vlan10
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface GigabitEthernet0/1.20
    vlan 20
    nameif vlan20
    security-level 100
    ip address 10.10.20.1 255.255.255.0
    interface GigabitEthernet0/1.30
    vlan 30
    nameif vlan30
    security-level 100
    ip address 10.10.30.1 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name null
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list global_access extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu vlan10 1500
    mtu vlan20 1500
    mtu vlan30 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    access-group global_access global
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.5 inside
    dhcpd enable inside
    dhcpd address 10.10.10.101-10.10.10.253 vlan10
    dhcpd enable vlan10
    dhcpd address 10.10.20.101-10.10.20.253 vlan20
    dhcpd enable vlan20
    dhcpd address 10.10.30.101-10.10.30.253 vlan30
    dhcpd enable vlan30
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DD
    CEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4ad1bba72f1f51b2a47e8cacb9d3606a
    : end
    SWITCH CONFIG
    Switch#show run
    Building configuration...
    Current configuration : 2543 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Switch
    boot-start-marker
    boot-end-marker
    no aaa new-model
    system mtu routing 1500
    ip subnet-zero
    spanning-tree mode pvst
    spanning-tree extend system-id
    no spanning-tree vlan 1
    vlan internal allocation policy ascending
    interface GigabitEthernet0/1
    description Port Configured As Trunk
    switchport trunk allowed vlan 1,10,20,30,1002-1005
    switchport mode trunk
    interface GigabitEthernet0/2
    switchport access vlan 10
    switchport mode access
    interface GigabitEthernet0/3
    switchport access vlan 20
    switchport mode access
    interface GigabitEthernet0/4
    switchport access vlan 30
    switchport mode access
    interface GigabitEthernet0/5
    interface GigabitEthernet0/6
    interface GigabitEthernet0/7
    interface GigabitEthernet0/8
    interface GigabitEthernet0/9
    interface GigabitEthernet0/10
    interface GigabitEthernet0/11
    interface GigabitEthernet0/12
    interface GigabitEthernet0/13
    interface GigabitEthernet0/14
    interface GigabitEthernet0/15
    interface GigabitEthernet0/16
    interface GigabitEthernet0/17
    interface GigabitEthernet0/18
    interface GigabitEthernet0/19
    interface GigabitEthernet0/20
    interface GigabitEthernet0/21
    interface GigabitEthernet0/22
    interface GigabitEthernet0/23
    interface GigabitEthernet0/24
    interface GigabitEthernet0/25
    interface GigabitEthernet0/26
    interface GigabitEthernet0/27
    interface GigabitEthernet0/28
    interface GigabitEthernet0/29
    interface GigabitEthernet0/30
    interface GigabitEthernet0/31
    interface GigabitEthernet0/32
    interface GigabitEthernet0/33
    interface GigabitEthernet0/34
    interface GigabitEthernet0/35
    interface GigabitEthernet0/36
    interface GigabitEthernet0/37
    interface GigabitEthernet0/38
    interface GigabitEthernet0/39
    interface GigabitEthernet0/40
    interface GigabitEthernet0/41
    interface GigabitEthernet0/42
    interface GigabitEthernet0/43
    interface GigabitEthernet0/44
    interface GigabitEthernet0/45
    interface GigabitEthernet0/46
    interface GigabitEthernet0/47
    interface GigabitEthernet0/48
    interface Vlan1
    ip address 10.10.1.2 255.255.255.0
    no ip route-cache
    interface Vlan10
    no ip address
    no ip route-cache
    interface Vlan20
    no ip address
    no ip route-cache
    interface Vlan30
    no ip address
    no ip route-cache
    ip default-gateway 10.10.1.1
    ip http server
    ip http secure-server
    control-plane
    line con 0
    line vty 5 15
    end

    ciscoasa# capture cap10 interface vlan10
    ciscoasa# capture cap20 interface vlan20
    ciscoasa# show cap cap10
    97 packets captured
       1: 17:32:32.541262 802.1Q vlan#10 P0 10.10.10.101.2461 > 10.10.10.1.8905:  ud
    p 96
       2: 17:32:36.741294 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
       3: 17:32:36.741523 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
       4: 17:32:37.539217 802.1Q vlan#10 P0 10.10.10.101.2462 > 10.10.10.1.8905:  ud
    p 98
       5: 17:32:39.104914 802.1Q vlan#10 P0 10.10.10.101.2463 > 10.12.5.64.8906:  ud
    p 95
       6: 17:32:41.738914 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
       7: 17:32:41.739143 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
       8: 17:32:42.544023 802.1Q vlan#10 P0 10.10.10.101.2464 > 10.10.10.1.8905:  ud
    p 93
       9: 17:32:46.747352 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      10: 17:32:46.747580 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      11: 17:32:47.546633 802.1Q vlan#10 P0 10.10.10.101.2465 > 10.10.10.1.8905:  ud
    p 98
      12: 17:32:51.739921 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      13: 17:32:51.740150 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      14: 17:32:52.544100 802.1Q vlan#10 P0 10.10.10.101.2466 > 10.10.10.1.8905:  ud
    p 98
      15: 17:32:56.741859 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      16: 17:32:56.742088 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      17: 17:32:57.547396 802.1Q vlan#10 P0 10.10.10.101.2467 > 10.10.10.1.8905:  ud
    p 98
      18: 17:33:01.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      19: 17:33:01.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      20: 17:33:02.547609 802.1Q vlan#10 P0 10.10.10.101.2468 > 10.10.10.1.8905:  ud
    p 97
      21: 17:33:06.742774 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      22: 17:33:06.743018 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      23: 17:33:07.543337 802.1Q vlan#10 P0 10.10.10.101.2469 > 10.10.10.1.8905:  ud
    p 93
      24: 17:33:10.375514 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
    p 50
      25: 17:33:11.114679 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
    p 50
      26: 17:33:11.742728 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      27: 17:33:11.742957 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      28: 17:33:11.864731 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
    p 50
      29: 17:33:12.546266 802.1Q vlan#10 P0 10.10.10.101.2470 > 10.10.10.1.8905:  ud
    p 98
      30: 17:33:16.746497 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      31: 17:33:16.746726 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      32: 17:33:17.548403 802.1Q vlan#10 P0 10.10.10.101.2471 > 10.10.10.1.8905:  ud
    p 97
      33: 17:33:21.744880 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      34: 17:33:21.745109 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      35: 17:33:22.545351 802.1Q vlan#10 P0 10.10.10.101.2472 > 10.10.10.1.8905:  ud
    p 95
      36: 17:33:23.785558 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
    p 50
      37: 17:33:24.522464 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
    p 50
      38: 17:33:25.272568 802.1Q vlan#10 P0 10.10.10.101.137 > 10.10.10.255.137:  ud
    p 50
      39: 17:33:26.744926 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      40: 17:33:26.745154 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      41: 17:33:27.548708 802.1Q vlan#10 P0 10.10.10.101.2473 > 10.10.10.1.8905:  ud
    p 96
      42: 17:33:31.749625 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      43: 17:33:31.749854 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      44: 17:33:32.550096 802.1Q vlan#10 P0 10.10.10.101.2474 > 10.10.10.1.8905:  ud
    p 97
      45: 17:33:36.748343 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      46: 17:33:36.748572 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      47: 17:33:37.546251 802.1Q vlan#10 P0 10.10.10.101.2475 > 10.10.10.1.8905:  ud
    p 95
      48: 17:33:41.745566 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      49: 17:33:41.745795 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      50: 17:33:42.547975 802.1Q vlan#10 P0 10.10.10.101.2476 > 10.10.10.1.8905:  ud
    p 97
      51: 17:33:46.747855 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      52: 17:33:46.748084 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      53: 17:33:47.548403 802.1Q vlan#10 P0 10.10.10.101.2477 > 10.10.10.1.8905:  ud
    p 94
      54: 17:33:51.747718 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      55: 17:33:51.747931 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      56: 17:33:52.547670 802.1Q vlan#10 P0 10.10.10.101.2478 > 10.10.10.1.8905:  ud
    p 97
      57: 17:33:54.134239 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      58: 17:33:56.750678 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      59: 17:33:56.750891 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      60: 17:33:57.563035 802.1Q vlan#10 P0 10.10.10.101.2479 > 10.10.10.1.8905:  ud
    p 97
      61: 17:33:59.245272 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      62: 17:34:01.752188 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      63: 17:34:01.752402 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      64: 17:34:01.995737 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
    dp 49
      65: 17:34:01.995813 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
    dp 34
      66: 17:34:01.995950 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
    dp 49
      67: 17:34:01.996011 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
    dp 34
      68: 17:34:01.996118 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
    udp 49
      69: 17:34:01.996179 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
    udp 34
      70: 17:34:02.551836 802.1Q vlan#10 P0 10.10.10.101.2480 > 10.10.10.1.8905:  ud
    p 98
      71: 17:34:03.011306 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
    dp 49
      72: 17:34:03.011367 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
    dp 34
      73: 17:34:03.011443 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
    dp 49
      74: 17:34:03.011489 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
    dp 34
      75: 17:34:03.011550 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
    udp 49
      76: 17:34:03.011596 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
    udp 34
      77: 17:34:04.027037 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
    dp 49
      78: 17:34:04.027082 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
    dp 34
      79: 17:34:04.027174 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
    dp 49
      80: 17:34:04.027250 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
    dp 34
      81: 17:34:04.027311 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
    udp 49
      82: 17:34:04.027357 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
    udp 34
      83: 17:34:04.745811 802.1Q vlan#10 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      84: 17:34:06.058514 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
    dp 49
      85: 17:34:06.058605 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.23.427:  u
    dp 34
      86: 17:34:06.058651 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
    dp 49
      87: 17:34:06.058712 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.16.22.427:  u
    dp 34
      88: 17:34:06.058758 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
    udp 49
      89: 17:34:06.058819 802.1Q vlan#10 P0 10.10.10.101.2263 > 156.80.200.40.427:
    udp 34
      90: 17:34:06.750907 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      91: 17:34:06.751151 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      92: 17:34:07.552751 802.1Q vlan#10 P0 10.10.10.101.2481 > 10.10.10.1.8905:  ud
    p 96
      93: 17:34:11.752082 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      94: 17:34:11.752326 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      95: 17:34:12.553392 802.1Q vlan#10 P0 10.10.10.101.2482 > 10.10.10.1.8905:  ud
    p 96
      96: 17:34:16.755438 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
      97: 17:34:16.755682 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
      98: 17:34:17.554811 802.1Q vlan#10 P0 10.10.10.101.2483 > 10.10.10.1.8905:  ud
    p 97
      99: 17:34:21.751303 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
    100: 17:34:21.751563 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
    101: 17:34:22.552034 802.1Q vlan#10 P0 10.10.10.101.2484 > 10.10.10.1.8905:  ud
    p 95
    102: 17:34:26.753989 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
    103: 17:34:26.754218 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
    104: 17:34:27.560334 802.1Q vlan#10 P0 10.10.10.101.2485 > 10.10.10.1.8905:  ud
    p 98
    105: 17:34:31.755499 802.1Q vlan#10 P0 10.10.10.101 > 10.10.10.1: icmp: echo re
    quest
    106: 17:34:31.755728 802.1Q vlan#10 P0 10.10.10.1 > 10.10.10.101: icmp: echo re
    ply
    107: 17:34:32.563950 802.1Q vlan#10 P0 10.10.10.101.2486 > 10.10.10.1.8905:  ud
    p 95
    107 packets shown
    ciscoasa# show cap cap20
    92 packets captured
       1: 17:26:53.653378 802.1Q vlan#20 P0 10.10.20.101.1187 > 216.49.94.13.80: S 8
    20343450:820343450(0) win 65535
       2: 17:27:12.019133 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
       3: 17:27:17.214481 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
       4: 17:27:55.593688 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
    499891746:1499891746(0) win 65535
       5: 17:27:58.555284 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
    499891746:1499891746(0) win 65535
       6: 17:28:04.564790 802.1Q vlan#20 P0 10.10.20.101.1188 > 216.49.94.13.80: S 1
    499891746:1499891746(0) win 65535
       7: 17:29:06.504856 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101
       8: 17:29:06.504917 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
    6:bb
       9: 17:29:06.505222 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
    7080594:47080594(0) win 65535
      10: 17:29:09.467032 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
    7080594:47080594(0) win 65535
      11: 17:29:15.476537 802.1Q vlan#20 P0 10.10.20.101.1189 > 216.49.94.13.80: S 4
    7080594:47080594(0) win 65535
      12: 17:30:17.417245 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
    445997597:1445997597(0) win 65535
      13: 17:30:18.156043 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      14: 17:30:20.378688 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
    445997597:1445997597(0) win 65535
      15: 17:30:23.220356 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      16: 17:30:26.388102 802.1Q vlan#20 P0 10.10.20.101.1190 > 216.49.94.13.80: S 1
    445997597:1445997597(0) win 65535
      17: 17:30:28.721047 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      18: 17:30:34.222507 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      19: 17:33:43.156928 802.1Q vlan#20 P0 arp who-has 10.10.20.101 tell 10.10.20.1
    01
      20: 17:33:44.187002 802.1Q vlan#20 P0 arp who-has 10.10.20.1 tell 10.10.20.101
      21: 17:33:44.187047 802.1Q vlan#20 P0 arp reply 10.10.20.1 is-at 54:75:d0:ba:4
    6:bb
      22: 17:33:44.187261 802.1Q vlan#20 P0 10.10.20.101 > 10.10.20.1: icmp: echo re
    quest
      23: 17:33:44.187520 802.1Q vlan#20 P0 10.10.20.1 > 10.10.20.101: icmp: echo re
    ply
      24: 17:33:44.239016 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      25: 17:33:44.327360 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
    udp 34
      26: 17:33:44.989740 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      27: 17:33:45.150611 802.1Q vlan#20 P0 10.10.20.101.6646 > 10.10.20.255.6646:
    udp 236
      28: 17:33:45.331312 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
    udp 34
      29: 17:33:45.740943 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      30: 17:33:46.331892 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
    udp 34
      31: 17:33:46.492131 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      32: 17:33:47.243502 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      33: 17:33:47.994501 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      34: 17:33:48.335050 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
    udp 34
      35: 17:33:48.335141 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
    udp 34
      36: 17:33:48.745658 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      37: 17:33:49.496861 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      38: 17:33:50.248812 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      39: 17:33:50.249300 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      40: 17:33:50.999170 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      41: 17:33:50.999246 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      42: 17:33:51.750342 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      43: 17:33:51.750418 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      44: 17:33:52.341336 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.26.53:
    udp 34
      45: 17:33:52.341474 802.1Q vlan#20 P0 10.10.20.101.53835 > 208.231.55.27.53:
    udp 34
      46: 17:33:52.501576 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      47: 17:33:52.501652 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      48: 17:33:53.254183 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 174
      49: 17:33:53.254320 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 204
      50: 17:33:54.134361 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      51: 17:33:54.755118 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 174
      52: 17:33:54.823535 802.1Q vlan#20 P0 10.120.2.198.1261 > 161.69.12.13.443: R
    250934743:250934743(0) ack 2427374744 win 0
      53: 17:33:54.823901 802.1Q vlan#20 P0 10.120.2.198.1262 > 161.69.12.13.443: R
    3313764765:3313764765(0) ack 1397588942 win 0
      54: 17:33:54.824618 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
    2860571026:2860571026(0) win 65535
      55: 17:33:56.257448 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 174
      56: 17:33:57.759833 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 174
      57: 17:33:57.779729 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
    2860571026:2860571026(0) win 65535
      58: 17:33:59.245394 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      59: 17:33:59.262178 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 186
      60: 17:34:00.263780 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 186
      61: 17:34:01.265382 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 186
      62: 17:34:02.266908 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 186
      63: 17:34:03.268540 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      64: 17:34:03.789189 802.1Q vlan#20 P0 10.10.20.101.1269 > 161.69.12.13.443: S
    2860571026:2860571026(0) win 65535
      65: 17:34:04.019591 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      66: 17:34:04.745933 802.1Q vlan#20 P0 10.10.10.101 > 10.10.20.101: icmp: echo
    request
      67: 17:34:04.770757 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      68: 17:34:05.521991 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      69: 17:34:06.273209 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      70: 17:34:07.024367 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      71: 17:34:07.775518 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      72: 17:34:08.526706 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 68
      73: 17:34:09.277939 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 174
      74: 17:34:09.278061 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 174
      75: 17:34:09.278702 802.1Q vlan#20 P0 10.10.20.101.138 > 10.10.20.255.138:  ud
    p 204
      76: 17:34:15.810489 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
    udp 31
      77: 17:34:16.809726 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
    udp 31
      78: 17:34:17.811222 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
    udp 31
      79: 17:34:19.814349 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
    udp 31
      80: 17:34:19.814380 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
    udp 31
      81: 17:34:23.820682 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.26.53:
    udp 31
      82: 17:34:23.820788 802.1Q vlan#20 P0 10.10.20.101.49796 > 208.231.55.27.53:
    udp 31
      83: 17:34:30.822924 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 50
      84: 17:34:31.572892 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 50
      85: 17:34:32.324079 802.1Q vlan#20 P0 10.10.20.101.137 > 10.10.20.255.137:  ud
    p 50
      86: 17:34:33.083079 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
    udp 44
      87: 17:34:34.077007 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
    udp 44
      88: 17:34:35.078639 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
    udp 44
      89: 17:34:37.081584 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
    udp 44
      90: 17:34:37.081706 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
    udp 44
      91: 17:34:41.087809 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.26.53:
    udp 44
      92: 17:34:41.087840 802.1Q vlan#20 P0 10.10.20.101.61089 > 208.231.55.27.53:
    udp 44
    92 packets shown

  • Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

    Hi,
    i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
    I have installed 50 Site-to-Site VPN tunnels, and they work fine.
    but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
    it happens when there is no TRAFIC on, i suspect.
    in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
    this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
    in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
    i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
    Any idea?
    Thanks,
    Daniel

    What is the lifetime value configured for in your crypto policies?
    For example:
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400

Maybe you are looking for

  • IPhone 4 and iPhoto 9 import issue

    I just bought an iPhone 4 to replace my iPhone 3GS a few days ago. I finally had a chance to try its camera this weekend. Much to my surprise, all the photos I imported into iPhoto 9 on my MacBook Pro lost their XIF and geotag data once they landed i

  • Flash Player 11 temporarily hangs IE and Chrome

    I work for an IT consulting company and I've got an unusual situation that I'm trying to help a client with.  My client has had slow internet problems for several weeks.  She is the only one on the network having the issue.  I traced the issue back t

  • Iphoto automator workflow

    Hi, I'm trying to write a workflow that captures photos taken from a certain date on and and making a PDF contact sheet and finally print it. I managed to do all this, but what I would like and cant make happend, is to have also the description (or n

  • Having trouble changing master password as i have forgotten it and can not get it to reset please help

    I have tried to remember what the first pass word was and can not get it done. i can not send out emails on both of my email accounts [email protected] or [email protected] as both request password. when i have tried to reset master password it will

  • Issue using Flash IDE with Mac OS and Windows Web Service using NTLM authentication?

    I have an existing application that I developed on a Windows machine using CS5.  It uses a local intranet web service written in .NET using NTLM authentication.  The web service does multiple things such as read data from an SQL database, provide the