Can't ping ASA 5510 inside interface
Hello, everyone,
I ran into a very strange ICMP ping issue that I cannot seem to understand; I hope someone can provide a troubleshooting tip on this. The network has been working fine other than the issue listed below: L2L VPN works fine and all three data centers can access each other via L2L VPN.
I have three ASA5510:
asa10
Location: datacenter10
Inside IP: 10.10.10.254
L2LVPN: asa10TOasa20, asa10TOasa30
asa20
Location: datacenter20
Inside IP: 10.20.20.254
L2LVPN: asa10TOasa20, asa10TOasa30
asa30
Location: datacenter30
Inside IP: 10.30.30.254
L2LVPN: asa10TOasa20, asa10TOasa30
Other than the global IP addresses and subnet IP addresses, the running configs are pretty much the same.
Problems:
From network 10.10.10.0, can ping 10.10.10.254, 10.20.20.254
Can't ping 10.30.30.254
From network 10.20.20.0, can ping 10.10.10.254, 10.20.20.254
Can't ping 10.30.30.254
From network 10.30.30.0, can ping 10.20.20.254, 10.30.30.254
Can't ping 10.10.10.254
Please help by providing your insights or troubleshooting tips. My customer would not allow me to post configs.
Thanks.
Hi Bin,
I spent hours trying to resolve it the first time...
In my case the issue was with dynamic NAT. When you use an object definition for PAT, please use a range (excluding the IP of the firewall) as opposed to a subnet.
Let me know if that helps.
Kind Regards,
Paul Preston
Proxar IT Ltd. Registered in England and Wales: 6744401- VAT: 942985479
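Paul's point, as an added example (not code from the thread or from Cisco): a small Python lint that reads an ASA configuration, finds every network object that carries an object NAT `dynamic` rule, and reports when the object's address space includes one of the firewall's own interface addresses. It also rewrites a subnet as `range` statements that skip a given address, which is the shape Paul suggests. The configuration fragment is constructed for the example in ASA 8.3+ object NAT syntax; all names and addresses in it are assumptions, not the poster's configuration.

```python
"""Lint ASA network objects used for dynamic NAT/PAT for the situation Paul
describes above: the object's address space swallows the firewall's own
interface address. Added example, not code from the thread; the config
fragment is constructed (ASA 8.3+ object NAT syntax) and every name and
address in it is an assumption, not the poster's configuration."""
import ipaddress

SAMPLE_CONFIG = '''\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
object network INSIDE_SUBNET
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network INSIDE_RANGE
 range 10.10.10.1 10.10.10.253
 nat (inside,outside) dynamic interface
object network FW_INSIDE_IP
 host 10.10.10.254
'''


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface carrying nameif and ip address."""
    interfaces, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("interface ", "object ")):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addr, mask = line.split()[2:4]
            interfaces[nameif] = ipaddress.ip_interface(f"{addr}/{mask}")
    return interfaces


def parse_objects(config):
    """Map object name -> {"ranges": [(first_int, last_int)], "dynamic_nat": bool}.
    subnet, range and host entries are all flattened to integer address ranges."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = {"ranges": [], "dynamic_nat": False}
        elif line.startswith(("interface ", "object-group ", "access-list ")):
            current = None
        elif current is None:
            continue
        elif line.startswith("subnet "):
            addr, mask = line.split()[1:3]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            objects[current]["ranges"].append((int(net[0]), int(net[-1])))
        elif line.startswith("range "):
            lo, hi = line.split()[1:3]
            objects[current]["ranges"].append(
                (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))))
        elif line.startswith("host "):
            a = int(ipaddress.ip_address(line.split()[1]))
            objects[current]["ranges"].append((a, a))
        elif line.startswith("nat ") and " dynamic " in line:
            objects[current]["dynamic_nat"] = True
    return objects


def find_interface_addresses_in_nat_objects(config):
    """Return [(object, nameif, address)] for each dynamic-NAT object that
    contains one of the firewall's own interface addresses."""
    interfaces = parse_interfaces(config)
    hits = []
    for name, obj in parse_objects(config).items():
        if not obj["dynamic_nat"]:
            continue
        for nameif, iface in interfaces.items():
            a = int(iface.ip)
            if any(lo <= a <= hi for lo, hi in obj["ranges"]):
                hits.append((name, nameif, str(iface.ip)))
    return hits


def range_excluding(network, exclude_ip):
    """Express a subnet as 'range' statements that leave out exclude_ip
    (and the network and broadcast addresses)."""
    net = ipaddress.ip_network(network, strict=False)
    x = ipaddress.ip_address(exclude_ip)
    lo, hi = net[1], net[-2]
    pieces = []
    if x > lo:
        pieces.append((lo, min(hi, x - 1)))
    if x < hi:
        pieces.append((max(lo, x + 1), hi))
    return [f"range {a} {b}" for a, b in pieces if a <= b]


if __name__ == "__main__":
    for name, nameif, addr in find_interface_addresses_in_nat_objects(SAMPLE_CONFIG):
        print(f"{name}: contains {nameif} interface address {addr}")
    print(range_excluding("10.10.10.0/24", "10.10.10.254"))
```

On the constructed config the lint reports only INSIDE_SUBNET: INSIDE_RANGE already stops at .253, and FW_INSIDE_IP contains the interface address but has no dynamic NAT rule, so it is not flagged. Run it against `show running-config` output saved to a file before touching NAT on a production box.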
Similar Messages
-
I have configured a redundant interface on an ASA 5510
interface Redundant1
description *** INSIDES NETWORK ***
member-interface Ethernet0/1 (This is a 1000Mbps Port)
member-interface Ethernet0/2 (This one is 100Mbps)
no nameif
no security-level
no ip address
interface Redundant1.10
vlan 10
nameif inside
security-level 100
ip address 192.168.1.168 255.255.255.0
redundant-interface redundant 1 active-member ethernet 0/1
Interface Ethernet0/1 ---- Connected to --- Primary Core Switch Interface Gi0/30
Interface Ethernet0/1 ---- Connected to --- Secondary Core Switch Interface Gi0/30
Then I issued the following command and it's OK!
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: *** INSIDES NETWORK ***
Available but not configured via nameif
MAC address 7081.0570.e37d, MTU not set
IP address unassigned
8200483 packets input, 2109574889 bytes, 0 no buffer
Received 99254 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
11878 L2 decode drops
10309739 packets output, 9085407428 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 7 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/249)
output queue (blocks free curr/low): hardware (510/244)
Topology Information:
This interface, a , is connected
with Ethernet0/0, a .
Control Point Interface States:
Interface number is 8
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/1(Active), Ethernet0/2
Last switchover at 13:54:02 IST Aug 15 2012
Then I shut down the primary core switch Gi0/30 interface and issued the above command again
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
Description: *** INSIDES NETWORK ***
Available but not configured via nameif
MAC address 7081.0570.e37d, MTU not set
IP address unassigned
8176236 packets input, 2102449428 bytes, 0 no buffer
Received 98539 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
11682 L2 decode drops
10278568 packets output, 9060503327 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 4 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/255)
Topology Information:
This interface, a , is connected
with Ethernet0/0, a .
Control Point Interface States:
Interface number is 8
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/2(Active), Ethernet0/1
Last switchover at 13:45:10 IST Aug 15 2012
It transferred correctly. Then I did a 'no shut' on the primary core switch Gi0/30 interface to bring it back to normal again, BUT the redundant interface did not revert back.
I issued this command again and BW remained 100Mbps
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
Description: *** INSIDES NETWORK ***
Available but not configured via nameif
MAC address 7081.0570.e37d, MTU not set
IP address unassigned
8176236 packets input, 2102449428 bytes, 0 no buffer
Received 98539 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
11682 L2 decode drops
10278568 packets output, 9060503327 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 4 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/255)
Topology Information:
This interface, a , is connected
with Ethernet0/0, a .
Control Point Interface States:
Interface number is 8
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/2(Active), Ethernet0/1
Last switchover at 13:45:10 IST Aug 15 2012
I manually shut down and 'no shut' the secondary core switch interface Gi0/30 and it changed correctly to 1000Mbps.
Please, can someone tell me why it does not automatically transfer the active interface and speed???
I remember that being there by design. Failback or preempt was not supported in the case of redundant interfaces and is actually not a good idea in terms of stability. You don't want the interface failover to happen again when the active interface comes back up. In order to force the 1000Mbps interface to be active, you can do so manually with the command 'redundant-interface 1 active
Hope that Helps
Zubair -
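Since the ASA will not preempt on its own, the state in the post (slow member still active after the fast one came back) is something a monitor has to catch. As an added example, not part of Zubair's reply or the original post: a Python parser for `show interface redundant N detail` output plus a check that flags a non-preferred active member or an unexpected bandwidth. The two sample outputs are trimmed from the post; which member is "preferred" and the expected bandwidth are inputs the operator supplies, and are assumptions here.

```python
"""Parse 'show interface redundant N detail' and flag the state seen in the post
above: the pair failed over to the slower member and never came back on its
own. Added example, not code from the post or from Cisco; sample outputs are
trimmed from the post, preferred member and expected bandwidth are inputs the
operator supplies (assumptions for this example)."""
import re

SAMPLE_NORMAL = '''\
Interface Redundant1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
  Description: *** INSIDES NETWORK ***
  Redundancy Information:
        Member Ethernet0/1(Active), Ethernet0/2
        Last switchover at 13:54:02 IST Aug 15 2012
'''

SAMPLE_STUCK_ON_SLOW_MEMBER = '''\
Interface Redundant1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
  Description: *** INSIDES NETWORK ***
  Redundancy Information:
        Member Ethernet0/2(Active), Ethernet0/1
        Last switchover at 13:45:10 IST Aug 15 2012
'''

HEADER_RE = re.compile(r'^\s*Interface (\S+) "[^"]*", is (\w+), line protocol is (\w+)', re.M)
BW_RE = re.compile(r"BW (\d+) Mbps")
SPEED_RE = re.compile(r"Auto-Duplex\((\w+)-duplex\), Auto-Speed\((\d+) Mbps\)")
MEMBERS_RE = re.compile(r"Member (\S+)\(Active\),\s*(\S+)")
SWITCHOVER_RE = re.compile(r"Last switchover at (.+?)\s*$", re.M)


def parse_redundant_detail(text):
    """Return a dict of the fields a monitor cares about, or None if the
    header line is missing (wrong command, truncated capture)."""
    head = HEADER_RE.search(text)
    if not head:
        return None
    bw = BW_RE.search(text)
    speed = SPEED_RE.search(text)
    members = MEMBERS_RE.search(text)
    last = SWITCHOVER_RE.search(text)
    return {
        "name": head.group(1),
        "admin_up": head.group(2) == "up",
        "protocol_up": head.group(3) == "up",
        "bw_mbps": int(bw.group(1)) if bw else None,
        "duplex": speed.group(1) if speed else None,
        "speed_mbps": int(speed.group(2)) if speed else None,
        "active": members.group(1) if members else None,
        "standby": members.group(2) if members else None,
        "last_switchover": last.group(1) if last else None,
    }


def check_redundant(info, preferred_member, expected_bw_mbps):
    """Findings for a monitoring check; an empty list means 'as intended'.
    There is no automatic preempt, so a non-preferred active member stays
    active until someone runs the active-member command by hand."""
    findings = []
    if not (info["admin_up"] and info["protocol_up"]):
        findings.append(f"{info['name']} is not up/up")
    if info["active"] != preferred_member:
        findings.append(
            f"active member is {info['active']}, preferred is {preferred_member}; "
            f"switch back manually (last switchover {info['last_switchover']})")
    if info["bw_mbps"] != expected_bw_mbps:
        findings.append(f"running at {info['bw_mbps']} Mbps, expected {expected_bw_mbps}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_NORMAL, SAMPLE_STUCK_ON_SLOW_MEMBER):
        info = parse_redundant_detail(sample)
        print(info["active"], check_redundant(info, "Ethernet0/1", 1000))
```

The second sample yields two findings (wrong active member, 100 Mbps instead of 1000), which is exactly the condition the post describes after the primary switch port was restored; feeding the command output from a scheduled SSH session into `parse_redundant_detail` turns it into an alert rather than a surprise.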
ASA 5510: Flapping interface
Hi all,
Yesterday one of the interfaces on my firewall started flapping, causing havoc to live services. It has now resolved itself and hasn't done it again, but my question is: is this the start of something, and what can I do to pre-empt it happening again?
The syslog output is:
2012-07-05 14:41:15 Local4.Alert 1.*.*.* Jul 05 2012 14:41:14: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface DMZ-DB
2012-07-05 14:41:15 Local4.Alert 1.*.*.* Jul 05 2012 14:41:14: %ASA-1-105008: (Primary) Testing Interface DMZ-DB
2012-07-05 14:41:16 Local4.Alert 1.*.*.* Jul 05 2012 14:41:15: %ASA-1-105009: (Primary) Testing on interface DMZ-DB Passed
2012-07-05 14:41:16 Local4.Alert 1.*.*.* Jul 05 2012 14:41:15: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface DMZ-DB
2012-07-05 14:41:16 Local4.Alert 1.*.*.* Jul 05 2012 14:41:15: %ASA-1-105008: (Secondary) Testing Interface DMZ-DB
2012-07-05 14:41:16 Local4.Alert 1.*.*.* Jul 05 2012 14:41:15: %ASA-1-105009: (Secondary) Testing on interface DMZ-DB Passed
This carries on until:
2012-07-05 15:15:26 Local4.Alert 1.*.*.* Jul 05 2012 15:15:25: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface DMZ-DB
2012-07-05 15:15:26 Local4.Alert 1.*.*.* Jul 05 2012 15:15:25: %ASA-1-105008: (Secondary) Testing Interface DMZ-DB
2012-07-05 15:15:26 Local4.Alert 1.*.*.* Jul 05 2012 15:15:26: %ASA-1-105009: (Secondary) Testing on interface DMZ-DB Passed
2012-07-05 15:15:45 Local4.Alert 1.*.*.* Jul 05 2012 15:15:44: %ASA-1-105005: (Primary) Lost Failover communications with mate on interface DMZ-DB
2012-07-05 15:15:45 Local4.Alert 1.*.*.* Jul 05 2012 15:15:44: %ASA-1-105008: (Primary) Testing Interface DMZ-DB
2012-07-05 15:15:49 Local4.Alert 1.*.*.* Jul 05 2012 15:15:48: %ASA-1-105009: (Primary) Testing on interface DMZ-DB Failed
15:15:55 Local4.Alert 1.*.*.* Jul 05 2012 15:15:54: %ASA-1-104004: (Primary) Switching to OK.
2012-07-05 15:16:26 Local4.Alert 1.*.*.* Jul 05 2012 15:16:25: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface DMZ-DB
2012-07-05 15:16:26 Local4.Alert 1.*.*.* Jul 05 2012 15:16:25: %ASA-1-105008: (Secondary) Testing Interface DMZ-DB
2012-07-05 15:16:26 Local4.Alert 1.*.*.* Jul 05 2012 15:16:26: %ASA-1-105009: (Secondary) Testing on interface DMZ-DB Passed
2012-07-05 15:16:35 Local4.Alert 1.*.*.* Jul 05 2012 15:16:34: %ASA-1-105004: (Primary) Monitoring on interface DMZ-DB normal
And
DC-ASA(config)# sh fail state
State Last Failure Reason Date/Time
This host - Secondary
Active None
Other host - Primary
Standby Ready Ifc Failure 15:15:52 GMT/BDT Jul 5 2012
DMZ-DB: Failed
====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set
DC-ASA(config)#
Any light shed on this would be appreciated.
Regards, Damian.
Please go through
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1051759
Hope this helps you. -
Cisco ASA 5510 Backup Interface configuration
Hi Experts,
I am a newbie with Cisco firewalls, please help.
We have a BSNL leased line of 2 Mbps with a few static IPs, of which 2 IPs are configured in Firewall 1: one for the outside interface and one for publishing the DMZ server. Most of the time, due to some reason or other, the BSNL line goes down. So now I need to configure another TATA Broadband 1 Mbps dial-up line as a backup for the BSNL line so as to provide uninterrupted Internet to our users.
Please guide me through the steps.
Thanks in advance.
Anish N
Hi Anish,
Check the below mentioned link for configuration.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml -
Can't Ping or access via SNMP Inside interface of 5505
I have a remote site I'm trying to set up monitoring on and I can't get the inside interface to respond to a ping or SNMP requests. I have tried everything I can find in the forums and on the web but this location will not cooperate. I have full access to the ASA and to the inside network behind it. The IPsec VPN tunnel is working perfectly. I see the ping requests in the log on the ASA. I turned on ICMP debugging and only see the echo request, never an echo reply. Below is a partial configuration. If you need any more information, let me know.
names
name 192.168.0.0 Domain
name 1.1.1.2 MCCC_Outside
name 172.31.10.0 VLAN10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.23.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
boot system disk0:/asa847-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mtcomp.org
object network obj-192.168.23.0
subnet 192.168.23.0 255.255.255.0
object network Domain
subnet 192.168.0.0 255.255.0.0
object network 172.31.0.0
subnet 172.31.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 object Domain
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 object Domain
access-list Outside_NAT0_inbound extended permit ip object Domain 192.168.23.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.23.0 255.255.255.0 any
access-list inside_access_in extended permit ip any 192.168.23.0 255.255.255.0 inactive
no pager
logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging asdm informational
logging device-id hostname
logging host inside 192.168.x.x 17/1514
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.23.0 obj-192.168.23.0 destination static Domain Domain no-proxy-arp route-lookup
route outside MCCC_Outside 255.255.255.255 1.1.1.1 1
route outside 172.31.0.0 255.255.0.0 192.168.1.1 1
route outside VLAN10 255.255.255.0 MCCC_Outside 1
route outside Domain 255.255.0.0 192.168.1.1 1
route outside 192.168.1.0 255.255.255.0 MCCC_Outside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.81 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.23.0 255.255.255.0 inside
snmp-server host inside 172.x.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer MCCC_Outside
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map global-policy
service-policy global_policy global
prompt hostname context
Hi,
First of all, let me clarify what you are trying to do.
Where is your monitoring server?
Is it behind the inside or outside interface (please share its IP address)?
From the config it seems it can be reached via the outside interface. Then you have to do the SNMP check on the outside interface, not on the inside (you cannot do an SNMP/ping check on the inside interface with the request coming through the outside interface; it simply won't work).
From a first check of the routing table, I would suggest:
delete: route outside MCCC_Outside 255.255.255.255 1.1.1.1 1 - it doesn't make sense to route a host address when it's a directly connected network (and moreover, routing 1.1.1.2 to 1.1.1.1, when 1.1.1.1 is the vlan2 interface)
change: route outside 172.31.0.0 255.255.0.0 192.168.1.1 1; route outside Domain 255.255.0.0 192.168.1.1 1 - you should consider routing them to 1.1.1.2 (if this is your next hop address on the WAN).
route outside VLAN10 255.255.255.0 MCCC_Outside 1 - why?
I would use a default route to somewhere in the 1.1.1.0/24 range - the next hop (router).
HTH,
Pavel -
Can not access ASAs inside interface via VPN tunnels
Hi there,
I have a funny problem.
I build up a hub and spoke VPN, with RAS Client VPN access for the central location.
All tunnels and the RAS VPN access are working fine.
I use the tunnels for Voip, terminal server access and a few other services.
The only problem I have is that I cannot access the inside IP address of any of my ASAs, neither via the tunnels nor via RAS VPN access. No telnet access and no ping reaches the inside interfaces.
No problem when I connect to the interface via a host inside the network.
All telnet statements in the config end with the INSIDE keyword.
On most of the ASAs the 8.2 IOS is running; on one or two ASAs, 8.0(4).
For the RAS client access I use the Cisco 5.1 VPN client.
Does anybody have any suggestions?
Regards
Marcel
Marcel,
Simply add, on the ASAs you want to administer through the tunnels,
management-access
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
for the ASA 5505:
management-access inside
for all others, if you have the management interface Management0/0 defined, then:
management-access management
Then you may need to allow the source. For example, if the RA VPN pool network is 10.20.20.0/24, then you tell the ASA that that network can administer the ASA and point the access to inside, but it sounds like you have this part already.
telnet 10.20.20.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
Same principle for L2L VPNs.
Regards -
ASA 5510 configuration: how to configure 2 outside interfaces.
Hi
I have a Cisco ASA 5510 and from a workstation I want to create a new route to another router (outside) facing my ISP.
From the workstation I can ping the ASA E0/2 interface but I can't ping the ISP B router's inside and outside interfaces.
I based all my configuration on the existing config, which until now is working.
interface Ethernet0/0
description outside interface
nameif outside
security-level 0
ip address 122.55.71.138 255.255.255.248
interface Ethernet0/1
description inside interface
nameif inside
security-level 100
ip address 10.34.63.252 255.255.240.0
interface Ethernet0/2
description outside interface
nameif outsides
security-level 0
ip address 121.97.64.178 255.255.255.240
global (outside) 1 interface
global (outsides) 2 interface ( I created this for E0/2)
nat (inside) 0 access-list nonat
nat (inside) 1 10.34.48.11 255.255.255.255 (Working: To E0/0 to Router ISP A inside and outside interface)
nat (inside) 2 10.34.48.32 255.255.255.255 (Working: To E0/2 to Router ISP A inside interface only but outside can't ping).
route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (Working)
route outside 10.34.48.32 255.255.255.255 121.97.64.179 1 (Test For New Route)
ISP Router A working Can ping and I can access the internet
interface FastEthernet0/0
description Connection to ASA5510
ip address 122.55.71.139 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat inside
duplex auto
speed auto
interface S0/0
ip address 111.54.29.122 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip nat inside source static 122.55.71.139 111.54.29.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ISP 2
interface FastEthernet0/0 ( ASA Can ping this interface)
description Connection to ASA5510
ip address 121.97.64.179 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat inside
duplex auto
speed auto
interface E0/0 ( ASA Can 't ping this interface)
ip address 121.97.69.122 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip nat inside source static 121.97.64.179 121.97.69.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 E0/0
CABLES
ASA to ISP Router B ( Straight through Cable)
ISP Router to IDU ( Straight through Cable)
Hope you could give some tips and a solution for this kind of problem, thanks.
Hi,
You can only use a single default route on the ASA device.
Now, as per your requirement,
route outside 10.34.48.32 255.255.255.255 121.97.64.179 1 (Test For New Route)
(Why do you have this route on the ASA device?) I see this is in the inside interface subnet.
Route lookup is destination based.
Are you looking to route specific traffic out through the "outsides" interface?
If yes, this configuration would not work unless you use some workaround configuration on the ASA device.
Refer:-
https://supportforums.cisco.com/document/59986/loadbalancing-dual-isp-asa
https://supportforums.cisco.com/document/49756/asapix-load-balancing-between-two-isp-options
Thanks and Regards,
Vibhor Amrodia -
How can I hold the public IP on a specific profile on the asa 5510
Hi Guys
How can I hold the public IP on my Cisco client VPN NAT session so nobody else can use it? I have a Cisco ASA 5510
inside is 172.10.20.86
public 166.245.192.90
Do I need to call my ISP?
thanks
sorry
I would like to lock or reserve the public IP address from a NAT session on the ASA VPN.
That way a specific profile and public IP can be used all the time. I know how on the inside IP but not on the public IP.
It makes sense -
SSH does not work in inside interface in ASA
I am able to run ASDM but I can't run SSH from the inside interface. Does anyone know how I can start to debug the problem? I checked all the settings for enabling SSH; I set it up the same way as in the instructions.
aaa authentication ssh console LOCAL
ssh 192.168.0.0 255.255.255.0 inside
crypto key generate rsa modulus 1024
What am I missing here? I also have a username and password for admin.
Thanks
Here is the show ver
Result of the command: "show ver"
Cisco Adaptive Security Appliance Software Version 8.2(3)3
Device Manager Version 6.2(5)53
Compiled on Wed 25-Aug-10 21:43 by builders
System image file is "disk0:/asa823-3-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 207 days 6 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 5475.d050.7f46, irq 9
1: Ext: Ethernet0/1 : address is 5475.d050.7f47, irq 9
2: Ext: Ethernet0/2 : address is 5475.d050.7f48, irq 9
3: Ext: Ethernet0/3 : address is 5475.d050.7f49, irq 9
4: Ext: Management0/0 : address is 5475.d050.7f45, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1420L3JW
Running Activation Key: 0x8b0edb7c 0x4cee2474 0x34813190 0x90e01484 0x0d2211b2
Configuration register is 0x1
Configuration last modified by cdinh at 15:36:53.519 PDT Mon Jul 29 2013 -
ASA 5510 - how many concurrent VOIP calls can pass through?
Hi all,
I wonder how many concurrent VoIP calls a Cisco ASA 5510 can handle; any idea?
Gegham
Hi Gegham,
Basically, what the values of 50,000 and 130,000 connections indicate are lab values tested with 80% TCP and 20% UDP traffic (according to table A-2 in the doc below).
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1170941
RTP is UDP traffic, but in the case of an ASA, and considering a customer scenario, what happens is...
1 VoIP call = 1 control connection (H.323, SIP, SCCP) + 2 or 4 RTP connections
- so a call will in total easily consume 5 or more connections, depending on the control connections you have set up.
- also this number differs depending on whether the call is voice only or video.
So to simply answer your questions...
1> the number of connections that a call consumes depends on the above factors.
2> also there is no hard number on the number of calls an ASA can handle, because this depends on the controls you use, including NAT and inspections.
Thanks,
Karthik -
ASA5505 Can't pass traffic between inside (private) & outside (private)
10.15.50.0/24 <---> 10.15.50.254 (inside / ASA5505 \ outside) 10.60.15.253 <---> 10.60.15.254 <--- (cloud) ---> (eventual destination 10.15.60.0/24)
Goal:
10.15.50.0/24 traffic will communicate with 10.15.60.0/24 while block all other. Current config is any/any for troubleshooting.
Example:
10.15.50.249 pings 10.60.15.253 (inside of ASA) and fails. Running it thru ASDM Packet Tracer shows the Outside ASA interface blocking but I have any/any on that interface.
Question:
What am I doing wrong?
: Saved
ASA Version 8.2(5)
hostname SJ-HostB-ASA
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.15.50.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.60.15.253 255.255.255.252
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.60.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 30
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.15.50.243 source inside
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
asdm image disk0:/asdm-645.bin
no asdm history enable
Hi,
You can only PING / ICMP an ASA interface from behind that same interface.
So users behind "inside" can PING / ICMP the "inside" interface IP address and users behind "outside" can PING / ICMP the "outside" interface IP address. Users can't PING / ICMP the remote interface from their perspective. The only exception is when users are coming through a VPN connection and you use the "management-access" command. But this doesn't apply to your situation.
You seem to be simulating an ICMP send from behind "inside" to the "outside" interface IP address, if what you say is true.
So attempt the Packet Tracer using some remote network IP address in the 10.15.60.0/24 network.
You don't seem to have "nat-control" enabled, so all traffic should be able to pass through the ASA without translation. So NAT shouldn't be a problem.
You can also add the following configurations
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
- Jouni -
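Jouni's rule above, together with the management-access, ssh, telnet and http permit lines from Marcel's thread and the SSH thread earlier on this page, as an added example (not code from any of the posts or from Cisco): a Python check that takes an ASA configuration, a source address and the interface whose address is the target, and reports which of ping, SSH, telnet and HTTP the firewall will answer. The source must either sit behind the target interface or arrive over a VPN while `management-access` names that interface; on top of that each service needs a permit line whose source network and interface match. The ICMP handling follows ASA behaviour: `icmp permit|deny` rules are first-match per interface, and an interface with no rules answers all ICMP. The configuration fragment is constructed; its addresses and the 10.20.20.0/24 VPN pool are assumptions.

```python
"""Will the ASA answer this source on that interface? Encodes the rule from
Jouni's reply (an interface only answers hosts behind it, except VPN traffic
when 'management-access' names the interface) plus the per-service permit
lines (icmp permit / ssh / telnet / http) from the threads above. Added
example, not code from the thread or from Cisco; the config fragment,
addresses and the 10.20.20.0/24 VPN pool are assumptions."""
import ipaddress
import re

SAMPLE_CONFIG = '''\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.23.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
http server enable
http 192.168.23.0 255.255.255.0 inside
ssh 192.168.23.0 255.255.255.0 inside
ssh 10.20.20.0 255.255.255.0 inside
ssh timeout 30
telnet 192.168.23.0 255.255.255.0 inside
management-access inside
'''


def _interfaces(config):
    """nameif -> IPv4Interface, read from the nameif/security-level/ip address triplet."""
    pat = re.compile(r"nameif (\S+)\s+security-level \d+\s+ip address (\S+) (\S+)")
    return {n: ipaddress.ip_interface(f"{a}/{m}") for n, a, m in pat.findall(config)}


def _icmp_allowed(config, src, nameif):
    """'icmp permit|deny' rules are first-match per interface; with no rule on
    an interface, ICMP addressed to that interface is allowed."""
    saw_rule = False
    for m in re.finditer(r"^icmp (permit|deny) (.+?) (\S+)\s*$", config, re.M):
        action, spec, rule_if = m.groups()
        if rule_if != nameif:
            continue
        saw_rule = True
        parts = spec.split()  # 'any', 'host A.B.C.D' or 'A.B.C.D MASK', optional icmp-type
        if parts[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif parts[0] == "host":
            net = ipaddress.ip_network(f"{parts[1]}/32")
        else:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        if src in net:
            return action == "permit"
    return not saw_rule


def check_management_reachability(config, src_ip, target_nameif, via_vpn=False):
    """Return {behind_interface, management_access, ssh, telnet, http, icmp}."""
    src = ipaddress.ip_address(src_ip)
    iface = _interfaces(config)[target_nameif]
    behind = src in iface.network
    mgmt = re.search(r"^management-access (\S+)\s*$", config, re.M)
    mgmt_ok = via_vpn and mgmt is not None and mgmt.group(1) == target_nameif
    # Neither behind the interface nor VPN + management-access: the ASA never
    # answers, whatever the per-service permit lines say.
    path_ok = behind or mgmt_ok

    result = {"behind_interface": behind, "management_access": mgmt_ok}
    for svc in ("ssh", "telnet", "http"):
        permitted = any(
            m.group(3) == target_nameif
            and src in ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in re.finditer(rf"^{svc} (\S+) (\S+) (\S+)\s*$", config, re.M))
        result[svc] = path_ok and permitted
    result["icmp"] = path_ok and _icmp_allowed(config, src, target_nameif)
    return result


if __name__ == "__main__":
    for src, target, vpn in (("192.168.23.50", "inside", False),
                             ("10.20.20.5", "inside", False),
                             ("10.20.20.5", "inside", True),
                             ("192.168.23.50", "outside", False)):
        print(src, "->", target, "vpn" if vpn else "direct",
              check_management_reachability(SAMPLE_CONFIG, src, target, vpn))
```

The four scenarios in the main block reproduce the threads: a LAN host gets everything; the VPN pool address gets nothing until the packets are marked as arriving over the VPN, at which point ping and SSH work (there is an `ssh 10.20.20.0 ... inside` line) but telnet and HTTP still do not; and the LAN host asking the outside interface's address gets nothing at all, which is Jouni's point. On the box itself `packet-tracer` is the authoritative answer; this check is for reviewing configs offline.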
Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops
Having a problem with communication between an ASA 5510 and a Cisco Catalyst 3750.
Here is the Cisco switch port facing the ASA 5510 configuration:
interface FastEthernet2/0/6
description Trunk to ASA 5510
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 131,500
switchport mode trunk
switchport nonegotiate
And here is the ASA 5510 port configuration:
interface Ethernet0/3
speed 100
no nameif
no security-level
no ip address
interface Ethernet0/3.500
vlan 500
nameif outside
security-level 0
ip address X.X.X.69 255.255.255.0
There is a default route on ASA to X.X.X.1.
When I try to ping X.X.X.1 from the ASA I get:
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Also in the output of show interface eth 0/3 on the ASA i can see that the L2 Decode drop counter increases.
I have also changed the ports on the Switch and ASA but the same error stays.
Any thoughts?
I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
Maybe you should adjust the "speed 100"? In my experience, partial autoconfiguration results in duplex mis-matches, which results in dropped packets.
I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch. Alternatively, have both sides set
speed 100
duplex full
and see if things improve.
-- Jim Leinweber, WI State Lab of Hygiene -
Can't ping or get printer web page or print via hostname
Ok, this has me stumped on my iMac running Mavericks. I just added my Kyocera printer as an IP printer but used the host name instead of an IP address; sounds simple so far.
Before doing this, I change the default host name in the Kyocera printer to "Kyocera" (without quotations). Add printer found the device and came up with the correct PPD for the model number and all was good at this point. I sent a printer test page which again worked fine.
I then opened Safari and entered the printers IP address to make sure I could bring up the configuration web page for the device and this indeed works fine, at this point I retype the address in the address bar as Kyocera.local and again the page refreshed and came up fine, Yippee!! so I added it to Safari's Favourites Bar, all good!
Since then, I can still get to the devices home config page via the IP address, but it will no longer find the page via the save Kyocera.local link in the favorites bar or retyping it in the address bar.
I have tried network utility and pinging the device, IP address ping works fine but Kyocera.local says unknown host. Tried the next obvious step and that was to see if printing fails now as well and indeed it too fails as it was still configured to print to the host name as it was when I successfully printed the inbuilt printer test page. I deleted the printer and added the IP printer via the IP address not the hostname and printer now prints fine.
Does anyone know why printing via the host name and bringing up the printers config web page both worked for the first time but fails from there on in????
DNS settings were set to Auto from ISP, I also tried google's 8.8.8.8 and 8.8.4.4 and even just adding the local bob router address in as an option but nothing works, but it did initially.
I install and repair printers for a living and have come across this when installing scan to FTP on a mac and rarely if ever can I get it to work scanning to FTP via the Mac's name for example, Jims-imac.local, just won't find it with or without the .local, but change it to the Mac's IP address and scan to FTP works great. Problem is that if the customer has their Mac getting IP address via DHCP, I have to advise the customer that if scan to FTP stops working, to check that the IP address on the Mac has not changed, and if it has, then change the scan to FTP settings on the scanner to the new IP address that the Mac has now been given from the DHCP server.
Not the best way to go about it. Why can't Mac's just find devices and devices find Mac's? Windows is so straight forward, what am I missing?
Any help would be appreciated.
Regards,
Damo
Hi,
First of all let me clarify your trial.
Where is your monitoring server?
Is it behind the inside or outside interface (please share the IP address)?
From the config it seems it can be reached via the outside interface. Then you have to make the SNMP check on the outside interface, not on the inside (you cannot make an SNMP/ping check on the inside interface with the request coming in through the outside interface; it simply won't work).
From the first check of routing table, I would suggest:
delete : route outside MCCC_Outside 255.255.255.255 1.1.1.1 1 - it doesn't make sense to route a host address when it's a directly connected network (and more, routing 1.1.1.2 to 1.1.1.1, when 1.1.1.1 is the vlan2 interface)
change : route outside 172.31.0.0 255.255.0.0 192.168.1.1 1; route outside Domain 255.255.0.0 192.168.1.1 1 - you should consider routing it to 1.1.1.2 (if this is your next hop address at the WAN).
route outside VLAN10 255.255.255.0 MCCC_Outside 1 - why?
I would use default route to somewhere at 1.1.1.0/24 range - next hop (router).
HTH,
Pavel -
Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!
Hi,
I have an ASA 5510 with the configuration below. I have configured the ASA as a remote access VPN server with the Cisco VPN client; my problem now is I can connect but I can't ping.
Config
ciscoasa# sh run
: Saved
ASA Version 8.0(3)
hostname ciscoasa
enable password 5QB4svsHoIHxXpF/ encrypted
names
name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
name xxx.xxx.xxx.xxx Mail_Server
name xxx.xxx.xxx.xxx IncomingIP
name xxx.xxx.xxx.xxx SAP
name xxx.xxx.xxx.xxx WebServer
name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
name 192.168.2.2 isa_server_outside
interface Ethernet0/0
nameif outside
security-level 0
ip address IncomingIP 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.253 255.255.255.0
management-only
passwd 123
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group service TCP_8081 tcp
port-object eq 8081
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq ftp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
port-object eq 3200
port-object eq 3300
port-object eq 3600
port-object eq 3299
port-object eq 3390
port-object eq 50000
port-object eq 3396
port-object eq 3397
port-object eq 3398
port-object eq imap4
port-object eq 587
port-object eq 993
port-object eq 8000
port-object eq 8443
port-object eq telnet
port-object eq 3901
group-object TCP_8081
port-object eq 1433
port-object eq 3391
port-object eq 3399
port-object eq 8080
port-object eq 3128
port-object eq 3900
port-object eq 3902
port-object eq 7777
port-object eq 3392
port-object eq 3393
port-object eq 3394
port-object eq 3395
port-object eq 92
port-object eq 91
port-object eq 3206
port-object eq 8001
port-object eq 8181
port-object eq 7778
port-object eq 8180
port-object eq 22222
port-object eq 11001
port-object eq 11002
port-object eq 1555
port-object eq 2223
port-object eq 2224
object-group service RDP tcp
port-object eq 3389
object-group service 3901 tcp
description 3901
port-object eq 3901
object-group service 50000 tcp
description 50000
port-object eq 50000
object-group service Enable_Transparent_Tunneling_UDP udp
port-object eq 4500
access-list inside_access_in remark connection to SAP
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in remark VPN Outgoing - PPTP
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in remark VPN Outgoing - GRE
access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
access-list inside_access_in remark VPN - GRE
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark VPN Outgoing - IKE Client
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in remark Outoing Ports
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ah any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-list VPN standard permit 192.168.2.0 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 Mail_Server netmask 255.0.0.0
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
static (inside,outside) 192.168.2.0 access-list corp_vpn
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain domain.local interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
tftp-server management 192.168.1.123 /
group-policy mypolicy internal
group-policy mypolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
username vpdn password 123
username vpdn attributes
vpn-group-policy mypolicy
service-type remote-access
tunnel-group mypolicy type remote-access
tunnel-group mypolicy general-attributes
address-pool POOL
default-group-policy mypolicy
tunnel-group mypolicy ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.
Here is the output:
ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 139
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 140
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
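The packet-tracer output above has eleven phases, and the useful fact is buried at the end: the flow is allowed by the outside ACL in phase 3 and then dropped by an implicit rule in phase 11. The following is an added example, not code from the thread, that parses packet-tracer output into its phases and reports the first phase that dropped the flow together with the config it matched and the Drop-reason; SAMPLE is a constructed, shortened copy of the trace posted above.

```python
# Added example (not from the thread): parse Cisco ASA packet-tracer output and
# report which phase dropped the flow. SAMPLE is a constructed, shortened trace.
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "",
                   "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare 'Result:' opens the final summary
            cur = None
        elif cur is not None:
            if line in ("Config:", "Additional Information:"):
                section = "config" if line == "Config:" else "info"
            elif line.startswith(("Type:", "Subtype:", "Result:")):
                key, value = line.split(":", 1)
                cur[key.lower()] = value.strip()
            elif section:
                cur[section].append(line)
        elif ":" in line:  # summary lines such as 'Drop-reason: ...'
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return phases, summary


def explain(text):
    """Name the first phase that dropped the flow, its matched config and reason."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop is None:
        return "allowed through all %d phases" % len(phases)
    return "dropped in phase %d (%s: %s) - %s" % (
        drop["phase"], drop["type"], " ".join(drop["config"]) or "no config",
        summary.get("Drop-reason", "no drop reason given"))
```

On the trace in this thread, `explain` points at phase 11's implicit rule rather than the `permit ip any any` that allowed the packet in phase 3, which is the distinction the full output makes hard to see.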
Can't SSH to inside interface on ASA
Hi there
I have generated the key and can ssh to outside interface. I have allowed access on inside interface. I can telnet but not ssh. I captured packets and can see incoming only. Any ideas?
TIA
Sent from Cisco Technical Support iPhone App
Hi there,
Here it is -
asa01(config)# sh cap capin
4 packets captured
1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4 packets shown
asa01(config)#
asa01(config)# sh cap asp
0 packet captured
0 packet shown
asa01(config)#
Can you ping the Switch interface from the ASA? - Yes
Can you ping the ASA from the switch? - Yes