Can't save Cisco ASA configuration in GNS3 via write memory command
Hi all,
I'm having a problem saving the Cisco ASA configuration in GNS3 via the write memory command.
ciscoasa(config)# wr mem
Building configuration…
Cryptochecksum: c066a7ab b5b9071e bb5ee1f6 2d93be53
%Error copying system:/running-config (Not enough space on device)
Error executing command
[FAILED]
ciscoasa(config)#
Here are the details of the lab setup.
PC DETAILS:
Windows 7 Enterprise SP1 64bit
GNS3 v0.8.6 all-in-one (installer for 32-bit and 64-bit which includes Dynamips, Qemu/Pemu, Putty, VPCS, WinPCAP and Wireshark)
ASA DETAILS:
13,279,888 asa802-k8.bin.unpacked.initrd
1,095,856 asa802-k8.bin.unpacked.vmlinuz
Please advise. Thanks in advance.
http://firewallengineer.wordpress.com/2014/02/19/problem-cisco-asa-in-gns3-error-copying-systemrunning-config-not-enough-space-on-device/
instead of this:
To create a flash file
cd "C:\Program Files\GNS3\qemu-2.1.0"
qemu-img.exe create c:\FLASH 256M
try this:
To create a flash file
cd "C:\Program Files\GNS3\qemu-2.1.0"
qemu-img.exe create c:\User\usuario\GNS3\FLASH 256M
Let me know if it is helpful.
Similar Messages
How can you save videos from an iPad to an external memory?
There are some wireless external hard drives that can be used with the iPad.
Best iPad External Hard Drive Storage Options
http://www.unlocktips.com/2012/11/best-ipad-mini-external-hard-drive-memory-storage-options/
iPad Storage Solutions
http://www.ipadstoragesolutions.com/iPadWirelessStorage.php
SanDisk Connect Wireless Media Drive http://www.sandisk.com/products/wireless/media-drive/
Another option:
Expand your iPad's storage capacity with HyperDrive
http://www.macworld.com/article/1153935/hyperdrive.html
On the road with a camera, an iPad, and a Hyperdrive
http://www.macworld.com/article/1160231/ipadhyperdrive.html
Cheers, Tom
Cisco ASA configuration changed messages
Hi Team,
What are the configuration changed messages for Cisco ASA, apart from message ID 111008? Is there any syslog message which shows who changed what?
Regards,
Shalendra
Hi,
Yes, these are the ones that are going to show you all the information about the user changes on the ASA device.
You can also use AAA Accounting, the User Identity firewall, etc. on the ASA device for the same.
Thanks and Regards,
Vibhor Amrodia
Can you save a GUI configuration??
Hi everyone,
I am learning java and have a question.
I have a JDesktopPane and it has multiple internal frames in it. Now I open a bunch of frames and place them the way I want.
Now, can I do something like save this configuration in a file, say for example an XML file, and then when I open the program again just load the configuration file so everything comes back the same way it was when I saved it?
Is this possible? If yes, then how will I be able to do it???
Here is the code which I am using to display my internal frames.
//Import files
import java.awt.Color;
import java.awt.Dimension;
import java.awt.Toolkit;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.awt.event.KeyEvent;
import java.util.TimerTask;
import javax.swing.JDesktopPane;
import javax.swing.JFrame;
import javax.swing.JMenu;
import javax.swing.JMenuBar;
import javax.swing.JMenuItem;
import javax.swing.KeyStroke;

//MyInternalFrame, TestApplet, AnalogClock, DigitalClock and gpsstatus are the
//poster's own classes and are not included in the post.
public class InternalFrameDemo extends JFrame implements ActionListener {
    JDesktopPane desktop;

    public InternalFrameDemo() {
        super("DashBoard");
        //Make the big window be indented (by inset pixels) from each edge
        //of the screen.
        int inset = 250;
        Dimension screenSize = Toolkit.getDefaultToolkit().getScreenSize();
        setBounds(inset, inset,
                  screenSize.width - inset * 2,
                  screenSize.height - inset * 2);
        //Set up the GUI.
        desktop = new JDesktopPane(); //a specialized layered pane
        setContentPane(desktop);
        setJMenuBar(createMenuBar());
        desktop.setBackground(Color.lightGray);
        //Make dragging a little faster but perhaps uglier.
        desktop.setDragMode(JDesktopPane.OUTLINE_DRAG_MODE);
    }

    protected JMenuBar createMenuBar() {
        JMenuBar menuBar = new JMenuBar();
        //Set up the lone menu.
        JMenu menu = new JMenu("NEW");
        menu.setMnemonic(KeyEvent.VK_D);
        menuBar.add(menu);
        //Set up the first menu item.
        JMenuItem menuItem = new JMenuItem("LED Panel");
        menuItem.setMnemonic(KeyEvent.VK_L);
        menuItem.setAccelerator(KeyStroke.getKeyStroke(
                KeyEvent.VK_L, ActionEvent.ALT_MASK));
        menuItem.setActionCommand("new");
        menuItem.addActionListener(this);
        menu.add(menuItem);
        //Set up the second menu item.
        JMenuItem menuItem2 = new JMenuItem("Digital Clock");
        menuItem2.setMnemonic(KeyEvent.VK_D);
        menuItem2.setAccelerator(KeyStroke.getKeyStroke(
                KeyEvent.VK_D, ActionEvent.ALT_MASK));
        menuItem2.setActionCommand("new2");
        menuItem2.addActionListener(this);
        menu.add(menuItem2);
        //Set up the third menu item.
        JMenuItem menuItem3 = new JMenuItem("Analog Clock");
        menuItem3.setMnemonic(KeyEvent.VK_A);
        menuItem3.setAccelerator(KeyStroke.getKeyStroke(
                KeyEvent.VK_A, ActionEvent.ALT_MASK));
        menuItem3.setActionCommand("new3");
        menuItem3.addActionListener(this);
        menu.add(menuItem3);
        //Set up the fourth menu item.
        JMenuItem menuItem4 = new JMenuItem("Signal Levels");
        menuItem4.setMnemonic(KeyEvent.VK_S);
        menuItem4.setAccelerator(KeyStroke.getKeyStroke(
                KeyEvent.VK_S, ActionEvent.ALT_MASK));
        menuItem4.setActionCommand("new4");
        menuItem4.addActionListener(this);
        menu.add(menuItem4);
        //Set up the fifth menu item.
        JMenuItem menuItem5 = new JMenuItem("GPS Status");
        menuItem5.setMnemonic(KeyEvent.VK_G);
        menuItem5.setAccelerator(KeyStroke.getKeyStroke(
                KeyEvent.VK_G, ActionEvent.ALT_MASK));
        menuItem5.setActionCommand("new5");
        menuItem5.addActionListener(this);
        menu.add(menuItem5);
        //Set up the Quit menu item.
        menuItem = new JMenuItem("Quit");
        menuItem.setMnemonic(KeyEvent.VK_Q);
        menuItem.setAccelerator(KeyStroke.getKeyStroke(
                KeyEvent.VK_Q, ActionEvent.ALT_MASK));
        menuItem.setActionCommand("quit");
        menuItem.addActionListener(this);
        menu.add(menuItem);
        return menuBar;
    }

    //React to menu selections.
    public void actionPerformed(ActionEvent e) {
        if ("new".equals(e.getActionCommand())) { //new
            createFrame();
        } else if ("new2".equals(e.getActionCommand())) {
            createButtons();
        } else if ("new3".equals(e.getActionCommand())) {
            createAnalog();
        } else if ("new4".equals(e.getActionCommand())) {
            createBoxes();
        } else if ("new5".equals(e.getActionCommand())) {
            createGPS();
        } else {
            quit();
        }
    }

    protected void createFrame() {
        MyInternalFrame frame = new MyInternalFrame();
        TestApplet clock = new TestApplet();
        clock.init();
        frame.getContentPane().add(clock);
        frame.setSize(150, 150);
        frame.setVisible(true); //necessary as of 1.3
        desktop.add(frame);
        try {
            frame.setSelected(true);
        } catch (java.beans.PropertyVetoException e) {}
    }

    protected void createAnalog() {
        MyInternalFrame frame = new MyInternalFrame();
        AnalogClock clock = new AnalogClock();
        frame.getContentPane().add(clock);
        frame.setSize(180, 200);
        frame.setVisible(true); //necessary as of 1.3
        desktop.add(frame);
        try {
            frame.setSelected(true);
        } catch (java.beans.PropertyVetoException e) {}
    }

    protected void createBoxes() {
        //Code
    }

    protected void createButtons() {
        MyInternalFrame frame = new MyInternalFrame();
        final DigitalClock dc = new DigitalClock();
        dc.setBackground(Color.black);
        frame.getContentPane().add(dc);
        frame.setSize(290, 120);
        frame.setVisible(true); //necessary as of 1.3
        desktop.add(frame);
        //Repaint the clock four times a second.
        class Task extends TimerTask {
            public void run() {
                dc.repaint();
            }
        }
        java.util.Timer timer = new java.util.Timer();
        timer.schedule(new Task(), 0L, 250L);
        try {
            frame.setSelected(true);
        } catch (java.beans.PropertyVetoException e) {}
    }

    protected void createGPS() {
        MyInternalFrame frame = new MyInternalFrame();
        gpsstatus clock = new gpsstatus();
        frame.getContentPane().add(clock);
        frame.setSize(300, 190);
        frame.setVisible(true); //necessary as of 1.3
        desktop.add(frame);
        try {
            frame.setSelected(true);
        } catch (java.beans.PropertyVetoException e) {}
    }

    //Quit the application.
    protected void quit() {
        System.exit(0);
    }

    private static void createAndShowGUI() {
        //Make sure we have nice window decorations.
        JFrame.setDefaultLookAndFeelDecorated(true);
        //Create and set up the window.
        InternalFrameDemo frame = new InternalFrameDemo();
        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        //Display the window.
        frame.setVisible(true);
    }

    public static void main(String[] args) {
        //Schedule a job for the event-dispatching thread:
        //creating and showing this application's GUI.
        javax.swing.SwingUtilities.invokeLater(new Runnable() {
            public void run() {
                createAndShowGUI();
            }
        });
    }
}
FanJava wrote:
> Hi everyone,
> I am learning java and have a question.
> I have a JDesktopPane and it has multiple internal frames in it. Now I open a bunch of frames and place them the way I want.
> Now, can I do something like save this configuration in a file, say for example an XML file, and then when I open the program again just load the configuration file so everything comes back the same way it was when I saved it?
yes.
> Is this possible? If yes, then how will I be able to do it???
you need to design your GUI using absolute layout (null layout manager); that way you can specify how big and exactly where you want all of your components.
How can i save my settings configuration
Is there a way to save the browser config, so I can try the updated version and revert to the older one if I decide to, without having to redo all the preference settings/addons/plugins etc...?
(Or is there a "config" file I can copy? Where would it be located?)
Thanks for your time and replies
Ray
If you want to back up your preferences, you have to look in a hidden folder in your profile for prefs.js
In Windows try -> Documents and Settings -> Mozilla -> Firefox -> Profiles
Copy this to your backup location or a USB memory device if you want to put it onto a different computer
I get a window popping up that says "The library iTunes file cannot be saved. There is not enough memory available.". I have 980GB free, I don't understand how to change a setting or what ever is causing it.
Hello Wyodor,
thanks for your reply on my question.
You are right, the index file is 308 KB.
And of course, that I deleted my files and documents is not an iWeb problem, but because my English is not that good, I thought I would try to tell the whole story and hope people can read between the lines.
Why I didn't use iWeb to upload to the server is because the server company recommended using FileZilla. And I am a nobody with this kind of thing, so I did exactly what they told me to do.
No, I did not make a backup of iWeb and the domain file, but reading other messages on this forum showed me that I can maybe try to empty the cache file (?)
and otherwise I have bad luck and have to make my website again. Of course I have a lot of examples from all the pages (copied from the local folder to my USB stick) and my website is approx. 15 MB (not so big), so it will cost me a few nights.
But I'm still hoping for a miracle :-)
Greetings, Lasource
When I try to perform this function of saving an email to file using the Windows 7 XPS Writer, I receive a message stating that Firefox is not responding. XPS Writer is working using Internet Explorer?
I've seen this error with Chrome. Are you using IE and is it updated?
I'm a self-taught noob amateur. Please take this into account when responding to my posts or when taking advice from me.
How can I save/backup my server configuration ?
Hi,
I'm new to OS X Server.
I have my server configured and running as planned.
But how can I save the server configurations?
So in case I have to reinstall, I can just reload the configuration.
Thanks,
JO
You can also run the Server Assistant (/Applications/Server/Server Assistant.app) and save the resulting configuration to a file or as a directory record.
If that file is present at the root level of any local drive, or present on a directory server, when a new copy of Mac OS X Server boots up for the first time (Think USB pen drive) it will automatically configure itself and reboot.
This can be very useful if you need to set up many servers at once. However, you are only storing the serial number and a few basic settings (time zone, which services to turn on by default, etc.), so this feature isn't really all that great for disaster recovery purposes. It can, however, save you a few minutes dealing with serial numbers when you need to rebuild a server NOW.
Also, since none of your services will be configured yet, it's usually best practice to set up a server without any services turned on (except maybe remote desktop) and then turn them on after you get things set up. This is where those "tear" sheet .plist backup files from Server Admin come in handy.
Matt Bryant
ACTC
Husson College and the New England School of Communications
Cisco ASA, skipping real source port number with PAT.
Hi Experts,
Cisco ASA configuration guide says:
"PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. "
Is it possible to skip this? I do not want to use the real source port number. The issue is, when I have a PAT entry with the real source port (port 5060), the SIP session doesn't work. With all the other port numbers, everything works.
Hi,
Notice that the configuration you tried does not modify the real source port at all.
Since you are using the same "object" for the real/mapped service, the configuration above matches traffic where the connection's destination is "any" and the destination is "udp 6000 65535" and only when the source is "udp sip", and in that event it keeps the exact same "udp sip" source port, as you are using the same "object".
I am not sure if it's a software or configuration related issue, but I have not gotten this to work reliably on my ASA. I might have to try some other software level.
I guess you would want to match the SIP source port in the Dynamic PAT and avoid using the SIP port as the mapped port? With that in mind I was thinking something like this
object service UDP-SIP
service udp source eq sip
object service UDP-SIP-MAPPED
service udp source range 30000 31000
nat (VoiP,outside) source dynamic <source network object> interface service UDP-SIP UDP-SIP-MAPPED
Though the above configuration seems to be bypassed by the ASA completely, and it seems to use the identical source port as the mapped port even though the traffic matches the configuration.
If I were to change the above configuration from "dynamic" to "static", then the configuration matches but it uses only the first mapped "source" port, "30000". I guess it would only use a different mapped port if you used multiple real source ports also, instead of the current single source port "sip".
nat (VoiP,outside) source static <source network object> interface service UDP-SIP UDP-SIP-MAPPED unidirectional
Example from my own ASA.
DYNAMIC
- Matches the configuration but doesn't map the port at all
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source dynamic LAN-NETWORK interface service SIP SIP-MAPPED
Additional Information:
Dynamic translate 10.0.0.123/5060 to <my pat ip>/5060
STATIC
- Matches the configuration and maps the source port but only uses the first mapped port from the range
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static LAN-NETWORK interface service SIP SIP-MAPPED unidirectional
Additional Information:
Static translate 10.0.0.123/5060 to <my pat ip>/30000
I am not really sure if this configuration is reliable at all, but it's the only thing I can think of at the moment.
Hope this helps :)
- Jouni
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site-to-site VPN tunnel set up between a Cisco ASA 5505 and a Checkpoint firewall. The software version is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my Cisco ASA configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe that when a VPN tunnel is set up there should be one child SA per subnet. The internal network 10.65.1.0/24 should have a child SA to each of the networks specified above, depending on whether there is traffic destined for them. What I am seeing is multiple child SAs set up for the same subnet, like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
whereas for destination network 10.92.0.0/16 there is only one child SA:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case, or does anyone have any idea why there are multiple child SAs set up for the same subnet?
Thanks
Jonathan
Hi there,
I had the same issue with a PIX 506E and it was not even a circuit issue; I got rid of it and the problem got fixed with a PIX 515E.
I don't know, the device is too old to stay alive.
Thanks
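The duplicated "remote selector" lines in Jonathan's filtered show crypto ikev2 sa output can be counted mechanically. The following Python script is an added example, not code from the thread: it parses selector lines from that command's output, counts how many child SAs carry each selector range, and reports the ranges that appear more than once. The sample output is constructed after Jonathan's listing, with the single 10.92.0.0/16 selector included for comparison.

```python
"""Count IKEv2 child SAs per traffic selector in ASA `show crypto ikev2 sa` output."""
import re
from collections import Counter

# Constructed sample modelled on the filtered output in the post above
# (`sh crypto ikev2 sa | i 172.19`). The 10.92.0.0/16 selector is added so a
# healthy single child SA is present for comparison.
SAMPLE_OUTPUT = """\
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 10.92.0.0/0 - 10.92.255.255/65535
"""

# Matches "local selector a.b.c.d/port - w.x.y.z/port" anywhere in a line, so
# the unfiltered output (where "Child sa:" precedes the local selector) also parses.
SELECTOR_RE = re.compile(
    r"\b(?P<side>local|remote) selector\s+"
    r"(?P<lo>\d{1,3}(?:\.\d{1,3}){3})/(?P<lo_port>\d+)\s*-\s*"
    r"(?P<hi>\d{1,3}(?:\.\d{1,3}){3})/(?P<hi_port>\d+)"
)


def parse_selectors(output, side="remote"):
    """Return a list of (low_ip, high_ip) tuples, one per selector line of `side`."""
    found = []
    for line in output.splitlines():
        m = SELECTOR_RE.search(line)
        if m and m.group("side") == side:
            found.append((m.group("lo"), m.group("hi")))
    return found


def child_sa_counts(output, side="remote"):
    """Map each selector range to the number of child SAs that carry it."""
    return Counter(parse_selectors(output, side))


def duplicated_selectors(output, side="remote"):
    """Selector ranges present on more than one child SA, most duplicated first."""
    counts = child_sa_counts(output, side)
    dups = [(sel, n) for sel, n in counts.items() if n > 1]
    return sorted(dups, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for (lo, hi), n in duplicated_selectors(SAMPLE_OUTPUT):
        print(f"{lo} - {hi}: {n} child SAs (expected 1)")
```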
Cisco Aironet Configuration Manual
I am new to Cisco wireless configuration. Does anyone know of a website I can visit for a Cisco Wireless Configuration Manual? Thanks to anyone who drops me a response.
Try this:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/legacy/scg/
Shawn
Hi,
we want to access our mail server (Lotus Domino) with an iPhone through a Cisco ASA configured as a IMAP-SSL proxy.
I have no problem accessing the server with Apple Mail, but not with the iPhone!
After the successful SSL handshake and AAA authentication, the SSL connection is terminated with "client channel close".
Any ideas?
Hello Vinish,
I recommend you place this question in the Security -> Firewalling forum instead of Small Business Security. Cisco ASA devices are not part of the Small Business portfolio and ASA-knowledgeable users are probably not checking this Small Business forum. That's probably why nobody has responded yet.
Cisco asa 5505 with Router 881w Configuration Help
Hello all,
I'm having trouble setting up a second VLAN to route to the internet. I have a Cisco ASA 5505 connected to my ISP (OUTSIDE) and a Cisco 881w router (INSIDE) behind my firewall. My VLAN 10, with the network 192.168.5.1 255.255.255.0, works with PAT; however, VLAN 15, which is on my 881w router, does not route to the internet at all. I can only ping from the 192.168.15.15 network to 192.168.5.1. I would like some advice on how I can make this setup work. Attached to this discussion is a picture of my topology.
Thanks in advance.
here are the show runs:
Cisco ASA 5505 show run:
ASA Version 8.3(1)
names
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan5
mac-address xxxx.xxxx.xxxx
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface Vlan10
nameif INSIDE
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 5
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network INTERNAL_LAN
subnet 192.168.5.0 255.255.255.0
object network PRIVATE_LAN_192
subnet 192.168.15.0 255.255.255.224
description PRIVATE_LAN_192
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended deny ip any any
pager lines 24
logging enable
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INTERNAL_LAN
nat (INSIDE,OUTSIDE) dynamic interface
object network PRIVATE_LAN_192
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
dhcpd dns 8.8.8.8 75.75.76.76
dhcpd address 192.168.5.10-192.168.5.100 INSIDE
dhcpd enable INSIDE
Router 881w show run:
Current configuration : 4912 bytes
version 12.4
no ip source-route
ip dhcp excluded-address 192.168.15.1 192.168.15.10
ip dhcp pool PRIVATE_LAN
network 192.168.15.0 255.255.255.224
interface FastEthernet0
switchport trunk allowed vlan 1,15,1002-1005
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
interface Vlan15
ip address 192.168.15.1 255.255.255.224
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
ip http authentication local
ip http secure-server
The cable modem does not have any configuration. I can't add any to it. It's a Cisco DPC3008. From VLAN 10 I have no problem getting to the internet with the above configuration. My problem is just VLAN 15.
Hi,
I have configured a Cisco ASA 5505 but I can't get access to the internet using my laptop connected to the ASA. I did not use the console but the graphical interface for the configuration. I changed the inside address of the ASA to 192.168.2.1. From the inside I can't ping the devices on the outside, and from outside I can't ping the laptop connected to the ASA.
Here is my configuration:
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname xxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.48 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name processia.com
access-list outside_access_in extended permit ip any any
access-list icmp_out_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group icmp_out_in in interface outside
access-group outside_access_ipv6_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.2.2-192.168.2.129 inside
dhcpd dns 80.10.246.2 80.10.246.129 interface inside
dhcpd ping_timeout 5000 interface inside
dhcpd domain xxxxxxxxxxxxxxxxx interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
policy-map global_policy
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7e6f35db321b722ca60009b0c0dc706e
: end
Thank you for your help
Hi Sylla,
The static route you have configured for Internet access needs to be corrected:
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
The next hop address should be your ISP's gateway IP address and not the ASA's outside interface IP. Currently, both are configured for 192.168.1.48.
-Mike
Cisco ASA 5505 Configurations. Help... Beyond Frustrated
Hello All,
I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
hostname AMDASA
domain-name asa.(mydomain).com
enable password (encrypted)
passwd (encrypted)
interface Ethernet0/0
description TWCoutside
switchport access vlan 2
no shutdown
write mem
exit
interface Ethernet0/1
description Port1inside
switchport access vlan 1
no shutdown
write mem
exit
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.250 255.255.255.0
write mem
exit
interface Vlan2
nameif outside
security-level 0
ip address 24.39.245.36 255.255.255.240
write mem
exit
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
write mem
exit
ftp mode passive
write mem
clock timezone EST -5
clock summer-time EDT recurring
write mem
exit
dns server-group DefaultDNS
domain-name asa.adcmotors.com
write mem
exit
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-group acl_outside in interface outside
access-list acl_inside extended permit icmp any any object-group DefaultICMP
access-group acl_inside in interface inside
write mem
exit
write mem
That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!
Hi our desperate friend.
First, I would suggest using the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler, and for the SSL VPN you would need to install the client on the ASA and purchase an additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you don't have it or don't have access to download it from cisco.com, go to the person from whom you purchased your ASA and ask him how to get it.
That said, I also think that your ASA lacks some basic configuration as of now. If you are planning to use this as a replacement for your current PIX, you would need to configure a default route and some basic NAT:
route outside 0.0.0.0 0.0.0.0 24.39.245.33
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
Now regarding the VPN Client configuration, you would need to do something like this:
Create an isakmp policy:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Create a couple of ACLs that we will use later:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_tun standard permit 192.168.0.0 255.255.255.0
Create a Pool for the VPN Clients to use:
ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
Create a Group Policy:
group-policy TEST internal
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tun
Create a group:
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
address-pool TestPool
authentication-server-group ABTVPN
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key cisco123
Create crypto map and do a NAT 0:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
nat (inside) 0 access-l nonat
Finally create a user that you will use to connect:
username test password test123
Then you would need to configure your VPN Client to connect with the ASA.
Here is a configuration example of VPN clients to the ASA. It uses an external server for the authentication, but just skip those parts. For the initial config you might want to keep the authentication local.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
I hope this helps. Feel free to ask if you have any questions. Also it would be very useful if you could upload the current config (show run) of the ASA in case you need to ask something else.
Have fun.
Raga
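As an added example (not code from either poster or from Cisco), a small Python audit of the 8.2-style lines both answers above correct: the default route's next hop versus the outside interface address (Mike's point in the first thread) and the nat/global pair needed for Internet access (Raga's first suggestion). The sample config is constructed from the interface, NAT and route lines posted in the first thread; the function and finding texts are my own.

```python
import ipaddress
import re

# Constructed sample: interface, NAT and route lines from the ASA 8.2 running-config
# posted in the first thread (next hop equals the outside interface's own address).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.1.48 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
"""

def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    ifaces, name, addr = {}, None, None
    for raw in config.splitlines() + ["interface END"]:  # sentinel flushes last block
        line = raw.strip()
        if line.startswith("interface "):
            if name and addr:
                ifaces[name] = addr
            name, addr = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces

def audit(config):
    """Return findings about the default route and inside-to-outside NAT."""
    findings, ifaces = [], parse_interfaces(config)
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    iface = ifaces.get(m.group(1)) if m else None
    if iface is None:
        findings.append("no usable default route (route <nameif> 0.0.0.0 0.0.0.0 <ISP gateway>)")
    else:
        nh = ipaddress.IPv4Address(m.group(2))
        if nh == iface.ip:
            findings.append(f"next hop {nh} is the {m.group(1)} interface's own address")
        elif nh not in iface.network:
            findings.append(f"next hop {nh} is not on the {m.group(1)} subnet {iface.network}")
    # 8.2-style dynamic PAT needs a 'nat (inside) <id>' and a matching 'global (outside) <id>'
    if not (re.search(r"^nat \(\S+\) [1-9]\d* ", config, re.M)
            and re.search(r"^global \(\S+\) [1-9]\d* interface", config, re.M)):
        findings.append("no nat/global pair for dynamic PAT of inside hosts")
    return findings
```

Run `audit(open("show-run.txt").read())` against a saved `show run`; an empty list means both checks passed.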