Can't SSH to inside interface on ASA
Hi there
I have generated the key and can ssh to outside interface. I have allowed access on inside interface. I can telnet but not ssh. I captured packets and can see incoming only. Any ideas?
TIA
Sent from Cisco Technical Support iPhone App
Hi there,
Here it is -
asa01(config)# sh cap capin
4 packets captured
1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4 packets shown
asa01(config)#
asa01(config)# sh cap asp
0 packet captured
0 packet shown
asa01(config)#
Can you ping the Switch interface from the ASA? - Yes
Can you ping the ASA from the switch? - Yes
Similar Messages
-
SSH does not work in inside interface in ASA
I am able to run ASM but I can't run SSH from inside interface. Does anyone know how can I start to debug the problem? I checked all the setting for enable ssh, I setup it the same way as an instruction.
aaa authentication ssh console LOCAL
ssh 192.168.0.0 255.255.255.0 inside
crypto key generate rsa modulus 1024
What I am missing here? I also have username and password for admin.
ThanksHere is the show ver
Result of the command: "show ver"
Cisco Adaptive Security Appliance Software Version 8.2(3)3
Device Manager Version 6.2(5)53
Compiled on Wed 25-Aug-10 21:43 by builders
System image file is "disk0:/asa823-3-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 207 days 6 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 5475.d050.7f46, irq 9
1: Ext: Ethernet0/1 : address is 5475.d050.7f47, irq 9
2: Ext: Ethernet0/2 : address is 5475.d050.7f48, irq 9
3: Ext: Ethernet0/3 : address is 5475.d050.7f49, irq 9
4: Ext: Management0/0 : address is 5475.d050.7f45, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1420L3JW
Running Activation Key: 0x8b0edb7c 0x4cee2474 0x34813190 0x90e01484 0x0d2211b2
Configuration register is 0x1
Configuration last modified by cdinh at 15:36:53.519 PDT Mon Jul 29 2013 -
Routing Issue Accessing Inside Interface of ASA
Ok so I'm making this more complex than it needs to be and can't see the forest for the trees. I'm setting up an ASA 5510 with multiple contexts. I'm working with my main internal context for my internal traffic. I have created interfaces on this context as follows:
interface Ethernet0/0.1
description outside interface
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
interface Ethernet0/1.1
description inside interface for internal context
nameif inside
security-level 100
ip address 10.10.50.150 255.255.0.0
same-security-traffic permit intra-interface
route outside 0.0.0.0 0.0.0.0 1.1.1.1
NOTE: Also has ssh configuration but can't document that here.
My workstation has an IP 10.10.30.20 255.255.0.0 with a default gateway that points to my core switch (10.10.50.151).
When I try to access the inside interface of the ASA via ssh from my workstation I can't connect. I tried to ping the inside interface IP address of the ASA from my workstation and it doesn't reply. I can however ping anything on my internal network from the ASA through the inside interface. What am I missing on this?
Thanks.I figured out this issue but now have a new issue. The problem I had accessing the internal network from the ASA was due to the core switch I was being routed through. After looking at the core I saw that the default route was redirecting all traffic to the IP address of the inside interface on the production ASA. I have since pulled a spare switch and created an isolated network with a laptop and the inside interface on the new ASA. This worked great.
Now to my new problem. I am trying to access our ISPs external address from the ASA. The ISP has provided us with two vlans (100 and 101) on one connection and has given us two public IPs (one is the IP for the router on their end and the second is the IP I am supposed to use on my outside interface for vlan 100). I have created sub-interfaces on my outside interface and defined 0/0.1 as vlan 100 and 0/0.2 as vlan 101. VLAN 101 will go to our rack at our disaster recovery site so it will just be an extension of our existing network.
My network is as follows:
ISP (IP 2.2.2.1)
|
|
3560-CG switch (both ports -- to ISP and ASA outside interface are configured as trunk ports)
|
|
ASA (outside 2.2.2.2 vlan 100)
When I try to ping the 2.2.2.1 address from the ASA it doesn't work. If both my ASA outside port and the port to the ISP are both trunk ports shouldn't it route both VLANs (100 and 101) without any issue or am I missing something in my thinking?
Thanks. -
Connect to VPN but can't ping past inside interface
Hello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: endHello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: end -
Not able to telnet or ssh to outside interface of ASA and Cisco Router
Dear All
Please help me with following question, I have set up testing lab, but still not work.
it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
Hub -- Juniper SRX
Spoke One - Cisco ASA with version 9.1(5)
spoke two - Cisco router with version 12.3
site to site vpn has been successful established. Customer would like to telnet/ssh to spoke's outside ip from Hub(using Hub's outside interface as source for telnet/ssh), or vise versa. Reason for setting up like this is they wants to be able to make configuration change even when site to site vpn is down. Sound like a easy job to do, I tried for a long time, search this forum and google too, but still not work.
Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
Anyone has ever done it before, please help to share your exp. Does Cisco ASA or router even support it?
When I tested it, of cause site to site vpn still up and running.
Thanks
YKHello YK,
On this case on the ASA, you should have the following:
CConfiguring Management Access Over a VPN Tunnel
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
To specify an interface as a mangement-only interface, enter the following command:
hostname(config)# management access management_interface
where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
You can define only one management-access interface
Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
SSH
- ssh 0 0 outside
- aaa authentication ssh console LOCAL
- Make sure you have a default RSA key, or create a new one either ways, with this command:
*crypto key generate rsa modulus 2048
Telnet
- telnet 0 0 outside
- aaa authentication telnet console LOCAL
Afterwards, if this works you can define the subnets that should be permitted.
On the router:
!--- Step 1: Configure the hostname if you have not previously done so.
hostname Router
!--- aaa new-model causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the router's DNS domain.
ip domain-name yourdomain.com
!--- Step 3: Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet and SSH is supported with transport input all
line vty 0 4
transport input All
*!--- Instead of aaa new-model, the login local command may be used.
no aaa new-model
line vty 0 4
login local
Let me know how it works out!
Please don't forget to Rate and mark as correct the helpful Post!
David Castro,
Regards, -
Help with Slow access or NAT to Inside Interface on ASA 9.1
I am hoping someone can help me figure this out, I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through, The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
Now to further give you some history, the gateway of last resort is an ASA running 9.1 (Now), prior to that it was a PIX with v8.0(4), traffic to the aforementioned web server came in through the gateway of last resort), which at the time was the PIX.
However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
So two questions, one I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but having difficulty translating the rules to the ASA.
Second question, has anyone experienced this type of issue (Slow access with ASA to a web server, but fast with PIX to the same web server)?
Attached a diagram of what I am currently doing?
Any help is appreciated.
Thanks.
P.S. Addresses in attached picture config are not real, but I know what they translate to.Hi,
To me you it would seem that you are looking for a NAT configurations something like this
object network SERVER-PUBLIC
host 197.162.127.6
object network SERVER-LOCAL
host 10.0.1.25
nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
It will do a NAT for both the source and destination address in a single NAT configurations. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will untranslated to the SERVER-LOCAL in the process as this configuration handles 2 translations.
I dont know if this changes the situation at all but it should be the configuration format to handle the translation of external host to the internal interface IP address and only apply when this single public IP address is conserned.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question. And/or rate helpfull answers.
Ask more if needed
- Jouni -
SSH on Outside interface on ASA 5510
Hi All,
I need the ssh access on my ASA outside interface and have added
ssh ipremoved 255.255.255.255 outside
access-list acl_outside extended permit tcp host ipremoved any eq 22
but this is the log i get from ASA
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
can someone please help me
many thanks
cheers..many thanks for the quick reply
my connection is something like below
Site A Site B
PC--10.6.40.148 ---- ASA public IP -------------cloud --------------------public IP ASA
Site to Site IPsec VPN
Am able to ssh to the ASA on the private ip management interface, now i need to ssh to the site B public IP to manage
I have allowed the acl on site A ASA for the PC to go i can see the hit count on it
The reason being i need to manage the Site B ASA on public because on Site A am changing the internet provider and so if i have the acces to site B ASA i can change the peer IP to new IP and reestablish the VPN
many thanks for the help
cheers -
Can't Ping or access via SNMP Inside interface of 5505
I have a remote site I'm trying to setup monitoring on and I can't get the inside interface to respond to a ping or SNMP requests. I have tried everything I can find in the forums and on the web but this location will not cooperate. I have full access to the ASA and to the inside network behind it. IPSEC VPN tunnel is working perfectly. I see the ping requests in the log on the ASA. I turned on ICMP debugging and only see the echo request.. never an echo reply. Below is a partial configuration. If you need any more information, let me know.
names
name 192.168.0.0 Domain
name 1.1.1.2 MCCC_Outside
name 172.31.10.0 VLAN10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.23.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
boot system disk0:/asa847-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mtcomp.org
object network obj-192.168.23.0
subnet 192.168.23.0 255.255.255.0
object network Domain
subnet 192.168.0.0 255.255.0.0
object network 172.31.0.0
subnet 172.31.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 object Domain
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 object Domain
access-list Outside_NAT0_inbound extended permit ip object Domain 192.168.23.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.23.0 255.255.255.0 any
access-list inside_access_in extended permit ip any 192.168.23.0 255.255.255.0 inactive
no pager
logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging asdm informational
logging device-id hostname
logging host inside 192.168.x.x 17/1514
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.23.0 obj-192.168.23.0 destination static Domain Domain no-proxy-arp route-lookup
route outside MCCC_Outside 255.255.255.255 1.1.1.1 1
route outside 172.31.0.0 255.255.0.0 192.168.1.1 1
route outside VLAN10 255.255.255.0 MCCC_Outside 1
route outside Domain 255.255.0.0 192.168.1.1 1
route outside 192.168.1.0 255.255.255.0 MCCC_Outside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.81 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.23.0 255.255.255.0 inside
snmp-server host inside 172.x.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer MCCC_Outside
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map global-policy
service-policy global_policy global
prompt hostname contextHi,
First of all let me clarify your trial.
Where is your monitoring server?
Is it behind inside or outside interface (please share ip adress)?
From config it seems, it can be reach via outside interface. Then you have to make snmp check on outside interface, not on inside (cannot make a snmp/ping check on inside interface with request comming through outside inteface - it simply won't work).
From the first check of routing table, I would suggest:
delete : route outside MCCC_Outside 255.255.255.255 1.1.1.1 1 - doesn't make a sense route host address, when it's directly connected network (and more, route 1.1.1.2 to 1.1.1.1, when 1.1.1.1 is vlan2 interface)
change : route outside 172.31.0.0 255.255.0.0 192.168.1.1 1; route outside Domain 255.255.0.0 192.168.1.1 1 - you should consider route it to 1.1.1.2 (if this is your next hop address at WAN).
route outside VLAN10 255.255.255.0 MCCC_Outside 1 - why?
I would use default route to somewhere at 1.1.1.0/24 range - next hop (router).
HTH,
Pavel -
VPN ASA inside Interface and ip pool are one same Subnet
Hi Everyone,
I have configured RA VPN full tunnel.
Inside interface of ASA is
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
Need to know is it good design to have both on same subnet?
When i access the Switch connecting to VPN ASA inside interface via--https://10.0.0.2
which has IP 10.0.0.2 while using Remote VPN connection to ASA it does not work gives error
message as below
Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)
Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK on interface outside
Current NAT config is
nat (inside,outside) source dynamic any interface
Regards
MAhesh
Message was edited by: mahesh parmarHi Mahesh,
It should work but I generally would not suggest having the same network on the LAN and also configured partially as a VPN Pool network.
Your problem at the moment is simply lacking the NAT0 configuration for the traffic between LAN and VPN Pool.
I would suggest changing the VPN Pool first and then configuring this
object network LAN
subnet 10.0.0.0 255.255.255.0
object network VPN-POOL
subnet
nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
We have to use the line number "1" in the above command so that it gets moved to the top since your current Dynamic PAT would otherwise override it.
In the future it would be best if you changed your current Dynamic PAT configuration to this
nat (inside,outside) after-auto source dynamic any interface
We simply add the "after-auto" to this Dynamic PAT configuration so that it gets moved down in priority. The "after-auto" refers to the fact that this NAT will be inserted after Auto NAT (after Section 2). Your current rule is Manual NAT (Sectiom 1). The new rule will be Manual NAT (Section 3)
- Jouni -
Hi ,
I have connected a firewall inside interface to l3 switch.
on l3 switch
int gi0/1
no switchport
ip address 192.168.10.1 255.255.255.0
no shut
on firewall
int gi0/1
nameif inside
security level 100
ip address 192.168.10.2 255.255.255.0
If i ping to 192.168.10.2 from firewall thus it ping.
As i know inside host can ping to inside interface.But not any opposite interface such as dmz etc.(need access-list)Hi Prashant,
Here are two things involved.
1. Ping to the far end interface.
The ASA will not allow to ping the far end interface, for example is you are a host connected on the Inside network and ping the Inside interface the ASA will reply, but if you try to ping the DMZ interface from a host on the inside this will not answer and is expected.
2. Permit traffic from lower to higer interfaces.
All the traffic from higher interface level to lower interface level is permitted by default but is deny the other way around, from lower to higher.
If you need to permit traffic from lower to higher you need to enter a access-list on the lower level interface to permit traffic to the higher security level (If you are on version 8.2 or earlier you might need to add a NAT rule)
For example:
Inside security level 100
Outside security level 0
Inside host 192.168.1.1
access-list outside_access_in permit ip any host 192.168.1.1
access-group outside_access_in in interface outside
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml
I hope these helps.
Regards
Godfrey -
Can not access ASAs inside interface via VPN tunnels
Hi there,
I have a funny problem.
I build up a hub and spoke VPN, with RAS Client VPN access for the central location.
All tunnels and the RAS VPN access are working fine.
I use the tunnels for Voip, terminal server access and a few other services.
The only problem I have is, that I could not access the inside IP address of any of my ASAs, neither via tunnels nor via RAS VPN access. No telnet access and no ping reach the inside interfaces.
No problem when I connect to the interface via a host inside the network.
All telnet statments in the config are ending with the INSIDE command.
On most of the ASAs the 8.2 IOS is running on one or two ASAs the 8.0(4).
For the RAS client access I use the Cisco 5.1 VPN client.
Did anybody have any suggestions?
Regards
MarcelMarcel,
Simply add on the asas you want to administer through the tunnels
management-access
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
for asa5505
management-access inside
for all others if you have management interface management0/0 defined then:
management-access management
then you may need to allow the source , for example if RA VPN pool network is 10.20.20.0/24 then you tell asa that network cann administer asa and point access to inside, but sounds you have this part already.
telnet 10.20.20.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
same principle for l2l vpns
Regards -
I can Ping FW inside interface but can not connect to remote resources
dear all
i configer my asa 5520 through ASDM to enable VPN Connection , i follow the cisco steps and it works fine and the anyconnect version 3.1 in Windows 8 - one day troubleshoot for this point only - can connect and have an IP address from the range , but i have something wrong in NAT may be because all guides talking about old ASDM ( NAT Exempt) but i am confeused to apply it on the new ASDM.
i can ping the inside interface from my labtop which using anyconnect , but i can not access anything else inside my network
Please anyone has a solution , please describe it using ASDM , thanks for help
This is my configuration
interface GigabitEthernet0/1
description
nameif SRV_ZONE
security-level 50
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
description
nameif TRUST_ZONE
security-level 100
ip address 172.17.200.1 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif MGMT
security-level 0
ip address 10.10.10.1 255.255.255.0
dns server-group DefaultDNS
domain-name xxx.xxx.xxx
object network obj-192.168.1.11
host 192.168.1.11
object network obj-xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object service obj-tcp-source-eq-25
service tcp source eq smtp
object network obj-192.168.1.12
host 192.168.1.12
object network obj-xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object service obj-tcp-eq-25
service tcp destination eq smtp
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-172.17.8.8
host 172.17.8.8
object network obj-172.17.0.0
subnet 172.17.0.0 255.255.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network obj_any-06
subnet 0.0.0.0 0.0.0.0
object network obj.172.17.8.115
host 172.17.8.115
object network obj.xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object service http
service tcp source eq www destination eq www
object network obj.xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object service https
service tcp source eq https destination eq https
object service newservice
service tcp source eq pop3 destination eq pop3
object network mail
host 172.17.8.8
description mail
object network 192.168.1.11
host 192.168.1.11
description smtp
object service smtpnew
service tcp source eq 587 destination eq 587
object network VPN_RANGE
description VPN ACCESS RANGE
object network VPN_PoOL
subnet 172.17.16.0 255.255.255.0
description vpn
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.1.11
network-object host 192.168.1.12
object-group network Eighth_Floor
network-object 172.17.8.0 255.255.255.0
object-group service WEB_SERVICES
service-object tcp destination eq www
object-group network ENT_SERVERS
network-object host 192.168.1.11
network-object host 192.168.1.1
object-group network DM_INLINE_NETWORK_2
network-object 172.17.200.0 255.255.255.0
network-object 172.17.8.0 255.255.255.0
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service web tcp
port-object eq www
port-object eq xxx
port-object eq ftp
port-object eq xxx
port-object eq xxx
object-group service xxx_Web_and_Email
service-object object http
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list justice_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list xxx-VPN_splitTunnelAcl remark vpn
access-list xxx-VPN_splitTunnelAcl standard permit 172.17.16.0 255.255.255.0
access-list xxx-VPN_splitTunnelAcl standard permit any
access-list cap extended permit tcp any host xxx.xxx.xxx.xxx eq smtp log
access-list cap1 extended permit tcp host 192.168.1.11 any eq smtp
access-list SRV_ZONE_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list SRV_ZONE_nat_outbound extended permit ip host 192.168.1.11 any
access-list TRUST_ZONE_access_in extended permit ip host 172.17.88.108 any
access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.10.3.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.10.50.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.8.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.200.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.0.0 255.255.0.0 host 192.168.1.12
access-list TRUST_ZONE_cryptomap extended permit ip xxx.xxx.xxx.xxx 255.255.255.248 any
access-list outside_access_in extended permit tcp any host 192.168.1.11 eq smtp
access-list outside_access_in extended permit tcp any host 172.17.8.8 eq www
access-list outside_access_in extended permit tcp any host 192.168.1.12 object-group web
access-list outside_access_in extended permit tcp any host 172.17.8.8 eq pop3
access-list outside_access_in extended permit ip 172.17.16.0 255.255.255.0 any inactive
access-list vpn remark vpn
access-list vpn standard permit 172.17.16.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host TRUST_ZONE 172.17.8.100
mtu INT_ZONE 1500
mtu SRV_ZONE 1500
mtu TRUST_ZONE 1500
mtu MGMT 1500
ip local pool VPN_POOL 172.17.16.100-172.17.16.254 mask 255.255.255.0
ip verify reverse-path interface INT_ZONE
ip verify reverse-path interface SRV_ZONE
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any SRV_ZONE
icmp permit any TRUST_ZONE
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.11 obj-xxx.xxx.xxx.xxx service any obj-tcp-source-eq-25
nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.12 obj-xxx.xxx.xxx.xxx
nat (SRV_ZONE,INT_ZONE) source dynamic obj-192.168.1.0 interface service obj-tcp-eq-25 obj-tcp-eq-25
nat (INT_ZONE,SRV_ZONE) source static any any destination static 192.168.1.11 obj-172.17.8.8 service obj-tcp-source-eq-25 obj-tcp-source-eq-25
nat (TRUST_ZONE,INT_ZONE) source static VPN_PoOL VPN_PoOL destination static VPN_PoOL VPN_PoOL
object network obj_any
nat (SRV_ZONE,INT_ZONE) dynamic obj-0.0.0.0
object network obj_any-01
nat (SRV_ZONE,MGMT) dynamic obj-0.0.0.0
object network obj-172.17.8.8
nat (TRUST_ZONE,INT_ZONE) static xxx.xxx.xxx.xxx service tcp www www
object network obj-172.17.0.0
nat (TRUST_ZONE,SRV_ZONE) static 172.17.0.0
object network obj_any-02
nat (TRUST_ZONE,INT_ZONE) dynamic interface
object network obj_any-03
nat (TRUST_ZONE,SRV_ZONE) dynamic interface
object network obj_any-04
nat (TRUST_ZONE,INT_ZONE) dynamic obj-0.0.0.0
object network obj_any-05
nat (TRUST_ZONE,SRV_ZONE) dynamic obj-0.0.0.0
object network obj_any-06
nat (TRUST_ZONE,MGMT) dynamic obj-0.0.0.0
object network obj.172.17.8.115
nat (TRUST_ZONE,INT_ZONE) static obj.xxx.xxx.xxx.xxx service tcp www www
object network mail
nat (TRUST_ZONE,INT_ZONE) static obj-xxx.xxx.xxx.xxx service tcp pop3 pop3
nat (TRUST_ZONE,INT_ZONE) after-auto source static obj-172.17.8.8 obj-xxx.xxx.xxx.xxx service https https
access-group outside_access_in in interface INT_ZONE
access-group DMZ_access_in in interface SRV_ZONE
access-group TRUST_ZONE_access_in in interface TRUST_ZONE
route INT_ZONE 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route TRUST_ZONE 10.10.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.11.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.12.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.13.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 172.17.0.0 255.255.0.0 172.17.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 172.17.8.0 255.255.255.0 TRUST_ZONE
http 172.17.8.155 255.255.255.255 TRUST_ZONE
http 172.17.8.45 255.255.255.255 TRUST_ZONE
http 10.10.10.2 255.255.255.255 MGMT
http 192.168.1.12 255.255.255.255 SRV_ZONE
http 0.0.0.0 0.0.0.0 INT_ZONE
http 172.17.200.0 255.255.255.0 TRUST_ZONE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map pol 1 match address TRUST_ZONE_cryptomap
crypto dynamic-map pol 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INT_ZONE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TRUST_ZONE_map0 1 ipsec-isakmp dynamic pol
crypto map TRUST_ZONE_map0 interface TRUST_ZONE
crypto map INT_ZONE_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INT_ZONE_map0 interface INT_ZONE
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn SEC-xxx-FW1
subject-name CN=SEC-xxx-FW1
no client-types
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=SEC-xxx-FW1
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
57f4e52e 6b851966 77515d62 c209a0df 1c32ce94 bb90cbce 497cfd04 6745ea85
efb75f85 2ae1ad35 344d94ab 915e01ab d3292626 ac697a52 b4ed6632 d3ed2332 ae
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate e6054352
c64f3661 30f14c3d 06b5f039 9f14560d 3b154fd1 42782268 7531689e 8e547d91
85e88415 e326f653 74733a6c a3f5c935 f7e83f56 f6
quit
crypto isakmp enable INT_ZONE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INT_ZONE
ssh 172.17.8.0 255.255.255.0 TRUST_ZONE
ssh 10.10.10.2 255.255.255.255 MGMT
ssh timeout 5
console timeout 0
management-access TRUST_ZONE
vpn load-balancing
interface lbpublic INT_ZONE
interface lbprivate INT_ZONE
priority-queue INT_ZONE
tx-ring-limit 256
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 INT_ZONE
webvpn
enable INT_ZONE
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy xxx-VPN internal
group-policy xxx-VPN attributes
dns-server value xx.xx.xx.xx xx.xx.xx.xx
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value xxx-VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy GPNEW internal
group-policy GPNEW attributes
dns-server value 172.17.8.41
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value xxx.xxx.xxx
address-pools value VPN_POOL
username VPNAM password xxx encrypted
username VPNAM attributes
service-type remote-access
vpn-group-policy xxx-VPN
tunnel-group xxx-VPN type remote-access
tunnel-group xxx-VPN general-attributes
dhcp-server 172.17.8.41
tunnel-group xxx-VPN ipsec-attributes
pre-shared-key *****
tunnel-group pol type ipsec-l2l
tunnel-group pol ipsec-attributes
pre-shared-key *****
trust-point ASDM_TrustPoint0
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool VPN_POOL
default-group-policy GPNEW
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect pptp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:78a941e3f509dec8f3570c60061eedaa
: endthanks god
i solve the problem
the problem is in NAT
i creat an object with the ip address host from VPN pool and name it vpn
then i do the nat from inside to that host as the following picture...
trust zone is the inside zone
vpn is the outside vpn host...
thanks and hope it helps anyone else... -
Cisco ASA 8.2 55xx connect 2 inside interfaces together
Hi all,
I have some problem with my Cisco ASA 8.2 5510. I have to know how shoud i connect 2 inside interfaces together. I am writing what i have.
I have 5 network connection on Cisco ASA.
1. Interface Ethernet 0/0 - outside 200.200.200.200 255.255.255.240
2. Interface Ethernet 0/1 - 1_firm 10.0.1.1 255.255.255.0
3. Interface Ethernet 0/2 - 2_firm 192.168.1.1 255.255.255.0
4. Interface Ethernet 0/3 - DMZ-Server 10.10.10.1 255.255.255.0 (Just one Server)
5. Management - no need
I have to connect 2 Interfaces, (1_firm) with Interface (2_firm). I've tried
"route 1_firm 192.168.1.0 255.255.255.0 10.0.1.1" ,
but i resiving following error "Cannot add route,connected route exists".
But i have no route configuration. What i have cheking? Or maked i some wrong?
Thank you for your helpHi Jennifer,
Thanks for your answer.
Sec. Level 90 .
Can you write me correct NAT and exeption configuration? That is my conf.
This is my test Firewall system
ciscoasa(config)# sh run
: Saved
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outisde
security-level 0
ip address 200.100.100.200 255.255.255.240
interface Ethernet0/1
nameif vpm
security-level 90
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
nameif wundplan
security-level 90
ip address 10.0.1.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list wundplan_access_in extended permit ip 10.0.1.0 255.255.255.0 any
access-list vpm_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outisde_access_in extended permit ip any 200.100.100.192 255.255.255.240
access-list wundplan_nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outisde 1500
mtu vpm 1500
mtu wundplan 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outisde) 101 interface
global (wundplan) 1 10.0.1.0 netmask 255.255.0.0
access-group outisde_access_in in interface outisde
access-group vpm_access_in in interface vpm
access-group wundplan_access_in in interface wundplan
route outisde 0.0.0.0 0.0.0.0 200.100.100.199 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.1.0 255.255.255.0 wundplan
http 192.168.1.0 255.255.255.0 vpm
http 10.0.0.0 255.255.255.0 wundplan
http 192.168.0.0 255.255.255.0 vpm
http redirect wundplan 80
http redirect vpm 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5cd35a1417360a176153562a9c67e266
: end
Thynk you very mach. -
Hii frnds,
here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
Below is the out put from the router
r1#sh run
Building configuration...
Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ra-vpn
key xxxxxx
domain r1.com
pool vpn-pool
acl 150
save-password
include-local-lan
max-users 10
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
crypto dynamic-map RA 1
set transform-set my-vpn
reverse-route
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
interface Loopback0
ip address 10.2.2.2 255.255.255.255
interface FastEthernet0/0
bandwidth 8000000
ip address 117.239.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ra-vpn
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.252 255.255.255.0 secondary
ip address 10.10.10.1 255.255.252.0 secondary
ip address 172.16.0.1 255.255.252.0 secondary
ip address 10.10.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpn-pool 172.18.1.1 172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
control-plane
line con 0
login authentication local-console
line aux 0
line vty 0 4
login authentication local-console
transport input telnet ssh
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 117.239.xx.xx
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.2.2.2/32 is directly connected, Loopback0
C 10.10.7.0/24 is directly connected, FastEthernet0/1
L 10.10.7.1/32 is directly connected, FastEthernet0/1
C 10.10.8.0/22 is directly connected, FastEthernet0/1
L 10.10.10.1/32 is directly connected, FastEthernet0/1
117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 117.239.xx.xx/28 is directly connected, FastEthernet0/0
L 117.239.xx.xx/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/22 is directly connected, FastEthernet0/1
L 172.16.0.1/32 is directly connected, FastEthernet0/1
172.18.0.0/32 is subnetted, 1 subnets
S 172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/1
L 192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
117.239.xx.xx 49.206.59.86 QM_IDLE 1043 ACTIVE
IPv6 Crypto ISAKMP SA
r1 #sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: giet-vpn, local addr 117.239.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
current_peer 49.206.59.86 port 50083
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x550E70F9(1427009785)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5668C75(90606709)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550169/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x550E70F9(1427009785)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550170/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:hi Maximilian Schojohann..
First i would like to Thank you for showing interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF " Router cpu processer goes to 99% and hangs...
In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
so plz give me an alternate solution ....thanks in advance.... -
ASA 5505 Vlan1/Inside Interface Down
I did an initial setup of an ASA 5505 using the setup wizard.
The inside interface is showing down/down. It is not shutdown in the running config.
The ethernet ports say "available but not configured via nameif."
Anyone have some ideas for me to check?
ethernet0/0 is working with no problems.Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
Brian
Maybe you are looking for
-
Hi, I just want to ask if I can open or edit the .classpath file on my new project? if so, how will i do it? Thanks.
-
Hi, racking my brains on this one. Have a list of postcodes which I want to be able to offer free shipping on all orders to. The easiest option would seem to be to simply set the value generated by (I think) shippingCalc to 0, but I can't seem to fin
-
Hi, i'm in 11.2 on Linux. I've an application that perform some queries with many function. For ex: select funct(field1,0), funct(field2,' '), funct(field3,' '), funct(field4,0), funct(field5,0) from .... This function is a custom NVL and the perform
-
Wli channel qualifiedmessagetype not working sometimes?
I am having the following problem. I have a channel file which is as follows: <?xml version="1.0"?> <channels xmlns="http://www.bea.com/wli/broker/channelfile" xmlns:sa="abcd" xmlns:eg="http://www.bea.com/wli/eventGenerator" channelPrefix="/xyz"> <ch
-
I want to insert large data from dblinks using direct insert however as rollback segment is quite small i need to commit after every 2000 rows or so. insert /*+ append */ into abc_monthly@dblink select * from abc partition(ODFRC_20040201); any help g