Change ASA5510 to ASA5515-X
Hi,
I would like to change ASA5510 to ASA5515-X.
ASA5510 version is 9.1.1
Which is the best method to copy the configuration?
Downtime is acceptable.
I don't know if backing up the ASA5510 configuration (with ASDM) and restoring it on the 5515 could work because of their differences (Ethernet vs. GigabitEthernet, for example...)
Thanks for your help,
Patrick
What I did to copy the ASA 5510 configuration to the ASA 5515-X without errors...
On ASA 5510:
- backed up the configuration with ASDM --> backup.zip with password
- copied running-config to a file: backup.cfg
I modified a few lines in backup.cfg:
- Ethernet to GigabitEthernet
- boot image
On ASA 5515-X:
- I configured the management interface, then I copied many files (dap.xml, <allvpnprofiles>.xml, anyconnect.pkg, ASA, ASDM, backup.cfg)
- I configured "boot system" and "asdm image"
- in ASDM, I restored with the wizard and selected Certificate and VPN (but VPN data was not restored)
- with the CLI, I copied backup.cfg to running-config, then write mem
- there were only a few warnings and no errors after reboot.
I didn't try it in production, but the configuration seems correct.
Patrick
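As an added example (not Patrick's script and not Cisco code), a small Python helper that does the backup.cfg edits described above mechanically: it renames every Ethernet0/N reference to GigabitEthernet0/N (subinterfaces included, which goes slightly beyond the post), replaces or flags the "boot system" and "asdm image" lines, and lists anything left over. The port mapping, the image paths and the sample config are assumptions constructed for the example.

```python
import re

# Matches the 5510's data-port names (Ethernet0/0 .. Ethernet0/3 and any
# subinterface such as Ethernet0/1.10). "GigabitEthernet..." and
# "Management0/0" are left alone because \b never falls inside a word.
ETH_RE = re.compile(r"\bEthernet(\d+/\d+(?:\.\d+)?)\b")
# Lines that name a software image; the file names differ per platform.
IMAGE_RE = re.compile(r"^(\s*)(boot system|asdm image)\s+(\S+)\s*$", re.IGNORECASE)


def rewrite_config(text, new_boot=None, new_asdm=None):
    """Return (rewritten_config, notes).

    Every Ethernet0/N reference becomes GigabitEthernet0/N (assumed mapping).
    A 'boot system' or 'asdm image' line is replaced when the caller supplies
    the new path; otherwise it is kept and a note asks for a manual edit.
    """
    out, notes = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IMAGE_RE.match(line)
        if m:
            indent, keyword, old = m.groups()
            new = new_boot if keyword.lower() == "boot system" else new_asdm
            if new:
                notes.append(f"line {lineno}: {keyword} {old} -> {new}")
                line = f"{indent}{keyword} {new}"
            else:
                notes.append(f"line {lineno}: '{keyword} {old}' kept; "
                             "set the 5515-X image path by hand")
        else:
            line, count = ETH_RE.subn(r"GigabitEthernet\1", line)
            if count:
                notes.append(f"line {lineno}: renamed {count} interface reference(s)")
        out.append(line)
    return "\n".join(out) + "\n", notes


def interface_names(text):
    """Names declared with 'interface ...'; compare the set before and after."""
    return {m.group(1) for m in re.finditer(r"^interface\s+(\S+)", text, re.MULTILINE)}


def leftover_5510_refs(text):
    """Lines that still mention a bare Ethernet0/N port after rewriting."""
    return [ln for ln in text.splitlines() if ETH_RE.search(ln)]


# Constructed sample, not a real device config: a trimmed 5510 running-config.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1.10
 vlan 10
 nameif inside
interface Management0/0
 nameif management
 management-only
boot system disk0:/asa911-k8.bin
asdm image disk0:/asdm-711.bin
"""

if __name__ == "__main__":
    # Placeholder image path: substitute the real 5515-X image name.
    new_text, notes = rewrite_config(SAMPLE, new_boot="disk0:/PLACEHOLDER-5515-image.bin")
    print(new_text)
    print("\n".join(notes))
    print("leftover 5510 references:", leftover_5510_refs(new_text))
```

Run the original and the rewritten file through interface_names() and compare the two sets; the count must not change, only the prefix.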
Similar Messages
-
ASA5510: Changed destination object but traffic just will not go through
Hello
I have a fully functioning ASA5510. One of the things that goes through it is OWA; presently it is routed to a particular address. I have just built a new Exchange server and I want to get OWA working. I created a new destination object, making sure that all the major details were the same as the original object, changing only the IP address. I also did the same for the NAT. I have also done the same with the two smarthost rules.
Now when I apply the new config, OWA and external mail is affected. I can access OWA internally, and all I change is literally the destination point.
I have sat and gone through, line by line, the working and the non-working config.
Any ideas?
Thanks Walter, below then is the working config. I have removed some information from it and put the whole section of the rules that were changed in red.
: Saved
ASA Version 8.4(3)
hostname TAAS-FW-HH-01
domain-name domain.local
enable password N5MzNpZasdasdadadM.GwZSfSB encrypted
passwd 2KFQnbNIdasdasdadaI.2KYOU encrypted
names
interface Ethernet0/0
nameif WAN-HH-0
security-level 0
ip address x.x.x.243 255.255.255.240
interface Ethernet0/1
nameif WAN-HH-1
security-level 0
pppoe client vpdn group PPPoE-GROUP
ip address pppoe
interface Ethernet0/2
nameif DMZ-HH
security-level 50
ip address 10.0.1.1 255.255.255.0
interface Ethernet0/3
nameif LAN-HH
security-level 100
ip address 10.1.0.1 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup WAN-HH-0
dns domain-lookup WAN-HH-1
dns domain-lookup DMZ-HH
dns domain-lookup LAN-HH
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.1.0.41
domain-name domain.local
object network EXT-IP-HH4-244
host x.x.x..244
description EXT-IP-HH4-244 FOR NAT
object network RTR-HH
host x.x.x..241
description RTR-HH
object network EXT-IP-HH2-242
host x.x.x..242
description EXT-IP-HH2-242 FOR EXCHANGE SBS
object network WNAASBS
host 10.1.0.30
description WNAASBS
object network LAN-FUNDRAISING
subnet 10.3.0.0 255.255.255.0
description LAN-FUNDRAISING
object network LAN-HH
subnet 10.1.0.0 255.255.255.0
description LAN-HH
object network EXT-IP-RET
host 80.229.161.185
description EXT-IP-RET
object network LAN-RET
subnet 10.2.0.0 255.255.255.0
description LAN-RET
object network EXT-IP-COV1-130
host 213.120.84.130
description EXT-IP-COV1-130
object network LAN-COV
subnet 10.4.0.0 255.255.255.0
description LAN-COV
object network EXT-IP-DLR
host 81.130.196.105
description EXT-IP-DLR
object network LAN-DLR
subnet 10.5.0.0 255.255.255.0
description LAN-DLR
object network EXT-IP-HH5-245
host x.x.x..245
description EXT-IP-HH5-245 FOR FS
object network TAAS-FSP-HH-01
host 10.0.1.10
description TAAS-FSP-HH-01
object network EXT-IP-HH6-246
host x.x.x..246
description EXT-IP-HH6-246 FOR SSLVPN
object network EXT-IP-HH3-243
host x.x.x..243
description EXP-IP-HH3-243
object network LAN-LON
subnet 10.6.0.0 255.255.255.0
description LAN-LON
object network Supplier2-1-66.197.193.197
host 66.197.193.197
description Supplier2-1-66.197.193.197
object network Supplier2-2-92.48.99.0-mask-255.255.255.192
subnet 92.48.99.0 255.255.255.192
description Supplier2-2-92.48.99.0-mask-255.255.255.192
object network Supplier2-3-195.72.35.96-mask-255.255.255.240
subnet 195.72.35.96 255.255.255.240
description Supplier2-3-195.72.35.96-mask-255.255.255.240
object network Supplier2-4-95.154.198.192
subnet 95.154.198.192 255.255.255.192
description Supplier2-4-95.154.198.192
object network EXT-IP-HH14-254
host x.x.x..254
description EXT-IP-HH14-254
object network PANASONIC-PBX-IP
host 10.1.0.80
description PANASONIC-PBX-IP
object network SUPPLIER1-FIXED-IP
host 81.137.210.17
description SUPPLIER1-FIXED-IP
object network TAAS-DC-HH-01
host 10.1.0.16
description TAAS-DC-HH-01
object network TAAS-EX-HH-01
host 10.1.0.20
description TAAS-EX-HH-01
object network TAAS-FP-HH-01A
host 10.1.0.18
description TAAS-FP-HH-01A
object network Supplier3
subnet 10.0.0.0 255.255.0.0
description Supplier3
object network Supplier3IP
host 87.84.167.147
description Supplier3IP
object network LAN-RITM
subnet 10.71.139.0 255.255.255.0
description Translated LAN address for Supplier3
object network Supplier2_New1
subnet 5.172.153.128 255.255.255.128
description New Supplier2 5.172.153.128
object network Supplier2_New2
host 5.172.153.233
description Supplier2_New2 5.172.153.233
object network Supplier2_New3
range 5.172.153.150 5.172.153.160
description Supplier2_New3 5.172.153.150-160
object network Supplier2_New5
range 5.172.153.230 5.172.153.235
description Supplier2_New5 5.172.153.230-235
object network LAN-LF
subnet 10.177.163.0 255.255.255.0
object network TAAS-SP-APP-01
host 10.1.0.45
description Sharepoint
object network SSL-VPN
host 10.1.0.7
object network NETWORK_OBJ_10.1.0.192_26
subnet 10.1.0.192 255.255.255.192
object network LF
host 92.234.12.53
object service http
service tcp source eq www destination eq www
description http
object network 10.1.0.45
host 10.1.0.45
object network TAAS-EX-HH
host 10.1.0.31
description TAAS-EX-HH
object network 187.72.55.177
host 187.72.55.177
object network 92.51.156.106
host 92.51.156.106
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_2
network-object 10.0.1.0 255.255.255.0
network-object object LAN-HH
object-group network Supplier2-SMTP
description Supplier2-SMTP
network-object object Supplier2-1-66.197.193.197
network-object object Supplier2-2-92.48.99.0-mask-255.255.255.192
network-object object Supplier2-3-195.72.35.96-mask-255.255.255.240
network-object object Supplier2-4-95.154.198.192
object-group service PANASONIC-PBX tcp-udp
description PANASONIC-PBX
port-object eq 35300
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq ntp
object-group network New_Supplier2_SMTP
description New Supplier2 Group
network-object object Supplier2_New1
network-object object Supplier2_New2
network-object object Supplier2_New3
network-object object Supplier2_New5
network-object object LF
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
group-object TCPUDP
object-group network Malicious_IP_Addresses
network-object object 187.72.55.177
network-object object 92.51.156.106
access-list WAN-HH-0_access extended permit tcp any object WNAASBS eq https log debugging
access-list WAN-HH-0_access extended permit object-group TCPUDP object SUPPLIER1-FIXED-IP object PANASONIC-PBX-IP object-group PANASONIC-PBX
access-list WAN-HH-0_access extended permit tcp any object TAAS-FSP-HH-01 eq https
access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object WNAASBS eq smtp log debugging
access-list WAN-HH-0_access extended permit icmp any object-group DM_INLINE_NETWORK_2 echo-reply inactive
access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object WNAASBS eq smtp log debugging
access-list WAN-HH-0_access extended permit tcp any object TAAS-SP-APP-01 object-group DM_INLINE_TCP_1 log
access-list WAN-HH-0_access extended permit tcp any object SSL-VPN eq https
access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object TAAS-EX-HH eq smtp log debugging inactive
access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object TAAS-EX-HH eq smtp inactive
access-list WAN-HH-0_access extended permit tcp any eq https object TAAS-EX-HH eq https log debugging inactive
(The below part is the full section of that above with the new rules. This is the only thing that is different between the two running config files)
access-list WAN-HH-0_access extended permit tcp any object WNAASBS eq https log debugging inactive
access-list WAN-HH-0_access extended permit object-group TCPUDP object SUPPLIER1-FIXED-IP object PANASONIC-PBX-IP object-group PANASONIC-PBX
access-list WAN-HH-0_access extended permit tcp any object TAAS-FSP-HH-01 eq https
access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object WNAASBS eq smtp log debugging inactive
access-list WAN-HH-0_access extended permit icmp any object-group DM_INLINE_NETWORK_2 echo-reply inactive
access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object WNAASBS eq smtp log debugging inactive
access-list WAN-HH-0_access extended permit tcp any object TAAS-SP-APP-01 object-group DM_INLINE_TCP_1 log
access-list WAN-HH-0_access extended permit tcp any object SSL-VPN eq https
access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object TAAS-EX-HH eq smtp log debugging
access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object TAAS-EX-HH eq smtp
access-list WAN-HH-0_access extended permit tcp any object TAAS-EX-HH eq https log debugging
access-list WAN-HH-0_cryptomap extended permit ip object LAN-HH object LAN-RET
access-list WAN-HH-0_cryptomap_2 extended permit ip object LAN-HH object LAN-COV
access-list WAN-HH-0_cryptomap_3 extended permit ip object LAN-HH object LAN-DLR
access-list DMZ-HH_access_in extended permit tcp object TAAS-FSP-HH-01 object TAAS-FP-HH-01A eq https
access-list DMZ-HH_access_in extended permit object-group DM_INLINE_SERVICE_1 object TAAS-FSP-HH-01 any
access-list DMZ-HH_access_in extended deny object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list WAN-HH-0_cryptomap_5 extended permit ip object LAN-HH object LAN-RET
access-list WAN-HH-1_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log
pager lines 24
logging enable
logging asdm informational
mtu WAN-HH-0 1500
mtu WAN-HH-1 1500
mtu DMZ-HH 1500
mtu LAN-HH 1500
mtu management 1500
ip local pool VPNAddresses 10.1.0.200-10.1.0.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-FUNDRAISING LAN-FUNDRAISING no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-RET LAN-RET no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-COV LAN-COV no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-DLR LAN-DLR no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LON LAN-LON no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-RITM destination static Supplier3 Supplier3
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LF LAN-LF
nat (LAN-HH,WAN-HH-0) source static any any destination static NETWORK_OBJ_10.1.0.192_26 NETWORK_OBJ_10.1.0.192_26 no-proxy-arp route-lookup
object network WNAASBS
nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
object network TAAS-FSP-HH-01
nat (DMZ-HH,WAN-HH-0) static EXT-IP-HH5-245
object network PANASONIC-PBX-IP
nat (LAN-HH,WAN-HH-0) static EXT-IP-HH14-254
object network SSL-VPN
nat (LAN-HH,WAN-HH-0) static EXT-IP-HH6-246
object network 10.1.0.45
nat (LAN-HH,WAN-HH-0) static interface service tcp www www
object network TAAS-EX-HH
nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
nat (DMZ-HH,WAN-HH-0) after-auto source dynamic any EXT-IP-HH5-245 dns
nat (LAN-HH,WAN-HH-0) after-auto source dynamic any interface
access-group WAN-HH-0_access in interface WAN-HH-0
access-group WAN-HH-1_access_in in interface WAN-HH-1
access-group DMZ-HH_access_in in interface DMZ-HH
route WAN-HH-0 0.0.0.0 0.0.0.0 x.x.x..241 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 management
http 10.1.0.0 255.255.255.0 LAN-HH
http 195.171.184.58 255.255.255.255 WAN-HH-0
http 10.177.163.0 255.255.255.0 LAN-HH
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN-HH-0_map 1 match address WAN-HH-0_cryptomap
crypto map WAN-HH-0_map 1 set peer.110
crypto map WAN-HH-0_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN-HH-0_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map WAN-HH-0_map 2 match address WAN-HH-0_cryptomap_2
crypto map WAN-HH-0_map 2 set pfs
crypto map WAN-HH-0_map 2 set peer.130
crypto map WAN-HH-0_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN-HH-0_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map WAN-HH-0_map 2 set nat-t-disable
crypto map WAN-HH-0_map 4 match address WAN-HH-0_cryptomap_3
crypto map WAN-HH-0_map 4 set peer 105
crypto map WAN-HH-0_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN-HH-0_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map WAN-HH-0_map 6 match address WAN-HH-0_cryptomap_5
crypto map WAN-HH-0_map 6 set peer 78.154.108.110
crypto map WAN-HH-0_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN-HH-0_map 6 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map WAN-HH-0_map 6 set ikev2 pre-shared-key xxxxxxx
crypto map WAN-HH-0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN-HH-0_map interface WAN-HH-0
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate TOOK THIS OUT AS WAY TOO MUCH TEXT
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable WAN-HH-0
crypto ikev2 enable WAN-HH-1
crypto ikev1 enable WAN-HH-0
crypto ikev1 enable WAN-HH-1
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh x.x.x.58 x.255.255.255 WAN-HH-0
ssh x.x.x.x 255.255.255.255 WAN-HH-0
ssh x.x.0.0 255.255.255.0 LAN-HH
ssh timeout 5
console timeout 0
management-access LAN-HH
vpdn group PPPoE_GROUP request dialout pppoe
vpdn group PPPoE_GROUP localname login
vpdn group PPPoE_GROUP ppp authentication chap
vpdn group PPPoE-GROUP request dialout pppoe
vpdn group PPPoE-GROUP localname login
vpdn group PPPoE-GROUP ppp authentication chap
vpdn username login password password
dhcpd address xx.x.x.-x.x.x.x. management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server x.x.x.x source LAN-HH prefer
ntp server 80.87.128.243 source WAN-HH-0
webvpn
enable WAN-HH-1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 1x.x.x.x
vpn-tunnel-protocol l2tp-ipsec
default-domain value domain.local
group-policy TestIPSECTunnel internal
group-policy TestIPSECTunnel attributes
dns-server value x.x.x.x
vpn-tunnel-protocol ikev1
default-domain value x.x.uk
group-policy DfltGrpPolicy attributes
dns-server value x.x.x.x
webvpn
url-list value Links
group-policy GroupPolicy_147 internal
group-policy GroupPolicy_.147 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_105 internal
group-policy GroupPolicy_105 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_130 internal
group-policy GroupPolicy_130 attributes
vpn-tunnel-protocol ikev1 ikev2
username user password password privilege 0
username user attributes
vpn-group-policy DfltGrpPolicy
username user2 password passwordy encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPNAddresses
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key xxxxxxxx
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group 10 type ipsec-l2l
tunnel-group110 ipsec-attributes
ikev1 pre-shared-key
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
tunnel-group 147 type ipsec-l2l
tunnel-group 147 general-attributes
default-group-policy GroupPolicy_87.84.164.147
tunnel-group 147 ipsec-attributes
ikev1 pre-shared-key
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
tunnel-group.130 type ipsec-l2l
tunnel-group.130 general-attributes
default-group-policy GroupPolicy_213.120.84.130
tunnel-group 130 ipsec-attributes
ikev1 pre-shared-key
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
tunnel-group 105 type ipsec-l2l
tunnel-group 105 general-attributes
default-group-policy GroupPolicy_81.130.196.105
tunnel-group.105 ipsec-attributes
ikev1 pre-shared-key xxxxxxx
ikev2 remote-authentication pre-shared-key xxxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx
tunnel-group TestIPSECTunnel type remote-access
tunnel-group TestIPSECTunnel general-attributes
address-pool VPNAddresses
default-group-policy TestIPSECTunnel
tunnel-group TestIPSECTunnel ipsec-attributes
ikev1 pre-shared-key xxxxxxx
tunnel-group SSLVPN type remote-access
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:994038sdgfaefg cesrtsegse55fd0239
: end
no asdm history enable
-
How to validate SSL cert on ASA5510, before changing DNS?
I have recently installed an SSL certificate from a third party CA (GoDaddy) into an ASA5510 that I will be using as a VPN appliance for AnyConnect clients.
The ASA is going to replace our VPN server, which currently has the vpn.domain.com FQDN assigned to its IP address in public DNS.
Is there a way for me to properly validate that the SSL cert will work without any issues (i.e. no invalid-certificate error messages popping up on users' AnyConnect clients) from the Internet, before I cut over public DNS to point to the public-facing interface on the ASA5510, which is where vpn.company.com will ultimately be pointing to?
Put vpn.domain.com in your local PC hosts file with the new IP. Then try AnyConnect.
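As an added example (not the thread's own advice), a Python check that does the same thing as the hosts-file trick without touching the resolver: it connects to the ASA's new public IP, sends vpn.domain.com as the SNI name, and verifies the served chain against the system trust store; it also reports the SAN list and remaining validity, which the post did not ask for. The helpers for SAN matching and expiry work offline on the dictionary getpeercert() returns; the IP, port and sample certificate values are placeholders.

```python
import socket
import ssl
import time


def san_dns_names(cert):
    """DNS entries of subjectAltName in the dict SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert, hostname):
    """True when hostname matches a SAN DNS entry (single-label wildcard only)."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        # "*.domain.com" covers "vpn.domain.com" but not "a.b.domain.com" or "domain.com"
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.split(".", 1)[1] == name[2:]):
            return True
    return False


def days_remaining(cert, now_ts=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now_ts is None else now_ts
    return int((expires - now) // 86400)


def check_endpoint(ip, hostname, port=443, timeout=5.0):
    """Connect to ip:port, present hostname via SNI, verify chain and name.

    The default context uses the OS trust store with hostname checking on, so
    a missing intermediate or a name mismatch surfaces as a verification error
    before DNS is changed. Returns a dict with ok/reason and, on success,
    the SAN names and days left.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": f"verification failed: {getattr(exc, 'verify_message', exc)}"}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "reason": f"connection/TLS error: {exc}"}
    return {
        "ok": hostname_matches(cert, hostname),
        "reason": "chain verified",
        "san": san_dns_names(cert),
        "days_left": days_remaining(cert),
    }


if __name__ == "__main__":
    # Placeholders: the ASA's new public IP and the FQDN that will point at it.
    print(check_endpoint("192.0.2.10", "vpn.domain.com"))
```

A pass here confirms the ASA serves a complete, valid chain for that name; a final test from a real AnyConnect client is still worthwhile because the client relies on the operating system's trust store rather than Python's.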
-
ASA5510-BUN-K9 + L-ASA5510-SEC-PL= license Does the support change?
Hi,
I have two ASA5510-BUN-K9 Fws and I am planning to buy 2 x L-ASA5510-SEC-PL= to put them in HA.
I was wondering if the support contract that I currently have for the two ASAs is still valid, or do I have to buy any support upgrade?
Any help is much appreciated!
Hi Juan,
As long as the contract is still valid it will still cover the firewalls with a new license. The contract is tied to the serial number of the device, rather than the license installed on it.
-Mike
-
Failover between ASA5515-X and ASA5510
Hi,
I would like to know if it's possible, and how we can set up a failover between an ASA 5515-X and an ASA 5510.
I'm aware that the ASA 5510 requires Security Plus for HA Active/Active.
Any answers are welcome,
Thanks!
Hi Jouni,
Thanks for your prompt answer!
Too bad to hear that we can't achieve that :/
I guess that in concept, HA must be the same hardware (makes sense of course, as we need to be "highly" available if one piece of hardware falls down),
but for the concept of "failing" over to something, it would have been great to have this feature across different devices (like you can temporarily "fail" over to a 10 Mbps line when your 100 Mbps is down...)
But well, too much concept, it's how it is! ;= Thanks again for your accurate answer!
Nice day!
-
ASA5515-K9 ASA5510-SEC-BUN-K9 VPN
Hi, I have 10 firewalls in different locations; all of them support 250 IPsec sessions.
I plan to deploy one at the HQ and the other 9 in the branches. Can I configure site-to-site VPN from each branch to the HQ? I mean, is this number of concurrent connections to the HQ firewall covered by the total of 250, or do I have to have another kind of license for the HQ firewall?
Thanks
The actual license includes site-to-site IPsec and IKEv1 remote access (which is used by the legacy EasyVPN client). So you are fine with your actual license. Only if you plan to use AnyConnect RA-VPN do you need additional licenses.
The config will be quite easy if you need pure hub-and-spoke. For spoke-to-spoke traffic through the hub, it is a little bit more complex. For this scenario you can consult the following document:
https://supportforums.cisco.com/document/12015091/cisco-asa-vpn-spoke-spoke-communication-hub
-
ASA5510 VPN not working after upgrade from 8.2 to 8.3
Hi,
I have recently upgraded a customer ASA5510 to version 8.3.
After upgrade web access etc is working fine however VPN is down.
The config looks very different after the upgrade plus what looks to be duplicate entries.
I suspect it's an access-list issue, but I'm not sure.
If anyone has any ideas based on the config below, it would be greatly appreciated, as I'm at a loss....?!
hostname ciscoasa
domain-name default.domain.invalid
enable password NvZgxFP5WhDo0hQl encrypted
passwd FNeDAwBbhVaOtVAu encrypted
names
dns-guard
interface Ethernet0/0
nameif Outside
security-level 0
ip address 217.75.8.203 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name default.domain.invalid
object network obj-192.168.1.2-04
host 192.168.1.2
object network obj-192.168.1.7-04
host 192.168.1.7
object network obj-192.168.1.0-02
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0-02
subnet 192.168.2.0 255.255.255.0
object network obj-10.1.2.0-02
subnet 10.1.2.0 255.255.255.0
object network obj-192.168.1.224-02
subnet 192.168.1.224 255.255.255.240
object network obj-192.168.1.9-02
host 192.168.1.9
object network obj-192.168.1.2-05
host 192.168.1.2
object network obj-192.168.1.103-02
host 192.168.1.103
object network obj-192.168.1.7-05
host 192.168.1.7
object network NETWORK_OBJ_10.1.2.0_24
subnet 10.1.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network obj-192.168.1.2-02
object-group network obj-192.168.1.7-02
object-group network obj-192.168.1.0-01
object-group network obj-192.168.2.0-01
object-group network obj-10.1.2.0-01
object-group network obj-192.168.1.224-01
object-group network obj-192.168.1.9-01
object-group network obj-192.168.1.2-03
object-group network obj-192.168.1.103-01
object-group network obj-192.168.1.7-03
object-group network obj-192.168.1.2
object-group network obj-192.168.1.7
object-group network obj-192.168.1.0
object-group network obj-192.168.2.0
object-group network obj-10.1.2.0
object-group network obj-192.168.1.224
object-group network obj-192.168.1.9
object-group network obj-192.168.1.2-01
object-group network obj-192.168.1.103
object-group network obj-192.168.1.7-01
object-group network obj_any
object-group network obj-0.0.0.0
object-group network obj_any-01
object-group service MonitcomUDP udp
port-object range 3924 3924
access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
access-list Outside_access_in remark Monitcom
access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
access-list Outside_access_in extended permit udp any any eq 4500 inactive
access-list Outside_access_in extended permit udp any any eq isakmp inactive
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list RemoteVPN_splitTunnelAcl standard permit any
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
pager lines 24
logging enable
logging asdm warnings
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
ip verify reverse-path interface Outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm location 192.168.1.208 255.255.255.252 Inside
asdm location 192.168.1.103 255.255.255.255 Inside
asdm location 192.168.1.6 255.255.255.255 Inside
asdm location 192.168.1.7 255.255.255.255 Inside
asdm location 192.168.1.9 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02 unidirectional
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02 unidirectional
nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
object network obj-192.168.1.2-04
nat (Outside,Inside) static 217.75.8.204
object network obj-192.168.1.7-04
nat (Outside,Inside) static 217.75.8.206
object network obj-192.168.1.0-02
nat (Inside,Outside) dynamic interface
object network obj-192.168.1.9-02
nat (Inside,Outside) static 217.75.8.201
object network obj-192.168.1.2-05
nat (Inside,Outside) static 217.75.8.204
object network obj-192.168.1.103-02
nat (Inside,Outside) static 217.75.8.205
object network obj-192.168.1.7-05
nat (Inside,Outside) static 217.75.8.206
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DellServerAAA protocol radius
aaa-server DellServerAAA (Inside) host 192.168.1.4
key test
http server enable
http 62.17.29.2 255.255.255.255 Outside
http 82.141.224.155 255.255.255.255 Outside
http 63.218.54.8 255.255.255.252 Outside
http 213.79.44.213 255.255.255.255 Outside
http 192.168.1.0 255.255.255.0 Inside
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df Outside
crypto ipsec df-bit clear-df Inside
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 89.127.172.29
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 60 set peer 89.105.114.98
crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity key-id nattingreallymatters
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 Inside
telnet timeout 5
ssh 82.141.224.155 255.255.255.255 Outside
ssh 62.17.29.2 255.255.255.255 Outside
ssh 213.79.44.213 255.255.255.255 Outside
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
wins-server value 192.168.1.31
dns-server value 192.168.1.31
default-domain value freefoam.ie
username freefoam password JLYaVf7FqRM2LH0e encrypted
username cork password qbK2Hqt1H5ttJzPD encrypted
tunnel-group 193.114.70.130 type ipsec-l2l
tunnel-group 193.114.70.130 ipsec-attributes
pre-shared-key ******
tunnel-group 89.127.172.29 type ipsec-l2l
tunnel-group 89.127.172.29 ipsec-attributes
pre-shared-key ******
tunnel-group 89.105.114.98 type ipsec-l2l
tunnel-group 89.105.114.98 ipsec-attributes
pre-shared-key *****
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool VPNPool
authentication-server-group DellServerAAA
default-group-policy RemoteVPN
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0dc16fe893bd4bba6fdf6b7eed93e553
Hi,
Many thanks for your reply.
Finally got access to implement your suggestions.
Initially none of the VPNs were up.
After making the change the two VPNs came up.
However, only data via the first VPN is possible.
Accessing resources on the 10.1.2.0 network is still not possible.
Attached is the latest config; any input is greatly appreciated:
hostname ciscoasa
domain-name default.domain.invalid
enable password NvZgxFP5WhDo0hQl encrypted
passwd FNeDAwBbhVaOtVAu encrypted
names
dns-guard
interface Ethernet0/0
nameif Outside
security-level 0
ip address 217.75.8.203 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name default.domain.invalid
object network obj-192.168.1.2-04
host 192.168.1.2
object network obj-192.168.1.7-04
host 192.168.1.7
object network obj-192.168.1.0-02
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0-02
subnet 192.168.2.0 255.255.255.0
object network obj-10.1.2.0-02
subnet 10.1.2.0 255.255.255.0
object network obj-192.168.1.224-02
subnet 192.168.1.224 255.255.255.240
object network obj-192.168.1.9-02
host 192.168.1.9
object network obj-192.168.1.2-05
host 192.168.1.2
object network obj-192.168.1.103-02
host 192.168.1.103
object network obj-192.168.1.7-05
host 192.168.1.7
object network NETWORK_OBJ_10.1.2.0_24
subnet 10.1.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network obj-192.168.1.2-02
object-group network obj-192.168.1.7-02
object-group network obj-192.168.1.0-01
object-group network obj-192.168.2.0-01
object-group network obj-10.1.2.0-01
object-group network obj-192.168.1.224-01
object-group network obj-192.168.1.9-01
object-group network obj-192.168.1.2-03
object-group network obj-192.168.1.103-01
object-group network obj-192.168.1.7-03
object-group network obj-192.168.1.2
object-group network obj-192.168.1.7
object-group network obj-192.168.1.0
object-group network obj-192.168.2.0
object-group network obj-10.1.2.0
object-group network obj-192.168.1.224
object-group network obj-192.168.1.9
object-group network obj-192.168.1.2-01
object-group network obj-192.168.1.103
object-group network obj-192.168.1.7-01
object-group network obj_any
object-group network obj-0.0.0.0
object-group network obj_any-01
object-group service MonitcomUDP udp
port-object range 3924 3924
access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
access-list Outside_access_in remark Monitcom
access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
access-list Outside_access_in extended permit udp any any eq 4500 inactive
access-list Outside_access_in extended permit udp any any eq isakmp inactive
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list RemoteVPN_splitTunnelAcl standard permit any
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
access-list global_access extended permit ip any any
access-list Outside_cryptomap_80_3 extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Split-tunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
ip verify reverse-path interface Outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm image disk0:/asdm-647.bin
asdm location 192.168.1.208 255.255.255.252 Inside
asdm location 192.168.1.103 255.255.255.255 Inside
asdm location 192.168.1.6 255.255.255.255 Inside
asdm location 192.168.1.7 255.255.255.255 Inside
asdm location 192.168.1.9 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02
nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
object network obj-192.168.1.2-04
nat (Outside,Inside) static 217.75.8.204
object network obj-192.168.1.7-04
nat (Outside,Inside) static 217.75.8.206
object network obj-192.168.1.0-02
nat (Inside,Outside) dynamic interface
object network obj-192.168.1.9-02
nat (Inside,Outside) static 217.75.8.201
object network obj-192.168.1.2-05
nat (Inside,Outside) static 217.75.8.204
object network obj-192.168.1.103-02
nat (Inside,Outside) static 217.75.8.205
object network obj-192.168.1.7-05
nat (Inside,Outside) static 217.75.8.206
nat (Inside,Outside) after-auto source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DellServerAAA protocol radius
aaa-server DellServerAAA (Inside) host 192.168.1.4
key test
http server enable
http 62.17.29.2 255.255.255.255 Outside
http 82.141.224.155 255.255.255.255 Outside
http 63.218.54.8 255.255.255.252 Outside
http 213.79.44.213 255.255.255.255 Outside
http 192.168.1.0 255.255.255.0 Inside
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df Outside
crypto ipsec df-bit clear-df Inside
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 89.127.172.29
crypto map Outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-DES-SHA ESP-3DES-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-MD5
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 60 set peer 89.105.114.98
crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity key-id nattingreallymatters
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 Inside
telnet timeout 5
ssh 82.141.224.155 255.255.255.255 Outside
ssh 62.17.29.2 255.255.255.255 Outside
ssh 213.79.44.213 255.255.255.255 Outside
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
anyconnect-essentials
svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
wins-server value 192.168.1.31
dns-server value 192.168.1.31
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-tunnel
default-domain value freefoam.ie
username freefoam password JLYaVf7FqRM2LH0e encrypted
username cisco password DfO7NBd5PZ1b0kZ1 encrypted privilege 15
username cork password qbK2Hqt1H5ttJzPD encrypted
tunnel-group 193.114.70.130 type ipsec-l2l
tunnel-group 193.114.70.130 ipsec-attributes
pre-shared-key ************
tunnel-group 89.127.172.29 type ipsec-l2l
tunnel-group 89.127.172.29 ipsec-attributes
pre-shared-key ************
tunnel-group 89.105.114.98 type ipsec-l2l
tunnel-group 89.105.114.98 ipsec-attributes
pre-shared-key ************
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool VPNPool
authentication-server-group DellServerAAA
default-group-policy RemoteVPN
tunnel-group RemoteVPN webvpn-attributes
group-alias Anyconnect enable
tunnel-group RemoteVPN ipsec-attributes
pre-shared-key c0nnect10nParameter$
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fae6b7bc25fcf39daffbcdc6b91c9d8e
-
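Reading the two configs above as a defender, the first things to check are the IKEv1 policy set (every `crypto isakmp policy` from 10 to 150 is offered to peers, so the DES, 3DES, MD5 and group 2 entries at the bottom of the list remain negotiable), the `telnet` line that allows cleartext management from the Inside network, and the shared secrets that were pasted into the thread unmasked. The script below is an added example (my code, not Cisco's and not the posters'); it parses config text in the format pasted here, assuming only that a policy's sub-commands follow its `crypto isakmp policy` (or, on 8.4+ releases, `crypto ikev1 policy`) line, and it reports those three classes of finding. `SAMPLE_CONFIG` is constructed to resemble the posted configs, with placeholder secrets.

```python
"""Audit an ASA running-config for weak IKEv1 policies, cleartext management
access and unmasked shared secrets.  Added example, not the posters' or Cisco's
code; SAMPLE_CONFIG is a constructed stand-in for the configs posted above."""
import re
from typing import Dict, List

# Constructed sample modelled on the thread's configs (not a real device).
# Secrets are placeholders so the sample itself leaks nothing.
SAMPLE_CONFIG = """\
hostname ciscoasa
aaa-server DellServerAAA protocol radius
aaa-server DellServerAAA (Inside) host 192.168.1.4
 key CHANGEME
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key ************
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key PLACEHOLDER-psk-value
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP, all below 2048-bit

POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
POLICY_ATTR_RE = re.compile(r"^(authentication|encryption|hash|group|lifetime)\s+(\S+)$")
TELNET_RE = re.compile(r"^telnet \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$")
SECRET_RE = re.compile(r"^(pre-shared-key|key) (\S+)$")


def parse_isakmp_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Return {priority: {attribute: value}} for every IKEv1 policy block.
    A real ASA indents sub-commands, but forum pastes strip that, so blocks are
    delimited by content only: any non-attribute line ends the current block."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        m = POLICY_ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        else:
            current = None
    return policies


def audit_asa_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per weak IKE attribute, telnet access line, or
    secret that appears in cleartext (i.e. not masked with asterisks).
    Secret values are never copied into the findings."""
    findings: List[Dict[str, str]] = []
    for prio, attrs in sorted(parse_isakmp_policies(config).items(), key=lambda kv: int(kv[0])):
        where = f"isakmp policy {prio}"
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append({"kind": "weak-encryption", "where": where, "value": attrs["encryption"]})
        if attrs.get("hash") in WEAK_HASH:
            findings.append({"kind": "weak-hash", "where": where, "value": attrs["hash"]})
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append({"kind": "weak-dh-group", "where": where, "value": attrs["group"]})
    for raw in config.splitlines():
        line = raw.strip()
        if TELNET_RE.match(line):
            findings.append({"kind": "cleartext-mgmt", "where": line, "value": "telnet"})
        m = SECRET_RE.match(line)
        if m and set(m.group(2)) != {"*"}:
            findings.append({"kind": "unmasked-secret", "where": m.group(1), "value": "<redacted>"})
    return findings


if __name__ == "__main__":
    for f in audit_asa_config(SAMPLE_CONFIG):
        print(f"{f['kind']:18} {f['where']:36} {f['value']}")
```

Run against the sample it reports six weak IKE attributes across the three policies, the telnet line, and two unmasked secrets (the RADIUS `key` and the remote-access `pre-shared-key`); a masked `************` key is skipped. The practical consequence for the thread: keeping only AES/SHA policies with a 2048-bit or larger DH group, replacing `telnet` with `ssh`, and rotating any key that was pasted in cleartext removes everything this check flags.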
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route and the former the backup.
I have been able to configure Client to Site IPSec VPN:
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the ASA
2) With Split tunnel with simultaneous access to internal LAN and Outside Internet.
But I have not been able to make the traditional Hairpinning model work in this scenario.
I followed every possible suggestion made in this regard in many Discussion Topics but still no luck. Can someone please help me out here?
Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internet Access:
LIMITATION: Can't boot into any other IOS image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn work.
Please tell me what needs to be done here to hairpin all the traffic to the Internet coming from VPN clients.
That is, I need clients connected via the VPN tunnel, when connected to the Internet, to have their IPs NATed to the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
I'm not much conversant with everything involved here, therefore please be elaborate in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxs
Hi Jouni,
Thanks again for your help, got it working. Actually the problem was the ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left-out DNS. It's working fine now.
But my problem is not solved fully here.
Does the hairpinning model allow access to the campus LAN behind the ASA also? Because the setup is working now as I needed, and I can access the Internet with the NATed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
Here is the packet tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1) the LAN behind the ASA
2) the Internet via hairpinning
simultaneously via a single tunnel-group?
If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit -
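One way to get both hairpinned Internet access and untranslated access to the campus LAN from the same tunnel-group, written here as an added example in the pre-8.3 NAT syntax the posted configuration uses. This is not from the thread; the interface and network names are the ones in the post, and the access-list name outside_nat0_outbound is an assumption. The packet-tracer output above shows the VPN-client-to-campus flow matching the dynamic nat (internet2-outside) 1 rule and dropping because there is no global on campus-lan. Exempting that one flow from NAT with a nat 0 access-list on the outside interface lets it through untranslated, while everything else from the pool still hairpins out through the interface PAT.

```cisco
! Added example (not from the thread): hairpinned Internet access for VPN clients
! plus untranslated access to the LAN behind the ASA, pre-8.3 NAT syntax.
! outside_nat0_outbound is an assumed access-list name.

! 1. Allow traffic to enter and leave the same interface (required for hairpinning).
same-security-traffic permit intra-interface

! 2. Exempt VPN-client-to-campus traffic from dynamic NAT on the outside interface.
!    Without this the flow matches "nat (internet2-outside) 1" and is dropped
!    with "No matching global", because no global exists on campus-lan.
access-list outside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (internet2-outside) 0 access-list outside_nat0_outbound

! 3. The reverse-direction exemption is already in the posted configuration.
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
nat (campus-lan) 0 access-list campus-lan_nat0_outbound

! 4. Everything else from the VPN pool is PATed to the outside interface address
!    (2.2.2.2) on its way back out: the hairpin rule from the post.
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
global (internet2-outside) 1 interface

! 5. Verify: the exempted flow should now pass the NAT phase instead of dropping.
packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
```

NAT exemption is evaluated before dynamic NAT in this syntax, so the order of the two nat statements on internet2-outside does not matter. The inbound access-list on internet2-outside still decides which LAN ports the VPN clients may reach; the exemption only removes the translation.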
Problems to reach ASA5510 via IE on Windows Vista
Dear all,
For some days now we have had an ASA5510; we connected it to a Windows Vista laptop via Ethernet cable (using the mgmt slot at the back of the router) and connected it to the network slot on the laptop.
The laptop is getting IP addresses automatically.
Now we tried to reach the router in Internet Explorer using http://192.168.1.1, but we could not reach this site.
When I try to ping the router via cmd by typing ping 192.168.1.1, I get answers.
For us it is very important to change the IP address of the router, as it will be used in a network with 10.xxx.xxx.xx addresses.
I have no idea what I did wrong here.
It would be nice if someone has an idea.
Just to let you know, I'm not that much of a network specialist; all I know comes from learning by doing. So sorry in advance for any stupid question I may have.
Thanks for your patience.
Great, this worked!
I have now changed the IP address to one of the address ranges I need and am now waiting for the step of communicating the new configuration to the router to finish.
Let's cross our fingers that it will work successfully.
Edit 1 11:07 - Is it normal that it takes that long to send the new IP address configuration to the router?
Edit 2 14:54 - It is now accessible on the new IP range. Now having another issue, for which I will create a new discussion.
Message was edited by: Simone Schultz -
Changing names on ios7.2
Hi,
This may be a lame question, but under what command can I change the name statement "name 175.129.14.16 mail-ext"? Also, can the name statement be changed without removing the NAT statement and access-list?
ASA Version 7.2(2)
hostname asa5510
domain-name mycompany.local
names
name 175.129.14.16 mail-ext
access-list outside_access_in extended permit tcp any host mail-ext eq smtp
static (inside,outside) mail-ext smtp-server netmask 255.255.255.255
Hello,
ciscoasa(config)# name 4.2.2.2 test
ciscoasa(config)# name 8.8.8.8 test
ERROR: 'test' is already mapped to 4.2.2.2!
So do a no names
and then change the name definition:
no name 4.2.2.2 test
name 8.8.8.8 test
Regards,
Julio -
When upgrading failover pair
Last week I had to upgrade ASA5510
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is f0f7.55f3.25be, irq 9
1: Ext: Ethernet0/1 : address is f0f7.55f3.25bf, irq 9
2: Ext: Ethernet0/2 : address is f0f7.55f3.25c0, irq 9
3: Ext: Ethernet0/3 : address is f0f7.55f3.25c1, irq 9
4: Ext: Management0/0 : address is f0f7.55f3.25bd, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1619X0C7
Running Permanent Activation Key: 0xe309e24d 0x50896012 0x98b3ad80 0x98445458 0x0615368e
Configuration register is 0x1
Configuration has not been modified since last system restart.
ciscoasa# ac
ciscoasa# activati
ciscoasa# activation-key e309e24d 50896012 98b3ad80 98445458 0615368e
Validating activation key. This may take a few minutes...
The requested key is the SAME as the flash permanent activation-key.
The flash activation key will not be modified.
ciscoasa#
I would like to upgrade the ASA5510 Base license to the Security Plus license. But after the upgrade it is still the Base license.
I think I selected the wrong option in the process of upgrading; what should I do to upgrade successfully?
Hi Desh,
The key which you have used for activation is the same key that exists in the ASA. So the ASA will not have any changes when you give the same key which is already installed. You should have a different key, which should be a licensed key for the Security Plus bundle.
Serial Number: JMX1619X0C7
Running Permanent Activation Key: 0xe309e24d 0x50896012 0x98b3ad80 0x98445458 0x0615368e
Configuration register is 0x1
Configuration has not been modified since last system restart.
ciscoasa# ac
ciscoasa# activati
ciscoasa# activation-key e309e24d 50896012 98b3ad80 98445458 0615368e
Validating activation key. This may take a few minutes...
The requested key is the SAME as the flash permanent activation-key.
The flash activation key will not be modified.
ciscoasa#
Please do rate if the given information helps.
By
Karthik -
PIX515 to ASA5510 8.4(5) migration
Hi, we're migrating as mentioned in the subject, and this new format is quite a departure from previous IOS versions, so I thought I'd post the configs of the PIX and the ASA and ask if someone is willing to compare them and verify that it is correct and should be basically plug and play. The xxx.xxx.xxx are outside IP addresses and the yyy.yyy.yyy are inside addresses. Thanks.
Existing PIX config
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
password lines removed
hostname PIX515
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.xxx.xxx.173 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.171 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq 53612
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq 587
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq pop3
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq 3389
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq 4660
pager lines 24
logging trap informational
logging host inside yyy.yyy.yyy.20
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.170 255.255.255.248
ip address inside yyy.yyy.yyy.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.171 https yyy.yyy.yyy.7 https
static (inside,outside) tcp xxx.xxx.xxx.170 https yyy.yyy.yyy.16 https
static (inside,outside) tcp xxx.xxx.xxx.170 smtp yyy.yyy.yyy.16 smtp
static (inside,outside) tcp xxx.xxx.xxx.170 53612 yyy.yyy.yyy.16 3389
static (inside,outside) tcp xxx.xxx.xxx.170 587 yyy.yyy.yyy.16 587
static (inside,outside) tcp xxx.xxx.xxx.170 pop3 yyy.yyy.yyy.16 pop3
static (inside,outside) tcp xxx.xxx.xxx.174 https yyy.yyy.yyy.20 https
static (inside,outside) tcp xxx.xxx.xxx.174 www yyy.yyy.yyy.20 www
static (inside,outside) tcp xxx.xxx.xxx.174 3389 yyy.yyy.yyy.20 3389
static (inside,outside) tcp xxx.xxx.xxx.174 4660 yyy.yyy.yyy.20 4660
static (inside,outside) tcp xxx.xxx.xxx.173 https yyy.yyy.yyy.15 https
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http yyy.yyy.yyy.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet yyy.yyy.yyy.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a56326d3418814261280ec410c8e7a63
: end
PIX515(config)#
Proposed ASA 5510 configuration
ASA5510(config)# sh run
: Saved
ASA Version 8.4(5)
hostname ASA5510
domain-name ciscopix.com
enable password zaU1v9tMuOQsj2hW encrypted
passwd zaU1v9tMuOQsj2hW encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address xxx.xxx.xxx.170 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address yyy.yyy.yyy.254 255.255.255.0
interface Ethernet0/2
shutdown
nameif intf2
security-level 0
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa845-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ciscopix.com
object network intranet-https
host yyy.yyy.yyy.7
object network propalms-https
host yyy.yyy.yyy.20
object network webmail-https
host yyy.yyy.yyy.16
object network webmail-smtp
host yyy.yyy.yyy.16
object network webmail-rdp53612
host yyy.yyy.yyy.16
object network webmail-smtp587
host yyy.yyy.yyy.16
object network webmail-pop3
host yyy.yyy.yyy.16
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network propalms-http
host yyy.yyy.yyy.20
object network propalms-rdp
host yyy.yyy.yyy.20
object network propalms-4660
host yyy.yyy.yyy.20
description Required by ProPalms App.
object network infonet-https
host yyy.yyy.yyy.15
access-list 100 extended permit icmp any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host yyy.yyy.yyy.7 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq smtp
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq 3389
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq 587
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq pop3
access-list 100 extended permit tcp any host yyy.yyy.yyy.15 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq www
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq 3389
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq 4660
pager lines 24
logging trap informational
logging asdm informational
logging host inside yyy.yyy.yyy.20
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
asdm history enable
arp timeout 14400
arp permit-nonconnected
object network intranet-https
nat (inside,outside) static xxx.xxx.xxx.171 service tcp https https
object network propalms-https
nat (inside,outside) static xxx.xxx.xxx.174 service tcp https https
object network webmail-https
nat (inside,outside) static interface service tcp https https
object network webmail-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network webmail-rdp53612
nat (inside,outside) static interface service tcp 3389 53612
object network webmail-smtp587
nat (inside,outside) static interface service tcp 587 587
object network webmail-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj_any
nat (inside,outside) dynamic interface
object network propalms-http
nat (inside,outside) static xxx.xxx.xxx.174 service tcp www www
object network propalms-rdp
nat (inside,outside) static xxx.xxx.xxx.174 service tcp 3389 3389
object network propalms-4660
nat (inside,outside) static xxx.xxx.xxx.174 service tcp 4660 4660
object network infonet-https
nat (inside,outside) static xxx.xxx.xxx.173 service tcp https https
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.169 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
http server enable
http yyy.yyy.yyy.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet yyy.yyy.yyy.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:016f67d8cb4e77dcbca7c041d1af6a35
: end
ASA5510(config)#
Hi,
The new version of the configuration seems OK to me, at least. Unless I missed something.
One thing I would do is remove this NAT
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
And configure it with a similar
nat (inside,outside) after-auto source dynamic any interface
To my understanding this should move the default PAT configuration to the very end of the NAT rules.
You also seem to have an 8-IP-address block from the ISP (of which 2 aren't usable and 1 is used for the "outside" interface IP address). You don't seem to be using all of the public IP addresses yet (even in the older configuration). You are doing port-forward configurations even though every public IP address is used for only 1 corresponding LAN IP address. Usually port forwarding is done when you want to "split" one public IP address between several LAN hosts/servers.
I would think you could at this point actually just configure normal static NAT between the public IP address and the LAN host to avoid all the different port-forward configurations, and simply make 1 static NAT per LAN server and open the ports you need on the access-list. The NAT configurations using the "outside" interface IP address would naturally have to be kept as they are now; otherwise you would need to change the public IP address.
Then again, there is nothing stopping you from keeping the original setup you had on the PIX. And in this case it might even be better for you to avoid any more changes, to make the device change/update as simple as possible.
If you don't want to start changing anything at this point, the configuration should be fine.
Do notice that there is a possibility that when you replace the PIX with the ASA there might be some old ARP information on the connected devices or ISP devices that might cause some connection problems (if they don't update), since the IP address is staying the same but the replacement of the device means the MAC/hardware address of each public IP address changes.
- Jouni -
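The two changes suggested in the reply above, written out as an added example in 8.4 syntax for the server that owns the public address xxx.xxx.xxx.174. This is not from the thread: the addresses follow the post's xxx/yyy placeholders, the object name propalms-server and the source address 198.51.100.10 in the verification command are constructed, and the four existing propalms-* objects are removed first because two static rules for the same mapped address would overlap.

```cisco
! Added example (not from the thread): one static NAT per LAN server plus a
! section-3 default PAT, replacing the per-port objects for yyy.yyy.yyy.20.

! (a) Remove the four port-forward objects that all point at the same host.
no object network propalms-https
no object network propalms-http
no object network propalms-rdp
no object network propalms-4660

! One static one-to-one NAT for the host that owns the whole public address.
! propalms-server is an assumed object name.
object network propalms-server
 host yyy.yyy.yyy.20
 nat (inside,outside) static xxx.xxx.xxx.174

! The reachable ports are now decided only by the interface ACL, which in
! 8.3+ is written against the real (inside) address, as the posted ACL already is.
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq www
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq 3389
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq 4660
access-group 100 in interface outside

! (b) Default PAT for everything else as an after-auto twice-NAT rule, so it is
!     evaluated after all the object (auto) NAT statements, in place of obj_any.
no object network obj_any
nat (inside,outside) after-auto source dynamic any interface

! Verify the rule order and a sample inbound hit (source address constructed).
show nat
packet-tracer input outside tcp 198.51.100.10 40000 xxx.xxx.xxx.174 443
```

The objects that translate to the interface address (webmail-* in the posted config) stay as port forwards, exactly as the reply says, because several of them share the single address xxx.xxx.xxx.170 that the outside interface itself uses.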
Second ASA5510 for development work
Up to now we've been making configuration changes to a production unit. Not such a good idea.
We just bought a second ASA5510 to be used as a test unit but we're having trouble getting past the install of ASDM. We used the console interface to reset the unit to factory settings and then we followed the Cisco Getting started guide.
We are connected to the management port using a crossover cable (per the instructions) and we opened a web browser to the following url (again... per the instructions) https://192.168.1.1/admin As expected we receive a certificate warning that we are instructed to ignore. We click on continue and we receive the dreaded "Unable to Launch Device Manager from 192.168.1.1" and the only option is to hit OK.
I realize it's not much to go on, but that's all we've got. We can connect using the console port and execute commands, but at this point we would prefer using the ASDM. I'm assuming the ASDM image is either not on the disk in the ASA, or if it is, there is something wrong with it.
Yes, we enabled HTTP on the management port.
Any ideas/suggestions would be greatly appreciated.
Ed
Sorry I took so long to get back to you. Here are the two listings you requested.
Thanks again.
Ed
ciscoasa#
ciscoasa# sh ru
: Saved
ASA Version 8.2(4)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
prompt hostname context
Cryptochecksum:eab690a0461cde55ad2ef8cf420385dc
: end
ciscoasa#
ciscoasa# sh flash
--#-- --length-- -----date/time------ path
76 15261696 Oct 04 2011 17:59:08 asa824-k8.bin
3 2048 Oct 04 2011 18:04:32 log
8 2048 Oct 04 2011 18:05:02 crypto_archive
9 2048 Oct 04 2011 18:05:04 coredumpinfo
10 43 Oct 04 2011 18:05:04 coredumpinfo/coredump.cfg
62904320 bytes total (47357952 bytes free)
ciscoasa# -
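The two listings above are consistent with Ed's own guess: the flash contains only asa824-k8.bin, and the running configuration has no "asdm image" line, so there is nothing for the HTTP server to hand to the browser. The steps below are an added example of putting an ASDM image in place over the management interface; they are not from the thread. The TFTP server address 192.168.1.100 (a laptop on the management subnet) and the file name asdm-<version>.bin are placeholders, since the thread does not name a matching ASDM release for 8.2(4).

```cisco
! Added example (not from the thread): loading an ASDM image onto the test unit.
! 192.168.1.100 and asdm-<version>.bin are placeholders.

! 1. Copy the ASDM image to flash from a TFTP server on the management subnet.
copy tftp://192.168.1.100/asdm-<version>.bin disk0:/asdm-<version>.bin

! 2. Confirm the file is now listed next to asa824-k8.bin.
show flash

! 3. Point the ASA at the image and keep the HTTP server scoped to the
!    management network, as the posted configuration already does.
asdm image disk0:/asdm-<version>.bin
http server enable
http 192.168.1.0 255.255.255.0 management

! 4. Save and verify which image the device will serve.
write memory
show asdm image
```

After this, https://192.168.1.1/admin should offer the ASDM launcher instead of the "Unable to Launch Device Manager" message. If the copy fails, check that the laptop's TFTP server is reachable from the management interface before suspecting the image itself.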
Recovery password of AIP-SSM on ASA5510
Hi all,
I've configured AIP-SSM on ASA5510; the first time I logged in to the sensor, it prompted me to change the default password. But the second time, I can't log in with the password which I've changed.
How can I recover the password? Has anyone met the same problem?
Thanks,
Phuong
From the ASA CLI you will need to re-image/recover the System Image of the SSM:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliimage.htm#wp1032373
Putting on the new System Image will reformat the compact flash which winds up erasing your current configuration and also the current passwords. -
Exchange 2010 OWA and ASA5510 - Wrong URL?
I'm in the final steps of migrating my customer's Exchange server from Exchange 2003 to Exchange 2010. I've got all the mailboxes moved and am testing the OWA access. Under Exchange 2003, the internal/external users were able to access OWA thru the following URL:
http://mail.mycustomer.org/exchange
It would pop up a login box, they'd put in their domain info and get connected to their mailbox.
After migrating to Exchange 2010, the user had to change the URL to httpS://mail.mycustomer.org/exchange or httpS://mail.mycustomer.org/owa, but it worked internally. When I test it externally, I get the following page:
https://mail.mycustomer.org/+CSCOE+/wrong_url.html
I have next to no experience with Cisco devices, management, and/or maintenance, but what I've found in my research points to an issue with our ASA5510 and the port 443 required by the SSL connection to the Exchange server. Any help to resolve this issue so that my external users will be able to access OWA would be greatly appreciated. Thanks.
Hi,
Can you check the output of the following commands:
show run http
show run webvpn
These are basically the 2 services that utilize TCP port 443 on the ASA.
The first command's output will show some settings related to the ASDM, which is the GUI for ASA management. The second command's output will show settings related to the SSL VPN.
Both of these services can be modified to use some other port than TCP/443 which would leave the port free for your server.
I assume that you only have one public IP address at your disposal which is configured on the ASA interface and you have no extra public IP address? Otherwise this should be no problem at all.
Naturally, if you change the port on ASDM or SSL VPN it will cause some inconvenience for users of those services. Of course you have the option to map the local TCP/443 port of the server to some other public port like TCP/444, but again this might cause inconvenience to the users also.
- Jouni
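The two options in the reply above, written out as an added example (not from the thread) for an ASA running 8.3 or later with a single public address on the outside interface. The interface names inside/outside, the object names owa-server and owa-server-alt, the ACL name outside_access_in, the inside address 192.168.10.20 and the alternative ports 8443 and 444 are all constructed; pick one option, not both.

```cisco
! Added example (not from the thread): freeing TCP/443 on the outside interface
! for the Exchange server. Names, ports and 192.168.10.20 are constructed.

! Option 1: move the two ASA services that own TCP/443 to other ports ...
! ASDM then answers on https://<outside-address>:8443/admin
http server enable 8443
! ... and the SSL VPN portal on TCP/444 (the +CSCOE+/wrong_url.html page in the
! question comes from this service answering instead of the server).
webvpn
 port 444

! ... then forward the interface's TCP/443 to the Exchange server.
object network owa-server
 host 192.168.10.20
 nat (inside,outside) static interface service tcp https https
access-list outside_access_in extended permit tcp any object owa-server eq https
access-group outside_access_in in interface outside

! Option 2: leave ASDM and the SSL VPN on 443 and publish OWA on a different
! public port, e.g. https://mail.example.org:444/owa
object network owa-server-alt
 host 192.168.10.20
 nat (inside,outside) static interface service tcp https 444
access-list outside_access_in extended permit tcp any object owa-server-alt eq https
access-group outside_access_in in interface outside

! Check who holds the port before and after the change.
show run http
show run webvpn
show asp table socket
```

With either option, keep the http command's source restriction to the management network rather than opening ASDM to "any" on the outside, and verify the result with packet-tracer from an outside address to the interface on the port you chose.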