Checkpoint and ASA
Inside I have 2 networks: 10.10.x.x and a 10.199.x.x
My ASA interfaces was the following:
E0/0 Public IP
E0/1 10.199.1.2/24
E0/2 10.10.144.47/22
I put a checkpoint in front of the ASA and changed to the following:
Checkpoint Ext. 10.10.144.47/22
Checkpoint Int. 192.168.1.1/30
ASA E0/1 10.199.1.2/24
ASA E0/2 192.168.1.2/30
Now I am having trouble talking between the networks 10.199.x.x and 10.10.144. x
I have attached ASA config.
Thanks in advance on any help provided
Hi,
So if I am looking correct then the "insideNOV" interface leads to the Checkpoint which has the other LAN network behind it?
The interface ACL for the interface is not really clear to me as it contains a lot of "name" and "object-group" references which are not mentioned. It seems though that on multiple occasions you have referenced the NOV network as the destination. Should this not be the source network as that network is located behind that interface?
Also with regards to the routing you have only shared your Default Route in the configuration.
Do you have a route for the NOV network towards "insideNOV" ?
route insideNOV 10.10.144.0 255.255.252.0 192.168.1.1
Does the Checkpoint have the appropriate routing and other configurations to allow the traffic?
- Jouni
Similar Messages
-
ARP table clash with checkpoint and ASA firewal issue
We are migrating DMZ segments from a checkpoint to a ASA 5585 firewall that we had connected to the same segments as the Checkpoint except on different IP addresses then the checkpoint interfaces. The Checkpoint interfaces are the default gateway for the servers. When I implemented the NATs entries below we experienced an arp table clash with the checkpoint and ASA firewall on the local segments that caused a application outage. What was determined was that the checkpoint firewall was showing that all the IP addresses in particular on vlan130 segment was associating the MAC address of the ASA interface instead of the real sever MAC address. I need assistance understanding the reason why the Checkpoint was pointing the ARP entries for many different address on VLAN130 to the ASA firewall MAC?
nat (any,internet-outside) source static any any destination static isxh2007_Xlate_167.9.6.21 isxh2007_10.121.201.86 unidirectional description To match chkpt NAT rule #5
nat (VLAN130,internet-outside) source static ISX_EDI_Hosts isxh2008_Xlat_167.9.6.22 unidirectional
nat (any,internet-outside) source static Private-Addresses ISX_OUTBOUND_NAT_167.9.6.1 destination static external_167.9.x external_167.9.x unidirectional
nat (any,any) source static Mars-Internal-All Mars-Internal-All destination static Private-Addresses Private-Addresses
nat (internet-dmz,internet-outside) source static acs-vmww2419.mars-ad.net acs-vmww2419_xlate_167.9.6.23
nat (internet-dmz,internet-outside) source static acs_vmww2420 acs_vmww2420_xlate_167.9.6.24
nat (internet-dmz,internet-outside) source static pass_reset_internal_10.121.201.50 pass_reset_external_167.9.6.25
nat (internet-dmz,internet-outside) source static HE-Portal-poland_10.121.120.10 ext_HE-Portal-poland_167.9.6.26
nat (any,internet-outside) source dynamic any ISX_OUTBOUND_NAT_167.9.6.1
isxasa04/wwy-legacy# sho interface
Interface TenGigabitEthernet0/8.129 "core-inside", is down, line protocol is down
MAC address 442b.0330.aba2, MTU 1500
IP address 10.121.129.X, subnet mask 255.255.255.0
Traffic Statistics for "core-inside":
241633 packets input, 12094352 bytes
44788 packets output, 3032584 bytes
109732 packets dropped
Interface TenGigabitEthernet0/9.130 "VLAN130", is down, line protocol is down
MAC address 442b.0330.aba3, MTU 1500
IP address 10.121.130.X, subnet mask 255.255.255.0
Traffic Statistics for "VLAN130":
1264203 packets input, 136452168 bytes
326080 packets output, 69216516 bytes
794035 packets dropped
Interface TenGigabitEthernet0/9.136 "VLAN136", is down, line protocol is down
MAC address 442b.0330.aba3, MTU 1500
IP address 10.121.136.X, subnet mask 255.255.255.0
Traffic Statistics for "VLAN136":
374547 packets input, 23696109 bytes
51186 packets output, 3324895 bytes
173500 packets dropped
Interface GigabitEthernet0/1 "internet-outside", is down, line protocol is down
MAC address 442b.0330.ab9b, MTU 1500
IP address 167.9.6.X, subnet mask 255.255.255.0
Traffic Statistics for "internet-outside":
352158 packets input, 17245425 bytes
76888 packets output, 3872904 bytes
12255 packets dropped
Interface GigabitEthernet0/2 "internet-dmz", is down, line protocol is down
MAC address 442b.0330.ab9c, MTU 1500
IP address 10.121.201.X, subnet mask 255.255.255.0
Traffic Statistics for "internet-dmz":
237795 packets input, 12460108 bytes
40787 packets output, 2775684 bytes
27378 packets dropped
Interface GigabitEthernet0/4 "VLAN140", is down, line protocol is down
MAC address 442b.0330.ab9e, MTU 1500
IP address 10.121.140.X, subnet mask 255.255.255.0
Traffic Statistics for "VLAN140":
386931 packets input, 18807725 bytes
48936 packets output, 3319712 bytes
114417 packets dropped
We crosschecked MAC addresses and this is what we found:
Checkpoint ARP table:
10.121.130.101 44:2b:3:30:ab:a3 3285
ASA ARP table:
isxasa04/wwy-legacy# sh arp | i 10.121.130.101
VLAN130 10.121.130.101 001a.4b06.dd45 10525
Server real address provided by processing:
0x001A4B06DD45
When we saw that the Checkpoints had a different/wrong entry we shut down all the physical ports on the new ASAs (except for failover and management);
Kevin cleared the ARP table on the Checkpoints and problem was solved;
Later I saw this:
isxasa04# sh int | i MAC
MAC address 442b.0330.ab9a, MTU not set
MAC address 442b.0330.ab9b, MTU not set
MAC address 442b.0330.ab9c, MTU not set
MAC address 442b.0330.ab9d, MTU 1500
MAC address 442b.0330.ab9e, MTU not set
MAC address 442b.0330.ab9f, MTU not set
MAC address 442b.0330.aba0, MTU not set
MAC address 442b.0330.aba1, MTU not set
MAC address 442b.0330.ab98, MTU not set
MAC address 442b.0330.ab99, MTU not set
MAC address 442b.0330.aba2, MTU not set
MAC address 442b.0330.aba3, MTU not setThe Asa is proxy Arping those macs. Turn off proxy arp and put in static arp entries until you completely shut down the checkpoint.
Sent from Cisco Technical Support iPad App -
VPN with Cisco 877 and ASA 5505
Hi Experts
this is my scenario :
remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
i would like to allow remote users to connect to my LAN to chek their mails and work as they are in the office. Actually i have configured Cisco877 as VPN Server this is working Fine. but now i'm trying to use ASA with the router because it permit 25 connections at the same time.
i'm connected to internet using a public ISDN IP.i have heard that i need a second IP adresse for ASA ! and the ASA must act as VPN server and the router as Client, is that right ?
if i need to configure the link between the router and ASA how can i do it ? i can't find any document or example in the net :/
please i need your support to make this dream real lol.
i will poste my configuration step by step following your help.
many thanks.ASA need public ip address that is sure and also ASA acts as vpn. Client server will be remote not router. For that you can use any Ethernet. Trying to make a remote VPN connection via the cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.
-
Hello my friends,
I have been trying to establish VPN connectivity between IOS cisco router and ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
Here are my configuration commands:
Router:
crypto isakmp policy 20
encryption 3des
auth pre-share
hash md5
group 2
crypto isakmp key XXX address 103.252.AAA.AAA
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 5 ipsec-isakmp
set transform 3DES-MD5
match address VPN
set peer 103.252.AAA.AAA
ip access-list extended VPN
permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
ASA commands:
sysopt connection permit-vpn
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
tunnel-group 203.167.BBB.BBB type ipsec-l2l
tunnel-group 203.167.BBB.BBB ipsec-attributes
pre-shared-key XXX
access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map VPN 10 set transform-set 3DES-MD5
crypto map VPN 10 match address LIST
crypto map VPN 10 set peer 203.167.BBB.BBB
crypto map VPN interface outside
Do you have any idea what is wrong? Thank you a lot in advance.I managed to get this from the show crypto ipsec sa
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
And details from show crypto session detail
Interface: GigabitEthernet0/1
Session status: DOWN
Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0 -
Cisco NX-OS and ASA Software Checker
Hi,
I'm sorry if I post this in the wrong section.
Currently we have a few Nexus switches and ASA Firewall in our network and I would like to check if there's any critical bug on the running OS/firmware on those devices.
May I know if Cisco has page to verify on this?Bug Search Tool is what you want to use:
https://tools.cisco.com/bugsearch
You can also ask in the forums for those platforms.
This forum is to discuss specific bugs. -
Hello Everyone,
I have a need to multihome out two MAN links to the same ISP. The two links will connect via an ISR and will participate in an eBGP adjacency. On the internal side, iBGP will be used to create the alternate default route to the ISP. Each of the ISR’s downstream ports participates on the same Ethernet subnet. On the same subnet/broadcast domain, there are two ASA5510 appliances that will use HSRP to advertise the public IPv4 addresses and will NAT them into the private network.
My question is, since the ASAs do not participate in BGP, and since we are going to NAT the traffic eliminating the need to use a route map to inject the default route into the downstream EIGRP network, would I simply build a static default route in the ASAs out the upsteam interfaces? My initial thought is to not worry about recursive lookups because they are connected via Ethernet.
ip route 0.0.0.0 0.0.0.0 fa0/0; and so on.
I’ve attached a simple topology for reference.
Thanks…MattYes Jcarvaja, HSRP is not a feature on the ASAs, and yes HSRP is difficult to setup natively to support active/active load balancing on any device. That's not really the point though is it. FHRP's are typically used for distribution switches and finely tuned to access layer 2 and layer 3 convergence, unless using GLBP (and even then should be considered). My mistake for using the term HSRP and thank you for pointing it out.
As for the iBGP links, they represent the same subnet as I mentioned. The cat switches are there to facilitate physical restraints as each pair of ISRs and ASAs are two miles apart. Since the ASA's are performing NAT, they don't really participate in the BGP network and there is no need or capability to inject the BGP default route into the EIGRP network. They will participate in the downstream EIGRP network. If the MAN connection on one ISR goes down, then the iBGP route to the Internet will be graduated. I guess I could have indicated on the drawing that these were all a part of the same subnet.
How do I configure the ASA's static default route? Wouldn't I be able to inject a static default route in each ASA using the ASA's outside interface when using active/active? If I have to, I could see if we can use EIGRP on the network upstream of the ASAs if there is no other way of doing this, but this is not preferred.
Any help you can provide is greatly appreciated.
Thank you...Matt -
Hi,
When executing below command, I found check point occur and SCN is changed...
alter system switch logfile;
While executing below commnd checkpoint is also ocuured but SCN not changed..
alter system checkpoint;
As both the execusion, checkpoint occur and SCN is written.. can anyone tell why this happened?
Can anyone explain the relationship between checkpoint and SCN?
Thanks,
Tina K.Lets keep it simple and straight, SCN generate when ever there is change (ie change vector).
checkpoint -Simple write dirty block to datafile and update control file too.
( check point keep database safe(=easy recoverable )from instance failure , power failure..)
Just think u have 2 online redo logfile , you switch the logfile so all changes is there in logfile 1 is wriiten to datafile Right, now logfile 2 is current logfile and power went off. When u start again database oracle try to check/match SCN of all datafiles from control file , if any databfiles header has less SCN it will read chnage vector from online redo and apply chnages and update header.
SCN is base for all recovery and work around the change vector.
I know i am very poor in explaining things , if you want to know more insight story read book "Backup and Recovery by Rama -Oracle Press" it has very good details.
Cheer,
Virag Sharma
http://virag.sharma.googlepages.com/ -
What is the difference between full checkpoint and incremental checkpoint?
What is the difference between full checkpoint and incremental checkpoint?
And what is checkpoint queue?
Can someone clarify these concepts?
Thanks!Hi,
there are different types of checkpoints:
- Full checkpoint:
=> DBWR writes all dirty buffers from the Buffer cache to the datafiles and CKPT retrieves a new Checkpoint Change Number from a sys owned sequence and writes this number to all file headers and the controlfile.
-- can be triggered by different events, like a logswitch, a manual checkpoint (alter system ..), a shutdown and so on
This is the setup point for SMON for a crash recovery.
- Partial checkpoint:
=> DBWR writes all dirty buffers of a singel tablespace from the Buffer cache to the datafiles and CKPT retrieves a new Checkpoint Change Number from a sys owned sequence and writes this number to all file headers and the controlfile.
-- can e triggered by an ALTER TABLESPACE OFFLINE, ALTER TABLESPACE READ ONLY, ALTER TABLESPACE BEGIN BACKUP statement.
Incremental checkpoint:
number to all file headers and the controlfile.
-- can be triggered by different events, like a logswitch, a manual checkpoint (alter system ..), a shutdown and so on
- Partial checkpoint:
=> DBWR writes all dirty buffers of a single tablespace from the Buffer cache to the datafiles and CKPT retrieves a new Checkpoint Change Number from a sys owned sequence and writes this number to all file headers and the controlfile.
-- frequency is determined by FAST_START_MTTR_TARGET parameter (new feature to Oracle 9i), with wich you can specify a time in seconds which SMON is allowed to take maximal for a Crash Recovery until the database must be open again.
Dapending on the system you have SMON must calculate the maximum number of Redolog-blocks which it can manage to recover in the specified number of seconds. It will then create so called incremental checkpoints which will be tracked in the so called checkpoint queue in memory.
FAST_START_MTTR_TARGET is auto-tuned in Oracle 10g and Oracle tries to manage (incremental) checkpoint in a fashion that a minimum of I/Os are caused and a minimum time for crash recovery is needed.
If you set LOG_CHECKPOINTS_TO_ALERT to TRUE you will find checkpoint information in the alertSID.log file. You will see FULL and INCREMENTAL checkpoints then.
Hope this clarifies your question,
Lutz Hartmann -
I just had a general question regarding SSIS performance.
I've got a good number of SSIS packages that comprise one master package. I've just implemented checkpoints and logging on each package.
In the past, the master package took around 30 minutes to run. Now with logging and checkpointing in place, it takes 45 minutes!
Do checkpoints and logging add that much more processing time to packages?? That's an increase of 50%...
Has anyone else seen this type of behavior?
Thanks!
A. M. RobinsonHi Ansonee,
Here is another custom restart pattern of SSIS pacakge that you can refer to:
http://www.mssqltips.com/sqlservertip/2959/sql-server-integration-services-package-restartability/
Regards,
Mike Yin
If you have any feedback on our support, please click
here
Mike Yin
TechNet Community Support -
We are currently running a Check Point firewall and would like to migrate to the ASA platform. Does anyone know of a conversion / migration utility that will convert Check Point firewall rules to ASA?
ThanksHere is the new self-service tool that Cisco has released to convert to any vendor firewalls to Cisco ASA.
Currently it supports Juniper ScreenOS and CheckPoint to Cisco ASA conversion.
Link to the original post:
https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/12/19/conversion-tool--checkpoint-fw-to-cisco-asa
Link to the tool itself:
https://fwmig.cisco.com -
Persistent VPN between PIX 501 and ASA 5505
I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?
No problems whatsoever :-)
There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. Main difference is the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA they will still work fine for the VPN, just the configs will be a lot more different. Hope this helps to remove any worries you had? -
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
IP scheme at SIte A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Ciscso 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: endI have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
on the router I have also added;
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my acl :
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping tothe other site. -
Question on WCCP and ASA/VPN
Hello i have this simple scenario.
-ASA as an EZVPN server.
-WSA in my local lan (inside interface)
-remote vpn users connecting to the ASA.
When a user connects via VPN to my ASA, and i want to do some web filtering to them using the WSA... How would i accomplish it if i dont want to use explicit proxy?
Can i use WCCP on the outside interface of the ASA and redirect web traffic to the WSA which is across my inside ASA interface?
Need to know if WCCP redirection from one ASA interface to another is supported.
Thanks in advanced!
EmilioHi
Please have a look at the following link:
http://my.safaribooksonline.com/1587052091/copyrightpg?cid=2008-ciscopress-pp-widget-book&searchtextbox=Cisco+ASA%3a+All-in-One+Firewall%2c+IPS%2c+and+VPN+Adaptive+Security+Appliance+&query=Cisco+ASA%3a+All-in-One+Firewall%2c+IPS%2c+and+VPN+Adaptive+Security+Appliance+&searchmode=simple&searchview=summary&portal=ciscopress#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTE1ODcwNTIwOTElMkZjaDE2JnF1ZXJ5PUNpc2NvJTIwQVNBJTNBJTIwQWxsLWluLU9uZSUyMEZpcmV3YWxsJTJDJTIwSVBTJTJDJTIwYW5kJTIwVlBOJTIwQWRhcHRpdmUlMjBTZWN1cml0eSUyMEFwcGxpYW5jZQ== -
Remote site redundancy IPSEC VPN between 2911 and ASA
We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
Site A has an ASA with one internet circuit.
Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
What is the best way of achieving this?
We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911. Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved? And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?
Any help/advice would be appreciated!Hello,
I don't think GRE tunnel that you could set up on the switch behind ASA would be really helpfull. Still site-2-site tunnel you want to establish between ASA and some routers, but still it is ASA which needs to make decision about which peer to connect to.
Possible solution would be to do HSRP between both routers on LAN side and with two independent tunnels/crypto maps (one on each of them). On ASA you would need to set up two hosts in set peer. Problem of this solution is that if one router at side B is going to go down and second ADSL line will take over ASA will not do preempt after you main Internet connection is up again. This would happen after ADSL Internet connection will be down.
Solution to that would be to assign two different public IP addressess on two different interfaces of ASA. Then you attach two crypto maps to both interfaces and by using sla monitor (let's say icmp to main router, if it does not respond then you change routing for remote LAN to second interface) you are selecting which crypto map (with one peer this time) should be used.
I hope what I wrote makes some sense. -
VPN load balancing and ASA !!!
Hi netpros,
I have a couple of questions about this and hope you might be able to assist me.
1.- Are VPN load balancing and failover (Active/Active) mutually exclusive ..? I mean they can't be used at the same time correct ..?
2.- How does the ASA handle the return traffic from the Internal LAN towards the remote client .. Because the cluster only requires ONE public virtual IP address, which will work for incoming packets .. but what about the return traffic which has knowledge of the DHCP scope's default gateway IP address only .. ? How gets the returned packet redirected from the default gateway IP address to the respective ASA internal IP address .?
3.- VPN load balancing only applies to remote clients using easy VPN technology (easy vpn client, hardware client , pIX using easy vpn client etc ) and does not work with static LAN-LAN tunnel .. correct ..?
Your comments are much appreciatedHi Gilbert ..
1.- Thanks I wanted to make sure.
2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:
ASA1: Public 20.20.20.20
Private 192.168.1.1
ASA2: Public 20.20.20.21
Private 192.168.1.2
Cluster virutal IP: 20.20.20.10
Default gateway for segment 192.168.1.0 is 192.168.1.1
Let's say that a vpn client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handles this because the return packet are supposed to be directed to ASA2 192.168.1.2
3.- Any idea about this one ..?
Cheers,
Maybe you are looking for
-
I moved to a different region and I want to have access to different regions to get material for teaching purposes can you help me figure out how to to it whiteout changing my billing info?! Thank you for your help!
-
OS 10.3 does then doesn't work on my GS Lombard
Here's hoping that I'm in the correct discussion group and that someone can tell me what is happening and how to fix the problem. This problem concerns my "old G3 Lombard" which has 512MB memory and a 400MHz processor. First let me say that at the pr
-
Adobe reader X will not install
before installing adobe reader X, should I uninstall adobe reader 7 ?
-
The same problem in this thread has happened again. I believe that this is due to the upcoming time change.
-
IPhoto restart has lost everything
I have just opened my laptop to get a photo from iPhoto (where ALL of my photos were stored). When I opened it it asked me where to get it's photo library from, but there was no-where to select so I just clicked to continue. Now that it has opened, I