Cisco ASA 5505 Reset-I Problem with TCP State Bypass
Hello,
I have a Cisco ASA 5505 that functions as my primary firewall and a Mitel 5000 controller behind it. I have two external phone users that have been connecting through the firewall with no issues for six months until about two weeks ago. I am now seeing the following log entry on the phone trying to connect to the Mitel Controller.
6
May 16 2014
14:52:52
302014
72.135.115.37
6915
192.168.20.2
6801
Teardown TCP connection 1203584 for outside:72.135.115.37/6915 to inside:192.168.20.2/6801 duration 0:00:00 bytes 0 TCP Reset-I
My phones are designed to work with the Mitel 5000 and Mitel 3300 phone controllers. The 5000 will only use port 6800 for call control, while the 3300 will use 6801 (Secured Minet), 6802 (Minet SSH), and if those fail, port 6800 (Minet Unsecured). When the phones initiate a connection, they try 6801 first. If 6801 is unavailable, the phone controller adds the RST flag to the ACK packet. When the phone sees the RST flag, it is supposed to reset and use the next port (6802). The same process happens again for port 6802, then the phone knows to try 6800. The problem is that the ASA sees the RST flag now and terminates the connection at the firewall. Therefore, the phones never see the RST flag, and continue to try the connection with port 6801.
I have tried to use the TCP State Bypass feature to correct the situation, but the log shows that the connection is still being terminated immediately by the firewall. I am a novice when it comes to configuring the ASA. Any help would be greatly appreciated, as the company that I bought the phone system from is out of troubleshooting options. I do not think that I have made any changes to the firewall around this time. I have packet captures and logs from my ASA and I have wireshark data on the inside of my network. I need to figure out how to configure the ASA so that it ignores the RST flag and sends the packet back to the source.
Any help would be greatly appreciated!
Thanks Rizwan,
Still no luck. I can't even ping the otherside (office).. I am not sure if i'm running the debug rightway. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side. I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)#
Similar Messages
-
CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN
I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP. We have a DNS server set up in AWS for any DNS queries for the remote domain name.
My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query. Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object *
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ? -
Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP
Hi Rizwan,
Thanks for your response. I updated the configuration per your response below... It still doesn't work. please see my new config files below. Please help. Thanks in advance for your help....
Hi Pinesh,
Please make follow changes on host: officeasa
remove this line below highlighted.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
Please make follow changes on host: homeasa
It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1
route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
Hope that helps, if not please open a new thread.
Thanks
Rizwan Rafeek
New config files..
Site-A: (Office):
Hostname: asaoffice
Inside: 10.10.5.0/254
Outside e0/0: Static IP 96.xxx.xxx.118/30
Site-B: (Home):
Hostname: asahome
Inside: 10.10.6.0/254
Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
SIte-A:
officeasa(config)# sh config
: Saved
: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname officeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address 96.xxx.xxx.118 255.255.255.252
interface Vlan3
nameif inside
security-level 100
ip address 10.10.5.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
access-list ormtST standard permit 10.10.5.0 255.255.255.0
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.5.101-10.10.5.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy ormtGP internal
group-policy ormtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ormtST
address-pools value ormtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type remote-access
tunnel-group ormtProfile type remote-access
tunnel-group ormtProfile general-attributes
default-group-policy ormtGP
tunnel-group ormtProfile webvpn-attributes
group-alias OFFICE enable
tunnel-group defaultL2LGroup type ipsec-l2l
tunnel-group defaultL2LGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
officeasa(config)#
Site-B:
Home ASA Configuration:
homeasa# sh config
: Saved
: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname homeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif inside
security-level 100
ip address 10.10.6.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list hrmtST standard permit 10.10.6.0 255.255.255.0
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1 (IP address of the Dynamic IP from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.6.101-10.10.6.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy hrmtGP internal
group-policy hrmtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hrmtST
address-pools value hrmtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type admin
tunnel-group hrmtProfile type remote-access
tunnel-group hrmtProfile general-attributes
default-group-policy hrmtGP
tunnel-group hrmtProfile webvpn-attributes
group-alias hrmtCGA enable
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
tunnel-group 96.xxx.xxx.118 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
homeasa#Thanks Rizwan,
Still no luck. I can't even ping the otherside (office).. I am not sure if i'm running the debug rightway. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side. I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)# -
CISCO ASA 5505 VPN problem in Windows 7
I am using CISCO ASA 5505. Client PC with Windows XP can use IE to make the VPN connection normally.
However, client PC with Windows 7 cannot use IE to make the VPN connection.
It just show the error of "Internet Explorer cannot display the webpage"
Would you please help?
Thank you very much!Hi Timothy,
Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying connection from a restricted machine.
Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
Let me know if this helps.
Thanks,
Vishnu Sharma -
Hello, I have been trying to configure a VPN with Cisco Asa 5505 and Cisco VPN client 5.X for 3 weeks and I am not being able to accomplish it, so I decided to reset to factory defaults and start over again.
I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
The running-config it created is:
ciscoasa# sh run
: Saved
ASA Version 8.4(2)
hostname ciscoasa
enable password XXXX encrypted
passwd XXXX encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.254 255.255.0.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ADSL_Telefonica
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
subnet 172.16.0.0 255.255.0.0
access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 55
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 55
console timeout 0
vpdn group ADSL_Telefonica request dialout pppoe
vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
vpdn group ADSL_Telefonica ppp authentication pap
vpdn username adslppp@telefonicanetpa password *****
dhcpd auto_config outside
dhcpd address 172.16.2.2-172.16.2.129 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
dns-server value 172.16.1.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
username test password XXXXXX encrypted privilege 0
username test attributes
vpn-group-policy test
username ignacio password XXXXXXX encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool test
default-group-policy test
tunnel-group test ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
: end
Thank you very much for your helpYes, it was a VPN client problem. I was doing test with a WWAN card and it seems it is not compatible with windows 7.
• The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
I should have read Release Notes before. Thank you very much for your help and effort. -
Cisco asa 5505 with Router 881w Configuration Help
Hello all,
I'm having trouble setting up a second vlan to route to the internet. I have a Cisco ASA 5505 connected to my ISP(OUTSIDE) and a Cisco 881w (INSIDE) router in the back of my firewall. My vlan 10 with the network 192.168.5.1 255.255.255.0 works with pat, however vlan 15 that is on my 881w router does not route to the internet at all. I can only ping from 192.168.15.15 network to 192.168.5.1 I would like some advice on how can I make this set up work. Attached with this discussion is a picture of my topology.
Thanks in advance.
here are the show runs:
Cisco ASA 5505 show run:
ASA Version 8.3(1)
names
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan5
mac-address xxxx.xxxx.xxxx
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface Vlan10
nameif INSIDE
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 5
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network INTERNAL_LAN
subnet 192.168.5.0 255.255.255.0
object network PRIVATE_LAN_192
subnet 192.168.15.0 255.255.255.224
description PRIVATE_LAN_192
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended deny ip any any
pager lines 24
logging enable
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INTERNAL_LAN
nat (INSIDE,OUTSIDE) dynamic interface
object network PRIVATE_LAN_192
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
dhcpd dns 8.8.8.8 75.75.76.76
dhcpd address 192.168.5.10-192.168.5.100 INSIDE
dhcpd enable INSIDE
Router 881w show run:
Current configuration : 4912 bytes
version 12.4
no ip source-route
ip dhcp excluded-address 192.168.15.1 192.168.15.10
ip dhcp pool PRIVATE_LAN
network 192.168.15.0 255.255.255.224
interface FastEthernet0
switchport trunk allowed vlan 1,15,1002-1005
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
interface Vlan15
ip address 192.168.15.1 255.255.255.224
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
ip http authentication local
ip http secure-serverThe cable modem does not have any configuration. I cant add any to it. Its a cisco dpc3008. From vlan 10 i have no problem to get to the internet with the above configuration. My problem is just vlan 15.
-
Firewall Cisco ASA 5505 new interface license problem
Hi
I have one ASA 5505 with a Base License
The problem is when i want to use a new named interface the system says "With current License maximum number of named interfaces allowed is 3. Name cannot be set for this interface"
And the question is if with this base license the interface cannot be used or only cannot be named?
here the output of my firewall:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is e02f.6de6.7843, irq 11
1: Ext: Ethernet0/0 : address is e02f.6de6.783b, irq 255
2: Ext: Ethernet0/1 : address is e02f.6de6.783c, irq 255
3: Ext: Ethernet0/2 : address is e02f.6de6.783d, irq 255
4: Ext: Ethernet0/3 : address is e02f.6de6.783e, irq 255
5: Ext: Ethernet0/4 : address is e02f.6de6.783f, irq 255
6: Ext: Ethernet0/5 : address is e02f.6de6.7840, irq 255
7: Ext: Ethernet0/6 : address is e02f.6de6.7841, irq 255
8: Ext: Ethernet0/7 : address is e02f.6de6.7842, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : DisabledHi,
The ASA5505 has with Base License the limitation of 3 Vlan interface of which 1 is also limited in access (shown by the above output mentioning DMZ Restricted)
For an interface on the ASA to operate it must have a name with the command "nameif"
If you already have 3 Vlan interfaces in use then with this license you wont be able to configure 4th Vlan interface without getting a license that supports more interfaces. I guess that would be the Security Plus license.
I know that this has come as a surprise to several users that have posted here on the forums. I too think that its a needles "feature" in the ASA to limit the use of the device in such a way.
- Jouni -
Setting up site to site vpn with cisco asa 5505
I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
IP of remote office router is 71.37.178.142
IP of the main office firewall is 209.117.141.82
Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password TMACBloMlcBsq1kp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username [email protected] password ********* store-local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
: end
ciscoasa#
Thanks!Hi Mandy,
By using following access list define Peer IP as source and destination
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
you are not defining the interesting traffic / subnets from both ends.
Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
!.1..source subnet(called local encryption domain) at your end 192.168.200.0
!..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
!..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
!...at your end 192.168.200.0
!..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
!...at other end 192.168.100.0
Please use Baisc Steps as follows:
A. Configuration in your MAIN office having IP = 209.117.141.82 (follow step 1 to 6)
Step 1.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
Step 2.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 3.
Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 71.37.178.142
or , but not both
crypto isakmp key 6 CISCO123 address71.37.178.142
step 4.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 5.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 6.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Configure the same but just change ACL on other end in step one by reversing source and destination
and also set the peer IP of this router in other end.
So other side config should look as follows:
B. Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
Step 7.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
Step 8.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 9.
Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 209.117.141.82
or , but not both
crypto isakmp key 6 CISCO123 address 209.117.141.82
step 10.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 11.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set, only one is permissible
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 12.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Now initite a ping
Here is for your summary:
IPSec: Site to Site - Routers
Configuration Steps
Phase 1
Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
Step 2: Configure ISAKMP Policy
Step 3: Configure ISAKMP Key
Phase 2
Step 4: Configure Transform Set
Step 5: Configure Crypto Map
Step 6: Apply Crypto Map to an Interface
To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
Router#debug crpyto isakmp
Router#debug crpyto ipsec
Router(config)# logging buffer 7
Router(config)# logging buffer 99999
Router(config)# logging console 6
Router# clear logging
Configuration
In R1:
(config)# access-list 101 permit ipo host 10.1.1.1 host 10.1.2.1
(config)# crypto isakmp policy 10
(config-policy)# encryption 3des
(config-policy)# authentication pre-share
(config-policy)# group 2
(config-policy)# hash sha1
(config)# crypto isakmp key 0 cisco address 2.2.2.1
(config)# crypto ipsec transform-set TSET esp-3des sha-aes-hmac
(config)# crypto map CMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 2.2.2.1
(config-crypto-map)# match address 101
(config-crypto-map)# set transform-set TSET
(config)# int f0/0
(config-if)# crypto map CMAP
Similarly in R2
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Change to Transport Mode, add the following command in Step 4:
(config-tranform-set)# mode transport
Even after doing this change, the ipsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to ACL.
Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
(config)# crypto isakmp peer address 2.2.2.1
(config-peer)# set aggressive-mode password cisco
(config-peer)# set aggressive-mode clien-endpoint ipv4-address 2.2.2.1
Similarly on R2.
The below process is for the negotiation using RSA-SIG (PKI) as authentication type
Debug Process:
After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase1) negotiation. Important messages are marked in BOLD and explanation in RED
R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Mar 2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in Security Association Database (SADB)
Mar 2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar 2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar 2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar 2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar 2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE
Mar 2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar 2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar 2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar 2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:18:42.947: ISAKMP: encryption 3DES-CBC
Mar 2 16:18:42.947: ISAKMP: hash SHA
Mar 2 16:18:42.947: ISAKMP: default group 2
Mar 2 16:18:42.947: ISAKMP: auth RSA sig
Mar 2 16:18:42.947: ISAKMP: life type in seconds
Mar 2 16:18:42.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar 2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar 2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar 2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:43.007: Choosing trustpoint CA_Server as issuer
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar 2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar 2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.011: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : R2
protocol : 17
port : 500
length : 10
Mar 2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar 2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar 2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar 2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar 2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : ASA1
protocol : 0
port : 0
length : 12
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar 2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar 2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar 2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar 2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar 2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar 2 16:18:43.067: ISAKMP:received payload type 17
Mar 2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar 2 16:18:43.067: ISAKMP:(1008):SA authentication status:
authenticated
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/, and inserted successfully 46519678. // SA inserted into SADB
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar 2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar 2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar 2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar 2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar 2 16:18:43.079: ISAKMP: attributes in transform:
Mar 2 16:18:43.079: ISAKMP: SA life type in seconds
Mar 2 16:18:43.079: ISAKMP: SA life duration (basic) of 3600
Mar 2 16:18:43.079: ISAKMP: SA life type in kilobytes
Mar 2 16:18:43.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 2 16:18:43.079: ISAKMP: encaps is 1 (Tunnel)
Mar 2 16:18:43.079: ISAKMP: authenticator is HMAC-SHA
Mar 2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar 2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Kindly rate if you find the explanation useful !!
Best Regards
Sachin Garg -
Cisco ASA 5505 Password Problem
I recently ran into a telnet, console, and enable password issue that was unexpected and I am hoping someone can explain what happened.
I had two working Cisco ASA 5505's that were two end-points of a Site-to-Site VPN. I had used the ASDM file management tools to copy disk0 startup-config.cfg to a file named old-startup-config.cfg on disk0, on both ASA systems, and I wanted those two files to function as good working startup-config backups that I could return to, right there on the firewall, if I had to. I also used the ASDM file management tools to make configuration "zip" backups to my local computer. I am aware that the actual startup-config file is some type of hidden file.
I had made some changes to both Cisco ASA 5505s, but no password changes, and everything was working great and was reloading great. Then, I suddenly found that I needed to revert back to the old working configurations that I had backed up previously. I used the ASDM file management tools to copy old-startup-config.cfg back to startup-config.cfg on disk0 on both machines. I think I may have also issued the CLI command copy old-startup-config.cfg startup-config. I asked both systems to reload without writing the running-config's to memory.
When the systems reloaded, the console, telnet, and enable passwords were no longer recognized on the CLI and Web interface. The interfaces loaded normally, but the passwords didn't work and the cisco default passwords didn't work either. I had to go to each unit's physical location and perform a power cycle and console password recovery.
I am not sure why that happened. Is the startup-config.cfg file on disk0 an altered version of the actual startup-config configuration with missing or encrypted password credentials? I would have never guessed in a million years that my procedure would have knocked out the enable password.
Instead of copy startup-config.cfg old-startup-config.cfg, should I have issued the command copy startup-config old-startup-config.cfg to make a local backup of a working configuration?
I have one more semi-related question. If one uses ASDM file management to create a zip backup of a startup-config or running-config and then proceeds to restore a running-config, when does the restored running-config take effect?If password recovery is disabled then you are locked out hard. You have to sacrifice the config to "re-admin" the appliance. Sorry for the bad news but that's the way it is by design. If there was a "back door" it would hardly be a security appliance would it?
-
Cisco asa 5505: No traffic lan to wan with IPv6
Hello everybody,
I have a Cisco ASA 5505, public ipv6 in outside interface, private ipv6 in LAN, from router I can ping any ipv6 in Internet and ping my LAN ipv6. Traffic doesn't go through router.
This is my configuration.
interface Vlan1
nameif inside
security-level 100
ip address PRIV-Saturn1 255.255.255.0
ipv6 address fc00::1/7
ipv6 enable
interface Vlan2
nameif outside
security-level 0
ip address PUBLIC26 255.255.255.248
ipv6 address xxxx:yyyy:67:36::2/64
ipv6 enable
ipv6 nd suppress-ra
access-list Dynamic_Filter_ACL extended permit tcp any6 any6
ipv6 route outside ::/0 xxx:yyyy:67:36::1
Am I omitting anything?
Thanks in advance for the help.
Jos PSince you're using IPv6 private addressing (fc00::) on the inside, you need a dynamic NAT entry to translate your private IPv6 addresses to a public one.
Alternatively, you could just use a subnet of your registered IPv6 block for the inside network and not worry about NAT. -
Cisco ASA 5505 Site to Site VPN Problem
Hi All,
We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
We can establish the vpn tunnel and all users in the remote office are working great. However at a random point during the day or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
When I dial into the modem which is connected to the firewall I see the following messages in the logs:
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
I have checked both firewalls for any mis-matched parameters and do not see any.
Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
Thanks!Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
hostname
domain-name
enable passwordpasswd names
interface Vlan701
nameif inside
security-level 100
ip address 10.65.0.69 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ****** 255.255.255.248
interface Ethernet0/0
description Link to Internet
switchport access vlan 999
interface Ethernet0/1
description
switchport access vlan 701
interface range Ethernet0/2 - 0/7
switchport access vlan 2
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name******
access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap warnings
logging asdm informational
logging host outside *****
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route inside ******
route outside 0.0.0.0 0.0.0.0 ********
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
snmp-server location **:
snmp-server contact **
snmp-server community shortkey
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto map CASGMAP 50 match address 101
crypto map CASGMAP 50 set pfs group1
crypto map CASGMAP 50 set peer ********
crypto map CASGMAP 50 set transform-set 3desmd5
crypto map CASGMAP 50 set security-association lifetime seconds 3600
crypto map CASGMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet **** inside
telnet timeout 5
ssh **** inside
ssh **** outside
ssh timeout 5
console timeout 30
management-access inside
dhcpd ping_timeout 750
priority-queue outside
ntp server **
username ***
tunnel-group ******** type ipsec-l2l
tunnel-group ******** ipsec-attributes
pre-shared-key ***
class-map VoIP
match dscp ef
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map General-purpose
class VoIP
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
service-policy General-purpose interface outside
prompt hostname context -
Azure Site to Site VPN with Cisco ASA 5505
I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
(Does azure support 9.x version of asa?)
How can i fix it?Hi,
As of now, we do not have any scripts for Cisco ASA 9x series.
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
Did you download the VPN configuration file from the dashboard and copy the content of the configuration
file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
According to the
Cisco ASA template, it should be similar to this:
access-list <RP_AccessList>
extended permit ip object-group
<RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork>
<RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
<RP_AzureNetwork>
Based on my experience, to establish
IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
compatible for dynamic routing, please make sure that you chose the static routing.
Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
Hope this helps you.
Girish Prajwal -
Cisco Asa 5505 and Layer 3 Switch With Remote VPN Access
i got today a new CISCO LAYER 3 Switch .. so here is my scenrio
Cisco Asa 5505
I
Outside == 155.155.155.x
Inside = 192.168.7.1
VPN POOL Address = 10.10.10.1 - 10.10.10.20
Layer 3 Switch Config
Vlan 2
interface ip address = 192.168.1.1
Vlan 2
interface ip address = 192.168.2.1
Vlan 2
interface ip address = 192.168.3.1
Vlan 2
interface ip address = 192.168.4.1
Vlan 2
interface ip address = 192.168.5.1
ip Routing
So i want My Remote Access VPN clients to access all this Networks. So Please can you give me a helpfull trick or Link to configure the rest of my routing
Thank You allWhen My Remote VPN is Connected , it reaches 192.168.7.2 of the Layer 3 VLan that's Connected to The ASA 5505 ,
But i can't reach the rest of the VLAN - example
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
But i can reach the Connected Interface Vlan to My ASA ..
So here i think iam miss configuration to my Route
Any Help Please this is urgent -
How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR. I'm able to Ping the Actiontec external IP. I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.
What do I need to configure on the Actiontec to make this work?
Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface. At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA. However, at home, I cannot go to the Internet while using the VPN client.
Thanks for any help.
Steve
Solved!
Go to Solution.http://www.dslreports.com/faq/verizonfios/3.0_Networking
those are the best sample config's and resources on how to set the FiOS network
Bridging is possible but difficult. That link will give you great info on it.
Are you a FiOS customer that has phone/internet/tv
or no tv? or no phone? You have to be careful on your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, or the VOD or the Widgets.
Sorry the Portforwarding wasn't enough to resolve your issue, I am not sure that it's a Actiontec config you are looking for, from my understanding of Cisco's and FiOS it may be something behind the cisco that is causing an issue. You may want to reach out to the Cisco admin that manages that, and find out if there are additional ports that are required and then you can come back and configure those ports too. -
Internet Connection Became Slow after Introduction of Cisco ASA 5505 to the Network
I configured a Cisco ASA 5505 (Version Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
in transparent firewall mode and inserted after Cisco 1700 router. However, the internet connection became very slow and users are compaining that they cannot load any pages.
My setup looks like:
Internet --> Cisco 1700 --> Cisco ASA 5505 --> LAN
The license information is:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
The flash activation key is the SAME as the running key.
My running-config looks like:
ASA Version 7.2(3)
firewall transparent
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Vlan1
nameif inside
security-level 100
no shut
interface Vlan2
nameif outside
security-level 0
no shut
interface Ethernet0/0
switchport access vlan 2
no shut
interface Ethernet0/1
no shut
interface Ethernet0/2
no shut
interface Ethernet0/3
no shut
interface Ethernet0/4
no shut
interface Ethernet0/5
no shut
interface Ethernet0/6
no shut
interface Ethernet0/7
no shut
passwd 2KFQnbNIdI.2KYOU encrypted
regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.diretube\.com"
regex domainlist3 "\.youtube\.com"
regex domainlist4 "\.vimeo\.com"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_in extended permit ip any any
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 192.168.1.254 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map type regex match-any DomainBlockList
match regex domainlist1
match regex domainlist2
match regex domainlist3
match regex domainlist4
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map type regex match-any URLBlockList
match regex urllist1
match regex urllist2
match regex urllist3
match regex urllist4
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match response header regex contenttype regex applicationheader
class-map httptraffic
match access-list inside_mpc
class-map type inspect http match-all BlockURLsClass
match request uri regex class URLBlockList
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
class AppHeaderClass
drop-connection log
match request method connect
drop-connection log
class BlockDomainsClass
reset log
class BlockURLsClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:8ab1a53df6ae3c202aee236d6080edfd
: end
Could the slow internet connection be due to license limitations? Or is there something wrong with my configuration?
Please see the configuration and help.
ThanksI have re-configured the ASA 5505 yesterday and so far it's working fine. I am not sure if the problem will re-appear later on. Anyways here is my sh tech-support
ciscoasa# sh tech-support
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 14 hours 16 mins
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001f.9ee8.ffa2, irq 11
1: Ext: Ethernet0/0 : address is 001f.9ee8.ff9a, irq 255
2: Ext: Ethernet0/1 : address is 001f.9ee8.ff9b, irq 255
3: Ext: Ethernet0/2 : address is 001f.9ee8.ff9c, irq 255
4: Ext: Ethernet0/3 : address is 001f.9ee8.ff9d, irq 255
5: Ext: Ethernet0/4 : address is 001f.9ee8.ff9e, irq 255
6: Ext: Ethernet0/5 : address is 001f.9ee8.ff9f, irq 255
<--- More --->
7: Ext: Ethernet0/6 : address is 001f.9ee8.ffa0, irq 255
8: Ext: Ethernet0/7 : address is 001f.9ee8.ffa1, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
Serial Number: JMX1211Z2N4
Running Activation Key: 0xaf0ed046 0xbcf18ebf 0x80b38508 0xba785cc0 0x05250493
Configuration register is 0x1
Configuration has not been modified since last system restart.
<--- More --->
------------------ show clock ------------------
18:32:58.254 UTC Tue Nov 26 2013
------------------ show memory ------------------
Free memory: 199837144 bytes (74%)
Used memory: 68598312 bytes (26%)
Total memory: 268435456 bytes (100%)
------------------ show conn count ------------------
1041 in use, 2469 most used
------------------ show xlate count ------------------
0 in use, 0 most used
------------------ show blocks ------------------
SIZE MAX LOW CNT
0 100 68 100
<--- More --->
4 300 299 299
80 100 92 100
256 100 94 100
1550 6174 6166 6174
2048 1124 551 612
------------------ show blocks queue history detail ------------------
History buffer memory usage: 2136 bytes (default)
------------------ show interface ------------------
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is y88acs06, BW 1000 Mbps
(Full-duplex), (1000 Mbps)
MAC address 001f.9ee8.ffa2, MTU not set
IP address unassigned
18491855 packets input, 11769262614 bytes, 0 no buffer
Received 213772 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops, 0 demux drops
18185861 packets output, 11626494317 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
<--- More --->
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/55) software (0/0)
Control Point Interface States:
Interface number is unassigned
Interface Internal-Data0/1 "", is administratively down, line protocol is up
Hardware is 88E6095, BW 1000 Mbps
(Full-duplex), (1000 Mbps)
MAC address 0000.0003.0002, MTU not set
IP address unassigned
18184216 packets input, 11625360131 bytes, 0 no buffer
Received 206655 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 switch ingress policy drops
18490057 packets output, 11768078777 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Loopback0 "_internal_loopback", is up, line protocol is up
Hardware is VirtualMAC address 0000.0000.0000, MTU 1500
IP address 127.1.0.1, subnet mask 255.255.0.0
<--- More --->
Traffic Statistics for "_internal_loopback":
1 packets input, 28 bytes
1 packets output, 28 bytes
1 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 28
Interface config status is active
Interface state is active
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.9ee8.ffa2, MTU 1500
IP address 192.168.1.254, subnet mask 255.255.255.0
Traffic Statistics for "inside":
7742275 packets input, 903584114 bytes
10645034 packets output, 10347291114 bytes
184883 packets dropped
1 minute input rate 320 pkts/sec, 35404 bytes/sec
1 minute output rate 325 pkts/sec, 313317 bytes/sec
<--- More --->
1 minute drop rate, 17 pkts/sec
5 minute input rate 399 pkts/sec, 59676 bytes/sec
5 minute output rate 483 pkts/sec, 503200 bytes/sec
5 minute drop rate, 9 pkts/sec
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.9ee8.ffa3, MTU 1500
IP address 192.168.1.254, subnet mask 255.255.255.0
Traffic Statistics for "outside":
10750090 packets input, 10432619059 bytes
7541331 packets output, 870613684 bytes
109911 packets dropped
1 minute input rate 328 pkts/sec, 313770 bytes/sec
1 minute output rate 301 pkts/sec, 32459 bytes/sec
1 minute drop rate, 2 pkts/sec
5 minute input rate 485 pkts/sec, 503789 bytes/sec
5 minute output rate 387 pkts/sec, 57681 bytes/sec
5 minute drop rate, 2 pkts/sec
Control Point Interface States:
Interface number is 2
<--- More --->
Interface config status is active
Interface state is active
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001f.9ee8.ff9a, MTU not set
IP address unassigned
10749794 packets input, 10630700889 bytes, 0 no buffer
Received 2506 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
3 switch ingress policy drops
7541070 packets output, 1028190148 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
<--- More --->
Available but not configured via nameif
MAC address 001f.9ee8.ff9b, MTU not set
IP address unassigned
7741977 packets input, 1064586806 bytes, 0 no buffer
Received 211282 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
10644663 packets output, 10543362751 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/2 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9c, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
<--- More --->
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/3 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9d, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
<--- More --->
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/4 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9e, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
<--- More --->
Interface number is unassigned
Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9f, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
<--- More --->
MAC address 001f.9ee8.ffa0, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/7 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ffa1, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
<--- More --->
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 12%; 1 minute: 11%; 5 minutes: 11%
------------------ show cpu hogging process ------------------
Process: Dispatch Unit, NUMHOG: 1, MAXHOG: 133, LASTHOG: 140
LASTHOG At: 04:45:59 UTC Nov 26 2013
PC: 8be0f7
Traceback: 8bed19 8bf553 302b87 3030a5 2fad69 7674bf 75ca16
c6251d c62a4c c62f6c 75c653 767820 797f64 769c85
<--- More --->
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Mwe 00c9bb24 01bb8700 013e3250 0 01733fc8 15616/16384 emweb/cifs
Lwe 001072ac 0176f9c4 013e32d0 0 0176d9f0 8132/8192 block_diag
Mrd 00223a67 01783d5c 013e33b0 314854 0177be18 25752/32768 Dispatch Unit
Msi 00f82847 01b07b84 013e3250 229 01b05bc0 7984/8192 y88acs06 OneSec Thread
Mwe 0011b1a5 01b09cfc 013e3250 0 01b07d88 7864/8192 Reload Control Thread
Mwe 00120606 01b1260c 013e5258 0 01b10988 7256/8192 aaa
Mwe 001486aa 01b19404 013e5ae8 0 01b15450 16020/16384 CMGR Server Process
Mwe 0014c3c5 01b1b4d4 013e3250 0 01b19570 7968/8192 CMGR Timer Process
Lwe 002227a1 01b239b4 013ee360 0 01b219f0 7524/8192 dbgtrace
Mwe 004e1ba5 01b29c34 013e3250 157 01b27d50 6436/8192 eswilp_svi_init
Mwe 01064b1d 01b4a7f4 013e3250 0 01b48890 7848/8192 Chunk Manager
Msi 008b61b6 01b52d54 013e3250 230 01b50da0 7856/8192 PIX Garbage Collector
Lsi 00ecb6ac 01b54e94 013e3250 12 01b52ec0 7552/8192 route_process
Mwe 008a5ddc 01b5dc04 0133b430 0 01b5bc40 8116/8192 IP Address Assign
Mwe 00acb779 01b60604 01346e10 0 01b5e640 8116/8192 QoS Support Module
Mwe 0091eba9 01b6275c 0133c530 0 01b60798 8116/8192 Client Update Task
Lwe 01083c8e 01b656d4 013e3250 123088 01b63770 7840/8192 Checkheaps
Mwe 00acfd7d 01b6b824 013e3250 623 01b69ad0 3476/8192 Quack process
Mwe 00b2a260 01b6dad4 013e3250 22 01b6bbf0 7364/8192 Session Manager
Mwe 00c55efd 01b78564 031d0478 4 01b74a50 14768/16384 uauth
<--- More --->
Mwe 00be3c9e 01b7aaec 0135c010 0 01b78b28 7524/8192 Uauth_Proxy
Mwe 00c52759 01b80e0c 01361770 0 01b7ee88 7712/8192 SMTP
Mwe 00c3f7b9 01b82eec 01361710 0 01b80fa8 7412/8192 Logger
Mwe 00c3fd26 01b8502c 013e3250 0 01b830c8 7492/8192 Thread Logger
Mwe 00f62272 01b9596c 013ac520 0 01b939c8 7188/8192 vpnlb_thread
Msi 00b4097c 01c598c4 013e3250 190 01c578f0 8000/8192 emweb/cifs_timer
Msi 005bd338 017a909c 013e3250 25855 017a7108 7412/8192 arp_timer
Mwe 005c76bc 01b486e4 013fba50 20643 01b46770 7348/8192 arp_forward_thread
Mwe 00c5a919 023fa5fc 013619e0 0 023f8648 7968/8192 tcp_fast
Mwe 00c5a6e5 023fc624 013619e0 0 023fa670 7968/8192 tcp_slow
Mwe 00c754d1 0240d42c 013628a0 0 0240b478 8100/8192 udp_timer
Mwe 0019cb17 01b404a4 013e3250 0 01b3e530 7984/8192 CTCP Timer process
Mwe 00efe8b3 0308c15c 013e3250 0 0308a208 7952/8192 L2TP data daemon
Mwe 00efef23 0308e194 013e3250 0 0308c230 7968/8192 L2TP mgmt daemon
Mwe 00eea02b 030c62ac 013a5c10 43 030c2338 16244/16384 ppp_timer_thread
Msi 00f62d57 030c82f4 013e3250 264 030c6360 7924/8192 vpnlb_timer_thread
Mwe 001b96e6 01b7cbbc 01b1e9c8 1 01b7ac48 7728/8192 IPsec message handler
Msi 001c9bac 01b8d4dc 013e3250 2917 01b8b548 7648/8192 CTM message handler
Mwe 00af93b8 031465b4 013e3250 0 03144640 7984/8192 ICMP event handler
Mwe 00831003 0314a724 013e3250 387 031467b0 16100/16384 IP Background
Mwe 0021b267 031a83c4 013123c0 31 03188450 123488/131072 tmatch compile thread
Mwe 009f2405 03290044 013e3250 0 0328c0c0 16072/16384 Crypto PKI RECV
Mwe 009f305a 03294144 013e3250 0 032901e0 16040/16384 Crypto CA
Mwe 0064d4fd 01b3e24c 013e3250 8 01b3c2f8 7508/8192 ESW_MRVL switch interrupt service
<--- More --->
Msi 00646f5c 032c134c 013e3250 3059378 032bf448 7184/8192 esw_stats
Lsi 008cbb80 032dc704 013e3250 3 032da730 7908/8192 uauth_urlb clean
Lwe 008afee7 034a0914 013e3250 197 0349e9b0 6636/8192 pm_timer_thread
Mwe 0052f0bf 034a35ac 013e3250 0 034a1648 7968/8192 IKE Timekeeper
Mwe 00520f6b 034a8adc 0132e2b0 0 034a4e38 15448/16384 IKE Daemon
Mwe 00bf5c78 034ac7ac 01360680 0 034aa7f8 8100/8192 RADIUS Proxy Event Daemon
Mwe 00bc32de 034ae79c 034dcbe0 0 034ac918 7208/8192 RADIUS Proxy Listener
Mwe 00bf5e0f 034b099c 013e3250 0 034aea38 7968/8192 RADIUS Proxy Time Keeper
Mwe 005aac4c 034b3154 013fb980 0 034b1250 7492/8192 Integrity FW Task
M* 008550a5 0009fefc 013e33b0 3183 034e3b20 24896/32768 ci/console
Msi 008eb694 034ed9d4 013e3250 2370 034ebc40 6176/8192 update_cpu_usage
Msi 008e6415 034f7dac 013e3250 1096 034f5eb8 6124/8192 NIC status poll
Mwe 005b63e6 03517d1c 013fbd10 1963 03515d78 7636/8192 IP Thread
Mwe 005becbe 03519e4c 013fbcb0 3 03517e98 7384/8192 ARP Thread
Mwe 004c2b36 0351befc 013fbae0 0 03519fe8 7864/8192 icmp_thread
Mwe 00c7722e 0351e06c 013e3250 0 0351c108 7848/8192 udp_thread
Mwe 00c5d126 0352008c 013fbd00 0 0351e228 7688/8192 tcp_thread
Mwe 00bc32de 03a6982c 03a5ee18 0 03a679b8 7512/8192 EAPoUDP-sock
Mwe 00266c15 03a6b614 013e3250 0 03a699e0 7032/8192 EAPoUDP
Mwe 005a6728 01b27b94 013e3250 0 01b25c30 7968/8192 Integrity Fw Timer Thread
- - - - 47686621 - - scheduler
- - - - 51253819 - - total elapsed
------------------ show failover ------------------
<--- More --->
ERROR: Command requires failover license
------------------ show traffic ------------------
inside:
received (in 51429.740 secs):
7749585 packets905087345 bytes
67 pkts/sec17013 bytes/sec
transmitted (in 51429.740 secs):
10653162 packets10355908020 bytes
40 pkts/sec201026 bytes/sec
1 minute input rate 412 pkts/sec, 51803 bytes/sec
1 minute output rate 475 pkts/sec, 522952 bytes/sec
1 minute drop rate, 24 pkts/sec
5 minute input rate 399 pkts/sec, 59676 bytes/sec
5 minute output rate 483 pkts/sec, 503200 bytes/sec
5 minute drop rate, 9 pkts/sec
outside:
received (in 51430.240 secs):
10758403 packets10441440193 bytes
42 pkts/sec203021 bytes/sec
transmitted (in 51430.240 secs):
7548339 packets872053854 bytes
<--- More --->
63 pkts/sec16037 bytes/sec
1 minute input rate 479 pkts/sec, 523680 bytes/sec
1 minute output rate 387 pkts/sec, 46796 bytes/sec
1 minute drop rate, 3 pkts/sec
5 minute input rate 485 pkts/sec, 503789 bytes/sec
5 minute output rate 387 pkts/sec, 57681 bytes/sec
5 minute drop rate, 2 pkts/sec
_internal_loopback:
received (in 51430.740 secs):
1 packets28 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51430.740 secs):
1 packets28 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Aggregated Traffic on Physical Interface
<--- More --->
Ethernet0/0:
received (in 51431.740 secs):
10758462 packets10640075825 bytes
42 pkts/sec206042 bytes/sec
transmitted (in 51431.740 secs):
7548383 packets1029818127 bytes
63 pkts/sec20023 bytes/sec
1 minute input rate 485 pkts/sec, 537048 bytes/sec
1 minute output rate 395 pkts/sec, 54546 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 485 pkts/sec, 511723 bytes/sec
5 minute output rate 387 pkts/sec, 65495 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/1:
received (in 51433.570 secs):
7749780 packets1066328930 bytes
67 pkts/sec20064 bytes/sec
transmitted (in 51433.570 secs):
10653359 packets10552787020 bytes
40 pkts/sec205006 bytes/sec
1 minute input rate 419 pkts/sec, 59621 bytes/sec
1 minute output rate 480 pkts/sec, 533950 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 399 pkts/sec, 67618 bytes/sec
<--- More --->
5 minute output rate 482 pkts/sec, 511073 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/2:
received (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/3:
received (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
<--- More --->
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/4:
received (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/5:
received (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
<--- More --->
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/6:
received (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/7:
received (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51435.010 secs):
<--- More --->
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/0:
received (in 51435.510 secs):
18513901 packets11784250044 bytes
25 pkts/sec229023 bytes/sec
transmitted (in 51435.510 secs):
18207269 packets11641332179 bytes
19 pkts/sec226078 bytes/sec
1 minute input rate 891 pkts/sec, 595715 bytes/sec
1 minute output rate 863 pkts/sec, 588935 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 885 pkts/sec, 584035 bytes/sec
5 minute output rate 870 pkts/sec, 580393 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/1:
received (in 51436.010 secs):
18207323 packets11641364184 bytes
<--- More --->
19 pkts/sec226076 bytes/sec
transmitted (in 51436.010 secs):
18513954 packets11784281987 bytes
25 pkts/sec229022 bytes/sec
1 minute input rate 855 pkts/sec, 575808 bytes/sec
1 minute output rate 884 pkts/sec, 582339 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 869 pkts/sec, 578350 bytes/sec
5 minute output rate 883 pkts/sec, 581924 bytes/sec
5 minute drop rate, 0 pkts/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 17/s 6/s
TCP Conns 8/s 2/s
UDP Conns 7/s 2/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept 0/s 0/s
HTTP Fixup 0/s 0/s
<--- More --->
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show counters ------------------
Protocol Counter Value Context
IP IN_PKTS 168960 Summary
IP OUT_PKTS 169304 Summary
IP TO_ARP 61 Summary
------------------ show history ------------------
------------------ show firewall ------------------
Firewall mode: Transparent
------------------ show running-config ------------------
<--- More --->
: Saved
ASA Version 7.2(3)
firewall transparent
hostname ciscoasa
enable password
names
interface Vlan1
nameif inside
security-level 100
interface Vlan2
nameif outside
security-level 0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
<--- More --->
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd
regex domain1 ".facebook\.com"
regex domain2 ".fb\.com"
regex domain3 ".youtube\.com"
ftp mode passive
access-list ACL_IN extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
ip address 192.168.1.254 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
<--- More --->
arp timeout 14400
access-group ACL_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map type regex match-any DomainBlockList
match regex domain1
match regex domain2
match regex domain3
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
<--- More --->
message-length maximum 512
match domain-name regex class DomainBlockList
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:bb5115ea1d14ee42e7961ef0c9aaed86
: end
<--- More --->
------------------ show startup-config errors ------------------
INFO: No configuration errors
------------------ console logs ------------------
Message #1 : Message #2 : Message #3 : Message #4 : Message #5 : Message #6 : Message #7 : Message #8 : Message #9 : Message #10 : Message #11 : Message #12 : Message #13 : Message #14 :
Total SSMs found: 0
Message #15 :
Total NICs found: 10
Message #16 : 88E6095 rev 2 Gigabit Ethernet @ index 09Message #17 : MAC: 0000.0003.0002
Message #18 : 88E6095 rev 2 Ethernet @ index 08Message #19 : MAC: 001f.9ee8.ffa1
Message #20 : 88E6095 rev 2 Ethernet @ index 07Message #21 : MAC: 001f.9ee8.ffa0
Message #22 : 88E6095 rev 2 Ethernet @ index 06Message #23 : MAC: 001f.9ee8.ff9f
Message #24 : 88E6095 rev 2 Ethernet @ index 05Message #25 : MAC: 001f.9ee8.ff9e
Message #26 : 88E6095 rev 2 Ethernet @ index 04Message #27 : MAC: 001f.9ee8.ff9d
Message #28 : 88E6095 rev 2 Ethernet @ index 03Message #29 : MAC: 001f.9ee8.ff9c
Message #30 : 88E6095 rev 2 Ethernet @ index 02Message #31 : MAC: 001f.9ee8.ff9b
Message #32 : 88E6095 rev 2 Ethernet @ index 01Message #33 : MAC: 001f.9ee8.ff9a
Message #34 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 001f.9ee8.ffa2
Message #35 :
Licensed features for this platform:
Message #36 : Maximum Physical Interfaces : 8
<--- More --->
Message #37 : VLANs : 3, DMZ Restricted
Message #38 : Inside Hosts : Unlimited
Message #39 : Failover : Disabled
Message #40 : VPN-DES : Enabled
Message #41 : VPN-3DES-AES : Enabled
Message #42 : VPN Peers : 10
Message #43 : WebVPN Peers : 2
Message #44 : Dual ISPs : Disabled
Message #45 : VLAN Trunk Ports : 0
Message #46 :
This platform has a Base license.
Message #47 :
Message #48 : Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Message #49 : Boot microcode : CNlite-MC-Boot-Cisco-1.2
Message #50 : SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
Message #51 : IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
Message #52 : --------------------------------------------------------------------------
Message #53 : . .
Message #54 : | |
Message #55 : ||| |||
Message #56 : .|| ||. .|| ||.
Message #57 : .:||| | |||:..:||| | |||:.
Message #58 : C i s c o S y s t e m s
Message #59 : --------------------------------------------------------------------------
<--- More --->
Message #60 :
Cisco Adaptive Security Appliance Software Version 7.2(3)
Message #61 :
Message #62 : ****************************** Warning *******************************
Message #63 : This product contains cryptographic features and is
Message #64 : subject to United States and local country laws
Message #65 : governing, import, export, transfer, and use.
Message #66 : Delivery of Cisco cryptographic products does not
Message #67 : imply third-party authority to import, export,
Message #68 : distribute, or use encryption. Importers, exporters,
Message #69 : distributors and users are responsible for compliance
Message #70 : with U.S. and local country laws. By using this
Message #71 : product you agree to comply with applicable laws and
Message #72 : regulations. If you are unable to comply with U.S.
Message #73 : and local laws, return the enclosed items immediately.
Message #74 :
Message #75 : A summary of U.S. laws governing Cisco cryptographic
Message #76 : products may be found at:
Message #77 : http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
Message #78 :
Message #79 : If you require further assistance please contact us by
Message #80 : sending email to [email protected].
Message #81 : ******************************* Warning *******************************
Message #82 :
<--- More --->
Message #83 : Copyright (c) 1996-2007 by Cisco Systems, Inc.
Message #84 : Restricted Rights Legend
Message #85 : Use, duplication, or disclosure by the Government is
Message #86 : subject to restrictions as set forth in subparagraph
Message #87 : (c) of the Commercial Computer Software - Restricted
Message #88 : Rights clause at FAR sec. 52.227-19 and subparagraph
Message #89 : (c) (1) (ii) of the Rights in Technical Data and Computer
Message #90 : Software clause at DFARS sec. 252.227-7013.
Message #91 : Cisco Systems, Inc.
Message #92 : 170 West Tasman Drive
Message #93 : San Jose, California 95134-1706
ciscoasa#
Maybe you are looking for
-
Inserting image in a sapscript.
Hi everyone, I have to change the existing signature in a sapscript to another signature.For that i have that signature as pdf with me. I want to know how to load this to sap then to my sapscript . Plz give the steps for 1. Changing that pdf t
-
Unable to read podcast in a row
Hi, I just receive my ipod 30gb black. My system is windows xp pro SP2 and I use Itunes 7.0.1.8 and ipod software is 1.2. The problem I have is that I cannot read several podcasts in a row. In a list, I put some episode from my favorites podcast, and
-
Webpage in Edit Mode displays NO editable data!
I used Dreamweaver MX to develop our company's Intranet. Our HR Director makes changes to the Job Postings page on her own using Contribute 2. Since the original creation of our Intranet, I've updated to Macromedia Studio 8. A couple weeks ago she wa
-
Issue with logical operator using SetEnvIF in OHS
We have a requirement to set constant value in ssl.conf (OHS) based on Request_URI & referrer. For example, if (Request_URI=/forms/base/login) and (Referer=http://example.com), then we need to set variable value with 1. Similarly we some more conditi
-
Flickering video with correct field order? help!
On the moment I've got a long term running problem. I've got a uncompressed 8bit quicktime movie, saved using the sheer video codec with adobe's premiere pro on a machine running windows. I convert this file to a m2v file so I can import it in DVDSP