Cisco ASA and Internal Hosted Website
I have a Cisco ASA 8.4. I have an internal website for an application that they use both internal and externally (app.domain.com/app is 10.0.0.3) The company that hosts their External Website and DNS created a record that points to http://app.domain.com/app to their public ip 1.2.3.4. Externally everything works great I have port forward for 80 working. The problem is that when the users bring their laptops in to the office they are unable to get to the interanlly hosted website. I think the the firewall is having an issue letting the traffic back in. If i use the internal DNS and create a zone for domain.com with an A record for app.domain.com and point it to 10.0.0.3 the internal address..it works. Of course when they try to access the external website it does not work. So if create an A record that points to the web hosts address, it kinda of works...parts of the website don't come up. I really think I there is something like a hairpin or u-turn that needs to be done. Oh by the way this is my first real experince with an ASA. The Symantec Gateway they had worked great. I looked in the config and there were no hairpin or crazy rules, just the standard port forward for 80. Any ideas? I have tried several suggestions i found on the web, but none have worked.
Thanks
Nick
Hi,
The main problem with such setup (from the ASAs perspective) is usually that the NAT for the server is configured from certain source interface towards some destination interface.
You might for example have this configuration
object network WEB-SERVER
host 10.0.0.3
nat (inside,outside) static interface service 80 80
This would enable connectivity from the behind "outside" interface towards which the translation is configured but not from behind "inside".
I am not sure how different vendor firewalls handle this situation if you say that you only had the original Static PAT configuration towards the external interface.
If you wanted to enable connectivity to the public IP address from your LAN you would have to make a NAT towards the "inside" interface from the "inside" interface. And thats not all. You would also have to configure Dynamic PAT for the source hosts on the LAN behind "inside". The reason for this is that the ASA needs to see the whole TCP conversation between the client/server and since we PAT all the users to the ASA "inside" interface IP address that makes sure that ASA sees the whole conversation between the hosts.
So you could try this configuration on the ASA
object network PUBLIC-IP
host
object network WEB-SERVER
host 10.0.0.3
object network LAN
subnet
nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER
The above configuration would essentially look for connections coming from behind "inside" interface from the source address belonging to LAN to the destination IP address of PUBLIC-IP and proceed to UN-NAT the PUBLIC-IP to WEB-SERVER and PAT the source address to "interface" (inside interface IP address)
You would also perhaps needs to add this command
same-security-traffic permit intra-interface
This enabled the ASA to pass traffic through the same interface that the traffic arrived in. So basically do that Hairpin/U-turn
You can check the current configuration with the command
show run same-security-traffic
Do notice that there is a similiar command with a different parameter at the end (inter-interface vs. intra-interface). So check that you have the correct one.
Hope this helps
Let me know how it goes
- Jouni
Similar Messages
-
CISCO ASA Clientless VPN Host Scan
Hi All
We open up Internet Explorer 8 on local PC, then we are connecting using clientless vpn to a CISCO ASA 5520 8.0(4), we are getting an issue with the local internet explorer browser closing after 20 mins. The content accessed from the VPN is still available but all local Internet Explorer processes are terminated.
When i look at the hostscan.log i get TOKEN_SUCESS followed by TOKEN_LOGGEDON for the first 20 mins. After 20 minutes i get TOKEN_INVALID followed by the browser kill command which is closing internet explorer. This is effecting all users. If i close the SSL VPN completly the same issue occurs after exactly 20 mins. The session below was started at 14:23:34 and we recieve TOKEN_LOGGEDON at 14:45:50 but TOKEN_INVALID at 14:46:50.
Hope someone can help?
Ian
Host Scan.Log:
[Tue Oct 09 14:45:50.296 2012][libcsd][info][asa_parse_dap_response] parsing DAP response.
[Tue Oct 09 14:45:50.296 2012][libcsd][debug][asa_parse_dap_response] TOKEN_LOGGEDON
[Tue Oct 09 14:45:50.296 2012][libcsd][debug][asa_parse_dap_response] no scan interval, defaulting to 60 sec.
[Tue Oct 09 14:45:50.296 2012][libcsd][debug][cache_cleaner_check_browsers] cache cleaner enabled, verifying browser is still open.
[Tue Oct 09 14:45:50.343 2012][libcsd][debug][run_loop] sleeping for 60 seconds.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][run_loop] awake.
[Tue Oct 09 14:46:50.349 2012][libcsd][all][scan] performing scan.
[Tue Oct 09 14:46:50.349 2012][libcsd][info][process_system_scans] scanning system...
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][update_file] updating file (C:\Users\REMOVED\AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][verify_file] verifying file: C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][verify_file] file has been verified: (C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] path not absolute, file signature not checked (kernel32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (kernel32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (kernel32.dll) loaded
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_os] os (Windows 7) version (Service Pack 1) arch (x64) proclevel (unknown)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_location] location (REMOVED)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_csdtype] csd protection (cache cleaner)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_csdtype] csd version (3.5.841)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_hostname] hostname (REMOVED)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (135)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (445)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (3389)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (5500)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (6051)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (6129)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (47002)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (47006)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (47007)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49152)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49153)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49154)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49175)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49179)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (49184)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (9089)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (139)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (123)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (500)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (4500)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (5355)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (6004)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (64000)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (64246)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (1900)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (50907)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (53973)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (56922)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (57555)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (57906)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (59441)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (60837)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (60919)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (63966)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (64019)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (64955)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (65202)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (137)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (138)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (1900)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_openports] found open port (60918)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_macaddrs] found MAC addr (6431.5034.738f)
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][scan_system_applications] No removable applications installed.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_init] initializing certificate subsystem ...
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_init] mozilla cert store enabled
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_init] capi cert store enabled
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_init] initializing mozilla certificate module...
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] path not absolute, file signature not checked (kernel32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (kernel32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (kernel32.dll) loaded
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][reg_open_key] checking 32-bit registry hive: SOFTWARE\Mozilla\Mozilla Firefox.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_init] unable to load mozilla libs.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_init] initializing mozilla certificate module... failed
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_free_api] not initialized
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][moz_free_api] not initialized
[Tue Oct 09 14:46:50.349 2012][libcsd][warn][cert_init] failed to initialize mozilla certificates
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] path not absolute, file signature not checked (Crypt32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (Crypt32.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (Crypt32.dll) loaded
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_init] initializing certificate subsystem ... done
[Tue Oct 09 14:46:50.349 2012][libcsd][warn][cert_get_user_certs_prop_list] mozilla certificates not initialized.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_free] de-initializing certificate subsystem ...
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_free] de-initialization of capi certificated completed.
[Tue Oct 09 14:46:50.349 2012][libcsd][debug][cert_free] de-initializing certificate subsystem ... done
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_file_verify_trust] verifying file trust (C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] path not absolute, file signature not checked (Wintrust.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (Wintrust.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (Wintrust.dll) loaded
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] file signature verified(C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] attempting to load library (C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll)
[Tue Oct 09 14:46:50.349 2012][libcsd][info][hs_dl_load] library (C:\Users\ REMOVED \AppData\Local\Cisco\Cisco HostScan\lib\libdesktop.dll) loaded
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB958830)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2425227)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2479943)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2491683)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2503665)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2506014)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2506212)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2507618)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2509553)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2510531)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2511455)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2518869)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2532531)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2533552)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2534111)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2536275)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2536276)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2539635)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2544521)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2544893)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2552343)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2556532)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2560656)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2564958)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2567680)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2570947)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2572077)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2579686)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2584146)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2585542)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2588516)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2598845)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2618444)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2618451)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2619339)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2620704)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2620712)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2631813)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2633952)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2639417)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2641690)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2644615)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB2656356)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB958488)
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][scan_system_hotfixes] detected hotfix: (KB976902)
[Tue Oct 09 14:46:50.895 2012][libcsd][info][process_host_scans] scanning environment...
[Tue Oct 09 14:46:50.895 2012][libcsd][info][process_inspector_scans] scanning for security software...
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][process_inspector_scans] no inspector list items.
[Tue Oct 09 14:46:50.895 2012][libcsd][info][scan_perform_scan] scanning complete.
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.os.version="Windows 7"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.os.servicepack="Service Pack 1"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.os.architecture="x64"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.os.processor_level="unknown"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.policy.location=" REMOVED "
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.protection="cache cleaner"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.protection_version="3.5.841"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.hostname=" REMOVED "
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["135"]="true"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["445"]="true"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["3389"]="true"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["5500"]="true"
[Tue Oct 09 14:46:50.895 2012][libcsd][debug][get_data] endpoint.device.port["6051"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["6129"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["47002"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["47006"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["47007"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49152"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49153"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49154"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49175"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49179"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["49184"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["9089"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["139"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["123"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["500"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["4500"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["5355"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["6004"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["64000"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["64246"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["1900"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["50907"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["53973"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["56922"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["57555"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["57906"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["59441"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["60837"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["60919"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["63966"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["64019"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["64955"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["65202"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["137"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["138"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["1900"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.port["60918"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.device.MAC["6431.5034.738f"]="true"
CERTIFICATE INFO REMOVED
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB958830"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2425227"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2479943"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2491683"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2503665"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2506014"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2506212"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2507618"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2509553"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2510531"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2511455"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2518869"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2532531"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2533552"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2534111"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2536275"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2536276"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2539635"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2544521"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2544893"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2552343"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2556532"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2560656"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2564958"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2567680"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2570947"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2572077"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2579686"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2584146"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2585542"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2588516"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2598845"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2618444"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2618451"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2619339"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2620704"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2620712"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2631813"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2633952"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2639417"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2641690"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2644615"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB2656356"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB958488"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][get_data] endpoint.os.hotfix["KB976902"]="true"
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setpeer] setting peer
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setpeer] setting l2 peer: (REMOVED)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setpeer] setting peer done. peer = REMOVED, referrer = REMOVED
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][asa_post_dap] sending results to: (REMOVED /+CSCOE+/sdesktop/scan.xml?reusebrowser=1)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setcookie] setting cookie
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setcookie] setting cookie: (sdesktop=70E341AC00B5735F069D5FFE)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_addheader] adding http header
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_addheader] adding http header: (Cookie: sdesktop=70E341AC00B5735F069D5FFE)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_addheader] adding http header done
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setcookie] setting cookie done
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setredircount] setting redirects
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setredircount] setting redirects: (10)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_setredircount] setting redirects done
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][asa_post_dap] sending results to: (REMOVED /+CSCOE+/sdesktop/scan.xml?reusebrowser=1)
[Tue Oct 09 14:46:50.911 2012][libcsd][debug][hs_transport_post] posting data
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][process_response_headers] processing http response headers
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][process_response_headers] getting http headers from l2
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][process_response_headers] getting http headers headers from l2 done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][parse_response_headers] parsing http headers
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] --- Http Response Headers ---
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] HTTP-Version: 1.1
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Status-Code: 200
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Cache-Control: no-cache
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Connection: Keep-Alive
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Date: Tue, 09 Oct 2012 13:46:50 GMT
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Pragma: no-cache
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Transfer-Encoding: chunked
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Content-Type: text/xml
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] Server: Cisco AWARE 2.0
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][dump_http_headers] --------------------
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][parse_response_headers] parsing http headers done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][process_response_headers] processing http response headers done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_post] posting data done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][asa_post_dap] results sent to (REMOVED).
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] getting data
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] --- http data ---
todo
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] getting data done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] getting data
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] --- http data ---
todo
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][hs_transport_get_data] getting data done
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][asa_post_dap] headend response: (<?xml version="1.0" encoding="ISO-8859-1"?>
<hostscan><status>TOKEN_INVALID</status></hostscan>
[Tue Oct 09 14:46:50.926 2012][libcsd][info][asa_parse_dap_response] parsing DAP response.
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][asa_parse_dap_response] TOKEN_INVALID
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][asa_parse_dap_response] no scan interval, defaulting to 60 sec.
[Tue Oct 09 14:46:50.926 2012][libcsd][debug][browser_restore] restoring browser settings.
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (2400)
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (6944)
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (2396)
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (1436)
[Tue Oct 09 14:46:50.957 2012][libcsd][info][browser_kill] killing browser: iexplore.exe with pid (532)
[Tue Oct 09 14:46:50.957 2012][libcsd][debug][restore_ie_history] restoring IE history.Windows 8 clientless SSL VPN is officially supported as of 9.0(2) and 9.1(2) codes:
Clientless SSL VPN: Windows 8 Support: http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html
Maybe upgrading your code will fix it...
Patrick -
We purchased a bunch of Cisco ASA 5505 for our branch offices. Offices are made up of less than 20 end points. We are using it as a firewall and DHCP server at hte moment but also assumed that it had DNS server capabilities. Basically use it as a SOHO router. My research thus far indicates that yes we can use the device as a dns server but it won't resolve locally defined hosts. So it can relay dns request to an external dns server but won't allow me to configured an a record on the device itself.
Can anyone verify this before I look into purchasing another device just to do local DNS server services?
Thanks!Joe
As far as i know the ASA cannot act as a DNS server nor can it act as a DNS relay. What you can do is -
1) configure DNS servers on the ASA that can be used in certain situations for allowing the ASA to resolve a name to an IP. For example using the Botnet filter on the ASA, SSL certificates etc. require the ASA to be able to qurey external DNS servers.
But this is for use by the ASA itself ie. it is used to resolve names within the ASA config. It is not used to allow clients to ask the ASA to resolve DNS names for them. So it can neither act as a DNS server itself nor can it pass on clients DNS queries to DNS servers.
2) if you use the ASA to hand out IPs via DHCP you can add valid DNS servers within the DHCP config just as you can with Windows DHCP.
Jon -
Transfer files between ASA and a host across a VPN
Hello Guys,
I have a Remote Access VPN between an ASA and a Windows PC, the issue that I'm seeing is that I can't transfer files between the ASA and my PC across the VPN.
The first time I thought that because the size of the file and some issue with my ADSL service bandwidth could be the problem. However, I tried to copy the running config of the ASA to my PC and is also impossible. I received this error:
ASA# copy running-config tftp:
Source filename [running-config]?
Address or name of remote host []? 10.10.10.2 ----> This is the address of my PC over the VPN tunnel
Destination filename [running-config]? ASA-Config04032014
Cryptochecksum: f5a9f8cb 9f63b2e5 e8c99e36 9498cb50
%Error writing tftp://10.10.10.2/ASA-Config04032014 (Timed out attempting to connect)
Does anybody had this kind of problem before?
Thanks in advance,I was wondering if I transfer files between a PC and Mac via Ethernet cable can I reverse the transfer from a Mac to a Pc?
Yes. Start Windows File Sharing on the Mac and then access it on the PC.
(47464) -
I noticed that the CPU on our ASA had jumped from around %4 to 30% consistently a few weeks back. The process below seems to be causing the load, but I can't find any information on what it does and how to resolve the issue.
ASA# sh proc cpu-usage sorted non-zero
PC Thread 5Sec 1Min 5Min Process
0x08a24505 0x1bdb0124 25.4% 25.6% 25.6% rtcli async executor process
0x081ecc51 0x1bdc0f3c 4.7% 4.3% 4.1% Dispatch Unit
0x08e4687c 0x1bdc0528 0.3% 0.3% 0.3% ssm4ge_cfg_poll_thread
0x08a496d0 0x1bdbecf8 0.1% 0.1% 0.1% Unicorn Admin Handler
0x0866d56e 0x1bdafd1c 0.1% 0.1% 0.1% ARP Thread
A little more background that has me concerned is that I have the exact time when the jump occurred. Since that time, I've lost ssh access to the ASA and can only access it via Telnet internally or the ASDM. I checked the certificates and a new one was generated exactly when the spike occurred. I am unsure wether or not that was a system triggered certificate generation, or if I have a security issue I need to address. Heartbleed maybe??
Any insight would be greatly appreciated.Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Sorry I wasn't clear, but when I was asking about "not a lot of traffic", I was wondering about actual volume passing through the 2811.
When I asked about "kind of tunnels", I was wondering about how they are configured. E.g. GRE or IPSec/GRE or VTI, encryption options, other tunnel interface options.
Perhaps the easiest way to check for fragmentation, is packet analyze the traffic passing through the 2811. -
STS Tunnel in between Cisco ASA and Meraki Firewall
Hello Experts,
We are in process of configuring the syslog server which is placed at remote site and the STS Tunnel is established to send the Meraki syslogs over the Tunnel which is working fine. The local LANS of both sites can communicate each other without issue but we are facing an issue wherein when the traffic leaves the traffic from Meraki firewall then it uses the Meraki wan interface IP and in syslog it's being used as a source which can't be added in encryption list on Meraki firewall unfortunately as there is no option available to get the wan IP added to encryption list. Can somebody please advise on how to solve this issue? I also searched an option to get the source IP changed from wan to Inside interface IP which is still not possible on Meraki firewall.I am not very familiar with Meraki, but I did come across this document...hope it will help you out.
https://kb.meraki.com/knowledge_base/syslog-server-overview-and-configuration
Please remember to select a correct answer and rate helpful posts -
Cisco ASA 5505 Routing between internal networks
Hi,
I am new to Cisco ASA and have been configuring my new firewall but one thing have been bothering. I cannot get internal networks and routing between them to work as I would like to. Goal is to set four networks and control access with ACL:s between those.
1. Outside
2. DMZ
3. ServerNet1
4. Inside
ASA version is 9.1 and i have been reading on two different ways on handling IP routing with this. NAT Exempt and not configuring NAT at all and letting normal IP routing to handle internal networks. No matter how I configure, with or without NAT I cannot get access from inside network to DMZ or from ServerNet1 to DMZ. Strange thing is that I can access services from DMZ to Inside and ServerNet1 if access list allows it. For instance DNS server is on Inside network and DMZ works great using it.
Here is the running conf:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymousHi Jouni,
Yep, Finnish would be good also =)
In front of ASA is DSL modem, on the trunk ports is Hyper-V host that uses the trunk ports so that every VM has their VLAN ID defined in the VM level. Everything is working good on that end. Also there is WLAN Access Pois on one of the ASA ports, on the WLAN AP there is the management portal address on DMZ that i have been testing agains (192.168.3.4)
If i configure Dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on DMZ but thats not the right way to do it so no shortcuts =)
Here is the conf now, still doesnt work:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
object-group network DEFAULT-PAT-SOURCE
description Default PAT source networks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous -
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3
Nov 21 2012
07:11:09
713061
Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5
Nov 21 2012
07:11:09
713119
Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
MichaelHi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on the Phase2 and see if you get anymore hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
Hi All
I have just started working on Cisco ASAs and working on following scenario:
3 Depts having 3 separate Networks given following names
Finance
Accounts
HR
Communication Between them should be restricted and allowed on specfic host and services. My approach is that I have assigned security level of "0"
to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host , traffic stops flowing for all other hosts except for the one which was granted access in access-list.
Is my approach right? Please do advise, and also Is this a default behaviour of ASA to implicitly deny traffic for all host as soon as I place a acl after enabling same-security-traffic permit inter-interface.
Thanks and RegardsHello,
If all of the networks zone have the same security level for your company then you can use the same one on them.
Remember that all the ACL's have an implicit deny at the bottom, so the behavior is expected.
Same security level interfaces with the same-security-traffic command will be allow to exchange traffic without the need on an ACL but as soon as you place one on any of those interfaces you will need to specify the traffic you will need to allow.
Regards,
Rate all the helpful pots
Julio
Security Engineer -
Is it recommend to have a vulnerability scan for Cisco ASA device.
Dear everyone.
I have a doubt on vulnerability scan for Cisco ASA device. Currently we have a vulnerability for network devices include firewall. But after run the vulnerability scan for cisco ASA, found nothing show in the scan report.
Is it recommend to have a vulnerability scan for Cisco ASA and will it be defeat the purpose of firewall?Do I understand are you asking can you configure the ASA to allow an external user run a scan against the internal network?
If so, the answer is generally no. The ASA will, by default, not allow any inbound connections (or attempted connections) that are not explicitly allowed in an inbound access-list (applied to the outside interface). In most cases there would also need to be network address translation (NAT) rules configured.
If you had a remote access VPN, you could allow the external scanner to log in via that, Then they would then have the necessary access to scan the internal systems (assuming the VPN granted access to all the internal networks) -
Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis
We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.Hi,
So you have N7k acting as L3 with servers connected to 4510?.
Do you see the MAC associated with failing ARP in 4510?. Is it happening with all or few servers?. Just to verify if it is connectivity issue between N7k and 4510, you can configure an SVI on 4510 and assign address from same raneg (server/core range) and perform a ping.
This will help narrow down if issue is between server to 4510 or 4510 to N7k.
Thanks,
Nagendra -
How can I debug VPN connections on a Cisco ASA?
Hi,
I have a Cisco ASA and I am trying to get a Cisco 877 DSL router connected to it using the ASDM VPN wizard, but can't.
I have just had the 877 DSL router connect to my Cisco Concentrator and have simlpy changed the peer address on the router to now point to the ASA's external IP instead of the Concentrator. The Concentrator is good because I like it's real-time event viewer and it can tell me if the Concentrator is even seeing the connection attempt, but how can I dall this on the ASA?
Thanksshow isa sa
- that will show the status of phase 1
show cry ipsec sa
- that will show the status of phase 2, as well as number of encrypted/decrypted packets -
Hi,
We have about 50+ Cisco ASA and want to have centralize managment software similiar to Checkpoint ->Provider1 or McAfee Control Center or Fortinet->Forti manager.
We already have CiscoWorks, but need something specialy for firewall with firewall specific features, not just the configurations backup support like CiscoWorks.
Please advise that whats the best option.
ThanksHave you already looked into CSM, Cisco Security Manager? Thats the "native" enterprise security management-tool from cisco: http://www.cisco.com/en/US/products/ps6498/index.html
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Can't get L2L VPN up between ASA and Fortinet (IKEv2)
Hi,
I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being setup with IKEv2. The ASA is complaining that it can't find a matching policy.
The Fortinet device is configured by other party and I have confirmed that they are using the agreed settings.
Configuration from the ASA:
crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map VPN 100 match address ABC
crypto map VPN 100 set pfs group5
crypto map VPN 100 set peer x.x.x.x
crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
crypto map VPN 100 set security-association lifetime seconds 28800
crypto map VPN interface outside
crypto ikev2 policy 10
encryption aes-256 3des
integrity sha256 sha
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key blablabla
ikev2 local-authentication pre-shared-key blablabla
Debugs say that there is no matching policy:
IKEv2-PROTO-3: (97): Get peer authentication method
IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
IKEv2-PROTO-3: (97): Verify authentication data
IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
IKEv2-PROTO-2: (97): Processing auth message
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Received Policies:
ESP: Proposal 1: 3DES SHA96
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Expected Policies:
IKEv2-PROTO-5: (97): Failed to verify the proposed policies
IKEv2-PROTO-1: (97): Failed to find a matching policyDear Robert,
The above error from ASA indicates there may be a problem with your preshared key..Both Local and remotre sites...or an Out of Synce problem to the remote end/peer. Give more details about ur Watchguard version with what application it is running..Send the complete log of
1. sh crypto ipsec sa
2. sh crypto isakmp sa
3. debug crypto isa 255
4. debug crypto ipsec 255 -
Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out
I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off.
The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
1500Hi Martin,
Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
If it is outside world the you may need to check on the NAT rules which is not correct.
If it is site to site then you may need to check few other things.
Please do rate for the helpful posts.
By
Karthik
Maybe you are looking for
-
You've moved stuff around so the tabs are at the top instead of my tool bar. I no longer have the means then to copy and paste, print, etc. when I pull up information I might want to keep from a web page. When I downloaded Version 4 a message came ac
-
Preferences window won't display along with other windows.
I am trying to edit my preferences. It only displays a little hint of a window with an X to close it. The same thing for reporting a bug. Basically I have not been able to get one popup application window to display. I am on Vista Ultimate x64 with d
-
Hi, Im confounded to why this is happening and when it looks so much like a program error, it is sold on the shelves as a final product. My frustration at CS4 is that the new motion paths are already on the object, identified by a dotted line which y
-
How to display with outputText?
Hi! I wonder if anyone can tell me how to display to produce more space between two text elements than just one blank? Is there some escape code if I would like to use HTML tags in outputText (altough I don't find good reason to do so right now :)
-
Breaking down components of ad
Can I break up an Illustrator file into components that an ad agency created for me? I have permission and I have the file. I am a new user