CISCO ASA config issue (Remote management ASDM/SSH/etc)
I cant ping the device from 10.23.1.x either, I can ping it on 10.23.2.x though.
I have a couple ASA devices than I want to be able to manage across our network. I have two devices, Device A-10.23.1.10 the other is on 10.23.2.10, if I remote into a machine on the 10.23.2.x network I can connect through SSH and ASDM, but on the 10.23.1.x network I can not connect.. I have the ASDM configured to accept connection from both netowkrs. any idea why it does not work, the remote ASA is on the local/inside netwkr just on a diff subnet.
This topic first appeared in the Spiceworks Community
Similar Messages
-
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway( 192.168.223.191) - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 ) -
ISSUES:
1)
no route from DMZ to outside
example:
ping from 172.16.3201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
not working access from external to DMZ AT ALL
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: endThank you one more time for everthing. It is workingin indeed
Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end -
RV042 issue remote management access
Installed on two RV042 links with adsl load balance, everything works fine, except that an error occurs during a time I can access the remote management via Web RV042 both the LAN and the WAN, only after a while when accessing the page appears to login, but when you enter your username and password the browser is trying to give an error, the connection to the internet works normal again and I can only access the remote management to disconnect and reconnect the RV042, but updated the firmware the error continues, my RV042 is:
RV042 V03
Firmware v4.1.1.01-sp
I changed the default https port (443), to other ports but the error continues, someone had this problem?
André Szytkohi there,
i can use google translate to try understanding your post. but i think its better for you to explain in english mate
regards, -
Odd firewall issue, remote management works on 1 server, not the other
I've enabled port forwarding, made sure I mapped address to mac ports in the DHCP client settings (to ensure a "static" address), and choose the correct IP address for port forwarding. Then, I enable remote management on my snow leopard laptop then connect remotely (from outside lan) and it works. To the reverse, my 10.5.8 OS X server set up with the same items (although the menus are slightly different given each are diff versions), change port forwarding IP addresses on router, and try outside the lan from the client to connect to the server. Failed. Of course, remote management works fine on the LAN in both directions, only fails from snow leopard client to 10.5.8 server when not on same lan.
So, to illustrate:
10.5.8 (client) ---> internet --> router --> snow leopard laptop (server) WORKS!!
snow leopard laptop (client) --> internet --> router --> 10.5.8 (server) FAILS!!!
client --> LAN --> server (in either direction) WORKS!!
Message was edited by: julebuggyI've enabled port forwarding, made sure I mapped address to mac ports in the DHCP client settings (to ensure a "static" address), and choose the correct IP address for port forwarding. Then, I enable remote management on my snow leopard laptop then connect remotely (from outside lan) and it works. To the reverse, my 10.5.8 OS X server set up with the same items (although the menus are slightly different given each are diff versions), change port forwarding IP addresses on router, and try outside the lan from the client to connect to the server. Failed. Of course, remote management works fine on the LAN in both directions, only fails from snow leopard client to 10.5.8 server when not on same lan.
So, to illustrate:
10.5.8 (client) ---> internet --> router --> snow leopard laptop (server) WORKS!!
snow leopard laptop (client) --> internet --> router --> 10.5.8 (server) FAILS!!!
client --> LAN --> server (in either direction) WORKS!!
Message was edited by: julebuggy -
Cisco ASA 5505 VPN Remote Acces Problem
Hello Guys .. i have cisco 5505 Asa security Adaptive , and i have two local networks 192.168.1.0 /24 and 192.168.2.0/24 , and i have my ISP public connection,,,,,what i want to do is i want to connect Remote VPN connection and access my Private Network of 192. my public ip is like 155.155.155.0 /24 ...
i put my ISP connection in the EO/0 and my private networks into E0/1 and E0/2.
so i created a remote vpn connection ,, and then i connected to the VPN ..
My problem i can't reach and access my private networks .. this probem frustrated me a lot .. so cisco guys please help me
and iam using ASDM cisco graphic interfaceHi Timothy,
Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying connection from a restricted machine.
Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
Let me know if this helps.
Thanks,
Vishnu Sharma -
Cisco asa 5515x web user management
hi all,
i bought recently a new asa 5515x, i'm also new to it especially if i can have user login to internet before they can use the internet. my 5515 security license is a plus license. and also if that user management can be integrated with active directory 2008 r2.
thanks for any comment you may add.The ASA should be able to talk to your AD via either LDAP or Kerberos..
And yes, you need the CX to perform content filtering on the ASA itself, or you can look at the Ironport appliances or Cloud Web Security (scansafe) fir additional filtering options
Sent from Cisco Technical Support iPad App -
Hey guys,
I am unable to access cisco asa device using https and cannot lunch asdm, after recent power failure at our location. I have asdm installed on my machine and whenever i try to access the asdm, receive Error: unable to lunch device manager from X.X.X.X The following is log from java console
Trying for ASDM version file; url = https://x.x.x.x/admin/
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
When i try to access it from the browser it show error message
"The connection was interrupted"
I am running CISCO ASA 8.3 (1)
with asdm image as asdm 7.1.3
JAVA version installed Java 7 update 71
I have added the https:> to exception site list and set security level to medium,
even ssh access is not working !!
I would appreciate if anyone can help me out!!
Thanks
FareedHey lcaruso,
thanks for information!!
i was able to connection through console as suggested and regenerated the rsa key .. was able to connection through ssh, but the issue with the asdm or web access was not resolved.
I have tried few of the steps as suggested on
https://supportforums.cisco.com/document/49741/asa-pixfwsm-unable-manage-unit-sshtelnetasdm#collect_captures
capture output
ZHHFP-FIREWALL1(config)# sh cap capin
139 packets captured
1: 18:50:17.654720 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: S 2567327150:2567327150(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
2: 18:50:17.654812 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
084: S 590825877:590825877(0) ack 2567327151 win 8192 <mss 1380>
3: 18:50:17.655621 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: . ack 590825878 win 65520
4: 18:50:17.656078 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: P 2567327151:2567327332(181) ack 590825878 win 65520
5: 18:50:17.656139 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
084: . ack 2567327332 win 8192
6: 18:50:17.656475 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
084: FP 590825878:590825878(0) ack 2567327332 win 8192
7: 18:50:17.657696 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: . ack 590825879 win 65520
8: 18:50:17.657802 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: F 2567327332:2567327332(0) ack 590825879 win 65520
9: 18:50:17.657848 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
084: . ack 2567327333 win 8192
10: 18:50:17.658108 802.1Q vlan#1 P0 192.168.160.113.58085 > 192.168.160.126.8
443: S 1351758892:1351758892(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
also i have downgraded the java to 1.6_45 but still not luck.
error message i received on java console
Trying for IDM. url=https://x.x.x.x/idm/idm.jnlp/
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at com.cisco.launcher.w.a(Unknown Source)
at com.cisco.launcher.s.for(Unknown Source)
at com.cisco.launcher.s.new(Unknown Source)
at com.cisco.launcher.s.access$000(Unknown Source)
at com.cisco.launcher.s$2.a(Unknown Source)
at com.cisco.launcher.g$2.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(Unknown Source)
... 15 more
Any help would be highly appreciated!!
Thanks
Fareed -
Cisco ASA 5505 Failover issue..
Hi,
I am having two firewalls (cisco ASA 5505) which is configured as active/standby Mode.It was running smoothly for more than an year,but last week the secondary firewall got failed and It made my whole network down.then I just removed the connectivity of the secondary firewall and run only the primary one.when I login by console i found out that the failover has been disabled .So again I connected to the Network and enabled the firewall.After a couple of days same issue happen.This time I take down the Secondary firewall erased the Flash.Reloaded the IOS image.Configured the failover and connected to the primary for the replication of configs.It found out the Active Mate.Replicated the configs and got synced...But after sync the same thing happened,The whole network gone down .I juz done the same thing removed the secondary firewall.Network came up.I feel there is some thing with failover thing ,but couldnt fin out :( .And the firewalls are in Router Mode.Please find the logs...
Secondary Firewall While Sync..
cisco-asa(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 06:01:10 GMT Apr 29 2015
This host: Secondary - Sync Config
Active time: 55 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): No Link (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 177303 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
=======================================================================================
Secondary Firewall Just after Sync ,Active (primary Firewall got rebootted)
cisco-asa# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:06:12 GMT Apr 29 2015
This host: Secondary - Active
Active time: 44 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Not Detected
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
==========================================================================================
After Active firewall got rebootted failover off,whole network gone down.
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
===========================================================================================
Primary Firewall after rebootting
cisco-asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:17:29 GMT Apr 29 2015
This host: Primary - Active
Active time: 24707 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): Normal (Waiting)
Interface mgmt (10.11.200.21): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
cisco-asa# sh failover history
==========================================================================
From State To State Reason
==========================================================================
06:16:43 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:29 GMT Apr 29 2015
Negotiation Just Active No Active unit found
06:17:29 GMT Apr 29 2015
Just Active Active Drain No Active unit found
06:17:29 GMT Apr 29 2015
Active Drain Active Applying Config No Active unit found
06:17:29 GMT Apr 29 2015
Active Applying Config Active Config Applied No Active unit found
06:17:29 GMT Apr 29 2015
Active Config Applied Active No Active unit found
==========================================================================
cisco-asa#
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Comm Failure 06:17:43 GMT Apr 29 2015
====Configuration State===
====Communication State===
==================================================================================
Secondary Firewall
cisc-asa# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (down)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
ecs-pune-fw-01# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected None
====Configuration State===
====Communication State===
Thanks... -
Site to site VPN between cisco asa 5550 and checkpoint r75
Hi all ,
below is cisco asa config for our customer end:
crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
What should i configure on checkpoint for first phase and second phase ?
Regards,
SuhailIn checkpoint VPN community, default setting for phase 1 is 86400 seconds so you're good there. Phase II default is 28,800 so you need to edit the parameter and change it to 3600. the rest is the same as cisco with the exception of the lifetime in kilobytes which CP does not have
Easy right? -
Hi,
I have a dual boot system with two seperate hard drives, Lion and Snow Leopard. One drive has a name of mac-pro2 for Lion and mac-pro2sl for Snow Leopard. Something happened when I rebooted from Snow Leopard to Lion that in System Preferences->Sharing->Remote Management that the computer name had changed to the Snow Leopard computer name it has a address and name of mac-pro2sl. I have change the Computer Name: and it worked and was changed to mac-pro2 but Remote Management still has the address of mac-pro2sl and doesn't reflect the computer name. I can ssh into Lion with mac-pro2sl but I have a conflict with from other computers when I log in with a warning of "Remote Host Identification has Changed". How do you change the computer name for remote management and ssh?
I have changed the hostname and it reflects the change when you login, mac-pro2 for Lion. But when you ssh into Lion it requires mac-pro2sl not mac-pro2.
When I change the computer name it shows below that the name in "Remote Management: On" "computer using the address mac-pro2sl" is selected but then doesn't change but remains the same when the dialog closes. How do you change the address to reflect the computer name? Is there a command line utility?
Thanks for any help.If this problem is due to DNS, look in your configuration. What is the number one DNS server address? Is it local, or is it on the Internet at large? Or post the Address here and folks can help you look it up.
192.168.yyy.zzz
10.xxx.yyy.zzz
172.xxx.yyy.zzz
are all strictly local. -
Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues
We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is display by the Cisco VPN Client :
"Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"
Upon looking at a client side packet capture, I notice that no response is being given back to the client for the udp packets sent to the ASA on udp 500. If I login to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping since ping is not used by the client to test if the ASA is alive.
Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.
Any insight would be greatly appreciated.
I'm using IOS 831 and have tried 821 and 823 as one thread that I found recommended downgraded to 821.
Thanks much,
JustinJavier,
I logged into the ASA last time the VPN went down. I issued the following commands:
debug crypto isakmp 190
debug crypto ipsec 190
capture outside-cap interface outside match udp any any
I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:
show capture outside | include 500
and also got nothing. So I issued the following command:
ping 4.2.2.2
Upon which my normal deug messaged began to showup, so I issued the show capture outside command again and recieved the expected output below:
1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 868
2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 444
3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 172
4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 60
8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 204
9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 252
11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 868
12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 444
13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 172
14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 204
19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 252
20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 1036
21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 188
23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 100
174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 500
377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000: udp 100 1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 868
2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 444
3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 172
4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 60
8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 204
9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 252
11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 868
12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 444
13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 172
14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 204
19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 252
20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 1036
21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 188
23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 100
174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 500
377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000: udp 100
It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.
Once again, any insight would be greatly appreciated.
Thanks,
Justin -
Cisco ASA 5505 IOS 9.2(1), ASDM 7.3(2) NAT issues
Hey all,
I am really new to Cisco and am trying to get this Cisco ASA 5505 configured that I bought recently configured properly.
Things I have successfully been able to do:
1. Configure static WAN IP on WAN port e0/0 (I have a /29 block of addresses)
2. Create static routes to point to all of my vlans that are currently being being routed through my layer 3 SG-300
3. Install and run ASDM 7.3(2)
4. Went through the start-up wizard and configured all of my WAN and LAN settings (I have a WAN block of /29 addresses. So I congured my device with NAT and put in the range the first usable IP address outside of the one I configured for the direct connected WAN port from my modem. Example: 10.24.56.99-102 where .98 is already configured as the direct connect from modem to ASA 5505 and .97 is the gateway of my ISP modem.)
The struggle that I am running into today is with NAT rules from outside to inside. I currently have an Exchange server behind this device but I am unable to get ports forwarded to it. I followed this tutorial about Static NAT, however there is still no joy.
http://www.networkworld.com/article/2162844/tech-primers/how-to-configure-static-nat-on-a-cisco-asa-security-appliance.html
Attached is a copy of my running-config and version. Any help with this would be greatly appreciated.Your Ethernet0/1 is a trunk with multiple VLANs allowed but you do not have corresponding VLAN interfaces for SVIs in each of the associated subnets. If, as your routing setup indicates, you will be going via your internal gateway at 10.10.1.1 to reach the internal subnets then Eth0/1 should just be an access port.
So your Exchange server in the 10.10.12.0/24 subnet will talk via the internal gateway (10.10.12.1?) and thus on to the ASA inside interface at 10.10.1.2.
I assume your "public" IPs have been changed to anonymize the output. If those are your actual addresses (10.24.56.x) then there must be additional NAT taking place upstream - that would all need to be setup properly as well. -
Confused with this ASA - VPN config issue
Hello. Can anyone help me here? I am new to the ASA config and commands. Everything works well, enough, on this ASA except the VPN. A client can connect but cannot access anything inside or outside. Here is the config. Can someone please take a look and tell me why VPN is not working? I don't want to set up split-tunneling, I would prefer everything to go through the firewall. Also, if you see something else wrong (or have a better implementation) then please let me know.
ASA Version 8.4(2)
hostname FIREWALL_NAME
enable password Some_X's_here encrypted
passwd Some_X's_here encrypted
names
interface Ethernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/0.22
description Public Internet space via VLAN 22
vlan 22
nameif Public_Internet
security-level 0
ip address 1.3.3.7 255.255.255.248
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/1.42
description Private LAN space via VLAN 42
shutdown
vlan 42
nameif Private_CDATA
security-level 100
ip address 10.30.136.1 255.255.255.0
interface Ethernet0/1.69
description Private LAN space via VLAN 69
vlan 69
nameif Private_ODATA
security-level 100
ip address 10.30.133.1 255.255.255.0
interface Ethernet0/1.95
description Private LAN space via VLAN 95
shutdown
vlan 95
nameif Private_OVOICE
security-level 100
ip address 192.168.102.254 255.255.255.0
interface Ethernet0/1.96
description Private LAN space via VLAN 96
shutdown
vlan 96
nameif Private_CVOICE
security-level 100
ip address 192.168.91.254 255.255.255.0
interface Ethernet0/1.3610
description Private LAN subnet via VLAN 3610
shutdown
vlan 3610
nameif Private_CeDATA
security-level 100
ip address 10.10.100.18 255.255.255.240
interface Ethernet0/1.3611
description Private LAN space via VLAN 3611
shutdown
vlan 3611
nameif Private_CeVOICE
security-level 100
ip address 10.10.100.66 255.255.255.252
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.69.1 255.255.255.0
management-only
banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
extent of the law.
banner exec
banner exec ,
banner exec .';
banner exec .-'` .'
banner exec ,`.-'-.`\
banner exec ; / '-'
banner exec | \ ,-,
banner exec \ '-.__ )_`'._ \|/
banner exec '. ``` ``'--._[]--------------*
banner exec .-' , `'-. /|\
banner exec '-'`-._ (( o )
banner exec `'--....(`- ,__..--'
banner exec '-'`
banner exec
banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
extent of the law.
banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CD_3610-GW
host 10.10.100.17
description First hop to 3610
object network CV_3611-GW
host 10.10.100.65
description First hop to 3611
object network GW_22-EXT
host 1.3.3.6
description First hop to 22
object service MS-RDC
service tcp source range 1024 65535 destination eq 3389
description Microsoft Remote Desktop Connection
object network HDC-LAN
subnet 192.168.200.0 255.255.255.0
description DC LAN subnet
object network HAM-LAN
subnet 192.168.110.0 255.255.255.0
description HAM LAN subnet
object service MSN
service tcp source range 1 65535 destination eq 1863
description MSN Messenger
object network BCCs
host 2.1.8.1
description BCCs server access
object network ODLW-EXT
host 7.1.1.5
description OTTDl
object network SWINDS-INT
host 10.30.133.67
description SWINDS server
object network SWINDS(192.x.x.x)-INT
host 192.168.100.67
description SWINDS server
object service YMSG
service tcp source range 1 65535 destination eq 5050
description Yahoo Messenger
object service c.b.ca1
service tcp source range 1 65535 destination eq citrix-ica
description Connections to the bc portal.
object service c.b.ca2
service tcp source range 1 65535 destination eq 2598
description Connections to the bc portal.
object service HTTP-EXT(7001)
service tcp source range 1 65535 destination eq 7001
description HTTP Extended on port 7001.
object service HTTP-EXT(8000-8001)
service tcp source range 1 65535 destination range 8000 8001
description HTTP Extended on ports 8000-8001.
object service HTTP-EXT(8080-8081)
service tcp source range 1 65535 destination range 8080 8081
description HTTP Extended on ports 8080-8081.
object service HTTP-EXT(8100)
service tcp source range 1 65535 destination eq 8100
description HTTP Extended on port 8100.
object service HTTP-EXT(8200)
service tcp source range 1 65535 destination eq 8200
description HTTP Extended on port 8200.
object service HTTP-EXT(8888)
service tcp source range 1 65535 destination eq 8888
description HTTP Extended on port 8888.
object service HTTP-EXT(9080)
service tcp source range 1 65535 destination eq 9080
description HTTP Extended on port 9080.
object service ntp
service tcp source range 1 65535 destination eq 123
description TCP NTP on port 123.
object network Pl-EXT
host 7.1.1.2
description OPl box.
object service Pl-Admin
service tcp source range 1 65535 destination eq 8443
description Pl Admin portal
object network FW-EXT
host 1.3.3.7
description External/Public interface IP address of firewall.
object network Rs-EXT
host 7.1.1.8
description Rs web portal External/Public IP.
object network DWDM-EXT
host 2.1.2.1
description DWDM.
object network HM_VPN-EXT
host 6.2.9.7
description HAM Man.
object network SIM_MGMT
host 2.1.1.1
description SIM Man.
object network TS_MGMT
host 2.1.1.4
description TS Man.
object network TS_MGMT
host 2.1.2.2
description TS Man.
object service VPN-TCP(1723)
service tcp source range 1 65535 destination eq pptp
description For PPTP control path.
object service VPN-UDP(4500)
service udp source range 1 65535 destination eq 4500
description For L2TP(IKEv1) and IKEv2.
object service VPN-TCP(443)
service tcp source range 1 65535 destination eq https
description For SSTP control and data path.
object service VPN-UDP(500)
service udp source range 1 65535 destination eq isakmp
description For L2TP(IKEv1) and IKEv2.
object network RCM
host 6.1.8.2
description RCM
object network RCM_Y
host 6.1.8.9
description RCM Y
object network r.r.r.c163
host 2.1.2.63
description RCV IP.
object network r.r.r.c227
host 2.1.2.27
description RCV IP.
object network v.t.c-EXT
host 2.5.1.2
description RTICR
object service VPN-TCP(10000)
service tcp source range 1 65535 destination eq 10000
description For TCP VPN over port 1000.
object service BGP-JY
service tcp source range 1 65535 destination eq 21174
description BPG
object network KooL
host 192.168.100.100
description KooL
object network FW_Test
host 1.3.3.7
description Testing other External IP
object network AO_10-30-133-0-LAN
range 10.30.133.0 10.30.133.229
description OLS 10.30.133.0/24
object network AC_10-30-136-0-LAN
subnet 10.30.136.0 255.255.255.0
description CLS 10.30.136.0/24
object network NETWORK_OBJ_192.168.238.0_27
subnet 192.168.238.0 255.255.255.224
object-group network All_Private_Interfaces
description All private interfaces
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
network-object 10.10.100.16 255.255.255.240
network-object 10.10.100.64 255.255.255.252
network-object 192.168.102.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service cb.ca
description All ports required for cb.ca connections.
service-object object c.b.ca1
service-object object c.b.ca2
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq snmp
object-group service FTP
description All FTP ports (20 + 21)
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group service HTTP-EXT
description HTTP Extended port ranges.
service-object object HTTP-EXT(7001)
service-object object HTTP-EXT(8000-8001)
service-object object HTTP-EXT(8080-8081)
service-object object HTTP-EXT(8100)
service-object object HTTP-EXT(8200)
service-object object HTTP-EXT(8888)
service-object object HTTP-EXT(9080)
object-group service ICMP_Any
description ICMP: Any Type, Any Code
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object icmp
object-group service NTP
description TCP and UPD NTP protocol
service-object object ntp
service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_3
group-object FTP
group-object HTTP-EXT
group-object ICMP_Any
group-object NTP
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object ip
object-group service DM_INLINE_SERVICE_4
group-object NTP
service-object tcp destination eq daytime
object-group network SWINDS
description Both Internal IP addresses (192 + 10)
network-object object SWINDS-INT
network-object object SWINDS(192.x.x.x)-INT
object-group service IM_Types
description All messenger type applications
service-object object MSN
service-object object YMSG
service-object tcp-udp destination eq talk
service-object tcp destination eq aol
service-object tcp destination eq irc
object-group service SNMP
description Both poll and trap ports.
service-object udp destination eq snmp
service-object udp destination eq snmptrap
object-group service DM_INLINE_SERVICE_2
group-object FTP
service-object object MS-RDC
service-object object Pl-Admin
group-object SNMP
object-group network DM_INLINE_NETWORK_1
network-object object FW-EXT
network-object object Rs-EXT
object-group network AMV
description connections for legacy AM
network-object object DWDM-EXT
network-object object HAM_MGMT
network-object object SIM_MGMT
network-object object TS_MGMT
network-object object TS_MGMT
object-group service IKEv2_L2TP
description IKEv2 and L2TP VPN configurations
service-object esp
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
object-group service PPTP
description PPTP VPN configuration
service-object gre
service-object object VPN-TCP(1723)
object-group service SSTP
description SSTP VPN configuration
service-object object VPN-TCP(443)
object-group network RvIPs
description Rv IP addresses
network-object object RCM
network-object object RCM_Y
network-object object r.r.r.c163
network-object object r.r.r.c227
network-object object v.t.c-EXT
object-group service Rvs
description Rv configuration.
service-object object VPN-TCP(10000)
service-object object VPN-UDP(500)
object-group service DM_INLINE_SERVICE_5
service-object object BGP-JY
service-object tcp destination eq bgp
object-group network Local_Private_Subnets
description OandCl DATA
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
access-list Public/Internet_access_out remark Block all IM traffic out.
access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
access-list Public/Internet_access_out remark Allow access to BMC portal
access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
access-list Public/Internet_access_out remark Allow basic services out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow WhoIS traffic out.
access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
access-list Public/Internet_access_out remark Allow Network Time protocols out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
access-list Public/Internet_access_out remark Allow BPG traffic out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow Kool server out.
access-list Public/Internet_access_out extended permit ip object KooL any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging mail notifications
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu Public_Internet 1500
mtu Private_CDATA 1500
mtu Private_ODATA 1500
mtu Private_OVOICE 1500
mtu Private_CVOICE 1500
mtu Private_CeDATA 1500
mtu Private_CeVOICE 1500
mtu management 1500
ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
ip verify reverse-path interface Public_Internet
ip verify reverse-path interface Private_CDATA
ip verify reverse-path interface Private_ODATA
ip verify reverse-path interface Private_OVOICE
ip verify reverse-path interface Private_CVOICE
ip verify reverse-path interface Private_CeDATA
ip verify reverse-path interface Private_CeVOICE
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Public_Internet
no asdm history enable
arp timeout 14400
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
access-group Public/Internet_access_out out interface Public_Internet
route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (Private_ODATA) host 10.30.133.21
timeout 5
nt-auth-domain-controller Cool_Transformer_Name
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.69.0 255.255.255.0 management
snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
snmp-server location OT
snmp-server contact [email protected]
snmp-server community Some_*s_here
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
sysopt noproxyarp Public_Internet
sysopt noproxyarp Private_CDATA
sysopt noproxyarp Private_ODATA
sysopt noproxyarp Private_OVOICE
sysopt noproxyarp Private_CVOICE
sysopt noproxyarp Private_CeDATA
sysopt noproxyarp Private_CeVOICE
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Public_Internet_map interface Public_Internet
crypto ikev1 enable Public_Internet
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 10.30.133.0 255.255.255.0 Private_ODATA
ssh 192.168.69.0 255.255.255.0 management
ssh timeout 2
ssh version 2
console timeout 5
dhcprelay server 10.30.133.13 Private_ODATA
dhcprelay enable Private_CDATA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.30.133.13 prefer
ntp server 132.246.11.227
ntp server 10.30.133.21
webvpn
group-policy AO-VPN_Tunnel internal
group-policy AO-VPN_Tunnel attributes
dns-server value 10.30.133.21 10.30.133.13
vpn-tunnel-protocol ikev1
default-domain value ao.local
username helpme password Some_X's_here encrypted privilege 1
username helpme attributes
service-type nas-prompt
tunnel-group AO-VPN_Tunnel type remote-access
tunnel-group AO-VPN_Tunnel general-attributes
address-pool AO-VPN_Pool
authentication-server-group AD
default-group-policy AO-VPN_Tunnel
tunnel-group AO-VPN_Tunnel ipsec-attributes
ikev1 pre-shared-key Some_*s_here
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
smtp-server 192.168.200.25
prompt hostname context
no call-home reporting anonymous
Thanks,
Jeff.I tried those commands but this started getting messy and so I looked at the current config and it was not the same as what I originally posted. Looks like some changes were implemented but not saved so the config that I posted what slightly different. Thank you for all your suggestions. Here is the new config, confirmed as the current running and saved config. Same situation as before though. I can connect using the Cisco VPN client but can only ping myself and can't get out to the Internet or access anything internal. If someone can take a look it would be greatly appreciated. The main difference is the VPN pool has been set as a subset of the 10.30.133.0 network instead of using a separate subnet (VPN pool is 10.30.133.200 - 10.30.133.230).
ASA Version 8.4(2)
hostname FIREWALL_NAME
enable password Some_X's_here encrypted
passwd Some_X's_here encrypted
names
interface Ethernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/0.22
description Public Internet space via VLAN 22
vlan 22
nameif Public_Internet
security-level 0
ip address 1.3.3.7 255.255.255.248
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/1.42
description Private LAN space via VLAN 42
shutdown
vlan 42
nameif Private_CDATA
security-level 100
ip address 10.30.136.1 255.255.255.0
interface Ethernet0/1.69
description Private LAN space via VLAN 69
vlan 69
nameif Private_ODATA
security-level 100
ip address 10.30.133.1 255.255.255.0
interface Ethernet0/1.95
description Private LAN space via VLAN 95
shutdown
vlan 95
nameif Private_OVOICE
security-level 100
ip address 192.168.102.254 255.255.255.0
interface Ethernet0/1.96
description Private LAN space via VLAN 96
shutdown
vlan 96
nameif Private_CVOICE
security-level 100
ip address 192.168.91.254 255.255.255.0
interface Ethernet0/1.3610
description Private LAN subnet via VLAN 3610
shutdown
vlan 3610
nameif Private_CeDATA
security-level 100
ip address 10.10.100.18 255.255.255.240
interface Ethernet0/1.3611
description Private LAN space via VLAN 3611
shutdown
vlan 3611
nameif Private_CeVOICE
security-level 100
ip address 10.10.100.66 255.255.255.252
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.69.1 255.255.255.0
management-only
banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner exec
banner exec ,
banner exec .';
banner exec .-'` .'
banner exec ,`.-'-.`\
banner exec ; / '-'
banner exec | \ ,-,
banner exec \ '-.__ )_`'._ \|/
banner exec '. ``` ``'--._[]--------------*
banner exec .-' , `'-. /|\
banner exec '-'`-._ (( o )
banner exec `'--....(`- ,__..--'
banner exec '-'`
banner exec
banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CD_3610-GW
host 10.10.100.17
description First hop to 3610
object network CV_3611-GW
host 10.10.100.65
description First hop to 3611
object network GW_22-EXT
host 1.3.3.6
description First hop to 22
object network Ts-LAN
host 192.168.100.4
description TS
object service MS-RDC
service tcp source range 1024 65535 destination eq 3389
description Microsoft Remote Desktop Connection
object network HDC-LAN
subnet 192.168.200.0 255.255.255.0
description DC LAN subnet
object network HAM-LAN
subnet 192.168.110.0 255.255.255.0
description HAM LAN subnet
object service MSN
service tcp source range 1 65535 destination eq 1863
description MSN Messenger
object network BCCs
host 2.1.8.1
description BCCs server access
object network ODLW-EXT
host 7.1.1.5
description OTTDl
object network SWINDS-INT
host 10.30.133.67
description SWINDS server
object network SWINDS(192.x.x.x)-INT
host 192.168.100.67
description SWINDS server
object service YMSG
service tcp source range 1 65535 destination eq 5050
description Yahoo Messenger
object service c.b.ca1
service tcp source range 1 65535 destination eq citrix-ica
description Connections to the bc portal.
object service c.b.ca2
service tcp source range 1 65535 destination eq 2598
description Connections to the bc portal.
object service HTTP-EXT(7001)
service tcp source range 1 65535 destination eq 7001
description HTTP Extended on port 7001.
object service HTTP-EXT(8000-8001)
service tcp source range 1 65535 destination range 8000 8001
description HTTP Extended on ports 8000-8001.
object service HTTP-EXT(8080-8081)
service tcp source range 1 65535 destination range 8080 8081
description HTTP Extended on ports 8080-8081.
object service HTTP-EXT(8100)
service tcp source range 1 65535 destination eq 8100
description HTTP Extended on port 8100.
object service HTTP-EXT(8200)
service tcp source range 1 65535 destination eq 8200
description HTTP Extended on port 8200.
object service HTTP-EXT(8888)
service tcp source range 1 65535 destination eq 8888
description HTTP Extended on port 8888.
object service HTTP-EXT(9080)
service tcp source range 1 65535 destination eq 9080
description HTTP Extended on port 9080.
object service ntp
service tcp source range 1 65535 destination eq 123
description TCP NTP on port 123.
object network Pl-EXT
host 7.1.1.2
description OPl box.
object service Pl-Admin
service tcp source range 1 65535 destination eq 8443
description Pl Admin portal
object network FW-EXT
host 1.3.3.7
description External/Public interface IP address of firewall.
object network Rs-EXT
host 7.1.1.8
description Rs web portal External/Public IP.
object network DWDM-EXT
host 2.1.2.1
description DWDM.
object network HM_VPN-EXT
host 6.2.9.7
description HAM Man.
object network SIM_MGMT
host 2.1.1.1
description SIM Man.
object network TS_MGMT
host 2.1.1.4
description TS Man.
object network TS_MGMT
host 2.1.2.2
description TS Man.
object service VPN-TCP(1723)
service tcp source range 1 65535 destination eq pptp
description For PPTP control path.
object service VPN-UDP(4500)
service udp source range 1 65535 destination eq 4500
description For L2TP(IKEv1) and IKEv2.
object service VPN-TCP(443)
service tcp source range 1 65535 destination eq https
description For SSTP control and data path.
object service VPN-UDP(500)
service udp source range 1 65535 destination eq isakmp
description For L2TP(IKEv1) and IKEv2.
object network RCM
host 6.1.8.2
description RCM
object network RCM_Y
host 6.1.8.9
description RCM Y
object network r.r.r.c163
host 2.1.2.63
description RCV IP.
object network r.r.r.c227
host 2.1.2.27
description RCV IP.
object network v.t.c-EXT
host 2.5.1.2
description RTICR
object service VPN-TCP(10000)
service tcp source range 1 65535 destination eq 10000
description For TCP VPN over port 1000.
object service BGP-JY
service tcp source range 1 65535 destination eq 21174
description BPG
object network KooL
host 192.168.100.100
description KooL
object network FW_Test
host 1.3.3.7
description Testing other External IP
object network AO_10-30-133-0-LAN
subnet 10.30.133.0 255.255.255.0
description OLS 10.30.133.0/24
object network AC_10-30-136-0-LAN
subnet 10.30.136.0 255.255.255.0
description CLS 10.30.136.0/24
object-group network All_Private_Interfaces
description All private interfaces
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
network-object 10.10.100.16 255.255.255.240
network-object 10.10.100.64 255.255.255.252
network-object 192.168.102.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service cb.ca
description All ports required for cb.ca connections.
service-object object c.b.ca1
service-object object c.b.ca2
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq snmp
object-group service FTP
description All FTP ports (20 + 21)
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group service HTTP-EXT
description HTTP Extended port ranges.
service-object object HTTP-EXT(7001)
service-object object HTTP-EXT(8000-8001)
service-object object HTTP-EXT(8080-8081)
service-object object HTTP-EXT(8100)
service-object object HTTP-EXT(8200)
service-object object HTTP-EXT(8888)
service-object object HTTP-EXT(9080)
object-group service ICMP_Any
description ICMP: Any Type, Any Code
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object icmp
object-group service NTP
description TCP and UPD NTP protocol
service-object object ntp
service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_3
group-object FTP
group-object HTTP-EXT
group-object ICMP_Any
group-object NTP
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object ip
object-group service DM_INLINE_SERVICE_4
group-object NTP
service-object tcp destination eq daytime
object-group network SWINDS
description Both Internal IP addresses (192 + 10)
network-object object SWINDS-INT
network-object object SWINDS(192.x.x.x)-INT
object-group service IM_Types
description All messenger type applications
service-object object MSN
service-object object YMSG
service-object tcp-udp destination eq talk
service-object tcp destination eq aol
service-object tcp destination eq irc
object-group service SNMP
description Both poll and trap ports.
service-object udp destination eq snmp
service-object udp destination eq snmptrap
object-group service DM_INLINE_SERVICE_2
group-object FTP
service-object object MS-RDC
service-object object Pl-Admin
group-object SNMP
object-group network DM_INLINE_NETWORK_1
network-object object FW-EXT
network-object object Rs-EXT
object-group network AMV
description connections for legacy AM
network-object object DWDM-EXT
network-object object HAM_MGMT
network-object object SIM_MGMT
network-object object TS_MGMT
network-object object TS_MGMT
object-group service IKEv2_L2TP
description IKEv2 and L2TP VPN configurations
service-object esp
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
object-group service PPTP
description PPTP VPN configuration
service-object gre
service-object object VPN-TCP(1723)
object-group service SSTP
description SSTP VPN configuration
service-object object VPN-TCP(443)
object-group network RvIPs
description Rv IP addresses
network-object object RCM
network-object object RCM_Y
network-object object r.r.r.c163
network-object object r.r.r.c227
network-object object v.t.c-EXT
object-group service Rvs
description Rv configuration.
service-object object VPN-TCP(10000)
service-object object VPN-UDP(500)
object-group service DM_INLINE_SERVICE_5
service-object object BGP-JY
service-object tcp destination eq bgp
object-group network Local_Private_Subnets
description OandCl DATA
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
object-group service IPSec
description IPSec traffic
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
access-list Public/Internet_access_out remark Block all IM traffic out.
access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
access-list Public/Internet_access_out remark Allow access to BMC portal
access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
access-list Public/Internet_access_out remark Allow basic services out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow WhoIS traffic out.
access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
access-list Public/Internet_access_out remark Allow Network Time protocols out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
access-list Public/Internet_access_out remark Allow BPG traffic out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow Kool server out.
access-list Public/Internet_access_out extended permit ip object KooL any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging mail notifications
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu Public_Internet 1500
mtu Private_CDATA 1500
mtu Private_ODATA 1500
mtu Private_OVOICE 1500
mtu Private_CVOICE 1500
mtu Private_CeDATA 1500
mtu Private_CeVOICE 1500
mtu management 1500
ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
ip verify reverse-path interface Public_Internet
ip verify reverse-path interface Private_CDATA
ip verify reverse-path interface Private_ODATA
ip verify reverse-path interface Private_OVOICE
ip verify reverse-path interface Private_CVOICE
ip verify reverse-path interface Private_CeDATA
ip verify reverse-path interface Private_CeVOICE
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Public_Internet
no asdm history enable
arp timeout 14400
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
access-group Public/Internet_access_out out interface Public_Internet
route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.29 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (Private_ODATA) host 10.30.133.21
timeout 5
nt-auth-domain-controller Cool_Transformer_Name
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.69.0 255.255.255.0 management
snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
snmp-server location OT
snmp-server contact [email protected]
snmp-server community Some_*s_here
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
sysopt noproxyarp Public_Internet
sysopt noproxyarp Private_CDATA
sysopt noproxyarp Private_ODATA
sysopt noproxyarp Private_OVOICE
sysopt noproxyarp Private_CVOICE
sysopt noproxyarp Private_CeDATA
sysopt noproxyarp Private_CeVOICE
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Public_Internet_map interface Public_Internet
crypto ikev1 enable Public_Internet
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 10.30.133.0 255.255.255.0 Private_ODATA
ssh 192.168.69.0 255.255.255.0 management
ssh timeout 2
ssh version 2
console timeout 5
dhcprelay server 10.30.133.13 Private_ODATA
dhcprelay enable Private_CDATA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.30.133.13 prefer
ntp server 132.246.11.227
ntp server 10.30.133.21
webvpn
group-policy AO-VPN_Tunnel internal
group-policy AO-VPN_Tunnel attributes
dns-server value 10.30.133.21 10.30.133.13
vpn-tunnel-protocol ikev1
default-domain value ao.local
username helpme password Some_X's_here encrypted privilege 1
username helpme attributes
service-type nas-prompt
tunnel-group AO-VPN_Tunnel type remote-access
tunnel-group AO-VPN_Tunnel general-attributes
address-pool AO-VPN_Pool
authentication-server-group AD
default-group-policy AO-VPN_Tunnel
tunnel-group AO-VPN_Tunnel ipsec-attributes
ikev1 pre-shared-key Some_*s_here
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
smtp-server 192.168.200.25
prompt hostname context
no call-home reporting anonymous
Thanks in advance,
Jeff. -
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
where for destination network 10.92.0.0/16 there is only one child sa:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
Thanks
JonathanHi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
Cisco ASA 5505 VPN connection issue ("Unable to add route")
I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)#
Maybe you are looking for
-
This might be really dummy question: Which table(s) can I see how many orders were created for a particular PO? And what's the PO status (if that exists)? Thank you.
-
when I plug my iPod in to my car charger, I get a error message words like " Can not connect using a fire wire connection, switch to a usb connection..." at the bottom is states "Push middle button to dismiss", What does this mean. Also when I push m
-
Hi forumers' My problem statement a. how to let a single switchport to carry vlan voice and vlan data? say i had create and configure the vlan voice (20) and vlan data (10) first i do as this (attach voice vlan.png) what should i do over a1. VLAN Man
-
Printer Configuration for PDF Display in New NWBC Window
please am implementing SAP Note 1069540 -Printer Configuration for PDF Display in New NWBC Window and when i finished the configuration i the pdf tab was still not created.. i decided to trace the error and i noticed that in service /sap/bc/webdynpro
-
How to force Photoshop CC 2014 to open files?
When I double click on .jpg, .jpeg, and .psd files, Photoshop 6 opens, not Photoshop CC 2014. I have Got Info on these files and changed the Open With option to PS CC 2014 and click the Change All box. This always re-sets to PS 6, and will not stick.