CISCO ASA Enable DNS Lookup Problem
I have a Cisco ASA 5510; from the ASA CLI I cannot resolve hostnames (cisco.com or google.com).
Many forums say to do this:
1. Whilst in enable mode > enter configure terminal mode, then enable DNS Lookups.
CiscoASA#conf t
CiscoASA(config)# dns domain-lookup Outside
2. Then specify the external DNS Servers (Change IP addresses appropriately).
CiscoASA(config)# dns server-group DefaultDNS
CiscoASA(config-dns-server-group)# name-server 122.122.122.199
CiscoASA(config-dns-server-group)# name-server 122.122.122.198
CiscoASA(config-dns-server-group)# exit
3. Test it by pinging a name/URL.
CiscoASA(config)# ping www.20best.blogspot.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
But there is no command (dns server-group) in my ASA.
Please tell me how to do this, or any other way.
My ASA shows only:
Mail-ASA# sh runn
: Saved
ASA Version 7.0(8)
hostname Mail-ASA
domain-name rawabiholding.com
enable password QuzxIf5jNzzT5kki encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.0.94 Test-web-mail
name 172.16.5.63 Mail-server
name 172.16.0.40 Web-Mail
name 172.16.0.24 MX-A
name 172.16.0.93 Test-Mail-MX
name 172.16.1.55 DNS-1
name 172.16.1.17 Web-Server
name 172.16.0.41 Helpdesk.rawabiholding.com
name 172.16.0.98 Test-Server
no dns-guard
interface Ethernet0/0
nameif outside
security-level 10
ip address 82.118.161.34 255.255.255.224
interface Ethernet0/1
nameif LAN
security-level 100
ip address 172.16.1.65 255.255.252.0
interface Ethernet0/2
nameif inside-Mail
security-level 100
ip address 172.16.5.37 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
banner exec ************* If you are not Rawabi IT Member Please logout ********
banner login ***************** Do not open or login , if you are not allowed *
ftp mode passive
dns domain-lookup outside
dns name-server 212.102.0.82
dns name-server 212.102.0.11
access-list outside_access_in extended permit tcp any host 82.118.161.35 eq pop3
access-list outside_access_in extended permit tcp any host 82.118.161.35 eq smt.
Dear Jennifer,
From the ISP router I checked and it is resolving the name to an IP,
but from the ASA 5510 it is not; it gives an error.
Jennifer Halim wrote:
Doesn't look like the DNS servers that you configured are resolving any DNS requests. I have just tried both DNS servers, and they are refusing the DNS:
> www.google.com
Server: ns3.shabakah.net.sa
Address: 212.102.0.82
*** ns3.shabakah.net.sa can't find www.google.com: Query refused
> www.google.com
Server: [212.102.0.11]
Address: 212.102.0.11
*** [212.102.0.11] can't find www.google.com: Query refused
Similar Messages
-
Cisco ASA 5505 Reset-I Problem with TCP State Bypass
Hello,
I have a Cisco ASA 5505 that functions as my primary firewall and a Mitel 5000 controller behind it. I have two external phone users that have been connecting through the firewall with no issues for six months until about two weeks ago. I am now seeing the following log entry on the phone trying to connect to the Mitel Controller.
6 May 16 2014 14:52:52 302014 72.135.115.37 6915 192.168.20.2 6801 Teardown TCP connection 1203584 for outside:72.135.115.37/6915 to inside:192.168.20.2/6801 duration 0:00:00 bytes 0 TCP Reset-I
My phones are designed to work with the Mitel 5000 and Mitel 3300 phone controllers. The 5000 will only use port 6800 for call control, while the 3300 will use 6801 (Secured Minet), 6802 (Minet SSH), and if those fail, port 6800 (Minet Unsecured). When the phones initiate a connection, they try 6801 first. If 6801 is unavailable, the phone controller adds the RST flag to the ACK packet. When the phone sees the RST flag, it is supposed to reset and use the next port (6802). The same process happens again for port 6802, then the phone knows to try 6800. The problem is that the ASA sees the RST flag now and terminates the connection at the firewall. Therefore, the phones never see the RST flag, and continue to try the connection with port 6801.
I have tried to use the TCP State Bypass feature to correct the situation, but the log shows that the connection is still being terminated immediately by the firewall. I am a novice when it comes to configuring the ASA. Any help would be greatly appreciated, as the company that I bought the phone system from is out of troubleshooting options. I do not think that I have made any changes to the firewall around this time. I have packet captures and logs from my ASA and I have wireshark data on the inside of my network. I need to figure out how to configure the ASA so that it ignores the RST flag and sends the packet back to the source.
Any help would be greatly appreciated!
Thanks Rizwan,
Still no luck. I can't even ping the other side (office). I am not sure if I'm running the debug the right way. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office Cisco ASA5505 IP on the local side. I also tried pinging the server on the other side (office), which is at 10.10.5.10, and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)# -
Hey,
I am trying to change the enable password on a Cisco ASA 5510. I run enable password <password>. I log off, log back in with my username/password and type en; it asks for a password and I enter the password that I just set, but it does not work.
What am I missing?
Thanks
Are you using the local user database or a TACACS or RADIUS server to authenticate?
If using a TACACS or RADIUS server, enter your user password when you type enable. If that doesn't work, disconnect the TACACS or RADIUS server and try to enter the enable password you created.
If using the local user database, are you sure that you are entering the password correctly? Perhaps you typed it incorrectly when creating it and accidentally put a space at the beginning or end?
If none of the above works then you will need to perform a password recovery:
1. Reboot your ASA
2. Press the Esc key to enter ROMMON mode when prompted
3. Change the configuration register value to 0x41 by using the command confreg 0x41
4. To tell the ASA to ignore the startup configuration, issue the command confreg
Current Configuration Register: 0x00000041
Configuration Summary:
boot default image from Flash
ignore system configuration
Do you wish to change this configuration? y/n [n]: y
5. At the prompt enter Y
6. Accept all default values when prompted
7. Reload the ASA by entering the command boot
8. When prompted enter enable and leave the password blank
9. Issue the command copy start run
10. Enter configuration mode configure terminal
11. Enter the command no config-register (the value is returned to its default value of 0x1)
12. Save your configuration copy run start
Please remember to rate and select a correct answer -
We purchased a bunch of Cisco ASA 5505s for our branch offices. Offices are made up of fewer than 20 endpoints. We are using it as a firewall and DHCP server at the moment, but also assumed that it had DNS server capabilities, basically using it as a SOHO router. My research thus far indicates that yes, we can use the device as a DNS server, but it won't resolve locally defined hosts. So it can relay DNS requests to an external DNS server but won't allow me to configure an A record on the device itself.
Can anyone verify this before I look into purchasing another device just to do local DNS server services?
Thanks!
Joe
As far as I know the ASA cannot act as a DNS server, nor can it act as a DNS relay. What you can do is:
1) Configure DNS servers on the ASA that can be used in certain situations for allowing the ASA to resolve a name to an IP. For example, using the Botnet filter on the ASA, SSL certificates etc. require the ASA to be able to query external DNS servers.
But this is for use by the ASA itself, i.e. it is used to resolve names within the ASA config. It is not used to allow clients to ask the ASA to resolve DNS names for them. So it can neither act as a DNS server itself nor pass on clients' DNS queries to DNS servers.
2) If you use the ASA to hand out IPs via DHCP you can add valid DNS servers within the DHCP config, just as you can with Windows DHCP.
Jon -
Cisco ASA Active standby failover problem
We have configured ASA Active/Standby failover with ASA5505s. When the primary unit is powered off, the secondary unit becomes active. When the primary unit is powered on, the primary unit becomes active again; I think for an Active/Standby setup there is no preemption. The real issue is that when the primary ASA becomes active after power-on, all the external connectivity goes down. Please see the config below,
ASA01# show run
ASA01# show running-config
: Saved
ASA Version 8.2(5)
hostname ASA01
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.1 MPLS_Router description MPLS_Router
name 192.168.2.1 SCADA_Router description SCADA_Router
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9
interface Vlan3
description LAN Failover Interface
ftp mode passive
clock timezone AST 3
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any host MPLS_Router
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan3
failover key *****
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route-map Route_Out permit 1
match ip address inside_access_in outside_access_in
match interface inside
route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http authentication-certificate inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
: end
I suggest removing the failover configuration on both units and then re-adding it, and then test.
Primary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit primary
failover key KEY
failover
Secondary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit secondary
failover key KEY
failover
Please remember to select a correct answer and rate helpful posts -
DNS Lookup problem using JNDI in oracle10g
Dear Sir,
I am getting the following error while executing the Oracle function.
ENVIRONMENT:
DATABASE : ORACLE10G
JAVA : JDK1.4
ORA-29532: Java call terminated by uncaught Java exception: javax.naming.NoInitialContextException: Cannot instantiate class: com.sun.jndi.dns.DnsContextFactory [Root exception is java.lang.ClassNotFoundException: com/sun/jndi/dns/DnsContextFactory]
Your Ref:
JAVA SOURCE
import java.util.*;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import java.io.*;

public class EmailLookup {

    public static void main( String args[] ) {
        if( args.length == 0 ) {
            System.err.println( "Usage: EmailLookup host [...]" );
            System.exit( 99 );
        }
        for( int i = 0; i < args.length; i++ ) {
            try {
                System.out.println( args[i] + " has " +
                                    doLookup( args[i] ) + " mail servers" );
            }
            catch( Exception e ) {
                System.out.println( args[i] + " : " + e.getMessage() );
            }
        }
    }

    // Count the MX records for hostName using the JNDI DNS provider.
    public static int doLookup( String hostName ) throws NamingException {
        Hashtable env = new Hashtable();
        env.put( "java.naming.factory.initial",
                 "com.sun.jndi.dns.DnsContextFactory" );
        DirContext ictx = new InitialDirContext( env );
        Attributes attrs = ictx.getAttributes( hostName, new String[] { "MX" } );
        Attribute attr = attrs.get( "MX" );
        if( attr == null ) return( 0 );
        return( attr.size() );
    }
}
ORACLE FUNCTION
CREATE OR REPLACE FUNCTION plf_getlookup(a string) RETURN number as
LANGUAGE JAVA NAME 'EmailLookup.doLookup(java.lang.String) return int';
I have loaded the class files in the schema and given the execute permission, but I am still getting the same error as above. Please give me an immediate solution and treat this as very urgent.
Thanks in advance.
Regards
Vasudevan.
I don't think this will ever work!
As far as I know you can access the InitialDirContext only if you deploy your application on an application server as a J2EE application. -
For anyone who is experiencing slow DNS lookups...
I finally worked out what was wrong with my network config last night and thought I'd share it with everyone in a single post in the hope it'll help someone else.
I tried the BIND work around, but it wasn't all that much faster.
I tried disabling IPv6, but that didn't do much...
The solution?
In 'System Preferences' -> 'Network'
Go to configure the adaptor (Airport / Ethernet / etc)
In 'DNS Servers' where you'd normally specify the DNS servers given to you by your ISP... don't do this! As crazy as it sounds don't
Of course, if you're using newer routers you'd not be having this slow DNS lookup problem and specifying the ISPs DNS Servers would be appropriate... still
What you want to specify here is your ROUTER's IP:
eg. 192.168.0.1
With this simple modification you'll be fine. Why, you ask?
In Linux / OSX (I imagine in Unix as well) the way the lookups are carried out are different from Windows. I have other Windows computers on our network and they never had DNS lookup problems and they've been given the ISPs DNS IPs... anyway I think I'm talking out of my depth now heh.
This works!
Remember: Specify your router as the DNS Server!
I've had this problem on a G4 PowerMac running Panther, and it still had it after a Tiger upgrade. I just replaced it with a Core Duo MacMini, 10.4.7, same problem of slow DNS lookups (i.e., slow initial start to loading a web page, then it goes quickly). Windows machines on the same subnet have no such problem. I've tried the various suggestions on various forums, none of which worked. I tried:
- turn off IPv6 (no help)
- directly enter my ISPs DNS servers (no help)
- manually configure both IP and DNS (no help, went back to DHCP)
- swear at the computer (a little help, mentally)
After some more reading, I tried resolving some addresses using the host command from the Terminal:
host -v www.apple.com 24.34.240.9
where the IP address is one of the DNS servers for my ISP (Comcast). I got a no server found message! I then tried the second DNS server in the Comcast list (found from my router), also no server found. Tried the third one in Comcast's list of DNS servers, and it worked. Entered it in System Preferences -> Network as a DNS server, and now web browsing is zippy! I verified that the two DNS servers that MacOS couldn't see are also down as far as Windows was concerned (using the nslookup command in windows).
What this tells me is that the OS X algorithm for handling unreachable or slow DNS servers is different from that in Windows. Maybe Windows remembers a bad experience with a DNS server and uses ones that it has success with, while OS X just keeps trying them in order, slowing timing them out until it finds one that works?
This could also explain many of the puzzling symptoms people have been seeing (things work some times, other times not; some people have luck specifying the DNS server manually, others don't). It all depends on what DNS servers got distributed to the Mac via DHCP, and how far down the list you have to go to find one that is responsive.
Anyone reading this forum with technical knowledge of both UNIX and Windows DNS lookup implementations? Is there some way to tweak in MacOS to make it perform more like Windows in this situation (like, maybe shortening the DNS server failure timeout)? -
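The "Query refused" lines in Jennifer Halim's nslookup output in the first thread and the unresponsive Comcast resolvers in this one are two different failures that look identical from the ASA CLI (the name simply does not resolve). The following Python script is an added example, not code from either thread or from Cisco: it sends one recursive query to each server and classifies the reply from the DNS header (RCODE 5 is REFUSED, a clear RA bit means the server does not recurse, no reply is TIMEOUT), so the same check can be run from any host that shares the ASA's path to the servers. The function names, the make_response fixture and the transaction-id check are assumptions of the example, included so the parser can be exercised offline against constructed replies.

```python
"""Probe DNS servers as the ASA's "dns name-server" entries would use them and
classify each reply. Added example; not code from the thread or from Cisco."""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a recursion-desired (RD=1) query; qtype 1 = A record, class IN."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_response(data, expected_txid=None):
    """Decode the header flags and any A records; reject a mismatched transaction id."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    rcode = flags & 0x000F
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "addresses": addresses}


def classify(reply):
    """Map a parsed reply to the condition an operator needs to act on."""
    if not reply["qr"]:
        return "NOT_A_RESPONSE"
    if reply["rcode"] == 0 and reply["addresses"]:
        return "OK"
    if reply["rcode"] == 0 and not reply["ra"]:
        return "NO_RECURSION"   # authoritative-only server: it will not resolve for you
    return reply["rcode_name"]  # REFUSED is what nslookup printed as "Query refused"


def probe(server, name, timeout=2.0):
    """Send one UDP query to server:53 and classify the outcome."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "TIMEOUT"        # the slow-lookup case: the client waits, then moves on
    except OSError:
        return "UNREACHABLE"
    finally:
        sock.close()
    return classify(parse_response(data, txid))


def make_response(query, rcode=0, addresses=(), ra=True):
    """Constructed reply to query (test fixture so the parser runs offline)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (flags & 0x0100) | (0x0080 if ra else 0) | (rcode & 0x0F)
    answers = b""
    for addr in addresses:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL 60
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return struct.pack("!HHHHHH", txid, flags, qdcount, len(addresses), 0, 0) + query[12:] + answers


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: dnsprobe.py NAME SERVER [SERVER...]")
    for srv in sys.argv[2:]:
        print(srv, probe(srv, sys.argv[1]))
```

Run it as `python dnsprobe.py www.google.com 212.102.0.82 212.102.0.11` (the script name is assumed). A REFUSED reply normally means the server only recurses for its own clients' address ranges, so the fix on the ASA side is to point it at a resolver that will serve its outside address; a TIMEOUT on the first listed server explains the "slow at first, then fast" symptom, because resolvers are tried in the order they are listed.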
DNS Lookup Timeout Problems with Cisco SA520w
Hello,
We are trying to configure our new Cisco SA520w with our Internet connection.
As soon as we replace our existing Linksys RV042 with the Cisco SA520w, we find that DNS lookups start to take longer and longer to resolve. For example, an nslookup against yahoo.com will time out, or take 10-12 seconds. Web browser requests similarly take 30-45 seconds to resolve.
We've tried using both Google's and OpenDNS servers, as well as our ISP's nameservers. In all cases, the long DNS resolution takes place.
At first we thought that the firewall was misconfigured. However, we removed all firewall rules and continued to experience the problem.
We've tried checking and unchecking the DNSProxy checkbox, but this doesn't seem to have any noticeable impact.
Does anyone have any idea about which settings impact DNS lookups, or what else we might try to troubleshoot this issue?
Thanks,
Chris
Regarding the question on 5-10 days for product support to become active, I followed up with the CA team and received the following, which is good for all partners to know...
Below is a description of the primary cause of delays in contract registration.
Contract registration takes 24-48hrs. Delays are generally caused by the Reseller/Partner who doesn't provide the product serial numbers to Cisco when they purchase the service. The contract cannot be registered until the Reseller or the Disti provides the serial numbers to Cisco via SMS3 (or B2B). In cases where Disti doesn't have a mechanism to collect the serial number before the product is shipped, or in cases of drop-ship, the Distis often have to track down their Resellers to get the serial numbers to Cisco.
There is a new program being discussed (on the drawing board now, so not available today) which will allow the end-user to register the contract themselves, thus eliminating the need for the Disti or the Reseller to collect the serial number and input it into SMS3.
But in any case (now or later), when a customer calls in for support, if their contract has not yet been registered, the SBSC can work with the Global Entitlement Team to look-up the contract via the PO or SO number and complete the registration so service can be provided.
Hope this helps...
Steve -
Hello, I have been trying to configure a VPN with a Cisco ASA 5505 and Cisco VPN Client 5.x for 3 weeks and I have not been able to accomplish it, so I decided to reset to factory defaults and start over again.
I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
The running-config it created is:
ciscoasa# sh run
: Saved
ASA Version 8.4(2)
hostname ciscoasa
enable password XXXX encrypted
passwd XXXX encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.254 255.255.0.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ADSL_Telefonica
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
subnet 172.16.0.0 255.255.0.0
access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 55
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 55
console timeout 0
vpdn group ADSL_Telefonica request dialout pppoe
vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
vpdn group ADSL_Telefonica ppp authentication pap
vpdn username adslppp@telefonicanetpa password *****
dhcpd auto_config outside
dhcpd address 172.16.2.2-172.16.2.129 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
dns-server value 172.16.1.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
username test password XXXXXX encrypted privilege 0
username test attributes
vpn-group-policy test
username ignacio password XXXXXXX encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool test
default-group-policy test
tunnel-group test ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
: end
Thank you very much for your help
Yes, it was a VPN client problem. I was doing tests with a WWAN card and it seems it is not compatible with Windows 7.
• The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
I should have read Release Notes before. Thank you very much for your help and effort. -
Remote Access VPN on Cisco ASA Problem
Hi, I configured Remote Access VPN on a Cisco ASA 8.x as per the configuration below.
The problem is that my internet has stopped working, and the default route is just showing stars.
I can ping the internal server 10.110.10.150 fine, which I allowed in the VPN ACL, but my other traffic is not going to the regular internet on my laptop.
What else is required to force my internet traffic to go to the regular internet instead of getting encrypted?
Also attaching the output of route print at the point when the VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination   Netmask          Gateway      Interface     Metric
0.0.0.0               0.0.0.0          10.111.36.1  10.111.36.9      276
0.0.0.0               0.0.0.0          On-link      10.1.200.100      20
10.1.200.0            255.255.255.0    On-link      10.1.200.100     276
10.1.200.100          255.255.255.255  On-link      10.1.200.100     276
10.1.200.255          255.255.255.255  On-link      10.1.200.100     276
10.110.10.150         255.255.255.255  10.1.200.1   10.1.200.100     100
10.111.36.0           255.255.255.0    On-link      10.111.36.9      276
-
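The route table attached above already shows why the laptop lost internet access: it carries two default routes, and the one via the VPN adapter (interface 10.1.200.100, metric 20) has the lower metric, so every packet without a more specific route is sent into the tunnel exactly as it would be under a full-tunnel profile, while 10.110.10.150/32 is the only prefix the split-tunnel ACL actually describes. The script below is an added example, not code from the thread or from Cisco: it parses a Windows route print table and the split-tunnel ACL from the ASA config (both constructed here from the post's own text), and reports the effective mode, the prefixes installed through the tunnel, and the prefixes the ACL specifies. The function names and the embedded input strings are assumptions of the example.

```python
"""Check a Windows "route print" table against an ASA split-tunnel ACL.
Added example; not code from the thread or from Cisco."""
import re

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed copy of the IPv4 route table the original post attached.
ROUTE_PRINT = """\
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9    276
          0.0.0.0          0.0.0.0         On-link      10.1.200.100     20
       10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
     10.1.200.100  255.255.255.255         On-link      10.1.200.100    276
     10.1.200.255  255.255.255.255         On-link      10.1.200.100    276
    10.110.10.150  255.255.255.255       10.1.200.1      10.1.200.100    100
      10.111.36.0    255.255.255.0         On-link       10.111.36.9    276
"""

# Constructed excerpt of the ASA configuration from the same post.
ASA_CONFIG = """\
group-policy RA_VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
"""


def parse_routes(text):
    """Return the active IPv4 routes as dicts; header and non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        if not (_IPV4.match(dest) and _IPV4.match(mask) and _IPV4.match(iface)):
            continue
        routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                       "iface": iface, "metric": int(metric)})
    return routes


def tunnel_mode(routes, vpn_ip):
    """'full' if the preferred (lowest-metric) default route leaves via the VPN adapter."""
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    if not defaults:
        return "no-default-route"
    best = min(defaults, key=lambda r: r["metric"])
    return "full" if best["iface"] == vpn_ip else "split"


def tunneled_prefixes(routes, vpn_ip):
    """Non-default routes that point into the tunnel (gateway is the VPN peer, not On-link)."""
    return sorted((r["dest"], r["mask"]) for r in routes
                  if r["iface"] == vpn_ip and r["gateway"] != "On-link"
                  and (r["dest"], r["mask"]) != ("0.0.0.0", "0.0.0.0"))


def split_acl_prefixes(config, acl_name):
    """Prefixes acl_name describes: standard 'permit NET MASK', or the source side of
    extended 'permit ip host A ...' / 'permit ip NET MASK ...' (as used in the post)."""
    prefixes = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] != ["access-list", acl_name] or "permit" not in parts:
            continue
        rest = parts[parts.index("permit") + 1:]
        if parts[2] == "extended":
            rest = rest[1:]                       # drop the protocol token
        if rest[0] == "host":
            prefixes.append((rest[1], "255.255.255.255"))
        elif rest[0] == "any":
            prefixes.append(("0.0.0.0", "0.0.0.0"))
        else:
            prefixes.append((rest[0], rest[1]))
    return sorted(prefixes)


def check(route_text, config, acl_name, vpn_ip):
    """Summarise what the client installed versus what the ASA's ACL specifies."""
    routes = parse_routes(route_text)
    return {"mode": tunnel_mode(routes, vpn_ip),
            "installed": tunneled_prefixes(routes, vpn_ip),
            "expected": split_acl_prefixes(config, acl_name)}


if __name__ == "__main__":
    print(check(ROUTE_PRINT, ASA_CONFIG, "Split_Tunnel_List", "10.1.200.100"))
```

On the post's data this reports mode "full" with one installed prefix that matches the one expected prefix: the client did apply the 10.110.10.150/32 route, but it also installed a preferred default route into the tunnel, which is the combination the post describes. Running the same check on a client's route print output shows at a glance whether it is effectively full-tunnel regardless of what the group policy says; the parser accepts both standard ACLs and the extended form used in the post.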
Firewall Cisco ASA 5505 new interface license problem
Hi
I have one ASA 5505 with a Base License
The problem is when I want to use a new named interface the system says "With current License maximum number of named interfaces allowed is 3. Name cannot be set for this interface"
And the question is whether, with this base license, the interface cannot be used at all or only cannot be named?
here the output of my firewall:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is e02f.6de6.7843, irq 11
1: Ext: Ethernet0/0 : address is e02f.6de6.783b, irq 255
2: Ext: Ethernet0/1 : address is e02f.6de6.783c, irq 255
3: Ext: Ethernet0/2 : address is e02f.6de6.783d, irq 255
4: Ext: Ethernet0/3 : address is e02f.6de6.783e, irq 255
5: Ext: Ethernet0/4 : address is e02f.6de6.783f, irq 255
6: Ext: Ethernet0/5 : address is e02f.6de6.7840, irq 255
7: Ext: Ethernet0/6 : address is e02f.6de6.7841, irq 255
8: Ext: Ethernet0/7 : address is e02f.6de6.7842, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Hi,
The ASA5505 has, with the Base License, a limitation of 3 VLAN interfaces, of which 1 is also limited in access (shown by the above output mentioning DMZ Restricted).
For an interface on the ASA to operate it must have a name with the command "nameif".
If you already have 3 VLAN interfaces in use then with this license you won't be able to configure a 4th VLAN interface without getting a license that supports more interfaces. I guess that would be the Security Plus license.
I know that this has come as a surprise to several users that have posted here on the forums. I too think that it's a needless "feature" in the ASA to limit the use of the device in such a way.
- Jouni -
Cisco ASA 5505 Site to Site VPN Problem
Hi All,
We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
We can establish the VPN tunnel and all users in the remote office are working great. However, at a random point during the day, or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
When I dial into the modem which is connected to the firewall I see the following messages in the logs:
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
I have checked both firewalls for any mis-matched parameters and do not see any.
Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
Thanks!
Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
hostname
domain-name
enable password
passwd
names
interface Vlan701
nameif inside
security-level 100
ip address 10.65.0.69 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ****** 255.255.255.248
interface Ethernet0/0
description Link to Internet
switchport access vlan 999
interface Ethernet0/1
description
switchport access vlan 701
interface range Ethernet0/2 - 0/7
switchport access vlan 2
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name******
access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap warnings
logging asdm informational
logging host outside *****
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route inside ******
route outside 0.0.0.0 0.0.0.0 ********
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
snmp-server location **:
snmp-server contact **
snmp-server community shortkey
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto map CASGMAP 50 match address 101
crypto map CASGMAP 50 set pfs group1
crypto map CASGMAP 50 set peer ********
crypto map CASGMAP 50 set transform-set 3desmd5
crypto map CASGMAP 50 set security-association lifetime seconds 3600
crypto map CASGMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet **** inside
telnet timeout 5
ssh **** inside
ssh **** outside
ssh timeout 5
console timeout 30
management-access inside
dhcpd ping_timeout 750
priority-queue outside
ntp server **
username ***
tunnel-group ******** type ipsec-l2l
tunnel-group ******** ipsec-attributes
pre-shared-key ***
class-map VoIP
match dscp ef
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map General-purpose
class VoIP
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
service-policy General-purpose interface outside
prompt hostname context
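Before reloading the firewall, it helps to establish from the logs alone that the outage is a repeated Phase 2 (Quick Mode) failure with the same peer, and when the burst started, so it can be lined up against the 3600-second SA lifetime and the Checkpoint side. The detection below is an added example, not part of the post: it parses the %ASA-713902 / %ASA-713900 lines quoted above (peer addresses masked exactly as posted) and flags a peer once two or more failed Quick Mode exchanges fall inside a 60-second window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the syslog excerpt from the post above, peers masked as posted.
LOG = """\
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): "
                     r"Group = (?P<group>\S+), IP = (?P<peer>\S+), (?P<text>.*)$")
QM_RE = re.compile(r"QM FSM error .*mess id (0x[0-9a-f]+)")

def parse_asa_syslog(log):
    """Return one dict per recognised ISAKMP/IPsec line (713xxx messages carry Group/IP)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
            events.append(ev)
    return events

def phase2_failures(log, window=timedelta(seconds=60), threshold=2):
    """Flag peers with >= threshold failed Quick Mode exchanges inside `window`;
    count the 713900 'No SPI' deletes seen for the same peer as corroboration."""
    qm_fail = defaultdict(list)   # peer -> [(timestamp, message id)]
    no_spi = defaultdict(int)
    for ev in parse_asa_syslog(log):
        q = QM_RE.search(ev["text"]) if ev["msgid"] == "713902" else None
        if q:
            qm_fail[ev["peer"]].append((ev["ts"], q.group(1)))
        elif ev["msgid"] == "713900" and "No SPI" in ev["text"]:
            no_spi[ev["peer"]] += 1
    findings = []
    for peer, fails in qm_fail.items():
        fails.sort()
        for start, _ in fails:
            burst = [f for f in fails if start <= f[0] <= start + window]
            if len(burst) >= threshold:
                findings.append({"peer": peer, "first": burst[0][0], "last": burst[-1][0],
                                 "failed_exchanges": len({mid for _, mid in burst}), "no_spi_deletes": no_spi[peer]})
                break  # one finding per peer is enough for an alert
    return findings
```

On the sample this yields one finding: two distinct Quick Mode message ids failing 12 seconds apart, each followed by a "No SPI" delete, which is the pattern to watch for on the syslog host before the tunnel is declared down.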
Problem Packet Flow through Cisco ASA Firewall
I have a Cisco ASA 5540 8.2(1), with permit ip any any rules
packet-tracer input inside tcp 10.56.149.129 871 10.40.170.10 3003
show
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1374599592, using existing flow
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
if you change the source or destination port, the packet is successfully
clear conn did not help
please tell me how to solve the problem?
Hi,
I would suggest sharing the firewall configuration (except for any sensitive information they might have) so troubleshooting this would be easier.
It would seem to me that during your "packet-tracer" test there is already an existing traffic flow through the ASA with the same information that you entered in the command.
I don't know, however, why the connection would be blocked according to the "packet-tracer". In my own test this seemed to work. Output was otherwise the same but the "connection" wasn't dropped.
- Jouni -
DNS Resolution in Cisco ASA 5525
Hey all,
I will begin by telling you what my end goal is: I am trying to block specific websites on our Cisco ASA 5525 using FQDN. I know that this functionality for DNS resolution was not implemented until a specific version.
Current Version: Cisco ASA 5525
ASA Version: 8.6(1)
I can ping external addresses from the ASA however I cannot ping hostnames like "ping google.ca" does not work.
What I've done:
dns domain-lookup inside
dns domain-lookup outside
name-server x.x.x.x (Primary internal dns server)
name-server x.x.x.x (Secondary internal dns server)
name-server 8.8.8.8 (Google external dns server)
name-server 8.8.4.4 (Google external dns server)
domain-name example.com
With this config I can, however, ping hostnames of internal servers.
This is an example of me pinging an external hostname.
ciscoasa# ping google.ca
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:803::101f, timeout is 2 seconds:
No route to host 2607:f8b0:4009:803::101f
Success rate is 0 percent (0/1)
Any ideas?
Thanks!
officeasa# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:802::1012, timeout is 2 seconds:
No route to host 2607:f8b0:4009:802::1012
Success rate is 0 percent (0/1)
John, due to the sensitive nature displayed within show route output, is there any other information I can tell you, what exactly did you need to see from this information?
(I know without certain information you cannot help but I need to ensure security on my end)
Thanks for understanding.
DNS lookup behaviour of cisco devices
Hi All,
Does anyone know how routers and ASAs deal with DNS lookups for hostnames in their configuration?
For instance, an NTP server (0.pool.ntp.org), or a hostname in a VPN tunnel configuration.
I get the impression that there is only a 1 time resolve happening.
Can anyone confirm this and if this is the case, does anyone know how to modify this behaviour....
Thanks in advance.
Hi,
Cisco routers can be set up as a DNS proxy, but with a lot of limitations; the ASA can't, so on the ASA you must enter static host commands, which stay indefinitely.
I don't know if it's possible to tune the cache timeout and what the default value is.
Here is the link describing the caveats for IOS:
http://nil.si/ipcorner/RouterDNS/
Regards.
Alain.