Cisco ASA get 'show conn all long' info through snmp
Hi,
I would need to gather the info about all established connections that I can see on the ASA terminal by using the command
show conn all long
for monitoring purposes through snmp. I am browsing several MIBs&OIDs but no one seems to contain this info.
Does anyone know if this is possible ?
Thanks.
Vlad
im looking for the solution ? did u ever find out if this was possible?
Similar Messages
-
How to get List of all activated Info objects in sap BI production system
Hi Experts,
For my requirement I need list of all activated info objects in sap bi production system.
Can any body suggest any thing.Hi,
Check in the following table, all the below tables are for InfoObejct related only
RSDIOBJ -
Directory of all InfoObjects
RSDIOBJT------ Texts of InfoObjects
RSDIOBJ------- Directory of all InfoObjects
RSDIOBJT----- Texts of InfoObjects
RSDATRNAV------ Navigation Attributes
RSDATRNAVT----- Navigation Attributes
RSDBCHATR------ Master Data Attributes
RSDCHABAS------- Basic Characteristics (for Characteristics,Time Characteristics, and Units)
RSDCHA----
Characteristics Catalog
RSDDPA -
Data Package Characteristic
RSDIOBJCMP----
Dependencies of InfoObjects
RSKYF----
Key Figures
RSDTIM----
Time Characteristics
RSDUNI -
Units
Thanks
Reddy -
How to get rid of all my info on phone?
OK, I bit the bullet and bought the new 3G (although I have had nothing but problems with my old iphone since upgrade)
Anyways, my question is how do i delete all the info from this old phone before I sell it to some other "sucker"?
thanksWhile I agree I didn't find the 3G worth upgrading to in my case (and paying more) since I don't live in 3G area (though work in one) and don't care that mush for GPS (the pesdo GPS is good enough for my needs).
But I don't agree about the 2.0 firmware. I do like what it adds (yes I know there are issues) but firmware will be udpated. Alredy talk about 2.01. So, I would say don't give up on 2.0, but if the extra hardware isn't worth the extra money then sure, go back. -
Cisco asa 5505 with Router 881w Configuration Help
Hello all,
I'm having trouble setting up a second vlan to route to the internet. I have a Cisco ASA 5505 connected to my ISP(OUTSIDE) and a Cisco 881w (INSIDE) router in the back of my firewall. My vlan 10 with the network 192.168.5.1 255.255.255.0 works with pat, however vlan 15 that is on my 881w router does not route to the internet at all. I can only ping from 192.168.15.15 network to 192.168.5.1 I would like some advice on how can I make this set up work. Attached with this discussion is a picture of my topology.
Thanks in advance.
here are the show runs:
Cisco ASA 5505 show run:
ASA Version 8.3(1)
names
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan5
mac-address xxxx.xxxx.xxxx
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface Vlan10
nameif INSIDE
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 5
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network INTERNAL_LAN
subnet 192.168.5.0 255.255.255.0
object network PRIVATE_LAN_192
subnet 192.168.15.0 255.255.255.224
description PRIVATE_LAN_192
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended deny ip any any
pager lines 24
logging enable
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INTERNAL_LAN
nat (INSIDE,OUTSIDE) dynamic interface
object network PRIVATE_LAN_192
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
dhcpd dns 8.8.8.8 75.75.76.76
dhcpd address 192.168.5.10-192.168.5.100 INSIDE
dhcpd enable INSIDE
Router 881w show run:
Current configuration : 4912 bytes
version 12.4
no ip source-route
ip dhcp excluded-address 192.168.15.1 192.168.15.10
ip dhcp pool PRIVATE_LAN
network 192.168.15.0 255.255.255.224
interface FastEthernet0
switchport trunk allowed vlan 1,15,1002-1005
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
interface Vlan15
ip address 192.168.15.1 255.255.255.224
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
ip http authentication local
ip http secure-serverThe cable modem does not have any configuration. I cant add any to it. Its a cisco dpc3008. From vlan 10 i have no problem to get to the internet with the above configuration. My problem is just vlan 15.
-
FTP Port ERROR Forwarding in Cisco ASA 8.2(5), Very Intersting.
Hi,
I have the following configuration on a Cisco ASA 8.2(5), all the traffic to the port 5000 go to an IP Camera and www 80 it's forward throught static NAT to a Web Server without problem, I have the same Configuration for a FTP SERVER Windows and FTP Server Linux and doesn't make the foward to an internal IP address. Attach is the configuration I would like to know what is causing the problems.
The FTP Server Are running locally without any problems, when I try to reach it for the Outside interface then i can't, this is in the only port i can't forward.
I really appreciate your help.
Thanks
ASA Version 8.2(5)
hostname ciscoasa
enable password dAWCvYvyr2FRISo5 encrypted
passwd dAWCvYvyr2FRISo5 encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.4.4
name-server 8.8.8.8
name-server 196.3.81.132
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TEST2 tcp
port-object eq www
port-object eq https
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit icmp any interface outside echo-reply
access-list 101 extended permit udp any any eq 5000
access-list 101 extended permit udp any any eq ntp
access-list 101 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
access-list 102 extended permit icmp any interface outside echo-reply
access-list 102 extended permit icmp any interface outside
access-list 102 extended permit ip any host 192.168.1.5
access-list 102 extended permit tcp any host 192.168.1.5 eq 5000
access-list 102 extended permit tcp any interface outside eq 5000
access-list 102 extended permit tcp any host 192.168.1.5 eq https
access-list 102 extended permit tcp any any eq 5000
access-list 102 extended permit ip any host 192.168.1.8
access-list 102 extended permit tcp any any eq telnet
access-list 102 extended permit tcp any interface outside object-group TEST2
access-list 102 extended permit ip any 192.168.1.0 255.255.255.0
access-list 102 extended permit tcp any interface outside eq www
access-list 102 extended permit tcp any interface outside eq ftp
access-list 102 extended permit tcp any interface outside eq ftp-data
access-list 102 extended permit tcp any any eq ftp
access-list 103 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5000 192.168.1.5 5000 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.15 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.15 ftp-data netmask 255.255.255.255
access-group 102 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 225.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.10-192.168.1.41 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cabelen password tJPt4MkXkeex6ITZ encrypted
class-map ftp-class
match access-list 102
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3465bc9d04198e9df80787c0c039db27
: end
ciscoasa#This is the results of the log it didn't not find the public ip address which im making FTP connection.
ciscoasa# sh logg | i 147.197.115.171
ciscoasa# sh logg
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 88 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 68 messages logged
connection 125407 for outside:111.221.74.28/443 to inside:192.168.1.24/24483 duration 0:02:01 bytes
44
%ASA-7-609002: Teardown local-host outside:111.221.74.28 duration 0:02:01
%ASA-7-710005: UDP request discarded from 192.168.1.24/138 to inside:192.168.1.255/138
%ASA-6-302016: Teardown UDP connection 125402 for outside:177.0.186.239/57036 to inside:192.168.1.24
/24483 duration 0:02:02 bytes 220
%ASA-7-609002: Teardown local-host outside:177.0.186.239 duration 0:02:02
%ASA-6-302016: Teardown UDP connection 125408 for outside:89.240.135.18/47096 to inside:192.168.1.24
/24483 duration 0:02:01 bytes 44
%ASA-7-609002: Teardown local-host outside:89.240.135.18 duration 0:02:01
%ASA-6-302016: Teardown UDP connection 125409 for outside:111.221.77.145/40037 to inside:192.168.1.2
4/24483 duration 0:02:01 bytes 486
%ASA-7-609002: Teardown local-host outside:111.221.77.145 duration 0:02:01
%ASA-6-302016: Teardown UDP connection 125410 for outside:64.4.23.148/40014 to inside:192.168.1.24/2
4483 duration 0:02:01 bytes 178
%ASA-7-609002: Teardown local-host outside:64.4.23.148 duration 0:02:01
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.24/24483 to outside:69.86.151.
109/54119 duration 0:03:00
%ide:216.146.39.70/80 to inside:192.168.1.5/3628 duration 0:00:00 bytes 303 TCP FINs
%ASA-7-609002: Teardown local-host outside:216.146.39.70 duration 0:00:00
nable_15' executed the 'configure terminal' command.
%ASA-6-302015: Built inbound UDP connection 125412 for inside:192.168.1.20/68 (192.168.1.20/68) to i
dentity:192.168.1.2/67 (192.168.1.2/67)
%ASA-6-604103: DHCP daemon interface inside: address granted 0128.987b.d28e.e7 (192.168.1.20)
%ASA-6-302016: Teardown UDP connection 125411 for inside:192.168.1.27/68 to identity:192.168.1.2/67
duration 0:02:01 bytes 623
%ASA-5-111008: User 'enable_15' executed the 'no access-list 102 extended permit ip any 192.168.1.0
255.255.255.0' command.
%ASA-6-302010: 20 in use, 234 most used
%ASA-5-111008: User 'enable_15' executed the 'no access-list 102 extended permit ip any host 192.168
.1.8' command.
%ASA-5-111005: 192.168.1.24 end configuration: OK
%ASA-6-302016: Teardown UDP connection 125412 for inside:192.168.1.20/68 to identity:192.168.1.2/67
duration 0:02:01 bytes 641
%ASA-7-609001: Built local-host outside:209.128.96.248
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.20/57764 to outside:69.86.151.109
/50424
%ASA-6-302013: Built outbound TCP connection 125413 for outside:209.128.96.248/80 (209.128.96.248/80
) to inside:192.168.1.20/57764 (69.86.151.109/50424)
%ASA-7-111009: User 'enable_15' executed cmd: show running-config
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-609001: Built local-host outside:174.35.22.69
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.24/51106 to outside:69.86.151.109
/53818
%ASA-6-302013: Built outbound TCP connection 125414 for outside:174.35.22.69/80 (174.35.22.69/80) to
inside:192.168.1.24/51106 (69.86.151.109/53818)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.24/51107 to outside:69.86.151.109
/12433
%ASA-6-302013: Built outbound TCP connection 125415 for outside:174.35.22.69/80 (174.35.22.69/80) to
inside:192.168.1.24/51107 (69.86.151.109/12433)
%ASA-7-609001: Built local-host outside:8.8.8.8
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.24/51214 to outside:69.86.151.109
/42103
%ASA-6-302015: Built outbound UDP connection 125416 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:19
2.168.1.24/51214 (69.86.151.109/42103)
%ASA-6-302016: Teardown UDP connection 125416 for outside:8.8.8.8/53 to inside:192.168.1.24/51214 du
ration 0:00:00 bytes 176
%ASA-7-609002: Teardown local-host outside:8.8.8.8 duration 0:00:00
%ASA-6-302014: Teardown TCP connection 125414 for outside:174.35.22.69/80 to inside:192.168.1.24/511
06 duration 0:00:06 bytes 2075 TCP FINs
%ASA-6-302014: Teardown TCP connection 125415 for outside:174.35.22.69/80 to inside:192.168.1.24/511
07 duration 0:00:06 bytes 3016 TCP FINs
%ASA-7-609002: Teardown local-host outside:174.35.22.69 duration 0:00:06
ciscoasa# -
Cisco ASA Not Responding to SNMP
Hi All,
I have a Cisco ASA that I am trying to discover with SNMP (Solar Winds). The Solarwinds server can ping the ASA on the E1 interface (on the same network as the server), yet it cannot be discovered using SNMP, it fails every time.
This is the config I have for the ASA.
interface GigabitEthernet0/0.224
description NMS
vlan 224
nameif NMS
security-level 100
ip address 10.11.120.225 255.255.255.240
snmp-server host NMS 10.11.120.235 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
The server trying to discover the ASA is 10.11.120.235 and the community string is public.
Also, I do not know how you add a RW string to a Cisco ASA - it seems to only let you add a single string.
Thanks in advance.
DanHi Daniel,
The ASA supports only SNMP read-only access. SNMP write access is not allowed, so you cannot make changes with SNMP.
Have you tried to manualy pool the ASA using snmpget or some other tools. One issue might be the community used by Solarwinds.
Regards
Dan -
Hi Team,
Does the show conn count includes both tcp + udp + embryonic connections.
Because when i do a calculation in excel from the output of show conn, i got the below output.
It was extracted from the command "show local-host | include host|count/limit"
(A):
Total Sum of TCP embryonic count to host = 331
(B):
Total Sum of TCP flow count/limit = 102938
(C):
Total Sum of UDP flow count/limit = 3512505
firewall#show conn count
1912284 in use, 2000002 most used
Please let me know how this is caluclated. If show conn count = A+B+C, then i am suspecting that old connection entries are not getting flushed out from the connection table in cisco asa 5580 with version 8.3.2.
Really im in need of help...Hi Kimberly,
My question was, the count of show conn & show local-host does not match... More over, as the show conn was showing that the max limit of 2 million will be reaching very soon... So, i would like to troubleshoot the output of show local-host | include host|count/limit, where in i could see that one of the webserver has lots of tcp connection (lets say 35000, then the other two servers are consuming udp connections 7lacs,5lacs & 3 lacs, as given below...
local host: ,
TCP flow count/limit = 35857/unlimited
TCP embryonic count to host = 25
UDP flow count/limit = 0/unlimited
local host: ,
TCP flow count/limit = 306/unlimited
TCP embryonic count to host = 8
UDP flow count/limit = 736807/unlimited
local host: ,
TCP flow count/limit = 246/unlimited
TCP embryonic count to host = 2
UDP flow count/limit = 582010/unlimited
local host: ,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
UDP flow count/limit = 308412/unlimited
can you pls let me know any other commands can be executed to know if any huge embryonic/virus attacks/too many broad casts...... Once i clear the local-host, the connections get reduced from a huge value to low value. i reallly do not know if these are geniue traffic or fake ? or do not know if the connection table is not flushing out old entries.. please help -
I have all my music cd's on a hard drive as wav files when I try to add them to I tunes the files get there but no album info I end up with a bunch of track 1's by unknown artists. Is there a way to transfer each album over so it shows up like a normal CD
Try posting in a more appropriate forum, as this has noting to do with itunes U - the place where University/college/museums post education material.
-
A possible bug related to the Cisco ASA "show access-list"?
We encountered a strange problem in our ASA configuration.
In the "show running-config":
access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in extended permit ip object 172.31.254.2 any log
access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in extended permit ip object windowsusageVM any log
access-list inside_access_in extended permit ip any object testCSM-object
access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in extended permit ip host 172.31.254.2 any log
access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
In the "show access-list":
access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a 3bacc1
access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x06 85254a
access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0 x7e7ca5a7
access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcn t=0) 0x02a111af
access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt =0) 0x19244261
access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcn t=0) 0x0dbff051
access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7 b798b0e
access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416 81b
access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416 81b
access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf 227
access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf 227
access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
There is a comment in the running config: (line 26)
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes problem when we try to use line number to insert a new rule.
Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
Thanks in advance.
show version:
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.1(3)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fmciscoasa up 1 hour 56 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1Could be related to the following bug:
CSCtq12090: ACL remark line is missing when range object is configured in ACL
Fixed in 8.4(6), so update to a newer version and observe it again.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out
I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off.
The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
1500Hi Martin,
Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
If it is outside world the you may need to check on the NAT rules which is not correct.
If it is site to site then you may need to check few other things.
Please do rate for the helpful posts.
By
Karthik -
Hello Friends,
I've two iPod Nanos (4th gen - 8GB). I'm facing a severe problem with both of them. For both iPods, I tried to do this method Simultaneously press the top button + home (central) button. But of no use.
1. My first iPod is showing a white screen. I could not see anything. But I can listen to songs by blindly pressing the play button twice. The battery comes only for an hour.? How do I get the display and longer battery?
2. My second iPod is facing more severe problem. None of the buttons are working. When I connect it my PC it showing "CONNECTED- eject before disconnecting". But it is not ejecting with all the usual methods. When I manually and physically disconnect it from the PC the same "CONNECTED- eject before disconnecting" is still showing till the battery goes off. After that if i press any button it is showing low battery signal. And when i re-connect it to the PC the same process is repeating. When I tied to restore it to the factory settings I'm getting "Error" report.
(I'm using windows 7)
Friends, Please help me with the above problems. It will be a great help.
Thank You.
R.SAMALASounds like some hardware issues, meaning you'll want to take or send the iPods in for service or repairs. You can choose to have Apple do an out of warranty exchange for the prices indicated in the link below or find another third party service perhaps even local to your area.
http://www.apple.com/support/ipod/service/prices/
B-rock -
What happen to all my info and google bookmarks and toolbar after I updated to 6.o ? How do I get them back? I will never update firefox ever again.. I am getting so I do not want to use firefox any more do to this on going problem with your updates.
I see others have written in complaining about them loosing their Google tool bars as well. I ask again what are you going to do about this problem?????Google decided that they will no longer produce the Google Toolbar for Firefox 5 and newer versions. Future versions of Google toolbar will only work with IE7-9. Google Toolbar is not available on any other browser, even Google's own browser.
*http://googletoolbarhelp.blogspot.com/2011/07/update-on-google-toolbar-for-firefox.html
*http://www.google.com/support/toolbar/bin/answer.py?answer=1342452&topic=15356%29
*Google Toolbar 8 FAQ (IE only): https://www.google.com/support/toolbar/bin/answer.py?hl=en&answer=1111588
'''Access your Google bookmarks here''': https://www.google.com/bookmarks/l
Alternatives:
*http://kb.mozillazine.org/Using_Google_Toolbar_features_without_toolbars
*https://addons.mozilla.org/en-US/firefox/addon/googlebar-lite/
*https://addons.mozilla.org/en-US/firefox/addon/gbookmarks-google-bookmarks-fo/
'''If this reply solves your problem, please click "Solved It" next to this reply when <u>signed-in</u> to the forum.'''
Not related to your question, but...
You may need to update some plug-ins. Check your plug-ins and update as necessary:
*Plug-in check: https://www-trunk.stage.mozilla.com/en-US/plugincheck/
*Adobe Shockwave for Director Netscape plug-in: [https://support.mozilla.com/en-US/kb/Using%20the%20Shockwave%20plugin%20with%20Firefox#w_installing-shockwave Installing ('''''or Updating''''') the Shockwave plugin with Firefox]
*Adobe PDF Plug-In For Firefox and Netscape: [https://support.mozilla.com/en-US/kb/Using%20the%20Adobe%20Reader%20plugin%20with%20Firefox#w_installing-and-updating-adobe-reader Installing/Updating Adobe Reader in Firefox]
*Shockwave Flash (Adobe Flash or Flash): [https://support.mozilla.com/en-US/kb/Managing%20the%20Flash%20plugin#w_updating-flash Updating Flash in Firefox]
*Next Generation Java Plug-in for Mozilla browsers: [https://support.mozilla.com/en-US/kb/Using%20the%20Java%20plugin%20with%20Firefox#w_installing-or-updating-java Installing or Updating Java in Firefox] -
how do i remove a description on a replicat? It shows up in 'ggsci, info all' and i want to remove it. It looks like this:
REPLICAT STOPPED namexxx 00:00:00 00:00:04
Description "(null)"
I tried this:
GGSCI (qlxdodsr001.qaapollogrp.edu) 3> alter replicat namexxx description null;
I get this error:
ERROR: Missing begin quote for DESCRIPTION entry.
So i tried this: alter replicat namexxx description "(null)"; and ended up with above.
You have to use double quotes to add a description so something has to be listed, but how do i get rid of it?
Any help is greatly appreciated.
Thank you!Hi,
if you run
alter replicat namexxx description ""
you've got :
REPLICAT STOPPED namexxx 00:00:00 00:00:04
Description ""
The description is now empty... but it's not the same as creating the replicat without description (in this case you haven't got the description line. I don't know how to do it
Regards, -
Cisco ACE - "show conn" command queries
Hi all,
i have some queries regarding the "show conn" command in Cisco ACE.
Working Scenario:
VIP : 10.10.10.1
Server 1 : 10.10.20.1
Server 2 : 10.10.20.2
Client: 30.30.30.1
When a client 30.30.30.1 initiates a connection to the VIP on 10.10.10.1, the ACE load balances it to Server 1, 10.10.20.1. Looking at the "show conn" table, it shows that Server 1 is replying back to the Client 30.30.30.1 through the ACE.
Now, my question is when the ACE returns the traffic to the Client, should the Client be seeing the source IP coming from the VIP or Server 1? My understanding is that the Client should be seeing traffic returning from the VIP. But the show conn table does not seem to suggest so.
show conn table
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
1768 1 in TCP 10 30.30.30.1:9221 10.10.10.1:80 ESTAB
41 1 out TCP 52 10.10.20.1:80 30.30.30.1:9221 CLOSEDDaniel,
The client is expecting a response from the VIP otherwise there would be an asymmetrical routing problem and conns will never complete.
The fact that you're seeing 30.30.30.1 as the destination address is just that the server is able to see client's IP address on the request, when your backend servers sends the reply back to the client this response is forced to go through the ACE, when the ACE looks at the packet it matches with a previously conn created on the flow table so it "NATs" the reply so now the source of the packet is the VIP and destination is 30.30.30.1.
This is a expected behavior as you're not using S-NAT on your network.
HTH.
Pablo -
Hi,
Does the ASA have an SNMP OID which will provide information like the show conn command ?2 years later, how's LLDP support via SNMP?
If Cisco does not support LLDP via SNMP, please remove the wrong information from
http://tools.cisco.com/ITDIT/MIBS/MainServlet?ReleaseSel=2514&PlatformSel=231&fsSel=705
Stop lying!
Maybe you are looking for
-
Unable to communicate with "ImporterProcessServer"
Hi there, I searched the forum, but only found one entry, which didn't help. I re-installed Premiere CS4 due to a OS crash. Before that, everything worked smoothly, but now I get an error message saying: unable to communicate with the ImporterProcess
-
How to incert custom leave application IView under ESS overview?
Dear Team, We are developed custom leave application like Work & Time & now that displaying at work set row My client requirement is Custom leave application should also display under ESS Overview with iView pic along with other iView's. Please share
-
140MB of photos in "modified" folder, but didn't modify any of them?
I just recently upgraded to '09. I uploaded my first batch of photos the other day. It was a lot, about 1.4GB from a trip I took. I happened to be looking in the package contents for something else, but stumbled up the modified folder for the photos
-
Vat number showing invalid in vendor master
Hi, Could any body advise me why vat number is showing in valid in vendor master? I put the vat number in the vendor master FK02, showing in valid where as other vat number is working fine in the same vendor, Is there any validation for the same, My
-
I have an abstract class A that has a couple of concrete extensions B and C. Now I need to extend B and C as well, not to add additional persistent attributes but merely to alter behavior. While I could simply derive B and C directly (yeilding derive