Cisco ASA packet-tracer Palo Alto equivalent

Hi All
Does anyone know if the Palo Alto 3020 boxes have an equivalent feature to the Cisco ASA Packet-tracer ?
many thanks

I have used the "test security-policy-match" cli command which identifies the specific policy rule a source/destination traffic pair matches against.  You need to make sure you specify all fields (zone, src/dst network, protocol and ports.

Similar Messages

  • How to display date for each packet in a Cisco ASA packet capture

    Hello,
    Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?
    When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet?  I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export. 
    Sample capture below.  Time is displayed but not the date of the packet capture.  Issuing command "sh cap test detail" doesn't show the date either.  I checked on an ASA running v9 and it also doesn't show the date in the packet capture.
    ASA5505# sh cap test
       1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x:  udp 404
       2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53:  udp 37
       3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082:  udp 53
       4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500:  udp 404
       5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
       6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
    Thanks for any help.
    Joe

    Hi,
    I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information
    For example
    copy /pcap capture:test tftp://x.x.x.x/test.pcap
    This should copy the current data in the capture to the mentioned location with the mentioned filename.
    I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that can not be formed. Its a lot easier to go through bigger captures by copying them from the ASA and viewing them with an actual software meant for that purpose.
    Hope this helps :)
    - Jouni

  • Cisco ASA 8.6 configuration issues

    Hello all ,
                                                 internet router-----------outside------------- ASA -------inside-------------cisco 3750 (----A----)
                                                                                                            |
                                                                                                            |
                                                                                                         DMZ
                                                                                                             |
                                                                                                             |                                                                                                        
                                                                                                             Cisco  3750 (-----B---)
    1- switch A -- wireless User + Cisco Wireless Ip phones
    2- Switch B -- CUCM
    Problem discriptiom :
    --- from switch A i can not ping SwitchB (DMZ) so ip phones can not reached to CUCM
    --- on switchA 4 VLANS are configured with Different SSIDs and internet is working fine .
    --- on Switch A   i want 2 VLANs (vlan60 and vlan 80) to communicate with DMZ also (Not working )
    ## some relevent Config is as under :
    SWITCH A CONFIG
    ===============
    vlan internal allocation policy ascending
              interface FastEthernet0
               no ip address
               no ip route-cache cef
               no ip route-cache
               shutdown
              interface GigabitEthernet1/0/1
               switchport access vlan 60
               switchport mode access
               spanning-tree portfast
    |
    |
    |
    |
    |
    |
              interface GigabitEthernet1/0/23
               description **connected to ASA-Inside**
               switchport access vlan 100
               switchport mode access
    interface Vlan10
               ip address X.X.100.5 255.255.255.0
              interface Vlan50
               ip address X.X.6.12 255.255.255.0
              interface Vlan60
               ip address X.X.8.251 255.255.255.0
              interface Vlan80
               ip address X.X.10.251 255.255.255.0
              interface Vlan100
               ip address X.X.20.1 255.255.255.0
              ip classless
              ip route 0.0.0.0 0.0.0.0 X.X.20.2
    =========================================
    ASA CONFIG
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address X.X.20.2 255.255.255.0
    |
    |
    interface GigabitEthernet0/2
    nameif DMZ
    security-level 50
    ip address X.X.21.2 255.255.255.0
    |
    |
    interface GigabitEthernet0/5
    nameif outside
    security-level 0
    ip address 192.168.2.5 255.255.255.0
    |
    |
    object network IN-OUT
    subnet 0.0.0.0 0.0.0.0
    object network W-PHONE
    subnet X.X.10.0 255.255.255.0
    object network BECA-WIRELESS-USER
    subnet X.X.8.0 255.255.255.0
    pager lines 24
    |
    |
    nat (inside,outside) source dynamic IN-OUT interface
    nat (inside,DMZ) source dynamic W-PHONE interface
    nat (inside,DMZ) source dynamic BECA-WIRELESS-USER interface
    route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
    route inside X.X.6.0 255.255.255.0 X.X.20.1 1
    route inside X.X.7.0 255.255.255.0 X.X.20.1 1
    route inside X.X.8.0 255.255.255.0 X.X.20.1 1
    route inside X.X.10.0 255.255.255.0 X.X.20.1 1
    timeout xlate 3:00:00
    ============================================
    switch B
    interface GigabitEthernet1/0/17
             switchport access vlan 50
             switchport mode access
             switchport voice vlan 20
             spanning-tree portfast
            interface GigabitEthernet1/0/18
             switchport access vlan 50
             switchport mode access
    interface Vlan10
             ip address X.X.100.1 255.255.255.0
            interface Vlan20
             ip address X.X.7.1 255.255.255.0
             ip helper-address X.X.6.6
            interface Vlan50
             ip address X.X.6.30 255.255.255.0
             ip helper-address X.X.6.6
            interface Vlan60
             ip address X.X.8.252 255.255.255.0
            interface Vlan101
             ip address X.X.21.1 255.255.255.0
            ip forward-protocol nd
            ip http server
            ip http secure-server
            ip route 0.0.0.0 0.0.0.0 X.X.6.4
            ip route X.X.6.0 255.255.255.0 X.X.21.2
            ip route X.X.7.0 255.255.255.0 X.X.21.2

    We would also need to see the ACL configuration of the ASA as this is what actually controls the flow of traffic, that is if routing is correct which it seems to be from your configuration.
    What you can do is run a packet-tracer on the ASA to see if the packet is allowed through the ASA:
    packet-tracer input inside tcp 12345 detail
    This should give you an indication where or if there is a misconfiguration on the ASA.
    Please post the output here if you require further assistance.  Also a full ASA configuration (remove public IPs and passwords) would help to identify the issue.
    Please remember to rate and select a correct answer

  • Cisco ASA 8.4.2 acl hitcount issue

    Hi,
    I have some peculiar issue that my acl hit count is not getting increased. not bale to ping the public ip's
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    access-group inside_access_in in interface inside
    icmp permit any inside
    icmp permit any outside
    im able to ping my inside interface but not able to ping internet. from asa im able to ping internet
    my packet tracer output below.
    packet-tracer input inside icmp 10.20.90.1 7 7 8.8.8.8 detailed
    ASA# packet-tracer input inside icmp 10.20.90.1 7 7 8.8.8.8 $
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         Outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x6e1ef600, priority=500, domain=permit, deny=true
            hits=171641, user_data=0x8, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=inside, output_ifc=any
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: Outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    ASA#
    my nat is like below
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj_any
    nat (inside,outside) dynamic interface
    Any suggestion really appreciated.

    Hello,
    Add the following
    fixup protocol ICMP
    If this does not make the difference do the following:
    1) Check the Ip address on your PC, make sure the ASA is the default gateway?
    2) Ping the ISP address ( The default gateway of the ASA)
    3) Share the complete output of show run nat
    Let me know the result

  • Problem Packet Flow through Cisco ASA Firewall

    I have a Cisco ASA 5540 8.2(1), with permit ip any any rules
    packet-tracer input inside tcp 10.56.149.129 871 10.40.170.10 3003
    show
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found flow with id 1374599592, using existing flow
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    if you change the source or destination port, the packet is successfully
    clear conn did not help
    please tell me how to solve the problem?

    Hi,
    I would suggest sharing the firewall configuration (except for any sensitive information they might have) so troubleshooting this would be easier.
    It would seem to me that during your "packet-tracer" test there is already an existing traffic flow through the ASA with the same information that you entered in the command.
    I don't know however why the connection would be blocked according to the "packet-tracer". In my own test this seemed to work. Output was otherwise the same but the "connection" wasnt dropped.
    - Jouni

  • Dynamic NAT ASA 8.4 Packet Tracer not working

    Hi guys,
    I've tried to ping and go to a site from 192.168.1.6 to 10.10.10.12, but it's not working. I've followed a couple dynamic NAT tutorials, but I can't figure out what I'm missing. The config is below, and I'd appreciate any help.
    Thanks!
    ASA Version 8.4(2)
    hostname ciscoasa
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.2 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.0.0.0
    object network inside-subnet
    subnet 192.168.1.0 255.255.255.0
    object network inside-subnet
    nat (inside,outside) dynamic interface
    telnet timeout 5
    ssh timeout 5
    dhcpd address 192.168.1.5-192.168.1.35 inside
    dhcpd auto_config outside

    Thanks guys. I'm one step closer. I can ping from 192.168.1.0 to 10.0.0.0, but I can't open a webpage. I try visiting 10.0.0.6/index.html in packet tracer and get a "Request time out" message. I tried to mirror the ACL for www, but it's not working. 
    Does anyone have a suggestion? My updated config is below.
    Thanks!
    ASA Version 8.4(2)
    hostname ciscoasa
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.0.0.1 255.0.0.0
    object network inside-subnet
    subnet 192.168.1.0 255.255.255.0
    object network outside-subnet
    subnet 10.0.0.0 255.0.0.0
    access-list TEST extended permit icmp any any echo-reply
    access-list TEST extended permit tcp any any eq www
    access-list http extended permit tcp any any eq www
    access-list http2 extended permit udp any any eq www
    access-group TEST in interface outside
    object network inside-subnet
    nat (inside,outside) dynamic interface
    telnet timeout 5
    ssh timeout 5
    dhcpd auto_config outside
    dhcpd address 192.168.1.5-192.168.1.35 inside
    dhcpd enable inside

  • I can't find and stet up the Cisco packet tracer program in my Macbook , i need help?

    i can't find and stet up the Cisco packet tracer program in my Macbook , i need help?

    Check my post
    http://rafavg77.wordpress.com/2013/09/07/como-empaquetar-packet-tracer-exe-a-una -app-nativa-en-mac-os-x/
    I think it will help, sorry for my english

  • How to install cisco packet tracer on mac os x?

    I do not know to start for installing the cisco packet tracer on mac os x. please teach me. I need to use packet tracer for my styding in the class room

    Hi
    download " PlayOnMac " Application ==> http://www.playonmac.com/en  and  then install "Cisco Packet Tracer"
    Kind Regards

  • [ASK] How to install Cisco Packet Tracer 5.3 on Mac Without CrossOver, VB, etc

    I wanna install Cisco Packet Tracer 5.3 on my Mac and I follow the step (post 4) from this http://hintsforums.macworld.com/showthread.php?t=104077
    I have successfuly install the Packet Tracer but the application always didn't show up. Is there anything that missing from the step or maybe there's additional step before or after installing?

    I had used PlayOnMac!
    https://www.facebook.com/groups/packettracermac/?fref=ts

  • How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)

    Hi All,
    How to Enable IP Accounting or capture packets in Cisco ASA 5510 (8.2)
    Thanks
    Roopesh

    Hi Roopesh,
    Please go through this document for detailed documentation on captures:
    https://supportforums.cisco.com/docs/DOC-17814
    Hope that helps.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Cisco ASA 5505 Simple PAT

    Good morning you clever bunch,
    Having a real issue here, am used to the Router\Switch CLI but been asked to set up an ASA 5505 8.4.
    Quite simply I am trying to at least test out a static PAT from an external source to an internal server in a test environment and no matter whether I set it up as an auto-nat or a twice-nat whenever I run a packet tracer I end up with the same error. This is the packet-tracer I am running -
    packet-trace input outside tcp 80.80.80.80 3389 10.240.0.10 3389
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside,outside) source static server publicIP service RDP RDP
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Now I have a couple of questions initially. I have made the presumption that packet-tracer does not look at any external devices while running - as in as long as the ports are up it doesn't matter what is on the end of them for testing purposes? Is there anything I am missing?
    I have this morning wiped the config and have simply set up the adapters, a default route and twice nat and am not sure why I keep getting the error. I am sure it is something very simple and I'm being a massive donut! Any help ios greatly appreciated as I've gotten quite stuck and feel like I have followed all the instructions online and just about trie everything.
    Many thanks,
    Sam - below is my running config
    ASA Version 8.4(4)1
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.240.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 80.*.*.203 255.255.255.248
    ftp mode passive
    object network server
    host 10.240.0.10
    object network publicIP
    host 80.*.*.37
    object service RDP
    service tcp source eq 3389
    access-list ouside_in extended permit tcp any host 10.240.0.10 eq 3389
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static server publicIP service RDP RDP
    access-group ouside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 80.*.*.201 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e67c79a8361f7b6aa3a7dd549f85e818
    : end

    Hi Jennifer,
    No I just changed that for testing purposes as I had tried everything I thought was correct to no avail.
    You, Jennifer, are my new hero.... literally on the config side I was trying everything and was completely barking up the wrong tree! Every time I had set up packet tracer that way, you can understand my logic when it comes to the destination address, seeing as I had already specified the outside adapter, but it makes a lot more sense using the outside host. Flow is now running perfectly.
    Many thanks.
    Sam

  • Cisco ASA 5505 - EasyVPN - ARD can't scan remote Networks

    Hi all,
    We have been installing Cisco ASA5505 to hook our systems and remote offices together.  Our first install went great, and I can scan the remote network no problem, this network is setup using the site to site VPN setup.
    Since then we have added 3 more ASA5505 so the the mix, these are not running via the Site to Site VPN but are rather using the EZVPN.
    On the Remote ASAs using EasyVPN, I cannot scan the networks with ARD or even Ping. 
    I am wondering if anyone has any insights on this?  I know this info is a bit sketchy...
    I will post more as I get it.

    ASAs are the default gw for respective LANs. For the point 2 if i trace the packets i can see that their are blocked
    packet-tracer input inside-g tcp 192.168.1.42 80 192.168.2.31 80
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.2.0     255.255.255.0   outside
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 192.168.2.31/80 to 192.168.2.31/80
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: inside-g
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    192.168.1.42 is the ASA1 inside IP address. But i've an explicit ACL that permits ALL traffic from 192.168.1.0/24.
    I've also tried to add an ACL for the specific IP for inside interface but with no results.

  • Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!

    Hi,
    I have an ASA 5510 with the configuration below. I have configure the ASA as remote access vpn server with cisco vpn client, my problem now is I can connect but I can't ping.
    Config
    ciscoasa# sh run
    : Saved
    ASA Version 8.0(3)
    hostname ciscoasa
    enable password 5QB4svsHoIHxXpF/ encrypted
    names
    name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
    name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
    name xxx.xxx.xxx.xxx Mail_Server
    name xxx.xxx.xxx.xxx IncomingIP
    name xxx.xxx.xxx.xxx SAP
    name xxx.xxx.xxx.xxx WebServer
    name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
    name 192.168.2.2 isa_server_outside
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address IncomingIP 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.253 255.255.255.0
    management-only
    passwd 123
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object-group service TCP_8081 tcp
    port-object eq 8081
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 3389
    port-object eq ftp
    port-object eq www
    port-object eq https
    port-object eq smtp
    port-object eq pop3
    port-object eq 3200
    port-object eq 3300
    port-object eq 3600
    port-object eq 3299
    port-object eq 3390
    port-object eq 50000
    port-object eq 3396
    port-object eq 3397
    port-object eq 3398
    port-object eq imap4
    port-object eq 587
    port-object eq 993
    port-object eq 8000
    port-object eq 8443
    port-object eq telnet
    port-object eq 3901
    group-object TCP_8081
    port-object eq 1433
    port-object eq 3391
    port-object eq 3399
    port-object eq 8080
    port-object eq 3128
    port-object eq 3900
    port-object eq 3902
    port-object eq 7777
    port-object eq 3392
    port-object eq 3393
    port-object eq 3394
    port-object eq 3395
    port-object eq 92
    port-object eq 91
    port-object eq 3206
    port-object eq 8001
    port-object eq 8181
    port-object eq 7778
    port-object eq 8180
    port-object eq 22222
    port-object eq 11001
    port-object eq 11002
    port-object eq 1555
    port-object eq 2223
    port-object eq 2224
    object-group service RDP tcp
    port-object eq 3389
    object-group service 3901 tcp
    description 3901
    port-object eq 3901
    object-group service 50000 tcp
    description 50000
    port-object eq 50000
    object-group service Enable_Transparent_Tunneling_UDP udp
    port-object eq 4500
    access-list inside_access_in remark connection to SAP
    access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
    access-list inside_access_in remark VPN Outgoing - PPTP
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
    access-list inside_access_in remark VPN Outgoing - GRE
    access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
    access-list inside_access_in remark VPN - GRE
    access-list inside_access_in extended permit gre any any
    access-list inside_access_in remark VPN Outgoing - IKE Client
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
    access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
    access-list inside_access_in remark DNS Outgoing
    access-list inside_access_in extended permit udp any any eq domain
    access-list inside_access_in remark DNS Outgoing
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in remark Outoing Ports
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any any eq pptp
    access-list outside_access_in extended permit gre any any
    access-list outside_access_in extended permit gre any host Mail_Server
    access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
    access-list outside_access_in extended permit esp any any
    access-list outside_access_in extended permit ah any any
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
    access-list VPN standard permit 192.168.2.0 255.255.255.0
    access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 2 Mail_Server netmask 255.0.0.0
    global (outside) 1 interface
    global (inside) 2 interface
    nat (inside) 0 access-list corp_vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
    static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
    static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
    static (inside,outside) 192.168.2.0  access-list corp_vpn
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set transet esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set pfs
    crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
    crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
    crypto map cryptomap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
    dhcpd domain domain.local interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    tftp-server management 192.168.1.123 /
    group-policy mypolicy internal
    group-policy mypolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN
    username vpdn password 123
    username vpdn attributes
    vpn-group-policy mypolicy
    service-type remote-access
    tunnel-group mypolicy type remote-access
    tunnel-group mypolicy general-attributes
    address-pool POOL
    default-group-policy mypolicy
    tunnel-group mypolicy ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
    : end
    Thank you very much.

    Here is the output:
    ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (inside,outside) 192.168.2.0  access-list corp_vpn
    nat-control
      match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
        static translation to 192.168.2.0
        translate_hits = 0, untranslate_hits = 139
    Additional Information:
    NAT divert to egress interface inside
    Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any any
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (inside,outside) 192.168.2.0  access-list corp_vpn
    nat-control
      match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
        static translation to 192.168.2.0
        translate_hits = 0, untranslate_hits = 140
    Additional Information:
    Phase: 11
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

  • Cisco ASA 5505 and PAT

    So I have a weird problem that I'm hoping someone has a point in the right direction I can follow... At home I have a Cisco ASA 5505 - not very complex network some BCP configs and it's providing a NAT (PAT). I have a static IP and using a few RFC 1918 segments - like I said nothing earth shattering. I have a linksys E1200 802.11N WPA2 PSK - again pretty standard. I connect laptops, iPads, iPhones, Kindles, Androids no problem. Until recently my 60" Vizio had no issues using the network (wired or wireless). Now network is failing on the TV. I see it get to the FW and I can ping trace etc... to the TV. The FW logs show resets (log is below).
    Now here is the real interesting part - if I turn the tether feature on my iPhone on and connect the TV to it - it works - what's even more interesting is if I then go back to the home network it all works again no problem until I reboot the TV... HELP!
    Apr 19 15:34:09 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60657 to outside:68.162.222.142/57003
    Apr 19 15:34:09 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61988 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60657 (68.162.222.142/57003)
    Apr 19 15:34:09 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61988 for outside:98.137.204.251/443 to inside:10.10.10.139/60657 duration 0:00:00 bytes 3689 TCP Reset-I
    Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/60658 to outside:68.162.222.142/53332
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61989 for outside:98.137.204.251/443 (98.137.204.251/443) to inside:10.10.10.139/60658 (68.162.222.142/53332)
    Apr 19 15:34:12 192.168.10.254 %ASA-6-305011: Built dynamic TCP translation from inside:10.10.10.139/37006 to outside:68.162.222.142/40015
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302013: Built outbound TCP connection 61990 for outside:98.136.10.32/443 (98.136.10.32/443) to inside:10.10.10.139/37006 (68.162.222.142/40015)
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61989 for outside:98.137.204.251/443 to inside:10.10.10.139/60658 duration 0:00:00 bytes 3689 TCP Reset-I
    Apr 19 15:34:12 192.168.10.254 %ASA-6-302014: Teardown TCP connection 61990 for outside:98.136.10.32/443 to inside:10.10.10.139/37006 duration 0:00:00 bytes 3689 TCP FINs
    A

    Hello ras,
    As you mentioned the TV is sending a reset packet to the remote address. I will recommend you to create a capture of the traffic and review the traffic at the packet level to see a posible reason for the drop.
    Here is how. Then you can download it to pcap format and uploaded to the forum for further analysis.
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
    http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs.html#pgfId-6941209
    Hope this information is helpful.

  • Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic

    Thanks to a previous thread, I do have a 5505 up and running, and passing data....
    https://supportforums.cisco.com/message/3900751
    Now I am trying to get a IPSEC VPN tunnel working.
    I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
    The networks concerned:
    name 10.0.0.0  Eventual  (HQ Site behind Firewall)
    name 1.1.1.0  CFS  (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
    name 2.2.2.0  T1  (Remote site - Outside interface of 5505: 2.2.2.2)
    name 10.209.0.0  Local  (Remote Network - internal interface of 5505: 10.209.0.3)
    On a ping to the HQ network from behind the ASA, I get....
    portmap translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
    I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work.
    Below is the config.
    Can anyone see if there is something sticking out?
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.0 Eventual
    name 10.209.0.0 Local
    name 2.2.2.0 T1
    name 1.1.1.0 CFS
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 0
    ip address 10.209.0.3 255.0.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 2.2.2.2 255.255.255.248
    time-range Indefinite
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_1
    network-object Eventual 255.0.0.0
    network-object T1 255.255.255.248
    network-object CFS 255.255.255.240
    access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 67.139.113.217 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Eventual 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 1.1.1.1
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 1 set phase1-mode aggressive
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.209.0.201-10.209.0.232 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy FTMGP internal
    group-policy FTMGP attributes
    vpn-idle-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
    default-group-policy FTMGP
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:701d8da28ee256692a1e49d904e9cb04
    : end
    asdm location Eventual 255.0.0.0 inside
    asdm location Local 255.255.255.0 inside
    asdm location T1 255.255.255.248 inside
    asdm location CFS 255.255.255.240 inside
    asdm history enable
    Thank You.

    I'm just re-engaging on the firewall this afternoon, but right now I'm getting request timed out on the pings....
    Here's the output requested:
    Result of the command: "show crypto isakmp sa"
    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1 IKE Peer: 1.1.1.1
    Type : L2L Role : initiator
    Rekey : no State : AM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
    access-list outside_1_cryptomap extended permit ip 10.209.0.0 255.255.255.0 10.0.0.0 255.0.0.0
    local ident (addr/mask/prot/port): (Local/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (Eventual/255.0.0.0/0/0)
    current_peer: 1.1.1.1
    #pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0
    local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: 8FC06BD1
    current inbound spi : 42EC16F4
    inbound esp sas:
    spi: 0x42EC16F4 (1122768628)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, PFS Group 2, }
    slot: 0, conn_id: 4096, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (62207/28464)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    outbound esp sas:
    spi: 0x8FC06BD1 (2411752401)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, PFS Group 2, }
    slot: 0, conn_id: 4096, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (62201/28464)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    Here's the current config:
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.0 Eventual
    name 10.209.0.0 Local
    name 67.139.113.216 T1
    name 1.1.1.0 IntegraCFS
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 0
    ip address 10.209.0.3 255.0.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 2.2.2.2 255.255.255.248
    time-range Indefinite
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_1
    network-object Eventual 255.0.0.0
    network-object T1 255.255.255.248
    network-object IntegraCFS 255.255.255.240
    access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list No_NAT extended permit ip Local 255.255.255.0 Eventual 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list No_NAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
    route outside Eventual 255.255.255.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Eventual 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 1.1.1.1
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 1 set security-association lifetime kilobytes 65535
    crypto map outside_map 1 set phase1-mode aggressive
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.209.0.201-10.209.0.232 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy FTMGP internal
    group-policy FTMGP attributes
    vpn-idle-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
    default-group-policy FTMGP
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:301e573544ce0f89b3c597bdfe2c414a
    : end
    asdm location Eventual 255.0.0.0 inside
    asdm location Local 255.255.255.0 inside
    asdm location T1 255.255.255.248 inside
    asdm location IntegraCFS 255.255.255.240 inside
    asdm history enable

Maybe you are looking for

  • Adobe Muse CC (2014) - Installation Fails, then Finishes, but no application.

    I'm having trouble installing Muse. the installer gets to 84% and fails. I've uninstalled, repaired permissions, booted from repair partition and repaired, zapped PRAM and then tried them all again twice, but it still doesn't install. Here's the erro

  • NO  MATERIAL VALUE DISPLAY IN MB51 . PL HELP ?

    Dear All ,                         user is using MB51, for seeing the data for stock transfer material here in this t.code user  is giving plant , strg. loc., mvmt. type, posting date,  & executing it so now the report is having - > MAT. CODE , STRG.

  • No sim works for my nokia lumia 520

    My brother gave me an Nokia lumia 520, and i have tried off all of the sim cards and some ask for a sim card code or something similar im not sure now. on others it says that its in gpm or gps mode im not sure what to do i don't know what to do. i ca

  • Cant Get Music on My Phone

    Had iTunes match on my phone with 7000 songs and than i synced my phone and lost all my music on the phone and can't get any music back on it even if i turn iTunes match off

  • My photoshop app doesn't get installed in my computer

    I installed it a couple months ago for the trial. But then I uninstalled everything. And today I bought the membership and I it says like that it gets the actualization but it doesnt installe the app.