Cisco ASA - Pass Through QoS Traffic

Hi Sirs,
Given the following topology:
     Switch - IP Phone (Branch) |----| Router |----| MPLS |----| Router |----| ASA |----| Switch - Voice Network (Head Office)
My question, the ASA can impact the QoS traffic to pass through it?
Thank you!
Rafael Trujilho

Hi Andrew,
I want the ASA does NOT take any markings, NOT impacting the quality applied to voice traffic.
Regards,
Trujilho

Similar Messages

  • Cisco ASA IPsec encrypt selective traffic between peers

    Hello i have aproximately this topology:
    192.168.13.0/24  ----> ASA1 (Public IP 10.1.1.2) ---> ISP1 <----> ISP2 --->ASA2 (Public IP 10.1.2.2) ---->192.168.4.0/24
    Both ASA are 55xx
    I've setup IPsec site-to-site vpn between these two ASA and now the net 192.168.13.0/24 is able to access the net 192.168.4.0 and vice versa.
    Now, I want to access the ASA2 with via SNMP from 192.168.13.0 but it seems that ISP1 or ISP2 blocks UDP port 161 ...
    Now my question:
    can I encrypt the traffic between 192.168.13.0/24 and 10.1.2.2 ?
    I tried to add NAT and VPN ACL an entries like this:
    ASA1:
    permit from net 192.168.13.0/24 to host 10.1.2.2
    no nat from net 192.168.13.0/24 to host 10.1.2.2
    ASA2:
    permit from host 10.1.2.2 to net 192.168.13.0/24
    After this setup I watch in ASDM / monitoring / VPN Session Details:
    ASA1
    Local Addr: 192.168.13.0/24
    RemoteAddr: 10.1.2.2
    Bytes TX: 46036
    Bytes RX: 0
    ASA2
    Local Addr: 10.1.2.2
    RemoteAddr: 192.168.13.0/24
    Bytes TX: 0
    Bytes RX: 45144
    From log debugging I watch that the ICMP and SNMP packets from 192.168.13.0/24 arive to 10.1.2.2, but it seems that ASA2 doesn't repply... Any idea ?
    ASA2 config:
    route ISP2 192.168.13.0 255.255.255.0 10.1.1.2
    crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
    access-list ISP2_cryptomap line 1 extended permit ip 192.168.4.0 255.255.255.0 192.168.13.0 255.255.255.0
    access-list ISP2_cryptomap line 1 extended permit ip host 10.1.2.2 192.168.13.0 255.255.255.0
    crypto map ISP2_map4 1 match address ISP2_cryptomap
    crypto map ISP2_map4 1 set peer 10.1.1.2
    crypto map ISP2_map4 1 set ikev1 transform-set FirstSet
    crypto map ISP2_map4 1 set security-association lifetime seconds 86400
    crypto map ISP2_map4 interface ISP2
    crypto ikev1 enable ISP2
    crypto ikev1 am-disable
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    tunnel-group 10.1.1.2 type ipsec-l2l
    tunnel-group 10.1.1.2 ipsec-attributes
    ikev1 pre-shared-key *****
    ASA1 Config:
    route ISP1 10.1.2.2 255.255.255.255 10.1.1.1
    access-list ISP1_cryptomap line 1 extended permit ip 192.168.13.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list ISP1_cryptomap line 1 extended permit ip 192.168.13.0 255.255.255.0 host 5.56.103.111
    crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
    crypto map ISP1_map4 1 match address ISP1_cryptomap
    crypto map ISP1_map4 1 set peer 10.1.2.2
    crypto map ISP1_map4 1 set ikev1 transform-set FirstSet
    crypto map ISP1_map4 1 set security-association lifetime seconds 86400
    crypto map ISP1_map4 interface ISP1
    crypto ikev1 enable ISP1
    crypto ikev1 am-disable
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    tunnel-group 10.1.2.2 type ipsec-l2l
    tunnel-group 10.1.2.2 ipsec-attributes
    ikev1 pre-shared-key *****

    LAN behind ASA is 192.168.50.0/24, but i need have comunication between 
    192.168.211.0/24 and 192.168.212.0/24
    I have ACL in both direction because i need initialize connection from both sides:
    192.168.211.0/24 <-> 192.168.212.0/24
    i have both acl becasue i have two peers:
    crypto map SDM_CMAP_1 211 match address test-p1-p2
    crypto map SDM_CMAP_1 211 set peer 8.8.8.8
    crypto map SDM_CMAP_1 212 match address test-p2-p1
    crypto map SDM_CMAP_1 212 set peer 8.8.4.4
    i removed :
    route outside 192.168.211.0 255.255.255.0 194.146.123.1 1
    but it didn't help
    packet-tracer input outside icmp 192.168.211.1 0 3 192.168.212.1
    Phase: 8
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xd83fd240, priority=70, domain=encrypt, deny=false
            hits=81, user_data=0x0, cs_id=0xd7b688c8, reverse, flags=0x0, protocol=0
            src ip=192.168.211.0, mask=255.255.255.0, port=0
            dst ip=192.168.212.0, mask=255.255.255.0, port=0, dscp=0x0

  • IPSec Pass Through on ASA

    I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPSec tunnel to another firewall. The IPSec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA but it is not being allowed to pass through to the inside interface.I have enabled NAT-T on the thrid party firewall but it still does not get the reply traffic becuase it gets stopped at the Cisco ASA.
    Any thoughts?

    Is your third party FW attached directly to your ASA? If not, do you have a route to that device on your ASA?
    Please perform a packet-tracer to see why the return traffic is not reaching the third party FW..
    packet-tracer input outside udp 500 500 detail
    If the packet-tracer shows traffic going through successfully, perhaps it is your third party FW that is blocking the traffic?
    Please reply with packet-tracer results.
    Kind Regards,
    Kevin
    **Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

  • UDP Broadcast Traffic from Cisco ASA

    Hi,
    I want to know that, like Cisco IOS Router, Does Cisco ASA pass the UDP Broadcast traffic e.g., TFTP etc...?
    Any thoughts ???
    BR,
    Mubasher Sultan

    Hi Mubasher,
    Unlike the router the ASA does not forward any kind of broadcast packet (with the exemption of the DHCP broadcasts when DHCP Relay is enabled).
    I understand that your DHCP server is providing here the IP address for your TFTP servers. I guess you are using DHCP option 150.
    So if the DHCP server is on one interface and the client is on another you can configure DHCP Relay on your ASA.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
    In regards of the TFTP requests these will be normal unicast packets as Cadet said so just make sure that you have the proper ACLs and NAT rules for that.

  • AAA Authentication for Traffic Passing through ASA

    I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificated. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
    Am I missing something?
    firewall# show run aaa
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication match guestnetwork_access guestnetwork RADIUS
    aaa authentication secure-http-client
    firewall# show access-li guestnetwork_access
    access-list guestnetwork_access; 2 elements
    access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
    access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
    firewall# show run aaa-s
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.250.14
    key xxxxx
    firewall# show run http
    http server enable

    your definition for the aaa-server is different to the aaa authentication server-group
    try
    aaa authentication http console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL

  • Does IPv6 traffic "pass-through" or "drop" by cisco waas?

    Since cisco waas is not yet supported IPv6, if i am running IPv4 and IPv6 dual stack mode on the same circuit, does IPv6 traffic get dropped by the waas or does waas put IPv6 traffic in "pass-through" mode and let it goes?  I am thinking, waas will treat IPv6 as non-IP traffic and will let it goes.  Am i right?
     

    Hi Joe and Kanwai,
    One note though - if your running WCCP as the redirection mode, you won't get the IPv6 traffic redirected, as WCCP does NOT support IPv6. Hence you won't see IPv6 traffic at all on the WAAS device.
    Best Regards
    Finn Poulsen

  • Cisco ASA QoS traffic policing - how to count conform burst

    hi,
    I have cisco ASA 8.4(5). I will do configuration for QoS traffic policing. Maximum output/input rate will be 850 Mbits/s.
    I am not sure if I need to do configuration also for conform burst ? if yes, can I count suitable value for it ? I must admit that I dont understand difference between conform rate and conform burst.
    access-list acl_qos_policing_admin extended permit ip any any
    class-map class_qos_policing_admin
     match access-list acl_qos_policing_admin
    policy-map policy_qos_policing_admin
     class  class_qos_policing_admin
     police output 850000000 xxxxxxx
     police input 850000000 xxxxxxx
    service-policy policy_qos_policing_admin interface
    inside_ADM

    Hi, I already have done configuration on production firewall. Bandwidth test worked very good for 200Mbps or 300 Mbps. But I got little strange results for bigger rate limits such 600Mbps or 850 Mbps. I could not see any dropped packets. I did test via http://www.speedtest.net. Maybe because
    I need to set conform-burst? there is now only default value (If you set bigger conform-rate then you get bigger conform-burst with default value).
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
          Input police Interface inside_EDU:
            cir 200000000 bps, bc 6250000 bytes
    Interface inside_EDU:
      Service-policy: policy_qos_policing_edu
        Class-map: class_qos_policing_edu
          Output police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
          Input police Interface inside_EDU:
            cir 600000000 bps, bc 18750000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
          Input police Interface inside_ADM:
            cir 300000000 bps, bc 9375000 bytes
    Interface inside_ADM:
      Service-policy: policy_qos_policing_admin
        Class-map: class_qos_policing_admin
          Output police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes
          Input police Interface inside_ADM:
            cir 850000000 bps, bc 26562500 bytes

  • Cisco ASA 5505 L2TP Pass through

    I am having trouble with L2TP pass through on an ASA 5505 device.
    L2TP server: OSX 10.6
    I can connect with any OSX system and it works fine straight away.
    When connecting with a windows computer I get a 789 error.  "Error 789: The L2TP connection attempt failed because the security layer encountere a processing error during the initial negotiations with the remote computer."
    I did not setup or configure the device to start with and apart from this issue its working fine so I am hessitant at trying to just mess around too much to try and find the problem.
    I am using the ASDM 6.4 to manage the device.
    Ports look to be forwarded correctly; 1701, 4500 & 500 UDP.
    Im just looking for other common issues?
    Rob

    Below is the commands you wanted.
    Where you see: IPNOTWHATIWASEXPECTING
    This is an IP I dont know. possible and old IP address.
    and
    default-domain value domain-notcorrect.local
    This is an old domain from years ago.
    Result of the command: "show run crypto"
    crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
    crypto ipsec transform-set aes-192-sha esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map map-dynamic 1 set pfs group5
    crypto dynamic-map map-dynamic 1 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto dynamic-map map-dynamic 2 set pfs
    crypto dynamic-map map-dynamic 2 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto dynamic-map map-dynamic 3 set pfs
    crypto dynamic-map map-dynamic 3 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto dynamic-map map-dynamic 4 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer IPNOTWHATIWASEXPECTING3
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 2 match address acl-amzn
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer IPNOTWHATIWASEXPECTING IPNOTWHATIWASEXPECTING
    crypto map outside_map 2 set transform-set transform-amzn
    crypto map outside_map 255 ipsec-isakmp dynamic map-dynamic
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 2
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 3
    authentication pre-share
    encryption aes-256
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 11
    authentication pre-share
    encryption aes-192
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 12
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 13
    authentication pre-share
    encryption aes-192
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 21
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 22
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 23
    authentication pre-share
    encryption aes
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 31
    authentication pre-share
    encryption 3des
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 32
    authentication rsa-sig
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 33
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 34
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    Result of the command: "show run group-policy"
    group-policy evertest internal
    group-policy evertest attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy petero internal
    group-policy petero attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy awsfilter internal
    group-policy awsfilter attributes
    vpn-filter value amzn-filter
    group-policy vpnpptp internal
    group-policy vpnpptp attributes
    dns-server value 10.100.25.252
    vpn-tunnel-protocol l2tp-ipsec
    group-policy vanheelm internal
    group-policy vanheelm attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy ciscoVPNuser internal
    group-policy ciscoVPNuser attributes
    dns-server value 10.100.25.10
    vpn-idle-timeout 720
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy chauhanv2 internal
    group-policy chauhanv2 attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy oterop internal
    group-policy oterop attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy Oterop internal
    group-policy Oterop attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 30
    group-policy chauhanv internal
    group-policy chauhanv attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 30
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy bnixon2 internal
    group-policy bnixon2 attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    Result of the command: "show run tunnel-group"
    tunnel-group ciscoVPNuser type remote-access
    tunnel-group ciscoVPNuser general-attributes
    address-pool vpnippool
    default-group-policy ciscoVPNuser
    tunnel-group ciscoVPNuser ipsec-attributes
    pre-shared-key *****
    tunnel-group petero type remote-access
    tunnel-group petero general-attributes
    address-pool vpnippool
    default-group-policy petero
    tunnel-group petero ipsec-attributes
    pre-shared-key *****
    tunnel-group oterop type remote-access
    tunnel-group oterop general-attributes
    address-pool vpnippool
    default-group-policy oterop
    tunnel-group oterop ipsec-attributes
    pre-shared-key *****
    tunnel-group vanheelm type remote-access
    tunnel-group vanheelm general-attributes
    address-pool vpnippool
    default-group-policy vanheelm
    tunnel-group vanheelm ipsec-attributes
    pre-shared-key *****
    tunnel-group chauhanv type remote-access
    tunnel-group chauhanv general-attributes
    default-group-policy chauhanv
    tunnel-group Oterop type remote-access
    tunnel-group Oterop general-attributes
    default-group-policy Oterop
    tunnel-group chauhanv2 type remote-access
    tunnel-group chauhanv2 general-attributes
    address-pool vpnippool
    default-group-policy chauhanv2
    tunnel-group chauhanv2 ipsec-attributes
    pre-shared-key *****
    tunnel-group bnixon2 type remote-access
    tunnel-group bnixon2 general-attributes
    address-pool vpnippool
    default-group-policy bnixon2
    tunnel-group bnixon2 ipsec-attributes
    pre-shared-key *****
    tunnel-group vpnpptp type remote-access
    tunnel-group vpnpptp general-attributes
    address-pool vpnippool
    default-group-policy vpnpptp
    tunnel-group IPNOTWHATIWASEXPECTING4 type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING4 ipsec-attributes
    pre-shared-key *****
    tunnel-group evertest type remote-access
    tunnel-group evertest general-attributes
    address-pool vpnippool
    default-group-policy evertest
    tunnel-group evertest ipsec-attributes
    pre-shared-key *****
    tunnel-group evertest ppp-attributes
    authentication ms-chap-v2
    tunnel-group IPNOTWHATIWASEXPECTING3 type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING3 ipsec-attributes
    pre-shared-key *****
    tunnel-group IPNOTWHATIWASEXPECTING2 type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING2 general-attributes
    default-group-policy awsfilter
    tunnel-group IPNOTWHATIWASEXPECTING2 ipsec-attributes
    pre-shared-key *****
    isakmp keepalive threshold 10 retry 3
    tunnel-group IPNOTWHATIWASEXPECTING type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING general-attributes
    default-group-policy awsfilter
    tunnel-group IPNOTWHATIWASEXPECTING ipsec-attributes
    pre-shared-key *****
    isakmp keepalive threshold 10 retry 3
    Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsec"
    INFO: There are presently no active sessions of the type specified
    Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNAT"
    INFO: There are presently no active sessions of the type specified

  • Cisco ASA not returning traffic when wccp peering with Bluecoat.

    Experts,
    My setup has a Cisco ASA where we are doing wccp with a Bluecoat SG box. The traffic gets redirected to the Bluecoat due to the wccp settings so it's just transparent to the end users. Theye do not have to do any manual proxy settings in their IE.
    We however notice that somehow the ASA does not return these connection back to the requesting hosts and somehere the connection table breaks. The message we see on the ASA that state table is somehow not being maintained. Any idea where this connection must be breaking?
    Regards,
    Nikhil Kulkarni.

    Nikhil,
    Let me give you a little bit of backgrounf in regards to WCCP that can help you. As you stated the ASA will do transparent redirection, so the client doesn't have to configure anything on the PC.
    The traffic will get to the ASA (port 80/443 or any configured port) and then the ASA will establish a GRE tunnel with WCCP server and will redirect the traffic. After the Bluecoat receives the traffic it will "spoof" the IP address of the requested web page (the WCCP server needs to have direct comunication with the client PC without passing through the ASA). I have seen some issues where the ASA and the WCCP server are unable to establish the GRE tunnel becuase the ASA uses the highest IP address as the router ID and uses this IP address to establish the tunnel. The WCCP keepalives (Here I am, I see you) are sent using the IP address of the closest IP address to the WCCP server.
    At this point you may turn on the WCCP debugs and run some "show WCCP" commands.
    I hope it helps
    Luis Silva

  • Cisco ASA 5520 traffic between interfaces

    Hello,
    I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
    ciscoasa# ping esx_management 192.168.10.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ciscoasa# ping home_network 192.168.10.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Thank you in advance.

    Hi,
    Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
    I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
    packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
    I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
    I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
    Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
    Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
    Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
    Static Identity NAT
    static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
    static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
    static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
    OR
    NAT0
    access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
    nat (home_network) 0 access-list HOMENETWORK-NAT0
    Hope this helps
    - Jouni

  • Cisco asa 5505: No traffic lan to wan with IPv6

    Hello everybody,
    I have a Cisco ASA 5505, public ipv6 in outside interface, private ipv6 in LAN, from router I can ping any ipv6 in Internet and ping my LAN ipv6. Traffic doesn't go through router.
    This is my configuration.
    interface Vlan1
     nameif inside
     security-level 100
     ip address PRIV-Saturn1 255.255.255.0
     ipv6 address fc00::1/7
     ipv6 enable
    interface Vlan2
     nameif outside
     security-level 0
     ip address PUBLIC26 255.255.255.248
     ipv6 address xxxx:yyyy:67:36::2/64
     ipv6 enable
     ipv6 nd suppress-ra
    access-list Dynamic_Filter_ACL extended permit tcp any6 any6
    ipv6 route outside ::/0 xxx:yyyy:67:36::1
    Am I omitting anything?
    Thanks in advance for the help.
    Jos P

    Since you're using IPv6 private addressing (fc00::) on the inside, you need a dynamic NAT entry to translate your private IPv6 addresses to a public one.
    Alternatively, you could just use a subnet of your registered IPv6 block for the inside network and not worry about NAT.

  • Trying to pass internet with a Cisco ASA 5505

    Hello,
       I have not been having much success configuring my 5505 for Internet access, and I'm sure there are a few small things I'm missing.  At times I believe I got it to the point where I could ping, but still not pass through the Internet traffic.  At this point, I reset the 5505 and only changed a couple of settings. 
    I have an external range with these characteristics: Network Address 67.139.113.16 (.17 is Gateway), SM: 255.255.255.248, available IP: 67.139.113.218
    The external connection is through a T1 modem, and when I put those settings in my laptop, I can access just fine.
    When I went through the startup wizard in the ADSM, I maded the internal interface 10.209.0.3, subnet mask: 255.255.255.0
    I selected PAT in the Wizard, but don't know if I should have, or if the NAT rules I tried to put in are fine.
    Eventually I want to add a Site to Site VPN to the rest of the 10.0.0.0 network, but I can't even pass the Internet through to the inside.
    Also, this will eventually be behind another hosted firewall, so I'm not worried about restricting access, even currently.
    However, I suspect the problem is that traffic is being blocked with the NAT rules or Access rules.
    I wish I could just disable those inherent deny rules
    Outside of pings to 10.209.0.3, all pings come back as request timed out.
    Can someone please review this, and see if they notice anything I can change?
    I do appreciate it....
    Config:
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.0 Eventual
    name 10.209.0.0 Local
    name 67.139.113.216 T1
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 0
    ip address 10.209.0.3 255.0.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 67.139.113.218 255.255.255.248
    time-range Indefinite
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 Local 255.255.255.0 any time-range Indefinite
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 0.0.0.0 0.0.0.0 dns tcp 255 255  udp 255
    access-group inside_access_in in interface inside
    route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Eventual 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.209.0.201-10.209.0.232 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:d3c4872f997a93984332213f98fbe12b
    : end
    asdm location Eventual 255.0.0.0 inside
    asdm location Local 255.255.255.0 inside
    asdm location T1 255.255.255.248 inside
    asdm history enable

    Unfortunately that didn't work....
    The new config:
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.0 Eventual
    name 10.209.0.0 Local
    name 67.139.113.216 T1
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 0
    ip address 10.209.0.3 255.0.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 67.139.113.218 255.255.255.248
    time-range Indefinite
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Eventual 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.209.0.201-10.209.0.232 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:64bbf533cf1bd591e797c053ea9e107a
    : end
    asdm location Eventual 255.0.0.0 inside
    asdm location Local 255.255.255.0 inside
    asdm location T1 255.255.255.248 inside
    asdm history enable
    I am getting some more encouraging messages in the Syslog, but I still cannot bing 8.8.8.8 or the outside interface.
    5
    Aug 29 2008
    01:42:55
    8.8.4.4
    53
    Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src inside:10.209.0.6/64477 dst inside:8.8.4.4/53 denied due to NAT reverse path failure
    6
    Aug 29 2008
    01:42:54
    10.209.0.6
    1686
    SSL session with client inside:10.209.0.6/1686 terminated.
    6
    Aug 29 2008
    01:42:54
    10.209.0.6
    1686
    10.209.0.3
    443
    Deny TCP (no connection) from 10.209.0.6/1686 to 10.209.0.3/443 flags FIN ACK on interface inside

  • Allow RTP traffic to pass through different subnets

    I'm having trouble setting up a two-radio system. We have a location on a subnet and everything local functions correctly. But we also have a remote site that has an antenna and that remote site can communicate with the main location except with RTP. Below is a crude version of the setup to help visualize it.
    radio --> Cisco 3560 -->3750--->3750---(ATT Gigaman)--> 6807 (main data center) ---(TWC Point-to-point)--> 4507 (remote core) -->3560-->radio
    As I said I can ping, ssh, communicate in every way possible between the two locations but at the remote site the radio is unable to communicate via RTP.
    Any suggestions or ideas on what the problem could be? I was advised to create span ports from remote to home and run wireshark each time to see where it fails, but the remote site is an hour away and I'd like to avoid the 2hr drive to try that.

    Just in case anyone else encounters this issue what I had to do was enable multicast through the entire path between the radio at the remote site and the server at the main site. We narrowed the multicast to the VLAN's that were going to be passing the radio traffic.

  • Black box able to log traffic passing through...

    Hi
    I'm looking for a box able to sniff the tcp/ip traffic (source ip address, destination ip address and ports) passing from it's ingress interface to the egress interface and viceversa (useful the bypass option if this box fails) without any change of the traffic passing through, just logging it and sending this log to a syslog server.
    We need it as solution to be compliant with the new police law against computer criminals where is written that all the internet traffic has to be logged (we offer sometimes transparent internet access to our customers where we do not put any kind of equipment as firewall, proxy or something else, only the router providing the internet access).
    Do you know if Cisco provide something like that ? Other vendors ?
    Any other idea how to be compliant with this request ?
    Thanks
    Pls advise
    Ric

    Cisco Intrusion Prevention System Sensor can be used to log ip traffic. You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic at the first parameter you specify.You can also have the sensor log IP packets every time a particular signature is fired. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged

  • QoS in Cisco ASA Transparant

    Guys,
    Can you help me,
    I am confuse about why Cisco ASA Transparant can't support QoS, Do transparant ASA don't traverse traffic with QoS tagging or they (transparant ASA) traverset traffic with QoS but don't support QoS modification/implementation in Cisco like traffic shapping, Queque management ?
    Best Regards,
    Rizal Ferdiyan

    Hi Rizal,
    Packets take a different code path internally when the ASA is in transparent mode versus routed mode and this path does not include QoS support. Your best bet would be to implement this on the switch connected to the ASA, or another device upstream.
    I would also suggest contacting your Cisco account team and asking that a product enhancement request be filed if this is a requirement for you.
    -Mike

Maybe you are looking for

  • Sales order - KOFK account determination - incompletion procedure

    Hi Gurus, i am a little bit confused and need help! When I am creating a sales order (free of charge) and assign a WBS Element i get the message in the imcompletion routine that the account for type KOFK is missing. I know where to maintain this but

  • Not able to stop flip effect available in the distortioneffects swc

    Hi, I am using flip effect available in the distortioneffects.swc component(http://blogs.adobe.com/auhlmann/archives/2007/03/distortion_effe.html).I am trying to stop a running flip effect.Though the isPlaying property of the effect is false when i t

  • [Workflow 2013] No tasks created (Only the first task)

    Hello  I ve created a Sharepoint Workflow 2013  (so using workllow manager) with visual studio 2013 that contains some simple and composite tasks. On my development environment, all tasks are created and the workflow is well executed and terminated.

  • Problem camera Recording

    Hello, I have a G20 and on the back of it there is a S-video in port. As far as I know i must then be able to record my camcorder vhs films . Using Intervideo windvd does however nothing. Using pinaclle studio 9 recognizes a tv port but stll no image

  • Syslog messages not showing

    Hello, I have a newly installed LMS 4.1 that had the Syslog feature working for a while. Recently, the Syslog is no longer displaying any records (neither new or old messages). Below are the steps I have tried to troubleshoot the problem: - Installed