Cisco ASA, skipping real source port number with PAT.

Similar Messages

• Cisco ASA 5510 Site to Site VPN with Sonicwall

  I am trying to setup a VPN tunnel between a Cisco ASA 5510 (Version 8.2(2)) and Sonicwall TZ200. I got tunnel up and going and I am able to ping the Cisco ASA internal IP from the Sonicwall LAN but nothing else works. When I try to ping a host behind the Cisco ASA from the Sonicwall LAN I get the following message "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx denied due to NAT reverse path failures" on the ASA
  Googling the above error shows issues with version 8.3 and later which looked like the nat commands were changed but the ASA I am working on is still on 8.2 and the other common issue is not adding a NAT exemption. I have double-triple checked that I did add a NAT exception rule from the hosts on the cisco network to the hosts on the Sonicwall network. Seems like I have hit a road block so any help would be appreciated. Thanks
  Here are some excertps from the config file (10.20.2.0 behind the cisco and 10.20.10.0 behind the sonicwall)
  nat (inside) 0 access-list nonat
  access-list nonat extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer x.x.x.x
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 28800
  group-policy SiteToSitePolicy internal
  group-policy SiteToSitePolicy attributes
  vpn-idle-timeout none
  vpn-tunnel-protocol IPSec
  split-tunnel-network-list none
  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group x.x.x.x general-attributes
  default-group-policy SiteToSitePolicy
  tunnel-group x.x.x.x ipsec-attributes
  pre-shared-key *****
  Added few excerpts from config file

  Yes inspect icmp is enabled in global_policy
  The ping requests time out (The only ping that works is when I ping from the remote side to the ASA internal IP address, no other pings from either side work)
  #show crypto isakmp sa
  1   IKE Peer: x.x.x.x
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  #show crypto ipsec sa
  interface: outside
      Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
        access-list outside_2_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
        local ident (addr/mask/prot/port): (10.20.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
        current_peer: y.y.y.y
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 39543, #pkts decrypt: 39543, #pkts verify: 39543
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: 0ED0F897
        current inbound spi : 596CCE6F
      inbound esp sas:
        spi: 0x596CCE6F (1500302959)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 50327552, crypto-map: outside_map
           sa timing: remaining key lifetime (sec): 7440
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x0ED0F897 (248576151)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 50327552, crypto-map: outside_map
           sa timing: remaining key lifetime (sec): 7440
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

• Cisco ASA 5512, IP NVR port forwarding

  Hi,
  i have Cisco 5512 ASA with version 8.6(1)2. i have one IP NVR for ip cameras.
  please help me how to configure port forwarding in cisco asa in CLI?
  I have static IP on ASA 94.56.178. 222 and NVR IP 10.192.192.100
  thank you so much.

  ASA#
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   94.56.178.222   255.255.255.255 identity
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
   Forward Flow based lookup yields rule:
   in  id=0x7fffa2969000, priority=0, domain=permit, deny=true
          hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=OUTSIDE, output_ifc=any
  Result:
  input-interface: OUTSIDE
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  please advise 

• Wrong remote port number with TCP listener

  Hi
  I am sending data from a dsp with a network card over TCP/IP to my pc running labview7express. The data is received correctly, I use a 'TCP create listener' followed by a 'TCP wait on listener' to establish the connection, followed by a while loop with 'TCP read' in it.
  The port returned by 'TCP create listener' is correct (1001), but somehow 'TCP wait on listener' returns 57345 as remote port!?
  Also when using another port eg 1003 it still returns 57345..
  Anyone knows how this erroneous portnumber is achieved?

  stino wrote:
  > Hi
  > I am sending data from a dsp with a network card over TCP/IP to my pc
  > running labview7express. The data is received correctly, I use a 'TCP
  > create listener' followed by a 'TCP wait on listener' to establish the
  > connection, followed by a while loop with 'TCP read' in it.
  > The port returned by 'TCP create listener' is correct (1001), but
  > somehow 'TCP wait on listener' returns 57345 as remote port!?
  > Also when using another port eg 1003 it still returns 57345..
  > Anyone knows how this erroneous portnumber is achieved?
  Nothing wrong with that. A TCP/IP connection has ALWAYS two connection
  ends with each of them using a port number. 1001 is the port of the
  local listen socket (which needs to be fixed so that clients can connect
  to a know
  n server) in your LabVIEW application. 57345 is the port number
  used by your software running on your DSP board. A client usually has no
  fixed port number but allocates any port number not already in use. When
  the listen socket receives a connection request it connects and passes
  the connection with the local port 1001 and the remote port 57345
  through TCP Wait On Listener to your application. Since you set up the
  Listen Socket in Create Listener you already know its port number so TCP
  Wait on Listener does only return the port number of the remote
  connection end of your connection.
  Rolf Kalbermatter
  Rolf Kalbermatter
  CIT Engineering Netherlands
  a division of Test & Measurement Solutions

• Cisco AS5400 SIP Trunk source port ?

  Hello,
  Is there a command to fix the trunk signaling source port to 5060 in the Cisco AS5400XM ?
  Thanks,

  hi,
  what's the exact issue?
  IOS  can use random port as source port on SIP request.
  However if you are running 12.3 then you cannot set it to one port.
  Later 12.4(5a) and 12.4(6)T have following hidden command.
  (config-sip-ua)#connection-reuse
  This command sets used source port to SIP listen port.
  It sets it to udp port 5060
  Hope this helps!!
  Thanks,
  karthik

• Cisco Asa 5505 and Layer 3 Switch With Remote VPN Access

  i got today a new CISCO LAYER 3 Switch .. so here is my scenrio
  Cisco Asa 5505
  I
  Outside  == 155.155.155.x
  Inside  =      192.168.7.1
  VPN POOL Address =   10.10.10.1   -   10.10.10.20
  Layer 3 Switch Config
  Vlan 2
  interface ip address =  192.168.1.1
  Vlan 2
  interface ip address =  192.168.2.1
  Vlan 2
  interface ip address =  192.168.3.1
  Vlan 2
  interface ip address =  192.168.4.1
  Vlan 2
  interface ip address =  192.168.5.1
  ip Routing
  So i want My Remote Access VPN clients to access all this Networks. So Please can you give me a helpfull trick or Link to configure the rest of my routing
  Thank You all

  When My Remote VPN is Connected , it reaches 192.168.7.2 of the Layer 3 VLan that's Connected to The ASA 5505 ,
  But i can't reach the rest of the VLAN - example
  192.168.1.1
  192.168.1.2
  192.168.1.3
  192.168.1.4
  192.168.1.5
  But i can reach the Connected Interface Vlan to My ASA ..
  So here i think iam miss configuration to my Route
  Any Help Please this is urgent

• Cisco ASA 5510 and Spiceworks port forward

  So you want to set up a static NAT from 207.123.123.123:9876 to 192.168.0.11:9876. (I assume you're keeping the same port on the public interface.)
  Here's a link to a how-to for setting it up. (I'm headed out the door for the weekend. Sorry!) Hope this helps.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/na..
  Skip down to the section "Configuring Static NAT or Static NAT-with-Port-Translation"

  I know this topic has been beaten to death, but I'm rather green with firewalls and would like some guidance with why my config is not working. I'm using ASDM 6.4.
  My public address is 207.123.123.123 (simplified for this example)
  My Spiceworks server is 192.168.0.11 (SpiceServer)
  My SpiceServer SSL port for SW is 9876
  I've created a NAT for SpiceServer to Any Outside connection. I've created an access rule for Outside where Any is destined for SpiceServer and I created a Service Group for TCP-UDP for Port 9876.
  Where am I going wrong (besides everywhere)??
  This topic first appeared in the Spiceworks Community

• Two Cisco ASA 5505, IPSec Multiple Subnets, Problem with Phase2, DSL

  Hi all.
  we have following IPSec configuration:
  ASA Site 1:
  Cisco Adaptive Security Appliance Software Version 9.1(1)
  crypto ipsec ikev1 transform-set TSAES esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set TSMD5 esp-3des esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal PropAES256
  access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.97.0 255.255.255.0
  access-list SITE_2 extended permit ip 172.28.60.0 255.255.254.0 172.27.97.0 255.255.255.0
  access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.97.0 255.255.255.0
  access-list SITE_2 extended permit ip 172.27.0.0 255.255.0.0 172.27.99.0 255.255.255.0
  access-list SITE_2 extended permit ip 172.22.0.0 255.255.0.0 172.27.99.0 255.255.255.0
  crypto map CMVPN 5 match address SITE_2
  crypto map CMVPN 5 set peer IP_SITE2
  crypto map CMVPN 5 set ikev2 ipsec-proposal PropAES256
  crypto map CMVPN interface OUTSIDE
  route OUTSIDE 172.27.97.0 255.255.255.0 citic-internet-gw 255
  route OUTSIDE 172.27.99.0 255.255.255.0 citic-internet-gw 255
  tunnel-group IP_SITE2 type ipsec-l2l
  tunnel-group IP_SITE2 general-attributes
  default-group-policy VPN_S2S_WAN
  tunnel-group IP_SITE2 ipsec-attributes
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  ASA Site 2:
  Cisco Adaptive Security Appliance Software Version 9.1(4)
  access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.28.60.0 255.255.254.0
  access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.27.0.0 255.255.0.0
  access-list SITE_1 extended permit ip 172.27.97.0 255.255.255.0 172.22.0.0 255.255.0.0
  access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.27.0.0 255.255.0.0
  access-list SITE_1 extended permit ip 172.27.99.0 255.255.255.0 172.22.0.0 255.255.0.0
  crypto map CMVPN 10 match address SITE_1
  crypto map CMVPN 10 match address SITE_1
  crypto map CMVPN 10 set peer IP_SITE1
  crypto map CMVPN 10 set ikev2 ipsec-proposal IKEV2AES
  crypto map CMVPN 10 set reverse-route
  crypto map CMVPN interface OUTSIDE
  tunnel-group IP_SITE1 type ipsec-l2l
  tunnel-group IP_SITE1 general-attributes
  default-group-policy VPN_S2S_WAN
  tunnel-group IP_SITE1 ipsec-attributes
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  We are not able to reach from 172.22.20.x ips 172.27.99.x.
  It seems so that the phase2 for this subnet is missing…...... as long as we try to reach from 172.27.99.x any ip in 172.22.20.x.
  We are using similar configuration on many sites and it works correctly expect sites with DSL line.
  We can exclude problem with NAT,ACL or routing. The connection is working fine as long as “we open all phase 2 manually” . After re-open (idle timeout) the tunnel the problem comes back.
  Thanks in advance for your help.
  Regards.
  Jan
  ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
  Session Type: LAN-to-LAN Detailed
  Connection   : IP ASA Site 2
  Index        : 3058                   IP Addr      : IP ASA Site 2
  Protocol     : IKEv2 IPsec
  Encryption   : IKEv2: (1)AES256  IPsec: (3)AES256
  Hashing      : IKEv2: (1)SHA512  IPsec: (3)SHA1
  Bytes Tx     : 423634                 Bytes Rx     : 450526
  Login Time   : 19:59:35 HKT Tue Apr 29 2014
  Duration     : 1h:50m:45s
  IKEv2 Tunnels: 1
  IPsec Tunnels: 3
  IKEv2:
    Tunnel ID    : 3058.1
    UDP Src Port : 500                    UDP Dst Port : 500
    Rem Auth Mode: preSharedKeys
    Loc Auth Mode: preSharedKeys
    Encryption   : AES256                 Hashing      : SHA512
    Rekey Int (T): 86400 Seconds          Rekey Left(T): 79756 Seconds
    PRF          : SHA512                 D/H Group    : 5
    Filter Name  :
    IPv6 Filter  :
  IPsec:
    Tunnel ID    : 3058.2
    Local Addr   : 172.22.0.0/255.255.0.0/0/0
    Remote Addr  : 172.27.97.0/255.255.255.0/0/0
    Encryption   : AES256                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 22156 Seconds
    Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607648 K-Bytes
    Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
    Bytes Tx     : 312546                 Bytes Rx     : 361444
    Pkts Tx      : 3745                   Pkts Rx      : 3785
  IPsec:
    Tunnel ID    : 3058.3
    Local Addr   : 172.27.0.0/255.255.0.0/0/0
    Remote Addr  : 172.27.97.0/255.255.255.0/0/0
    Encryption   : AES256                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 22165 Seconds
    Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607952 K-Bytes
    Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
    Bytes Tx     : 50014                  Bytes Rx     : 44621
    Pkts Tx      : 496                    Pkts Rx      : 503
  IPsec:
    Tunnel ID    : 3058.4
    Local Addr   : 172.27.0.0/255.255.0.0/0/0
    Remote Addr  : 172.27.99.0/255.255.255.0/0/0
    Encryption   : AES256                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 22324 Seconds
    Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607941 K-Bytes
    Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
    Bytes Tx     : 61074                  Bytes Rx     : 44461
    Pkts Tx      : 402                    Pkts Rx      : 437
  NAC:
    Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
    SQ Int (T)   : 0 Seconds              EoU Age(T)   : 6648 Seconds
    Hold Left (T): 0 Seconds              Posture Token:
    Redirect URL :
  ....  after ping from 172.27.99.x any ip in 172.22.20.x.
  ASA Site 1# sh vpn-sessiondb detail l2l filter ipaddress ASA Site 2
  Session Type: LAN-to-LAN Detailed
  Connection   : IP ASA Site 2
  Index        : 3058                   IP Addr      : IP ASA Site 2
  Protocol     : IKEv2 IPsec
  Encryption   : IKEv2: (1)AES256  IPsec: (4)AES256
  Hashing      : IKEv2: (1)SHA512  IPsec: (4)SHA1
  Bytes Tx     : 784455                 Bytes Rx     : 1808965
  Login Time   : 19:59:35 HKT Tue Apr 29 2014
  Duration     : 2h:10m:48s
  IKEv2 Tunnels: 1
  IPsec Tunnels: 4
  IKEv2:
    Tunnel ID    : 3058.1
    UDP Src Port : 500                    UDP Dst Port : 500
    Rem Auth Mode: preSharedKeys
    Loc Auth Mode: preSharedKeys
    Encryption   : AES256                 Hashing      : SHA512
    Rekey Int (T): 86400 Seconds          Rekey Left(T): 78553 Seconds
    PRF          : SHA512                 D/H Group    : 5
    Filter Name  :
    IPv6 Filter  :
  IPsec:
    Tunnel ID    : 3058.2
    Local Addr   : 172.22.0.0/255.255.0.0/0/0
    Remote Addr  : 172.27.97.0/255.255.255.0/0/0
    Encryption   : AES256                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 20953 Seconds
    Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4606335 K-Bytes
    Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
    Bytes Tx     : 652492                 Bytes Rx     : 1705136
    Pkts Tx      : 7419                   Pkts Rx      : 7611
  IPsec:
    Tunnel ID    : 3058.3
    Local Addr   : 172.27.0.0/255.255.0.0/0/0
    Remote Addr  : 172.27.97.0/255.255.255.0/0/0
    Encryption   : AES256                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 20962 Seconds
    Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607942 K-Bytes
    Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
    Bytes Tx     : 60128                  Bytes Rx     : 52359
    Pkts Tx      : 587                    Pkts Rx      : 594
  IPsec:
    Tunnel ID    : 3058.4
    Local Addr   : 172.27.0.0/255.255.0.0/0/0
    Remote Addr  : 172.27.99.0/255.255.255.0/0/0
    Encryption   : AES256                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 21121 Seconds
    Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607931 K-Bytes
    Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
    Bytes Tx     : 70949                  Bytes Rx     : 50684
    Pkts Tx      : 475                    Pkts Rx      : 514
  IPsec:
    Tunnel ID    : 3058.5
    Local Addr   : 172.22.0.0/255.255.0.0/0/0
    Remote Addr  : 172.27.99.0/255.255.255.0/0/0
    Encryption   : AES256                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 28767 Seconds
    Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
    Idle Time Out: 25 Minutes             Idle TO Left : 24 Minutes
    Bytes Tx     : 961                    Bytes Rx     : 871
    Pkts Tx      : 17                     Pkts Rx      : 14
  NAC:
    Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
    SQ Int (T)   : 0 Seconds              EoU Age(T)   : 7852 Seconds
    Hold Left (T): 0 Seconds              Posture Token:
    Redirect URL :

  Hi,
  on 212 is see
  tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
  tunnel-group 195.xxx.xxx.xxx ipsec-attributes
  pre-shared-key
  When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
  If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
  Regards,
  Abaji.

• Source port 0 with Summarize set to 15

  See Sig. ID 5930/0 in IME in Event Monitoring as an example.
  If the Alert Frequency, Summary mode of an IPS signature is set to Summarize with a value of 15, does this mean that all 15 hits receive the stated Action Taken (eg. dropped packet, deniedFlow, tcpOneWayResetSent) as in the first alert triggered.
  Is it true that the display of 'port 0' in the next triggered event represents the following 14 events which also experience the same action taken as the first, but the Actions Taken words (dropped packet, deniedFlow, tcpOneWayResetSent) are not displayed (ie. the field is blank).
  Can someone clear this up for me?
  Thanks.
  WG

  Hi,
  Yes, actually what will happen is that after X amount of events (times triggered the signature) on an X amount of time you will see an event generated.
  The action will be the same for all events (times triggered the signature) but message will only display after X amount of events
  http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clisgdef.html#wp1040171
  HTH
  Luis Silva
  "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
  http://www.cisco.com/web/partners/tools/pdihd.html

• ASA PAT UDP source port

  Is there a way to preserve the source port for UDP packets that use a PAT pool?
  Here is what I need:
  The client (1.1.1.1) sends a UDP packet from port 5060 to port 5060 on our external 2.2.2.2. This packet is port forwarded to our internal server 10.10.10.10 with the original source and destination port. The server then sends a UDP response to the client from port 5060 to port 5060. The server is in a PAT pool that only contains the address 2.2.2.2. The ASA changes the source port and our client ends up rejecting the packet because the source port is not what it expected.
  How can I preserve the original source port when the packet goes through the PAT pool?
  Thanks,
  Steven

  Hi,
  Well you could probably make this work for the outbound direction BUT in the inbound direction from the Internet I dont think the is really a way to use the same public IP address and public UDP port.
  I mean, the ASA doesnt have any way to determine what traffic on destination port UDP5060 to destination IP 2.2.2.2 would have to be forwarded to which internal IP.
  It would simply use the first rule matched always.
  But as I said for the outbound direction it might work.
  You would simply add another similiar NAT statement with different source object with different source IP address. ASA would again accept the command but give an warning about rule overlap.
  I guess the below added would work for the outbound direction IN THEORY
  object network HOST-1
  host 10.10.11.11
  object network HOST-2
  host 10.10.11.12
  nat (inside,outside) source static HOST-1 interface service UDP5060 UDP5060
  nat (inside,outside) source static HOST-2 interface service UDP5060 UDP5060
  But not for inbound, though if I understood correctly, the inbound traffic should only even go to a single virtual IP
  I would imagine this is as close as you can get to "implementing" something wierd on the ASA
  - Jouni

• Cisco ASA not returning traffic when wccp peering with Bluecoat.

  Experts,
  My setup has a Cisco ASA where we are doing wccp with a Bluecoat SG box. The traffic gets redirected to the Bluecoat due to the wccp settings so it's just transparent to the end users. Theye do not have to do any manual proxy settings in their IE.
  We however notice that somehow the ASA does not return these connection back to the requesting hosts and somehere the connection table breaks. The message we see on the ASA that state table is somehow not being maintained. Any idea where this connection must be breaking?
  Regards,
  Nikhil Kulkarni.

  Nikhil,
  Let me give you a little bit of backgrounf in regards to WCCP that can help you. As you stated the ASA will do transparent redirection, so the client doesn't have to configure anything on the PC.
  The traffic will get to the ASA (port 80/443 or any configured port) and then the ASA will establish a GRE tunnel with WCCP server and will redirect the traffic. After the Bluecoat receives the traffic it will "spoof" the IP address of the requested web page (the WCCP server needs to have direct comunication with the client PC without passing through the ASA). I have seen some issues where the ASA and the WCCP server are unable to establish the GRE tunnel becuase the ASA uses the highest IP address as the router ID and uses this IP address to establish the tunnel. The WCCP keepalives (Here I am, I see you) are sent using the IP address of the closest IP address to the WCCP server.
  At this point you may turn on the WCCP debugs and run some "show WCCP" commands.
  I hope it helps
  Luis Silva

• Will there be any problem if CSS reuses a TCP PORT number?

  Will there be any problem if CSS reuses a TCP PORT number for a new flow a few minutes after it finished a flow with the same TCP Port number.
  CSS Server inititaed connection to Internet.
  Sometimes a TCP RST terminates the connection. When it happens it appears that the CSS has used a TCP source port number which is sthe same as a previous flow that FIN'ed a few minutes ago. See attachment.

  My answer to your question is, I think you'll be 'less likely'. Although the screen proble has also been reported to create blue tints over the screen at certain angles, thus, if you do get a defective (yet to be confirmed) device, then sadly, it will most definatley affect the colours of a cartoon show.

• Get TCP Service Name Port Number

  The TCP Listen and TCP Create Listener VIs have an input terminal named 'Service Name', once a listener is created in the LabVIEW application is it possible to query which named service is running and on what port in an external application? The external application may or may not be developed in LabVIEW.
  The TCP Create Listener VI outputs the port number used, this is useful for information purposes but I can see no automatic method for an external application to get this information?
  The C++ function getservbyname does not return any information given the known, created and listening LabVIEW TCP listener.
  Solved!
  Go to Solution.

  From the LabVIEW help:
  service name creates a known reference for the port number. If you specify a service name, LabVIEW registers the service name and the port number with the NI Service Locator.
  NI Service Locator:
  http://digital.ni.com/public.nsf/allkb/227453F884CE035386256E55007A303D
  Now is the right time to use %^<%Y-%m-%dT%H:%M:%S%3uZ>T
  If you don't hate time zones, you're not a real programmer.
  "You are what you don't automate"
  Inplaceness is synonymous with insidiousness

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• ASA 5505 Site-to-Site VPN with multiple networks

  Hi,
  I have 2 Cisco ASAs 5505 in the different places with a created connection Site-to-Site VPN. It’s working fine in the networks where they are (10.1.1.0/24 and 10.2.1.0/24 respectively).
  Additionally to the ASA1 are connected two subnets: 10.1.2.0/24 and 10.1.3.0/24 and the ASA2 is connected to one subnet: 10.2.2.0/24
  A problem is when I’m trying to get to a host in the subnet behind the ASA2 from the subnet behind the ASA1  and vice versa.
  Any help would be greatly appreciated.

  It's all about the crypto ACL. You have to combine all networks behind ASA1 with all networks behind ASA2. You can use object-groups for that to handle it. What's the config of your crypto ACL?
  Sent from Cisco Technical Support iPad App