Configure multiple SSH connections through ASA
I have two pieces of equipment on the inside of the network that people on the outside need to access via SSH. Is there a way to do this?
Mike
There are many ways:
1. If you have multiple public IPs, then you configure PAT for each internal system with a unique public IP.
2. If you only have one public IP, or not enough of them, then you configure PAT with a mapping where, for example, Public:221 maps to INT1:22, Public:222 maps to INT2:22 and so on.
3. The external users could use a VPN client to connect to your network.
Probably you'll pick solution 2; then the config could look like this on the ASA:
object network SERVER1
host 10.10.10.1
nat (inside,outside) static interface service tcp 22 221
object network SERVER2
host 10.10.10.2
nat (inside,outside) static interface service tcp 22 222
object network SERVER3
host 10.10.10.3
nat (inside,outside) static interface service tcp 22 223
access-list OUTSIDE-IN permit tcp any object SERVER1 eq 22
access-list OUTSIDE-IN permit tcp any object SERVER2 eq 22
access-list OUTSIDE-IN permit tcp any object SERVER3 eq 22
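As an added example (not part of the original answer), the Python checker below parses the object NAT and access-list lines from the answer above, derives the public-port to internal-host mapping outside users must dial, and flags the mistakes that usually break this setup: two objects sharing a mapped port, an ACL written against the mapped port instead of the real port (ASA 8.3+ access lists match untranslated addresses and ports, which is why the answer uses eq 22), and ACLs open to any source. SAMPLE_CONFIG is the answer's own text; BAD_CONFIG, the function names and the 203.0.113.5 address are constructed for illustration.

```python
# Added checker for the ASA static-PAT objects and inbound ACL lines in the answer above.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The answer's own configuration (ASA 8.3+ object NAT syntax).
SAMPLE_CONFIG = """\
object network SERVER1
 host 10.10.10.1
 nat (inside,outside) static interface service tcp 22 221
object network SERVER2
 host 10.10.10.2
 nat (inside,outside) static interface service tcp 22 222
object network SERVER3
 host 10.10.10.3
 nat (inside,outside) static interface service tcp 22 223
access-list OUTSIDE-IN permit tcp any object SERVER1 eq 22
access-list OUTSIDE-IN permit tcp any object SERVER2 eq 22
access-list OUTSIDE-IN permit tcp any object SERVER3 eq 22
"""

# Constructed broken variant: two objects share mapped port 221 and the ACL
# is written against the mapped port instead of the real port.
BAD_CONFIG = """\
object network BAD1
 host 10.10.10.9
 nat (inside,outside) static interface service tcp 22 221
object network BAD2
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 22 221
access-list OUTSIDE-IN permit tcp host 203.0.113.5 object BAD1 eq 221
"""

@dataclass
class NetObject:
    name: str
    host: Optional[str] = None
    proto: Optional[str] = None
    real_port: Optional[int] = None    # port the server really listens on
    mapped_port: Optional[int] = None  # port exposed on the outside interface

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
# nat (real_ifc,mapped_ifc) static interface service <proto> <real_port> <mapped_port>
NAT_RE = re.compile(r"^nat \(\S+,\S+\) static interface service (tcp|udp) (\d+) (\d+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) "
                    r"(any4?|host \S+|object-group \S+|object \S+|\S+ \S+) object (\S+) eq (\d+)$")

def parse_config(text: str) -> Tuple[Dict[str, NetObject], List[dict]]:
    """Collect network objects (with their static PAT) and the ACL entries."""
    objects: Dict[str, NetObject] = {}
    acls: List[dict] = []
    current: Optional[NetObject] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = NetObject(name=m.group(1))
            objects[current.name] = current
        elif (m := HOST_RE.match(line)) and current:
            current.host = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            current.proto, current.real_port, current.mapped_port = m.group(1), int(m.group(2)), int(m.group(3))
        elif m := ACL_RE.match(line):
            acls.append({"name": m.group(1), "proto": m.group(2), "src": m.group(3),
                         "obj": m.group(4), "port": int(m.group(5))})
    return objects, acls

def mapping_table(objects: Dict[str, NetObject]) -> Dict[int, Tuple[str, int]]:
    """Public port -> (internal host, real port): what outside users must connect to."""
    return {o.mapped_port: (o.host, o.real_port) for o in objects.values() if o.mapped_port is not None}

def check_port_forwards(objects: Dict[str, NetObject], acls: List[dict]) -> List[str]:
    """Return ERROR/WARN findings about the forwarded services."""
    findings: List[str] = []
    used: Dict[Tuple[str, int], str] = {}
    for obj in objects.values():
        if obj.mapped_port is None:
            findings.append(f"WARN {obj.name}: no static PAT, not reachable from outside")
            continue
        key = (obj.proto, obj.mapped_port)
        if key in used:
            findings.append(f"ERROR {obj.name}: mapped port {obj.proto}/{obj.mapped_port} already used by {used[key]}")
        used.setdefault(key, obj.name)
        permitted = [a for a in acls if a["obj"] == obj.name and a["proto"] == obj.proto]
        if not permitted:
            findings.append(f"WARN {obj.name}: no access-list entry permits the forwarded service")
        for a in permitted:
            # ASA 8.3+ access lists match the real (untranslated) address and port,
            # which is why the answer writes 'eq 22' and not 'eq 221'.
            if a["port"] != obj.real_port:
                findings.append(f"ERROR {obj.name}: access-list {a['name']} uses port {a['port']} but must match the real port {obj.real_port}")
            if a["src"] in ("any", "any4"):
                findings.append(f"WARN {obj.name}: access-list {a['name']} permits any source; restrict it to known client addresses")
    for a in acls:
        if a["obj"] not in objects:
            findings.append(f"ERROR access-list {a['name']} references undefined object {a['obj']}")
    return findings
```

Run against the answer's config, the only findings are the three "permits any source" warnings; against BAD_CONFIG the duplicate mapped port and the wrong ACL port are reported as errors.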
Similar Messages
-
SSH connection through the Homehub
I'm unsure if this is the correct thread. Sorry if it isn't.
Basically I'm trying to turn off the BTHOMEHUB2's SSH server it's hosting. I have an SSH server running on my home network which is facing the internet. At the moment it is set up to use a non-standard port and I use port forwarding on the home hub to make it all work. The problem is I need to use port 22 and it is already being used. I cannot see what possible reason there is to have port 22 filtered on the home hub.
Is there a way to turn this off so it can be used by my SSH server instead?
The only reason I'm curious if this can be done is because the BTHOMEHUB gives me the option to port forward SSH from port 22 as a preset application in the port forwarding options. So it must expect I can use port 22.
Thank you in advance for your help
James
Just as an alternative idea, it might be easier (and indeed partially more secure) if you were to change the port that your SSH server is using and have the hub port forward that port instead.
-
Multiple VPN Connections through Wireless router
I have an old LinkSys Wireless router that I use at home to connect to my work's VPN. Recently I've added a few machines to my network. I need 2 or 3 of them connected to the VPN at work simultaneously. However, if I connect more than one computer to the VPN one of them always drops. I cannot get more than one connection to the VPN. All 3 connections use a different ID and password so it is not an account problem.
My question is, is this a limitation of the older router? And if I get a new LinkSys Wireless-G router will that allow me to connect more than one machine to the VPN?
Thank You,
Jason
(Mod note: Removed non-public information.)
Message Edited by Vince_02 on 06-30-2007 10:02 AM
Hi,
I'm facing the same issue. I have a WRT54G.
You said something like "you will have to trigger the VPN ports instead of forwarding them."
Dunno what it means, can you explain it in more non-network-techy language... something which I can do... dunno if I can do it!
Thanks,
Santosh. -
Configure sapgui to connect through saprouter ?
Hi,
How do I do that?
Or maybe there is standard documentation on this task?
Thanks in advance
Vilius
Hi,
Check the link below
http://sap.ittoolbox.com/groups/technical-functional/sap-basis/usage-of-saprouter-189002
Rgds,
Suman -
Good morning everybody,
I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
What I want to do is to be able to authenticate users (802.1x authentication) against our company RADIUS server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization have been working completely smoothly (there are no problems with that itself). The concept involves the configuration of both DATA and VOICE VLANs as there is also phone authentication implemented. In order to simulate this environment I introduce a dumb switch connected to my Cisco 2960 Catalyst.
What I have successfully managed to get to work so far is this:
1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
show authentication sessions:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
However, I cannot succeed in authenticating multiple users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain mode.
What I want to get is an output like this:
Interface MAC Address Method Domain Status Session ID
Fa0/23 0021.9b62.b79b dot1x DATA Authz Success C0A8FF69000000F3008E (user1)
Fa0/23 b888.e3eb.ebac dot1x DATA Authz Success C0A8FF69000000F8008C (user2)
Fa0/23 0015.655c.b912 dot1x VOICE Authz Success C0A8FF69000000F9009F (phone)
I want the switch to authenticate the users any time they connect to it and for them to have instant access to the network. (I mention this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked, but two users never had access to the “Internet” simultaneously!!!)
The configuration of the interface connected to the Dumb switch is as follows.
interface FastEthernet0/x
description Connection to DUMBswitch
switchport mode access
switchport voice vlan XXX
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect
authentication host-mode multi-auth
authentication priority dot1x
authentication port-control auto
authentication timer reauthenticate 4000
authentication violation replace
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
The way I see it is explained in the following steps:
- PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
- When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
Has anybody ever succeeded with such a configuration example? If yes, I would love to get some help in doing so.
Thank you
Stoimen Hristov
Hi Stoimen,
I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
From what I can see, you have 2 options available to you:
1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
Hopefully someone else will chime in with another option.
Xavier -
Multiple SSH listening ports on Catalyst switches
Hi community,
On Cisco Routers you have the option to configure multiple SSH ports (instead of the default tcp 22) in combination with rotary groups. Then, attach these rotary groups to specific VTY lines. This works just fine.
But, it seems on Cisco switches, you can not define different SSH ports. The command Router(config)#ip ssh port portnum rotary group is not available. You can use the rotary statement on the VTY lines, but this works only for Telnet connections.
Does anyone know, if it's possible to use the rotary groups on switches with SSH? The goal which I am trying to achieve is, I want to use multiple AAA method lists, and define these under specific VTY lines. That way, I am able to designate specific users, connecting from specific IP addresses, on a dedicated VTY line, with a custom AAA method list.
Any help is much appreciated!
Kind regards,
Dion Dohmen
Hi,
I am currently using 12.2(58)SE2 on the 3560.
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)
I downgraded my IOS to check if it's still supported for the 3560 on 12.2(55)SE1 and it's not.
XXX uptime is 1 minute
System returned to ROM by power-on
System restarted at 14:38:50 GMT Tue Jul 29 2014
System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE1.bin"
XXX(config)#ip ssh ?
authentication-retries Specify number of authentication retries
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
precedence IP Precedence value for SSH traffic
source-interface Specify interface for source address in SSH connections
time-out Specify SSH time-out interval
version Specify protocol version supported
XXX(config)#ip ssh
I then upgraded to 12.2(55)SE9 and it's still not supported.
XXX uptime is 1 minute
System returned to ROM by power-on
System restarted at 14:47:49 GMT Tue Jul 29 2014
System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE9.bin"
XXX(config)#ip ssh ?
authentication-retries Specify number of authentication retries
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
precedence IP Precedence value for SSH traffic
source-interface Specify interface for source address in SSH connections
time-out Specify SSH time-out interval
version Specify protocol version supported
XXX(config)#ip ssh
I would recommend that you upgrade but I don't see any point unfortunately.
Thanks,
Nehmaan -
SSH timeout not available while on ssh connection
Hi Everyone,
I found that ssh timeout command is only available when you console to ASA.
It is not available when you SSH to the ASA. Is this the default behaviour, or is there any reason behind it?
Thanks
Mahesh
Hi Jennifer,
My bad, actually I overlooked the command.
It does have the option:
ciscoasa(config)# ssh ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network authorized to
login to the system
X:X:X:X::X/<0-128> IPv6 address/prefix authorized to login to the system
scopy Secure Copy mode
timeout Configure ssh idle timeout ?????????????
version Specify protocol version to be supported
exec mode commands/options:
disconnect Specify SSH session id to be disconnected after this keyword
Thanks for help.
Mahesh -
Multiple IPSEC tunnels on ASA 5505
Configuring Multiple IPSEC tunnels on ASA 5505
Hi,
I need to configure 2 different types of IPSEC tunnels on my ASA 5505. The 1st one is a static IPSEC tunnel already configured between HO and site A, and the 2nd one is a dynamic one to be configured between HO and site B; since site B does not have a static IP, I have to configure a dynamic IPSEC VPN.
I have the following clarifications:
1. After configuring the dynamic IPSEC, will my existing static IPSEC tunnel still work simultaneously?
2. Can I apply different crypto maps on the same outside interface? If not, then what settings do I need to make this work?
3. Do I need to create 1 more NAT 0, or can I add to the existing ACL which I have already created for the previous one?
Kindly help me on this.
Thanks in advance
Subhan Shaikh
France Telecom -
Number of ssh connection to Oracle servers
Hello All,
One of the requirements while implementing Oracle RAC is to have passwordless SSH connectivity between the nodes.
My question is, is that needed after implementation by the Oracle nodes?
Do the Oracle nodes communicate with each other using SSH after implementation?
Regards,
OK, a quick search yielded this Oracle document
http://www.oracle.com/technetwork/articles/hunter-rac11gr2-iscsi-2-088698.html
16. Configure RAC Nodes for Remote Access using SSH - (Optional)
Perform the following optional procedures on both Oracle RAC nodes to manually configure passwordless SSH connectivity between the two cluster member nodes as the "grid" and "oracle" user.
One of the best parts about this section of the document is that it is completely optional! That's not to say configuring Secure Shell (SSH) connectivity between the Oracle RAC nodes is not necessary. To the contrary, the Oracle Universal Installer (OUI) uses the secure shell tools ssh and scp commands during installation to run remote commands on and copy files to the other cluster nodes. During the Oracle software installations, SSH must be configured so that these commands do not prompt for a password. The ability to run SSH commands without being prompted for a password is sometimes referred to as user equivalence.
The reason this section of the document is optional is that the OUI interface in 11g release 2 includes a new feature that can automatically configure SSH during the actual install phase of the Oracle software for the user account running the installation. The automatic configuration performed by OUI creates passwordless SSH connectivity between all cluster member nodes. Oracle recommends that you use the automatic procedure whenever possible.
Regards
Venkat -
Ssh configuration to avoid connection timeouts / broken pipes ?
I'm running irssi through screen on my server via ssh. Recently, my parents' internet connection has become very dodgy, and because of this, my terminal freezes altogether once every 15 minutes or so, and resumes with some "broken pipe" message after a very long time (around 10 minutes). I usually just kill the terminal when I notice the freezing and open a new one with another ssh connection, but this seems to be getting more and more frequent, so it's very annoying. I was wondering if there is a way to get around this? Server configuration, client configuration, a different ssh client ... ?
By googling, I found that disabling "TCPKeepAlive" might do the trick, and so I did. It seemed to work at first, my connection was up for about half an hour, but then the same thing occurred again.
The saddest part of this is that by using puTTY on my phone over 3G, the connection stays up forever, but with the wired broadband, it won't stay up for more than 15 minutes.
EDIT: This time I got this message: "Timeout, server <myaddress> not responding", after 29 minutes.
Last edited by pauligrinder (2011-04-24 00:50:30)
Yep, this connection used to be reliable too, but now I get timeouts all the time, and also if I connect the Deluge-GTK to a daemon running on my server, it will randomly freeze and I have to reconnect to get it to work again. Luckily I'm getting out of here tomorrow.
Still, it would be nice to solve this problem, because I will be coming here every once in a while... I would call the ISP and complain (I don't think the problem can be with our routers, because ssh connections inside the LAN work just fine), but because it's Easter, their customer support is closed. Besides, I don't know how to explain the problem to them, because most likely they won't even know what ssh is...
I tried rwd's configs, and they didn't help either. The only difference is that it seems to timeout faster now, instead of freezing the whole terminal for a long time...
Last edited by pauligrinder (2011-04-25 14:13:11) -
Can no longer connect to ASA 5505 (serial or ssh)
I have an ASA 5505 running software version 8.0(4) that I picked up a while back. I had just finished configuring it via the serial console. I confirmed that DHCP addresses were being pushed out on the VLANs, made a couple of minor tweaks, and confirmed that I could ssh into the ASA on the appropriate VLAN. After that I issued a write to save the config and took the firewall downstairs to replace my cheap little router.
After hooking it up, I started checking my machines only to discover that none of the machines on any of the vlans were getting IP addresses. I assigned a static IP on the VLAN with management access but I still couldn't connect to it. A packet capture showed zero traffic coming from the ASA. I grabbed the ASA and hooked it back up via a serial console but now I can no longer connect to it. The power & status lights are on. Plugging in cables turns the link lights on in front and back and they flash indicating activity. When I unplug the ASA I see a single odd character show up in putty over the serial connection.
I'm out of ideas. Is there anything else I can do?
Thanks.
Step three of the password recovery option says, "During the startup messages, press the Escape key when prompted to enter ROMMON," but that pre-supposes that I'm seeing some output on the serial console. I'm seeing nothing at all (until I turn off the ASA, then I see a single odd character).
Despite not seeing the usual console output, I've tried repeatedly hitting Escape as indicated but I'm still not getting any output. I've even tried other baud rates.
Thank you for the suggestion. Other ideas? -
ASA 5505 configured for WebVPN connecting to Citrix Web Interface
ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (which I add as a bookmark for the Citrix server http://172.30.40.5). I enter Citrix and then, for example, I want to open Outlook, but it cannot open (when I want to open some application, no application opens). There is no alarm on the ASA. How do I solve this issue?
thanks.
Teymur,
Can you confirm that after disabling the SSL/TLS on the Citrix server (secure connectivity) you are getting exactly the same error. It is possible that it is generating a different error.
The bug where we have seen the existing error was CSCtf06303 but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA.
If you have confirmed the above two notes it may be advantageous to open a TAC case as we may need to do some live additional troubleshooting.
Thanks
-Jay -
Multiple connections through same user
We have a web app with an n-tier backend. We have found that we can run around 7 server apps on a single box, but when we push past that it starts degrading performance severely.
All of our back end apps connect to the database as the same user and I'm wondering if we are bottlenecking either on the database server or the back end server through the driver. The apps are written in VB6.0 and PowerBuilder7.x.
Should we put in an additional network card in the box and point another driver through it? I don't even know if it can be done but there has to be a setting or change I can make to help it out.
-Herb
Hi,
Trying to understand your issue:
you have a web application connecting to the database
it connects through a single application user
you found that degrading performance by this connectivity
want to add a new network card to the server
Is my understanding correct?
regards -
Telnet/SSH Connection to Switch
I'm studying for the CCENT, and I have one issue and two general inquiries I'd like to present.
First of all, I'm having trouble connecting to my 2950 using Telnet/SSH, though I've applied a VTY password. As an aside, I'm able to connect through the console. I applied an IP address to the switch, and I'm wondering if there's a part of the process that I've missed. When using Putty to connect to the IP, I immediately receive the "Network Error: Connection refused" error; the same basic message happens, using Tera Term.
Here's my running config:
Switch#show running-config
Building configuration...
Current configuration : 2416 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface FastEthernet0/1
switchport mode access
interface FastEthernet0/2
switchport mode access
interface FastEthernet0/24
switchport access vlan 2
switchport mode access
interface FastEthernet0/25
interface FastEthernet0/26
interface Vlan1
no ip address
no ip route-cache
shutdown
interface Vlan2
ip address 192.168.1.107 255.255.255.0
no ip route-cache
ip default-gateway 192.168.1.1
ip http server
line con 0
exec-timeout 0 0
password CCENT
logging synchronous
login
line vty 0 4
login local
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
end
--More--
The physical connection I'm using is from my desktop's second NIC, and I've configured the IPv4 connection to the switch's listed IP, which is 192.168.1.107. Is there anything listed above that would be problematic?
One of my questions has to do with the IP address that's supposed to be used to receive rsa keys: why is it necessary? Also, I tried entering the "ip address dhcp" command to grab an address from my WRT54G and received the following:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan2
Switch(config-if)#ip address dhcp
^
% Invalid input detected at '^' marker.
I'm following the directions in Odom's book, and I don't see what I'm missing.
My other question has to do with passwords, in general. Entering the username/password on either the interface-subcommand or the global configuration area seems unimportant, here:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#username DDDD password EEEE
Switch(config)#^Z
...and...
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#exit
Switch(config)#username FFFF password GGGG
Switch(config)#^Z
Here's the running config, afterwards:
Switch#show running-config
Building configuration...
Current configuration : 2535 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
username BBBB password 0 CCCC
username DDDD password 0 EEEE
username FFFF password 0 GGGG
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
--More--
It doesn't appear as though exiting out of config-if mode made any difference for the usernames/passwords. Then again, I can't connect through Telnet/SSH, so I'm not able to test it, at the moment.
I'm really sorry for the huge post, but I didn't want to start multiple threads. Any help is much appreciated.
- B
First of all, thank you all for the helpful responses!
My PC is currently connected through the router, from which a straight-through cable is connected to port Fa0/18, and it is indeed on vlan2, which is associated with 1.107.
I ran the arp -a command, and here's a portion of it:
Interface: 192.168.1.105 --- 0xc
Internet Address Physical Address Type
192.168.1.1 00-0c-41-d4-6d-a1 dynamic
192.168.1.104 64-a3-cb-3d-07-64 dynamic
192.168.1.107 00-0a-b7-13-e5-c0 dynamic
1.105 is one of the NICs on the desktop. The BIA listed for 1.107 is one of the static "CPU" addresses on the switch. Here's my current running config:
Switch#show running-config
Building configuration...
Current configuration : 2434 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface FastEthernet0/1
switchport mode access
interface FastEthernet0/2
switchport mode access
interface FastEthernet0/18
switchport access vlan 2
switchport mode access
interface FastEthernet0/19
switchport access vlan 2
switchport mode access
interface FastEthernet0/20
switchport access vlan 2
switchport mode access
interface FastEthernet0/21
switchport access vlan 2
switchport mode access
interface FastEthernet0/22
switchport access vlan 2
switchport mode access
interface FastEthernet0/23
switchport access vlan 2
switchport mode access
interface FastEthernet0/24
switchport access vlan 2
switchport mode access
interface FastEthernet0/25
interface FastEthernet0/26
interface Vlan1
no ip address
no ip route-cache
shutdown
interface Vlan2
ip address 192.168.1.107 255.255.255.0
no ip route-cache
ip default-gateway 192.168.1.1
ip http server
line con 0
exec-timeout 0 0
password CCENT
logging synchronous
login
line vty 0 4
password NICE
login
transport input telnet ssh
line vty 5 15
password NICE
login
transport input telnet ssh
end
As you can see, I've added the VTY passwords, though I thought I had already done that. Actually, to what do the "CCNA" and "CCIE" passwords listed above apply? I'm assuming those are the local login credentials I added for the VTY lines.
I just got through disconnecting the switch's straight-through cable from the router and connecting it directly to my desktop's second NIC again, and I still can't connect remotely. Where should the troubleshooting start, at this point? -
Unable to browse internet on a domain user's computer through ASA 5503 Firewall
Dear All,
I am trying to configure my new firewall for the last one month but still unable to fix it. I have a domain in windows 2012 standard edition and the firewall with unlimited license. Here is the output of show startup-config. Please note that prpgb.org is my local domain.
prpgbasa# show startup-config
: Saved
: Written by enable_15 at 02:50:45.169 PKT Thu Nov 20 2014
ASA Version 8.2(5)
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 202.142.XXX.YY 255.255.255.252
ftp mode passive
clock timezone PKT 5
dns server-group DefaultDNS
domain-name prpgb.org
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 10.0.0.2 255.0.0.0
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:23c0af4b2ddf9e925f83ce13909ab900
prpgbasa#
You are all requested to have a look into the problem and suggest modifications to me.
Thanks
Dear All,
I have solved the issue. I have done the following in order to browse the internet on domain user computers. Here are the steps:
1. I have disabled my internal DHCP server in the domain.
2. Then I have configured the ASA DHCP server in the default IP address scheme, i.e. 192.168.1.100-200.
3. I have connected my ASA to a switch first, then from there I connected a cable to my Domain Server's WAN interface. The LAN (192.168.1.2) interface of the Domain server is also plugged into the same switch.
4. I am using my Domain Server's DNS for name resolution and forward queries that are not served by my domain to the OpenDNS servers.
It works perfectly so far, but before applying or setting up the entire network I want your help to look into the configuration file for corrections if I am making any mistakes. Thanks again for your help, and here is the output of show config.
prpgbasa# show startup
: Saved
: Written by Ghaffar at 02:11:24.319 PKT Mon Dec 8 2014
ASA Version 8.2(5)
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ddns update hostname PRPGB.ORG
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 202.142.XXX.YY 255.255.255.252
ftp mode passive
clock timezone PKT 5
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.2
domain-name prpgb.org
object-group network obj_any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 192.168.1.2 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
dhcpd update dns both interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ABC password FL01QCj0LaLWTID0 encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c4930a079158c0cb10a42813d3690cd
prpgbasa#
Please let me know if there are any recommendations.
Thanks in advance.
Ghaffar
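The post above asks for a review of the configuration. As an added example (not code from the thread), here is a small Python checker run over a constructed excerpt of that ASA 8.2 config: it flags cleartext telnet management access, management sources wider than the interface's own subnet, and dhcpd pools that collide with the interface address or the advertised DNS server. The function and sample names are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 config posted above (assumed lines, not the full dump).
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 192.168.1.2 interface inside
"""

def interface_networks(lines):
    # Map nameif -> IPv4Interface by walking 'interface' / 'nameif' / 'ip address' stanzas.
    nets, name = {}, None
    for line in lines:
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            nets[name] = ipaddress.IPv4Interface("{}/{}".format(*line.split()[2:4]))
    return nets

def review(config):
    """Return (severity, message) findings for the management-access and dhcpd lines."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    nets, pools, findings = interface_networks(lines), {}, []
    for line in lines:
        if m := re.match(r"(telnet|ssh|http) (\S+) (\S+) (\S+)$", line):
            proto, src, mask, ifname = m.groups()
            src_net = ipaddress.IPv4Network(f"{src}/{mask}", strict=False)
            if proto == "telnet":
                findings.append(("medium", f"telnet enabled on {ifname}: cleartext management, prefer ssh only"))
            if ifname in nets and not src_net.subnet_of(nets[ifname].network):
                findings.append(("high", f"{proto} source {src_net} on {ifname} is wider than its subnet"))
        elif (m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", line)) and m.group(3) in nets:
            lo, hi, ifname = m.groups()
            lo_a, hi_a = pools[ifname] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
            net = nets[ifname].network
            if lo_a not in net or hi_a not in net:
                findings.append(("high", f"dhcpd pool {lo}-{hi} lies outside {ifname} subnet {net}"))
            if lo_a <= nets[ifname].ip <= hi_a:
                findings.append(("high", f"dhcpd pool on {ifname} includes the interface address"))
        elif m := re.match(r"dhcpd dns (\S+) interface (\S+)$", line):
            dns, ifname = m.groups()
            if ifname in pools and pools[ifname][0] <= ipaddress.IPv4Address(dns) <= pools[ifname][1]:
                findings.append(("high", f"dhcpd dns {dns} sits inside the {ifname} pool: address collision risk"))
    return findings
```

On the excerpt above the only finding is the telnet line; the same checks run unchanged over a full `show running-config` paste.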