Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)

Similar Messages

• VPN Server with two router local network

  I just got a Mac Mini Server 2011 to set up as a home server. One of the main features I want to use is a VPN so I can access my files on my local network when I'm away from home. I live in Japan and I have a Japanese optical connection to the internet that runs through two boxes before I can use it in any form: some sort of modem, and a "gateway" which I literally just found out is also acting as a router and serving DHCP addresses. In addition, I have a 2TB Time Capsule that, until just recently, I had been using in the "Share a Public IP" mode because I didn't realize the gateway was also issuing DHCP addresses. I cannot simply plug my TC into the modem in place of the gateway - both are required to access the internet.
  Until today I had both routers using DHCP on the local networks they each created. Under that environment, I had finally configured Lion Server to file share (easy), manage network accounts (moderate), and serve Profile Manager (difficult). But despite my best efforts at mapping the ports on the Time Capsule, I just couldn't get the ports open using tools like canyouseeme.org, so the VPN was a no-go. That's when I realized the gateway could be a router too, so with some creative google searches, and extensive use of google translate, I was able to figure out how to open ports on the gateway. It does it pretty differently from the Time Capsule and other routers I've seen. It asks you define the host on the LAN (what i assume to be the target IP), the protocol (TCP vs. UDP), and then a range of ports for it to open. I plugged in the IP of the Time Capsule, opened all the UDP ports (since it was an option to just open all, and I figured 1) the TC would still protect my network and 2) it would just be a test), but I still couldn't see the ports as being open.
  So then I got desperate, and I switched the TC back to Bridge Mode, reconfigured the Server and my MBP (my client Mac) to the new IP addresses being served by the Japanese gateway, and tried again. I think I reconfigured the DNS settings in Server Admin properly to account for the change in IP, and then updated the services in Server.app, but now I can't even get to my server homepage (the apple placeholder page) using either its IP or its .private domain, and to make matters worse, I STILL can't seem to get the ports open (yes, I changed the port mapping to send it directly to the server IP as the target after the change).
  To add insult to injury, the wired ethernet connection I had been running from my TC to the MM Server is now reporting a cable unplugged (it's not), even when I plug it directly into the gateway, though I am able to connect wirelessly.
  Does anyone have any idea what's going on? Why can't I get these ports open? (By the way, I called my ISP and they said they aren't blocking any of the ones I'd want to use for VPN.)
  What is the *better* set up - using the TC as a second LAN, serving its own DHCP addresses, or using it in Bridge mode?
  Why did these changes sever my wired connection?
  I was getting even more problems (like loss of internet connectivity on all devices) using the TC in bridge mode, so I decided to go back to the dual network setup.

  Hello Eric,
  As I mentioned above.
  For external Internet access, I would create a Generation
  1 VM
  and use 2 Legacy Network Adapters for
  the Interfaces . Connect it to the External and Internal network, and then install VM Linux IPFire (How
  to install) and
  configure IPFire with RED and GREEN interface.
  You don't need router or any firewall.
  I have the same set-up that you are trying to do in your lab and it's working great.
  All my VMs / computers on the LAN have their gateway the Linux VM.
  Hope this help.
  Regards,
  Charbel Nemnom
  MCSA, MCSE, MCS, MCITP
  Blog: www.charbelnemnom.com
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Configuring Cisco Router for use with Syslog Server

  Configuring Cisco Router for use with Syslog Server:
  Does anyone know of a good doc for this?
  -Ashley

  Start with that one: http://security-planet.de/wp-content/uploads/2008/12/logging-ios.pdf
  And if you need more informations, just ask what you want to achieve.
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Include multiple sub-interfaces in Cisco ASA for VPN tunnel

  I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
  Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
  Inside, int0/1 : 10.1.1.0/24
  DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
  Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
  Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
  And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
  So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
  Additional settings:
  Have ACL to allow all sub interfaces to access outsite ( lower security level)
  NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet. 
  I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

  I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
  Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
  Inside, int0/1 : 10.1.1.0/24
  DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
  Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
  Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
  And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
  So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
  Additional settings:
  Have ACL to allow all sub interfaces to access outsite ( lower security level)
  NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet. 
  I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

• Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

  I have enable and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have an Cisco ASA 5520 firewall at work, is there something I need to setup on the device? We want to allow users from
  home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

  Hi,
  Make sure that the required ports are allowed over he device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com
  Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected]

• How to configure Cisco ASA 5500 to work with the iPhone

  We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
  http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
  We've setup our first iPhone properly. It connects fine to the network, shows VPN connection as active. Gets a private IP address. But does not let any traffic go to the internal network. We thought it might be DNS problem, but it cannot connect to Exchange server even when using IP address instead of DNS. No luck either.
  After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
  Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
  I noticed that many people are having these problems.
  Please do not post to this topic if you have ANY OTHER Cisco device.
  Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
  Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
  It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
  Thank you!
  Oleg R

  We found the solution and a bug in Cisco firmware (seems to be a bug).
  First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
  access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
  access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set iphone esp-3des esp-sha-hmac
  crypto ipsec transform-set iphone mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
  crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
  crypto map outside_map 10 match address vpn
  crypto map outside_map 10 set transform-set ESP-AES-256-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 20
   authentication pre-share
   encryption aes-256
   hash sha
   group 5
   lifetime 86400
  crypto isakmp nat-traversal 20
  group-policy iphone internal
  group-policy iphone attributes
   wins-server value <insert ip> <insert ip>
   dns-server value <insert ip> <insert ip>
   vpn-tunnel-protocol IPSec
   ipsec-udp enable
   ipsec-udp-port 10000
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value iphone_splitTunnelAcl
   default-domain value <insert domain name>
  tunnel-group iphone type remote-access
  tunnel-group iphone general-attributes
   address-pool VPN-Pool
   authentication-server-group ActiveDirectory2
   default-group-policy iphone
  tunnel-group iphone ipsec-attributes
   pre-shared-key <insert pre-shared key>
  For iPhone you have to be using IPSec tab for configuration.
  We tried to set up this config using the wizards, but it would not work.
  Later it turned out that wizards by default set this setting:
  "crypto isakmp nat-traversal 20"
  equal to zero and there is no way to change it from the GUI.
  Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
  Please let me know how it works out for you.
  Message was edited by: Rogik
  Message was edited by: Rogik

• Cisco jabber for mac over fortigate vpn problem

  Hi all,
  We have installed the cisco jabber for mac successfully.Jabber client able to register locally successfully.
  Calling and other features working properly. Jabber IM also working fine.
  But when we try over vpn its shows error."services are missing".All the ports are open on fortigate firewall.

  If you have detailed diagnostics from the Jabber Mac client, this would provide some more context to why it's displaying those errors.  (Help > Detailed Logging enabled) (Help > Report a problem)
  Another thing to check for would be DNS resolution of the configured servers when the Mac is VPN'd in.  If Jabber cannot resolve the DNS name, it will not know where to connect to.
  If the diagnostics are pointing towards a connectivity problem, but the firewall says it's wide open, then taking a packet capture on the Mac where Jabber is trying to register may illustrate what's going on at the network layer.

• Configuring cisco 857 for BM39

  I know that I'm doing something wrong. Tried to follow example in appnote
  http://www.novell.com/coolsolutions/appnote/7971.html
  but once I turn on the "crypto map static-map" - I can no longer ping the
  router from a PC connected to the router. I'm preparing a Cisco-857 as my
  first attempt to run a site-to-site vpn using BorderManager v3.9.
  I'm pasting the relevant portions of the cisco config below. Would greatly
  appreciate your advice.
  TIA....Gregg
  ip dhcp excluded-address 192.168.255.1
  ip dhcp pool sdm-pool
  import all
  network 192.168.255.0 255.255.255.248
  default-router 192.168.255.1
  lease 0 2
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  lifetime 28800
  crypto isakmp key xx-my-key-xx address 192.168.19.13 255.255.255.252
  crypto ipsec transform-set vpn-wvtwp esp-3des esp-sha-hmac
  crypto map static local-address Vlan1
  crypto map static 1 ipsec-isakmp
  set peer 192.168.19.13
  set security-association lifetime seconds 7200
  set transform-set vpn-wvtwp
  match address vpn-static1
  interface ATM0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip route-cache flow
  no atm ilmi-keepalive
  dsl operating-mode auto
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
  ip address 192.168.19.14 255.255.255.252 secondary
  ip address 192.168.255.1 255.255.255.248
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip route-cache flow
  ip tcp adjust-mss 1452
  crypto map static-map
  ip route 172.16.0.0 255.255.248.0 192.168.19.13
  ip route 192.168.0.0 255.255.0.0 192.168.19.13
  ip access-list extended vpn-static1
  permit ip 192.168.255.0 0.0.0.7 172.16.0.0 0.0.7.255
  permit ip 192.168.255.0 0.0.0.7 192.168.0.0 0.0.255.255

  Gregg,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://support.novell.com/forums/faq_general.html
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Cisco asa 5505: No traffic lan to wan with IPv6

  Hello everybody,
  I have a Cisco ASA 5505, public ipv6 in outside interface, private ipv6 in LAN, from router I can ping any ipv6 in Internet and ping my LAN ipv6. Traffic doesn't go through router.
  This is my configuration.
  interface Vlan1
   nameif inside
   security-level 100
   ip address PRIV-Saturn1 255.255.255.0
   ipv6 address fc00::1/7
   ipv6 enable
  interface Vlan2
   nameif outside
   security-level 0
   ip address PUBLIC26 255.255.255.248
   ipv6 address xxxx:yyyy:67:36::2/64
   ipv6 enable
   ipv6 nd suppress-ra
  access-list Dynamic_Filter_ACL extended permit tcp any6 any6
  ipv6 route outside ::/0 xxx:yyyy:67:36::1
  Am I omitting anything?
  Thanks in advance for the help.
  Jos P

  Since you're using IPv6 private addressing (fc00::) on the inside, you need a dynamic NAT entry to translate your private IPv6 addresses to a public one.
  Alternatively, you could just use a subnet of your registered IPv6 block for the inside network and not worry about NAT.

• Cisco ASA not returning traffic when wccp peering with Bluecoat.

  Experts,
  My setup has a Cisco ASA where we are doing wccp with a Bluecoat SG box. The traffic gets redirected to the Bluecoat due to the wccp settings so it's just transparent to the end users. Theye do not have to do any manual proxy settings in their IE.
  We however notice that somehow the ASA does not return these connection back to the requesting hosts and somehere the connection table breaks. The message we see on the ASA that state table is somehow not being maintained. Any idea where this connection must be breaking?
  Regards,
  Nikhil Kulkarni.

  Nikhil,
  Let me give you a little bit of backgrounf in regards to WCCP that can help you. As you stated the ASA will do transparent redirection, so the client doesn't have to configure anything on the PC.
  The traffic will get to the ASA (port 80/443 or any configured port) and then the ASA will establish a GRE tunnel with WCCP server and will redirect the traffic. After the Bluecoat receives the traffic it will "spoof" the IP address of the requested web page (the WCCP server needs to have direct comunication with the client PC without passing through the ASA). I have seen some issues where the ASA and the WCCP server are unable to establish the GRE tunnel becuase the ASA uses the highest IP address as the router ID and uses this IP address to establish the tunnel. The WCCP keepalives (Here I am, I see you) are sent using the IP address of the closest IP address to the WCCP server.
  At this point you may turn on the WCCP debugs and run some "show WCCP" commands.
  I hope it helps
  Luis Silva

• Cisco Jabber for Windows 10.5 search Contact with two lastnames

  Hey Guys,
  I have a little problem with the contact search feature of the cisco jabber for windows (Version 10.5.37889)
  In my environment I have some Users (secretary phones and users too) which have two lastnames.
  Exampleuser1: Firstname: Thomas Lastname: Meier Cisco ....
  If a user is searching for Exampleuser1 by lastname (Cisco) the correct contact won't be listed
  If a user is searching for Exampleuser1 by firstname (Thomas) the correct contact will be listed
  If a user is searching for Exampleuser1 by lastname (Meier) the correct contact will be listed
  is there a workaround or something else for resolving my problem?
  thanks for reading my question :)

  Workaround: "Cisco Meier, Thomas"
  Have you looked at enabling wild card searches in jabber-config.xml?

• Cisco ASA 8.4.2 acl hitcount issue

  Hi,
  I have some peculiar issue that my acl hit count is not getting increased. not bale to ping the public ip's
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in extended permit icmp any any
  access-group inside_access_in in interface inside
  icmp permit any inside
  icmp permit any outside
  im able to ping my inside interface but not able to ping internet. from asa im able to ping internet
  my packet tracer output below.
  packet-tracer input inside icmp 10.20.90.1 7 7 8.8.8.8 detailed
  ASA# packet-tracer input inside icmp 10.20.90.1 7 7 8.8.8.8 $
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         Outside
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x6e1ef600, priority=500, domain=permit, deny=true
          hits=171641, user_data=0x8, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=inside, output_ifc=any
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: Outside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  ASA#
  my nat is like below
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network obj_any
  nat (inside,outside) dynamic interface
  Any suggestion really appreciated.

  Hello,
  Add the following
  fixup protocol ICMP
  If this does not make the difference do the following:
  1) Check the Ip address on your PC, make sure the ASA is the default gateway?
  2) Ping the ISP address ( The default gateway of the ASA)
  3) Share the complete output of show run nat
  Let me know the result

• Mar-2015 firmware for hp 8620 solves my issue with 6x4 paper not being picked up

  I had continual problems with my hp 8620 not picking up 6x4 photo paper.
  I tried a number of fixes as suggested elsewhere on forums. I had the most success with the "scan and copy 99 blank a4 pages" workaround, but half the time the printer would still fail to feed the 6x4 on the first go.
  Good news though, the latest firmware dated Mar 17 2015 has resolved this for me, and maybe it will improve it for others with the same problem.
  The firmware says:
  "This firmware upgrade is for HP Officejet Pro 8620/8625 e-All-in-One Printers.
  File name: OJP8620_R1502A.zip
  Release details
  Released: Mar 17, 2015
  Version FDP1CN1502AR
  Fix and enhancements
  Improvement to connectivity robustness
  Improvement to paper-path reliability"
  The link is here: http://support.hp.com/us-en/drivers/selfservice/HP-Officejet-Pro-8620-e-All-in-One-Printer-series/53...

  I just spent several hours troubleshooting this printer. My rollers were all clean. I then used a bright flashlight and monitored thru the front what it was doing when trying to load paper.. There is a grey wheel that is lowered to the paper and rotates pulling the sheet in. It simply just isn't getting lowered enough because its just spinning on top of the paper. I've tried a dozen different types of paper from heavy/thick to thin. I've tried fanning the paper and I've tried not fanning the paper. I've tried a full stack of paper down to a few sheets and everywhere in between. This is just a flawed printer and based on the hundreds of people I see having the exact same issues with this printer so soon afte purchase is an eye opener. {Content Removed: no legal discussion permitted} I'm simply this fed up with my last several HP printer purchases. Anyone else that is as fed up with me please {Personal Information Removed}. I'm going to start tracking down as many people as I can. I'll likely move this discussion to a third party forum, hopefully one with a very high volume of traffic so if this post mysteriously disappears google search for it.

• How to Configure Cisco ASA 5512 for multiple public IP interfaces

  Hi
  I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
  Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
  I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
  Outside Networks (I've changed the IPs for security purposes)
  Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
  Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
  Inside1 : E 0/1 192.168.255.1 255.255.248.0
  Inside2 : E 0/3 172.16.255.1 255.255.248.0
  My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
  I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
  I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
  Thanks in advance for the suggestions/help

  I have been away for a while and am just getting caught up on some posts. so my apology for a delayed response.
  I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP>
  To the original poster
  It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want were a group of users will use a specified ISP and the other group of users will use the other ISP you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
  HTH
  Rick

• How to configure CISCO ASA 5510 for internal remote desktop ?

  Helo,I have a client that want to install new ASA (5510) in their network.
  and then I did some experiment to implement it. the topology is like this :
  --------configuration---------
  2800 router :
  interface FastEthernet0/0
  ip address 172.16.1.1 255.255.255.0
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 192.168.11.3 255.255.255.0
  duplex auto
  speed auto
  ip route 192.168.12.0 255.255.255.0 172.16.1.2
  1841 router :
  interface FastEthernet0/0
  ip address 172.16.1.2 255.255.255.0
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 192.168.12.1 255.255.255.0
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 172.16.1.1
  ASA 5510 :
  : Saved
  : Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
  ASA Version 8.2(1)
  hostname ciscoasa
  enable password **** encrypted
  passwd ***** encrypted
  names
  name 192.168.12.0 Branch
  dns-guard
  interface Ethernet0/0
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.11.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  management-only
  boot system disk0:/asa821-k8.bin
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
  access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
  access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
  tcp-map mssmap
    synack-data allow
    invalid-ack allow
    seq-past-window allow
    urgent-flag allow
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-621.bin
  asdm location Branch 255.255.255.0 inside
  no asdm history enable
  arp timeout 14400
  static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
  static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
  access-group inside_access_in in interface inside
  route inside Branch 255.255.255.0 172.16.1.1 1
  timeout xlate 3:00:00
  timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username ***** password ***** encrypted
  class-map mymap
  match access-list inside_access_in
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  policy-map myPolicy
  class mymap
    set connection advanced-options mssmap
  service-policy global_policy global
  service-policy myPolicy interface inside
  prompt hostname context
  Cryptochecksum:a605d94f29924e5267644dd0f4476145
  : end
  I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those host.
  then I use wireshark to capture packet in my computer and it says that TCP ACKed Lost Segment.
  "1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
  "1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
  I can guarantee that both computers are remote desktop enabled and all firewall have been disabled.
  please help, any suggest would be great .
  thanks .
  sincerley yours
  -IAN WIJAYA-

  ear Ian_benderaz,
  Thank god i am not alone on this ,
  Me too having the exact same problem , i can ping to the host ,but no remote desktop .
  Somebody please help me on this , how enable remote desktop on asa 5505 
  Thanks