DNS Doctoring issue - ASA 5540
I am in the process of setting up a segregated Guest Wifi network in my office and in doing so realized that I cannot access my NAT'd externally facing web servers through this network. This guest network is using 8.8.8.8 for DNS and is properly resolving the external IP for the servers, but the pages refuse to load. If I go directly to the private IP of the servers, the pages load. These NAT'd servers are on the DMZ interface of my ASA, whereas the "Guest network" resides on the Internal interface.
I came across this: "By default the Cisco ASA will not allow packet redirection on the same interface (outside) which is tried by the guest client trying to access the DMZ server by its NAT'd public IP address.", which perfectly describes my issue. The article goes on to say that by checking the "Translate the DNS replies that match the translation rule" box (enable DNS Doctoring) in the NAT rule, the ASA would essentially rewrite the external IP to the private IP. This however is not working and the pages still won't come up.
Am I not understanding this right? What am I missing from this set up?
Hello Tom,
If the server is on a different interface than the clients, why don't you simply do a static one-to-one from the private to the global IP address?
EX
static (dmz,inside) public ip private ip
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
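What the "Translate the DNS replies that match the translation rule" option (the "dns" keyword on a static) does to the packet, as an added illustration that is not ASA code and not from this thread: a DNS reply crossing the firewall is parsed, and every A-record answer whose address is the mapped (public) address of an existing translation is rewritten to the real (private) address, while answers that match no translation pass through unchanged and the packet length never changes. The translation table, the name www.example.test and the 203.0.113.x / 192.168.50.x / 198.51.100.x addresses are constructed for the example. The same per-address matching is what the later thread on this page is getting at: only an address that actually appears in a translation is rewritten.

```python
import struct
import ipaddress

# Constructed translation table standing in for static NAT rules carrying the
# "dns" keyword: mapped (public) address -> real (private) address.
NAT_TABLE = {
    "203.0.113.10": "192.168.50.10",
    "203.0.113.11": "192.168.50.11",
}

TYPE_A = 1
CLASS_IN = 1


def _encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(name, addresses, txid=0x1234, ttl=300):
    """Constructed DNS response: one A question and one A answer per address.
    Answer owner names use a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for addr in addresses:
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(pkt, off):
    """Return the offset just past the name at off (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def _answer_records(pkt):
    """Yield (rtype, rclass, rdata_offset, rdlen) for each answer-section record."""
    _txid, flags, qdcount, ancount = struct.unpack_from("!4H", pkt, 0)
    if not flags & 0x8000:                  # QR bit clear: a query, nothing to doctor
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4      # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def doctor_dns_reply(pkt, nat_table):
    """Rewrite A answers whose address is a mapped address in nat_table to the
    real address, as DNS doctoring does for replies that match a translation.
    Returns (new_packet, number_of_answers_rewritten)."""
    pkt = bytearray(pkt)
    rewritten = 0
    for rtype, rclass, off, rdlen in _answer_records(pkt):
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            mapped = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            real = nat_table.get(mapped)
            if real is not None:
                pkt[off:off + 4] = ipaddress.IPv4Address(real).packed
                rewritten += 1
    return bytes(pkt), rewritten


def answer_a_records(pkt):
    """Addresses of the A answers in a reply, for checking the result."""
    return [str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            for rtype, rclass, off, rdlen in _answer_records(pkt)
            if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4]


if __name__ == "__main__":
    reply = build_a_response("www.example.test.", ["203.0.113.10", "198.51.100.5"])
    doctored, count = doctor_dns_reply(reply, NAT_TABLE)
    print(count, answer_a_records(reply), "->", answer_a_records(doctored))
```

Only the answer section is touched, and a query (QR bit clear) is returned as-is, so running the function over both directions of DNS traffic is safe.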
Similar Messages
-
Hi Expert.
How I can allow dmz zone server to resolve only dns query through nslookup on ASA 5540 ?
What is the configuration required on ASA 5540 ?
Thanks
Hi Samir,
By IP address will be very simple, depending on the security level that it has (higher than 0 for DMZ and 0 for the outside) it will be allowed by default.
If there is an access-list already applied denying all the http traffic, what you need to do is simply allow that specific host on the ACL and then deny the rest.
Access-list DMZ permit tcp host host eq 80
Access-list DMZ deny ip any any
access-group DMZ in interface DMZ
Then you can add a host entry on the hostfile for the server on the DMZ to translate the IP address to a hostname and you will be able to access it using the web browser (not really scalable, but it works)
WARNING: This will only allow traffic from the DMZ server going to specific host on the internet on port 80, any other traffic going to any other interface will be dropped.
Mike
-
High CPU Utilization on ASA 5540
I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last Friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. I saw some high CPU utilization bugs, but none looked to be relevant. Any ideas on how I can find the root cause of the high CPU utilization?
Hi rlortiz,
I ran into this issue as well on an ASA 5540 with only about 150 users. If you are using large modulus operations, including large key size certificates and a higher Diffie-Hellman group, it will cause high processing load.
Since the default method of processing these operations is software-based, it will cause higher CPU usage and also slower SSL/IPsec connection establishment.
If this is the scenario for you, use hardware-based processing by using the following configuration:
"crypto engine large-mod-accel"
-
ASA 5505 + ASA 5540 static VPN, ssh and rdp problems
Greetings!
I've recently set up a VPN between a Cisco ASA 5540 (8.4) and a 5505 (8.3).
Everything works fine, but there is a small problem that is really annoying me.
From the inside network behind ASA 5505 I connect via rdp or ssh to a host inside ASA 5540.
Then I minimize the ssh and rdp windows and don't use them for ten minutes. But I still use the VPN for downloading some files.
Then I open the ssh window - the session is inactive; I open the rdp window - I see a black screen (for 10-15 seconds, and then it shows RDP).
There are no timeouts on ssh or rdp hosts configured, via GRE tunnel it works perfectly without any hangs.
What can I do to get rid of this problem?
Thanks in advance.
Dear Fedor,
You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
class-map TCP_TIMEOUT
match access-list rdp_ssh
policy-map global_policy
class TCP_TIMEOUT
set connection timeout idle 0:30:00
set connection timeout half 0:30:00
* Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
Let me know.
Portu.
Please rate any post you find useful.
-
ASA 5540 _ I want to ping across inside to outside for testing
ASA 5540 8.2 (5)
I have tried many combinations of command line syntax suggested in this forum but none are providing success so far.
I want to ping from the Inside Interface across to the Outside Interface and vice versa.
I have tried various ACLs as well as "inspect icmp" in the config, etc still no go.
I can ping each interface from the console command line but cannot ping across each interface.
Is this even possible ?
I am open to suggestions.
thanks
Troy
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0
ASA-5540-LAB#
ASA-5540-LAB# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-5540-LAB# ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-5540-LAB# ping inside 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
ASA-5540-LAB# ping outside 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Success rate is 0 percent (0/5)
ASA-5540-LAB#
Hi Troy,
Remember that the ASA is a security device, so by design it doesn't support what you are trying to accomplish.
"For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network."
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1059645
Even if you are trying to ping from the ASA since I see you are trying to do a "source" ping. The source of the packet will be an internal IP address going to the outside IP.
Luis Silva
-
How do I get an ASA-5540 back to default config?
Is there an easy way to re-apply the default config that comes with a new ASA-5540? I'd like to have our ASA-5540 be back to its default with 192.168.1.1 on the inside interface and act as a DHCP server so I can connect a PC to it to begin initial configuration using the ASDM.
The ASA-5540 is running asa723-k8.bin.
configure factory-default
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c4_72.html#wp2039866
A simple "write erase/reload" would also do the trick.
-
CiscoWorks LMS 4.0.1 and ASA 5540
I've added an ASA-5540 to the group of systems I back up each night. When the admin logs into the ASA in the morning, he sees the "save configuration" flag has been set. This started the same day CiscoWorks saved the configuration. What is CiscoWorks doing to set this flag, and how do I stop it? It should only be reading the configuration. Thanks.
Ideally LMS should not save the configuration when it is only taking a backup of the configuration. This can be easily tested: run an instant job for Configuration Archive under Configuration > Sync Archive and see whether the ASA shows the "save configuration" flag set.
It should be something else on either LMS or somewhere outside. In LMS it could be something like a NetConfig Job which may save configuration or other options like deploy configuration, which is very unlikely.
Before we stop it, we need to test and confirm that it is actually LMS. You can also try to suspend the device once from LMS to see if the next day you still see a similar flag set.
Once we confirm it is LMS, we can test which action of LMS is doing it and how to prevent it.
-Thanks
Vinod
** Encourage Contributors. RATE them**
-
High CPU due to dispatch unit in cisco ASA 5540
Hi, any suggestion would help.
High CPU due to dispatch unit in cisco ASA 5540
ciscoasa# sh processes cpu-usage
PC Thread 5Sec 1Min 5Min Process
0805520c ad5afdf8 0.0% 0.0% 0.0% block_diag
081a8d34 ad5afa08 82.6% 82.1% 82.3% Dispatch Unit
083b6c05 ad5af618 0.0% 0.0% 0.0% CF OIR
08a60aa0 ad5af420 0.0% 0.0% 0.0% lina_int
08069f06 ad5aee38 0.0% 0.0% 0.0% Reload Control Thread
08072196 ad5aec40 0.0% 0.0% 0.0% aaa
08c76f3d ad5aea48 0.0% 0.0% 0.0% UserFromCert Thread
080a6f36 ad5ae658 0.0% 0.0% 0.0% CMGR Server Process
080a7445 ad5ae460 0.0% 0.0% 0.0% CMGR Timer Process
081a815c ad5ada88 0.0% 0.0% 0.0% dbgtrace
0844d75c ad5ad2a8 0.0% 0.0% 0.0% 557mcfix
0844d57e ad5ad0b0 0.0% 0.0% 0.0% 557statspoll
08c76f3d ad5abef8 0.0% 0.0% 0.0% netfs_thread_init
09319755 ad5ab520 0.0% 0.0% 0.0% Chunk Manager
088e3f0e ad5ab328 0.0% 0.0% 0.0% PIX Garbage Collector
088d72d4 ad5ab130 0.0% 0.0% 0.0% IP Address Assign
08ab1cd6 ad5aaf38 0.0% 0.0% 0.0% QoS Support Module
08953cbf ad5aad40 0.0% 0.0% 0.0% Client Update Task
093698fa ad5aab48 0.0% 0.0% 0.0% Checkheaps
08ab6205 ad5aa560 0.0% 0.0% 0.0% Quack process
08b0dd52 ad5aa368 0.0% 0.0% 0.0% Session Manager
08c227d5 ad5a9f78 0.0% 0.0% 0.0% uauth
08bbf615 ad5a9d80 0.0% 0.0% 0.0% Uauth_Proxy
08bf5cbe ad5a9798 0.0% 0.0% 0.0% SSL
08c20766 ad5a95a0 0.0% 0.0% 0.0% SMTP
081c0b4a ad5a93a8 0.0% 0.0% 0.0% Logger
08c19908 ad5a91b0 0.0% 0.0% 0.0% Syslog Retry Thread
08c1346e ad5a8fb8 0.0% 0.0% 0.0% Thread Logger
08e47c82 ad5a81f0 0.0% 0.0% 0.0% vpnlb_thread
08f0f055 ad5a7a10 0.0% 0.0% 0.0% pci_nt_bridge
0827a43d ad5a7620 0.0% 0.0% 0.0% TLS Proxy Inspector
08b279f3 ad5a7428 0.0% 0.0% 0.0% emweb/cifs_timer
086a0217 ad5a7230 0.0% 0.0% 0.0% netfs_mount_handler
08535408 ad5a7038 0.0% 0.0% 0.0% arp_timer
0853d18c ad5a6e40 0.0% 0.0% 0.0% arp_forward_thread
085ad295 ad5a6c48 0.0% 0.0% 0.0% Lic TMR
08c257b1 ad5a6a50 0.0% 0.0% 0.0% tcp_fast
08c28910 ad5a6858 0.0% 0.0% 0.0% tcp_slow
08c53f79 ad5a6660 0.0% 0.0% 0.0% udp_timer
080fe008 ad5a6468 0.0% 0.0% 0.0% CTCP Timer process
08df6853 ad5a6270 0.0% 0.0% 0.0% L2TP data daemon
08df7623 ad5a6078 0.0% 0.0% 0.0% L2TP mgmt daemon
08de39b8 ad5a5e80 0.0% 0.0% 0.0% ppp_timer_thread
08e48157 ad5a5c88 0.0% 0.0% 0.0% vpnlb_timer_thread
081153ff ad5a5a90 0.0% 0.0% 0.0% IPsec message handler
081296cc ad5a5898 0.0% 0.0% 0.0% CTM message handler
089b2bd9 ad5a56a0 0.0% 0.0% 0.0% NAT security-level reconfiguration
08ae1ba8 ad5a54a8 0.0% 0.0% 0.0% ICMP event handler
I want exact troubleshooting.
(1) Steps to follow.
(2) Required configuration
(3) Any good suggestions
(4) Any Tool to troubleshoot.
Suggestions are welcome
Hello,
NMS is probably not the right community to t/s this. You probably want to move this to Security group (Security > Firewalling).
In the meanwhile, I have some details to share for you to check, though I am not a security/ASA expert.
The Dispatch Unit is a process that continually runs on single-core ASAs (models 5505, 5510, 5520, 5540, 5550). The Dispatch Unit takes packets off of the interface driver and passes them to the ASA SoftNP for further processing; it also performs the reverse process.
To determine if the Dispatch Unit process is utilizing the majority of the CPU time, use the command show cpu usage and show process cpu-usage sorted non-zero
show cpu usage (and show cpu usage detail) will show the usage of the ASA CPU cores:
ASA# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 1%; 5 minutes: 0%
show process cpu-usage sorted non-zero will display a sorted list of the processes that are using the CPU.
In the example below, the Dispatch Unit process has used 50 percent of the CPU for the last 5 seconds:
ASA# show process cpu-usage sorted non-zero
0x0827e731 0xc85c5bf4 50.5% 50.4% 50.3% Dispatch Unit
0x0888d0dc 0xc85b76b4 2.3% 5.3% 5.5% esw_stats
0x090b0155 0xc859ae40 1.5% 0.4% 0.1% ssh
0x0878d2de 0xc85b22c8 0.1% 0.1% 0.1% ARP Thread
0x088c8ad5 0xc85b1268 0.1% 0.1% 0.1% MFIB
0x08cdd5cc 0xc85b4fd0 0.1% 0.1% 0.1% update_cpu_usage
If Dispatch Unit is listed as a top consumer of CPU usage, then use this document to narrow down what might be causing the Dispatch Unit process to be so active.
Most cases of high CPU utilization occur because the Dispatch Unit process is high. Common causes of high utilization include:
Oversubscription
Routing loops
Host with a high number of connections
Excessive system logs
Unequal traffic distribution
More t/s details can be shared by the ASA members from the community.
HTH
-Thanks
Vinod
-
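A small parser for the command output discussed in the Dispatch Unit thread above, added here as an illustration; it is not part of the thread and not a Cisco tool. It reads "show processes cpu-usage" rows, reproduces the "sorted non-zero" view from the unsorted output, and raises a flag when Dispatch Unit alone holds more than a configurable share of the CPU over the 5-minute window, which is the condition that points at the causes listed above (oversubscription, routing loops, a host with many connections, excessive logging, unequal traffic distribution). The sample output and its percentages are constructed for the example, and the 80 percent default threshold is an assumption, not a Cisco value.

```python
import re

# Constructed sample in the shape of "show processes cpu-usage" on a
# single-core ASA, trimmed to a few rows; the percentages are invented.
SAMPLE_OUTPUT = """\
ciscoasa# show processes cpu-usage
PC         Thread       5Sec     1Min     5Min   Process
0805520c   ad5afdf8     0.0%     0.0%     0.0%   block_diag
081a8d34   ad5afa08    82.6%    82.1%    82.3%   Dispatch Unit
0844d57e   ad5ad0b0     0.0%     0.0%     0.0%   557statspoll
08bf5cbe   ad5a9798     3.1%     2.8%     2.9%   SSL
081c0b4a   ad5a93a8     1.2%     4.5%     9.7%   Logger
"""

# One process row: PC, thread id (with or without 0x), three percentages,
# then a process name that may contain spaces ("Dispatch Unit").
ROW_RE = re.compile(
    r"^\s*(?:0x)?(?P<pc>[0-9a-fA-F]+)\s+(?:0x)?(?P<thread>[0-9a-fA-F]+)\s+"
    r"(?P<s5>\d+\.\d+)%\s+(?P<m1>\d+\.\d+)%\s+(?P<m5>\d+\.\d+)%\s+(?P<name>\S.*?)\s*$"
)


def parse_cpu_usage(text):
    """Parse process rows into dicts; the prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "process": m.group("name"),
                "5sec": float(m.group("s5")),
                "1min": float(m.group("m1")),
                "5min": float(m.group("m5")),
            })
    return rows


def top_consumers(rows, column="5min", threshold=0.0):
    """Processes above threshold in the chosen column, highest first: the
    CLI's 'sorted non-zero' view computed from the unsorted output."""
    hot = [r for r in rows if r[column] > threshold]
    return sorted(hot, key=lambda r: r[column], reverse=True)


def dispatch_unit_alert(rows, limit=80.0, column="5min"):
    """True when Dispatch Unit alone exceeds `limit` percent in the chosen
    column (80 percent is an assumed threshold for this example)."""
    return any(r["process"] == "Dispatch Unit" and r[column] > limit for r in rows)


if __name__ == "__main__":
    parsed = parse_cpu_usage(SAMPLE_OUTPUT)
    for r in top_consumers(parsed):
        print(f"{r['5min']:6.1f}%  {r['process']}")
    print("Dispatch Unit alert:", dispatch_unit_alert(parsed))
```

Feeding the live output of the command into parse_cpu_usage on a schedule turns the thread's manual check into a monitoring signal; the 5-minute column is the one to alert on, since a brief 5-second spike is expected on a busy box.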
Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth
Hello all,
I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
Their authentication process is two steps. It binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. In step 2, it binds to the directory with the DN it found when searching and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
We opened a TAC case with Cisco, and this is their response:
The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config, but that doesn't seem to make any difference to the ASA. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?
My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either.
-
Seeing ASA 5540 with High CPU Utilization
I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. Please help us troubleshoot the root cause of the CPU high utilization on Cisco ASA 5540.
This doc is a good starting point:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
-
Hello
I find plenty of examples of host configurations, like...
static (dmz,inside) X.X.X.X Y.Y.Y.Y netmask 255.255.255.255 dns
Can I also configure it for networks, like...
static (dmz,inside) X.X.X.X Y.Y.Y.Y netmask 255.255.255.0 dns
The reason to deploy the network method would be when I don't know all the internal servers being targeted by clients.
Thank you for helping me
Hi Bro
This is not possible. Let me explain why.
Firstly, it should be static (inside,dmz) not the other way around, unless of course you're doing a 2-way NAT which is not your case.
The statement static (inside,dmz) 10.10.10.0 20.20.20.0 netmask 255.255.255.0 means you're doing IP TRANSLATION, which is not what you're doing either.
The only reason you use DNS Doctoring, is so that LAN users are able to see the internal web servers as a private address (the real address) when the DNS client is on LAN.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#intro
P.S.: if you think this comment is useful, please do rate them nicely :-)
-
Hi,
I have an ASA 5400; can I make an NTP server on the ASA 5540?
The ASA cannot work as an NTP server; it can only use an NTP server to set its time, using the "ntp server" command.
I hope it helps.
PK
-
DNS Server Issues with Comcast and Airport Extreme wifi routers
I am having significant challenges with 3 Airport Extreme (latest gen) wifi routers and my Comcast Xfinity service. It once worked just fine, but now I continually get the blinking amber lights stating "No DNS servers" for each of the Airport Extreme (AE) routers. My configuration is:
Coax cable -> Comcast Xfinity cable modem -> ethernet to 16-port gigabit ethernet switch ->->-> ethernet to 3 Airport Extremes around the house direct connected with switch
I have many wifi devices throughout the house (iPads, MacBooks, home automation devices) as well as direct-connected devices via ethernet (one PC connected to AE router).
Each Airport Extreme router is set with these settings in the Airport Utility app:
Internet tab= Connect using: DHCP
Wireless tab= Network mode: Create a wireless network
Network tab= Router mode: Off (Bridge Mode)
I have attempted to put the Xfinity cable modem in bridge mode, and use the Airport Extreme to serve up the IP addresses, but still lost internet connectivity.
I have also attempted to set the Network tab=> Router Mode to "DHCP and NAT" but get "Double NAT" error issues as well.
I have tried using the Comcast DNS server addresses (75.75.75.75;75.75.76.76) setting on the Internet tab for the routers and do end up getting a green light, but NO internet connectivity.
Lastly, I have tried using the Google DNS servers (8.8.8.8;8.8.4.4) setting on the Internet tab the routers giving me the No DNS servers amber light error and again, no Internet connectivity for either wifi-connected or even ethernet connected (directly to Airport Extreme router) devices (like my PC) despite getting a green light on the router.
At this point, it really seems that these AE routers are NOT compatible with the Xfinity cable modem or service… (and yes, I've tried power-cycling and restarting the modem, and then the AE routers, MANY times to little avail).
Should I move one of these Airport Extreme wifi routers to before the switch, and have the other 2 in Bridge mode after the switch? Do I need to setup a specific range of DHCP reservation addresses for each different AE router?
Appreciate any insight anyone can share with this aggravating DNS server issue between Comcast & multiple Airport Extreme wifi routers.
I do not see anything wrong with your basic setup. The issue is indeed the WAN ports of the AE; the AC versions are having problems with some network equipment.
You have listed a stack of things you have tried.. but I want you to move the ethernet patch cable you use on each AE to its LAN port instead of WAN.
Restart the airport when you do that.. and then see if it becomes stable.
In bridge mode the airport moves the WAN port to LAN.. but the WAN port setup itself seems more problematic than the LAN ports.
There are other methods we can try if this does not work.. but in the end.. I would be tempted to take the whole lot back to apple.. they need to start making equipment that works with standard modems and switches.
BTW what brand is the 16 port switch? Does it happen to be managed (smart type)?
-
ASA 5520 Reverse DNS lookup Issue
We are having Reverse DNS issues.
10.10.0.10 = Exchange Server
Windows 2003 = DNS server internal.
Setup: 1 to 1 NAT
10.10.0.10 smtp --> 70.89.133.218 smtp
Int gi0/2 = 70.89.133.217
Incoming Access Rule:
any --> 70.89.133.218 smtp permit
When we do a WhatismyIp on exchange server it says the IP is 70.89.133.217
It should be 70.89.133.217.
This is causing our email to be rejected from external sites due to reverse DNS not returning 218. External people say our email is coming from 217. Comcast says the reverse pointer is set up correctly.
What are we doing wrong?
Thanks for any help you can offer.
Correction:
When we do a WhatismyIp on exchange server it says the IP is 70.89.133.217
It should be 70.89.133.218
217 is the interface gi0/2 on the ASA.
-
S2S VPN - ASA 5505 to ASA 5540 - Routing Problems
I'm a software developer (no doubt the issue) trying to set up my remote office (5505) to the main office (5540). No problem getting the S2S VPN up, but I definitely have problems with the routing. Using tracert, it shows it going into the remote network for a couple of hops, but then timing out. Packet tracer shows everything is fine. Using my client VPN credentials to the remote network, same on the return path... does a few hops, then gets lost. I've stripped down the config to the basics and ensured it isn't security settings on both ends, but it still doesn't work. I've spent A LOT of hours trying to get this to work, so thanks for any assistance!
Current running config:
ASA Version 8.2(5)
hostname asa15
enable password XXXXX encrypted
passwd XXXXX encrypted
names
name 10.0.0.0 remote-network
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.5.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
access-list outside_1_cryptomap extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_access_in extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location remote-network 255.0.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 99.X.X.7
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 172.16.5.100-172.16.5.130 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 99.X.X.7 type ipsec-l2l
tunnel-group 99.X.X.7 ipsec-attributes
pre-shared-key XXXXX
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Just out of curiosity, why do you have
route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
You already set your default route through DHCP setroute under the interface. This could be the issue.
If your VPN config is ok and you are seeing encaps/decaps, it is likely a routing issue.
Does the remote device have the correct default gateway?
Maybe a NAT issue if you have a one-way tunnel (usually send but no receive)...
Patrick