DNS Doctoring issue - ASA 5540

I am in the process of setting up a segregated guest Wi-Fi network in my office and in doing so realized that I cannot access my NAT'd, externally facing web servers through this network. This guest network is using 8.8.8.8 for DNS and is properly resolving the external IP for the servers, but the pages refuse to load. If I go directly to the private IP of the servers, the pages load. These NAT'd servers are on the DMZ interface of my ASA, whereas the guest network resides on the internal interface.
I came across this: "By default the Cisco ASA will not allow packet redirection on the same interface (outside) which is tried by the guest client trying to access the DMZ server by its NAT'd public IP address.", which perfectly describes my issue. The article goes on to say that by checking the "Translate the DNS replies that match the translation rule" box (enabling DNS Doctoring) in the NAT rule, the ASA would essentially rewrite the external IP to the private IP. This, however, is not working and the pages still won't come up.
Am I not understanding this right? What am I missing from this set up?

Hello Tom,
If the server is on a different interface than the clients, why don't you simply do a static one-to-one from the private to the global IP address?
EX
static (dmz,inside) public ip private ip
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
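To make concrete what the "Translate the DNS replies that match the translation rule" box does, the following is an added example and not code from the thread or from Cisco: a minimal model of DNS rewrite (DNS doctoring) applied to a raw DNS response. The ASA, with DNS inspection enabled, walks the A records in a reply that crosses the interface pair named in the static and swaps any mapped (public) address for the real (private) one, so the client connects to the private address directly and never needs the hairpin. The translation table, the hostname and all addresses below are assumptions for the example.

```python
import struct
import ipaddress

# Hypothetical translation table, public (mapped) address -> private (real)
# address, as a "static ... <public> <private> netmask 255.255.255.255 dns"
# rule would install. Both addresses are made up for this example.
NAT_TABLE = {
    "203.0.113.10": "192.168.50.10",
}


def _skip_name(msg, offset):
    """Return the offset just past a DNS name that may end in a compression pointer."""
    while True:
        length = msg[offset]
        if length == 0:                       # root label: end of name
            return offset + 1
        if length & 0xC0 == 0xC0:             # 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def _a_record_offsets(msg):
    """Yield (rdata_offset, dotted_ip) for every IN A record in the
    answer, authority and additional sections of a DNS message."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = off + 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield rdata, str(ipaddress.IPv4Address(bytes(msg[rdata:rdata + 4])))
        off = rdata + rdlen


def a_records(msg):
    """All A-record addresses in a message, in wire order."""
    return [ip for _, ip in _a_record_offsets(msg)]


def doctor_dns_reply(msg, nat_table=NAT_TABLE):
    """Rewrite A records whose address is a mapped (public) address in
    nat_table to the real (private) address, in a copy of msg.
    Queries (QR=0) are returned untouched. Returns (new_msg, rewrites)."""
    buf = bytearray(msg)
    flags = struct.unpack("!H", buf[2:4])[0]
    if not flags & 0x8000:
        return bytes(buf), []
    rewrites = []
    for rdata, public in list(_a_record_offsets(buf)):
        private = nat_table.get(public)
        if private is not None:
            buf[rdata:rdata + 4] = ipaddress.IPv4Address(private).packed
            rewrites.append((public, private))
    return bytes(buf), rewrites


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(qname, addresses, flags=0x8180, txid=0x1234):
    """Constructed DNS message with one A question and one A answer per
    address; answer names point back at the question (pointer to offset 12).
    Used here only to fabricate a reply like the one a public resolver returns."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
        + ipaddress.IPv4Address(addr).packed
        for addr in addresses
    )
    return header + question + answers


if __name__ == "__main__":
    reply = build_a_response("www.example.com", ["203.0.113.10", "198.51.100.7"])
    doctored, rewrites = doctor_dns_reply(reply)
    print("before:", a_records(reply))
    print("after: ", a_records(doctored), "rewrites:", rewrites)
```

Two things to check on the firewall before concluding the rewrite "does not work": the rewrite is performed by DNS application inspection, so `inspect dns` must be present in the service policy applied to the traffic (`show service-policy inspect dns` confirms it), and the reply has to traverse the interface pair named in the static that carries the `dns` keyword. If either condition is missing, a client on the guest network simply receives the untouched public address, which matches the symptom in the question.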

Similar Messages

  • Dmz dns query on asa 5540

    Hi Expert.
    How can I allow a DMZ-zone server to resolve only DNS queries (via nslookup) through the ASA 5540?
    What configuration is required on the ASA 5540?
    Thanks

    Hi Samir,
    By IP address it will be very simple; depending on the security level it has (higher than 0 for the DMZ and 0 for the outside), it will be allowed by default.
    If there is an access-list already applied denying all the HTTP traffic, what you need to do is simply allow that specific host on the ACL and then deny the rest.
    Access-list DMZ permit tcp host host eq 80
    Access-list DMZ deny ip any any
    access-group DMZ in interface DMZ
    Then you can add a host entry in the hosts file of the server on the DMZ to translate the IP address to a hostname, and you will be able to access it using the web browser (not really scalable, but it works).
    WARNING: This will only allow traffic from the DMZ server going to specific host on the internet on port 80, any other traffic going to any other interface will be dropped.
    Mike

  • High CPU Utilization on ASA 5540

    I have a remote site customer with a Cisco ASA 5540 running SSLVPN (AnyConnect) (8.03). It currently only serves about 450 SSLVPN clients. Since last Friday, they've seen the CPU utilization go up to the high 90% range while only serving 400+ remote users. I saw some high CPU utilization bugs, but none looked to be relevant. Any ideas on how I can find the root cause of the high CPU utilization?

    Hi rlortiz,
    I ran into this issue as well on an ASA 5540 with only about 150 users. In case you are using large modulus operations, including large key size certificates and a higher Diffie-Hellman group, it will cause a high processing load.
    Since the default method of processing these operations is software-based, it will cause higher CPU usage and also slower SSL/IPsec connection establishment.
    If this is the scenario for you, use hardware-based processing by using the following configuration:
    "crypto engine large-mod-accel"

  • ASA 5505 + ASA 5540 static VPN, ssh and rdp problems

    Greetings!
    I've recently set up a VPN between a Cisco ASA 5540 (8.4) and a 5505 (8.3).
    Everything works fine, but there is a small problem that is really annoying me.
    From the inside network behind ASA 5505 I connect via rdp or ssh to a host inside ASA 5540.
    Then I minimize ssh and rdp windows and don't use it for ten minutes. But I still use VPN for downloading some files.
    Then I open ssh window - the session is inactive, open rdp window - I see a black screen (for 10-15 seconds, and then it shows RDP)
    There are no timeouts on ssh or rdp hosts configured, via GRE tunnel it works perfectly without any hangs.
    What can I do to get rid of this problem?
    Thanks in advance.

    Dear Fedor,
    You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
    access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
    access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
    class-map TCP_TIMEOUT
          match access-list rdp_ssh
    policy-map global_policy
         class TCP_TIMEOUT
              set connection timeout idle 0:30:00
              set connection timeout half 0:30:00
    * Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
    Let me know.
    Portu.
    Please rate any post you find useful.

  • ASA 5540 _ I want to ping across inside to outside for testing

    ASA 5540 8.2 (5)
    I have tried many combinations of command line syntax suggested in this forum but none are providing success so far.
    I want to ping from the Inside Interface across to the Outside Interface and vice versa.
    I have tried various ACLs as well as "inspect icmp" in the config, etc still no go.
    I can ping each interface from the console command line but cannot ping across each interface.
    Is this even possible ?
    I am open to suggestions.
    thanks
    Troy
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.10 255.255.255.0
    ASA-5540-LAB#
    ASA-5540-LAB# ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ASA-5540-LAB# ping 10.10.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ASA-5540-LAB# ping inside 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    ASA-5540-LAB# ping outside 10.10.10.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    ASA-5540-LAB#

    Hi Troy,
    Remember that the ASA is a security device, so by design it doesn't support what you are trying to accomplish.
    "For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network."
    http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1059645
    This applies even when you ping from the ASA itself, since I see you are doing a "source" ping: the source of the packet will be an internal IP address going to the outside IP.
    Luis Silva

  • How do I get an ASA-5540 back to default config?

    Is there an easy way to re-apply the default config that comes with a new ASA-5540? I'd like to have our ASA-5540 back to its default, with 192.168.1.1 on the inside interface and acting as a DHCP server, so I can connect a PC to it to begin initial configuration using the ASDM.
    The ASA-5540 is running on asa723-k8.bin.

    configure factory-default
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c4_72.html#wp2039866
    a simple "write erase/reload" would also do the trick.

  • CiscoWorks LMS 4.0.1 and ASA 5540

    I've added an ASA-5540 to the group of systems I back up each night. When the admin logs into the ASA in the morning, he sees the "save configuration" flag has been set. This started the same day CiscoWorks saved the configuration. What is CiscoWorks doing to set this flag, and how do I stop it? It should only be reading the configuration. Thanks.

    Ideally LMS should not save the configuration when it is only taking a backup of the configuration. This can be easily tested: try running an instant job for Configuration Archive under Configuration > Sync Archive and see whether the ASA shows the "save configuration" flag set.
    It should be something else on either LMS or somewhere outside. In LMS it could be something like a NetConfig Job which may save configuration or other options like deploy configuration, which is very unlikely.
    Before we stop it, we need to test and confirm it is actually LMS. You can also try to suspend the device once from LMS to see if the next day you still see a similar flag set.
    Once we confirm it is LMS, we can test which action of LMS is doing it and how to prevent.
    -Thanks
    Vinod
    ** Encourage Contributors. RATE them**

  • High CPU due to dispatch unit in cisco ASA 5540

    Hi, any suggestions would help.
    High CPU due to Dispatch Unit in a Cisco ASA 5540:
    ciscoasa# sh processes cpu-usage
    PC         Thread       5Sec     1Min     5Min   Process
    0805520c   ad5afdf8     0.0%     0.0%     0.0%   block_diag
    081a8d34   ad5afa08    82.6%    82.1%    82.3%   Dispatch Unit
    083b6c05   ad5af618     0.0%     0.0%     0.0%   CF OIR
    08a60aa0   ad5af420     0.0%     0.0%     0.0%   lina_int
    08069f06   ad5aee38     0.0%     0.0%     0.0%   Reload Control Thread
    08072196   ad5aec40     0.0%     0.0%     0.0%   aaa
    08c76f3d   ad5aea48     0.0%     0.0%     0.0%   UserFromCert Thread
    080a6f36   ad5ae658     0.0%     0.0%     0.0%   CMGR Server Process
    080a7445   ad5ae460     0.0%     0.0%     0.0%   CMGR Timer Process
    081a815c   ad5ada88     0.0%     0.0%     0.0%   dbgtrace
    0844d75c   ad5ad2a8     0.0%     0.0%     0.0%   557mcfix
    0844d57e   ad5ad0b0     0.0%     0.0%     0.0%   557statspoll
    08c76f3d   ad5abef8     0.0%     0.0%     0.0%   netfs_thread_init
    09319755   ad5ab520     0.0%     0.0%     0.0%   Chunk Manager
    088e3f0e   ad5ab328     0.0%     0.0%     0.0%   PIX Garbage Collector
    088d72d4   ad5ab130     0.0%     0.0%     0.0%   IP Address Assign
    08ab1cd6   ad5aaf38     0.0%     0.0%     0.0%   QoS Support Module
    08953cbf   ad5aad40     0.0%     0.0%     0.0%   Client Update Task
    093698fa   ad5aab48     0.0%     0.0%     0.0%   Checkheaps
    08ab6205   ad5aa560     0.0%     0.0%     0.0%   Quack process
    08b0dd52   ad5aa368     0.0%     0.0%     0.0%   Session Manager
    08c227d5   ad5a9f78     0.0%     0.0%     0.0%   uauth
    08bbf615   ad5a9d80     0.0%     0.0%     0.0%   Uauth_Proxy
    08bf5cbe   ad5a9798     0.0%     0.0%     0.0%   SSL
    08c20766   ad5a95a0     0.0%     0.0%     0.0%   SMTP
    081c0b4a   ad5a93a8     0.0%     0.0%     0.0%   Logger
    08c19908   ad5a91b0     0.0%     0.0%     0.0%    Syslog Retry Thread
    08c1346e   ad5a8fb8     0.0%     0.0%     0.0%   Thread Logger
    08e47c82   ad5a81f0     0.0%     0.0%     0.0%   vpnlb_thread
    08f0f055   ad5a7a10     0.0%     0.0%     0.0%   pci_nt_bridge
    0827a43d   ad5a7620     0.0%     0.0%     0.0%   TLS Proxy Inspector
    08b279f3   ad5a7428     0.0%     0.0%     0.0%   emweb/cifs_timer
    086a0217   ad5a7230     0.0%     0.0%     0.0%   netfs_mount_handler
    08535408   ad5a7038     0.0%     0.0%     0.0%   arp_timer
    0853d18c   ad5a6e40     0.0%     0.0%     0.0%   arp_forward_thread
    085ad295   ad5a6c48     0.0%     0.0%     0.0%   Lic TMR
    08c257b1   ad5a6a50     0.0%     0.0%     0.0%   tcp_fast
    08c28910   ad5a6858     0.0%     0.0%     0.0%   tcp_slow
    08c53f79   ad5a6660     0.0%     0.0%     0.0%   udp_timer
    080fe008   ad5a6468     0.0%     0.0%     0.0%   CTCP Timer process
    08df6853   ad5a6270     0.0%     0.0%     0.0%   L2TP data daemon
    08df7623   ad5a6078     0.0%     0.0%     0.0%   L2TP mgmt daemon
    08de39b8   ad5a5e80     0.0%     0.0%     0.0%   ppp_timer_thread
    08e48157   ad5a5c88     0.0%     0.0%     0.0%   vpnlb_timer_thread
    081153ff   ad5a5a90     0.0%     0.0%     0.0%   IPsec message handler
    081296cc   ad5a5898     0.0%     0.0%     0.0%   CTM message handler
    089b2bd9   ad5a56a0     0.0%     0.0%     0.0%   NAT security-level reconfiguration
    08ae1ba8   ad5a54a8     0.0%     0.0%     0.0%   ICMP event handler
    I want exact troubleshooting.
    (1) Steps to follow.
    (2) Required configuration
    (3) Any good suggestions
    (4) Any Tool to troubleshoot.
    Suggestions are welcome

    Hello,
    NMS is probably not the right community to t/s this. You probably want to move this to Security group (Security > Firewalling).
    In the meanwhile, i have some details to share for you to check, though i am not a security/ASA expert.
    The Dispatch Unit is a process that continually runs on single-core ASAs (models 5505, 5510, 5520, 5540, 5550). The Dispatch Unit takes packets off of the interface driver and passes them to the ASA SoftNP for further processing; it also performs the reverse process.
    To determine if the Dispatch Unit process is utilizing the majority of the CPU time, use the commands show cpu usage and show process cpu-usage sorted non-zero.
    show cpu usage (and show cpu usage detail) will show the usage of the ASA CPU cores:
    ASA# show cpu usage
    CPU utilization for 5 seconds = 0%; 1 minute: 1%; 5 minutes: 0%
    show process cpu-usage sorted non-zero will display a sorted list of the processes that are using the CPU.
    In the example below, the Dispatch Unit process has used 50 percent of the CPU for the last 5 seconds:
    ASA# show process cpu-usage sorted non-zero
    0x0827e731 0xc85c5bf4 50.5% 50.4% 50.3% Dispatch Unit
    0x0888d0dc 0xc85b76b4 2.3% 5.3% 5.5% esw_stats
    0x090b0155 0xc859ae40 1.5% 0.4% 0.1% ssh
    0x0878d2de 0xc85b22c8 0.1% 0.1% 0.1% ARP Thread
    0x088c8ad5 0xc85b1268 0.1% 0.1% 0.1% MFIB
    0x08cdd5cc 0xc85b4fd0 0.1% 0.1% 0.1% update_cpu_usage
    If Dispatch Unit is listed as a top consumer of CPU usage, then use this document to narrow down what might be causing the Dispatch Unit process to be so active.
    Most cases of high CPU utilization occur because the Dispatch Unit process is high. Common causes of high utilization include:
    Oversubscription
    Routing loops
    Host with a high number of connections
    Excessive system logs
    Unequal traffic distribution
    More t/s details can be shared by the ASA members from the community.
    HTH
    -Thanks
    Vinod
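Added example, not from the thread: a parser for the "show processes cpu-usage" table, so that the triage described above (is Dispatch Unit the top consumer, and at what share?) can be applied to collected output rather than read by eye. The sample output is constructed in the shape of the table in the question with made-up figures, and the 50 percent threshold is an assumption taken from the example in the reply.

```python
import re

# Constructed sample in the shape of "show processes cpu-usage" output from
# the thread above; the figures are made up to keep the example short.
SAMPLE_OUTPUT = """\
ciscoasa# show processes cpu-usage
PC         Thread       5Sec     1Min     5Min   Process
0805520c   ad5afdf8     0.0%     0.0%     0.0%   block_diag
081a8d34   ad5afa08    82.6%    82.1%    82.3%   Dispatch Unit
081c0b4a   ad5a93a8     9.7%    10.2%     9.9%   Logger
08c20766   ad5a95a0     3.1%     2.8%     2.5%   SMTP
08bf5cbe   ad5a9798     0.0%     0.0%     0.0%   SSL
ciscoasa#
"""

ROW_RE = re.compile(
    r"^\s*([0-9a-f]+)\s+([0-9a-f]+)\s+"      # PC, Thread (hex)
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+"  # 5Sec, 1Min, 5Min
    r"(\S.*?)\s*$",                          # process name, may contain spaces
    re.IGNORECASE,
)

# Causes the reply above lists when Dispatch Unit dominates the CPU.
DISPATCH_UNIT_CAUSES = (
    "oversubscription",
    "routing loops",
    "host with a high number of connections",
    "excessive system logs",
    "unequal traffic distribution",
)


def parse_cpu_usage(text):
    """Parse the per-process table into dicts; prompt, header and blank
    lines do not match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        pc, thread, s5, m1, m5, name = m.groups()
        rows.append({"pc": pc, "thread": thread, "5sec": float(s5),
                     "1min": float(m1), "5min": float(m5), "process": name})
    return rows


def sorted_non_zero(rows, window="5min"):
    """Same view as `show processes cpu-usage sorted non-zero`, for one window."""
    return sorted((r for r in rows if r[window] > 0.0),
                  key=lambda r: r[window], reverse=True)


def triage(rows, window="5min", busy=50.0):
    """Verdict following the thread: Dispatch Unit on top at or above `busy`
    percent means the load is packet-path work, so the listed causes apply;
    any other process on top points at the feature behind that process."""
    top = sorted_non_zero(rows, window)
    if not top:
        return {"verdict": "idle", "process": None, "share": 0.0, "next": ()}
    lead = top[0]
    if lead["process"] == "Dispatch Unit" and lead[window] >= busy:
        return {"verdict": "dispatch-unit-bound", "process": lead["process"],
                "share": lead[window], "next": DISPATCH_UNIT_CAUSES}
    return {"verdict": "process-bound", "process": lead["process"],
            "share": lead[window],
            "next": ("inspect the feature behind " + lead["process"],)}


if __name__ == "__main__":
    rows = parse_cpu_usage(SAMPLE_OUTPUT)
    for r in sorted_non_zero(rows):
        print(f"{r['5min']:6.1f}%  {r['process']}")
    print(triage(rows))
```

Feeding this the real output from the question gives the same verdict as the reply (Dispatch Unit at 82.3% over five minutes), and running it on successive captures makes it easy to see whether a secondary consumer such as Logger is growing, which is the "excessive system logs" case on the list.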

  • Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth

    Hello all,
    I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
    Their authentication process is two-steps.. It binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. With step 2, it binds to the directory with the DN it found when searching, and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
    When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
    We opened a TAC case with Cisco, and this is their response:
    The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
    I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
    I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config , but that doesn't seem to make any difference to the ASA.. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?

    My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
    I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either.

  • Seeing ASA 5540 with High CPU Utilization

    I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. Please help us troubleshoot the root cause of the CPU high utilization on Cisco ASA 5540.

    This doc is a good starting point:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

  • DNS Doctoring - network range

    Hello
    I find plenty of examples of host configurations, like...
    static (dmz,inside) X.X.X.X Y.Y.Y.Y netmask 255.255.255.255 dns
    Can I also configure it for networks, like...
    static (dmz,inside) X.X.X.X Y.Y.Y.Y netmask 255.255.255.0 dns
    The reason to deploy the network method would be when I don't know all the internal servers being targeted by clients.
    Thanks you for helping me

    Hi Bro
    This is not possible. Let me explain why.
    Firstly, it should be static (inside,dmz) not the other way around, unless of course you're doing a 2-way NAT which is not your case.
    The statement static (inside,dmz) 10.10.10.0 20.20.20.0 netmask 255.255.255.0 means you're doing IP TRANSLATION, which is not what you're doing either.
    The only reason you use DNS Doctoring is so that LAN users are able to see the internal web servers as a private address (the real address) when the DNS client is on the LAN.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#intro
    P/S: if you think this comment is useful, please do rate them nicely :-)

  • Could i make NTP on ASA 5540

    hi..
    I have an ASA 5540.
    Can I make an NTP server on the ASA 5540?

    The ASA cannot work as an NTP server, it can only use an NTP server to set its time using the "ntp server" command.
    I hope it helps.
    PK

  • DNS Server Issues with Comcast and Airport Extreme wifi routers

    I am having significant challenges with 3 Airport Extreme (latest gen) wifi routers and my Comcast Xfinity service.  It once worked just fine, but now I continually get the blinking amber lights stating "No DNS servers" for each of the Airport Extreme (AE) routers.  My configuration is:
    Coax cable -> Comcast Xfinity cable modem -> ethernet to 16-port gigabit ethernet switch ->->-> ethernet to 3 Airport Extremes around the house direct connected with switch
    I have many wifi devices throughout the house (iPads, MacBooks, home automation devices) as well as direct-connected devices via ethernet (one PC connected to AE router).
    Each Airport Extreme router is set with these settings in the Airport Utility app: 
    Internet tab=  Connect using: DHCP
    Wireless tab=  Network mode: Create a wireless network
    Network tab=   Router mode: Off (Bridge Mode)
    I have attempted to put the Xfinity cable modem in bridge mode, and use the Airport Extreme to serve up the IP addresses, but still lost internet connectivity.
    I have also attempted to set the Network tab=> Router Mode to "DHCP and NAT" but get "Double NAT" error issues as well.
    I have tried using the Comcast DNS server addresses (75.75.75.75;75.75.76.76) setting on the Internet tab for the routers and do end up getting a green light, but NO internet connectivity.
    Lastly, I have tried using the Google DNS servers (8.8.8.8;8.8.4.4) setting on the Internet tab the routers giving me the No DNS servers amber light error and again, no Internet connectivity for either wifi-connected or even ethernet connected (directly to Airport Extreme router) devices (like my PC) despite getting a green light on the router.
    At this point, it really seems that these AE routers are NOT compatible with the Xfinity cable modem or service… (and yes, I've tried power-cycling and restarting the modem, and then the AE routers, MANY times to little avail).
    Should I move one of these Airport Extreme wifi routers to before the switch, and have the other 2 in Bridge mode after the switch?  Do I need to setup a specific range of DHCP reservation addresses for each different AE router?
    Appreciate any insight anyone can share with this aggravating DNS server issue between Comcast & multiple Airport Extreme wifi routers.

    I do not see anything wrong with your basic setup.. the issue is indeed the WAN ports of the AE.. the AC versions are having problems with some network equipment.
    You have listed a stack of things you have tried.. but I want you to move the ethernet patch cable you use on each AE to its LAN port instead of WAN.
    Restart the airport when you do that.. and then see if it becomes stable.
    In bridge mode the airport moves the WAN port to LAN.. but the WAN port setup itself seems more problematic than the LAN ports.
    There are other methods we can try if this does not work.. but in the end.. I would be tempted to take the whole lot back to apple.. they need to start making equipment that works with standard modems and switches.
    BTW what brand is the 16 port switch?? Does it happen to be managed (smart type)?

  • ASA 5520 Reverse DNS lookup Issue

    We are having Reverse DNS issues.
    10.10.0.10 = Exchange Server
    Windows 2003 = DNS server internal.
    Setup: 1 to 1 NAT
    10.10.0.10 smtp --> 70.89.133.218 smtp
    Int gi0/2 = 70.89.133.217
    Incoming Access Rule:
    any --> 70.89.133.218 smtp permit
    When we do a WhatismyIp on exchange server it says the IP is 70.89.133.217
    It should be 70.89.133.217.
    This is causing our email to be rejected by external sites due to reverse DNS not returning .218. External people say our email is coming from .217. Comcast says the reverse pointer is set up correctly.
    What are we doing wrong?
    Thanks for any help you can offer.

    Correction:
    When we do a WhatismyIp on exchange server it says the IP is 70.89.133.217
    It should be 70.89.133.218
    217 is the interface gi0/2 on the ASA.

  • S2S VPN - ASA 5505 to ASA 5540 - Routing Problems

    I'm a software developer (no doubt the issue) trying to setup my remote office (5505) to the main office (5540). No problem getting the S2S VPN up, but I definitely have problems with the routing. Using tracert, it shows it going into the remote network for a couple of hops, but then timing out. Packet tracer shows everything is fine. Using my client VPN credentials to the remote network, same on the return path...does a few hops, then gets lost. I've stripped down the config to the basics and ensured it isn't security settings on both ends, but still doesn't work. I've spent A LOT of hours trying to get this to work, so thanks for any assistance!
    Current running config:
    ASA Version 8.2(5)
    hostname asa15
    enable password XXXXX encrypted
    passwd XXXXX encrypted
    names
    name 10.0.0.0 remote-network
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.5.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    access-list inside_access_in extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    access-list inside_nat0_outbound_1 extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm location remote-network 255.0.0.0 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.16.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 99.X.X.7
    crypto map outside_map 1 set transform-set ESP-AES-128-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 28800
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 172.16.5.100-172.16.5.130 inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    tunnel-group 99.X.X.7 type ipsec-l2l
    tunnel-group 99.X.X.7 ipsec-attributes
    pre-shared-key XXXXX
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    : end

    just out of curiosity, why do you have
    route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
    You already set your default route through DHCP setroute under the interface. this could be the issue.
    If your VPN config is ok and you are seeing encaps/decaps, it is likely a routing issue.
    Does the remote device have the correct default gateway?
    It may be a NATting issue if you have a one-way tunnel (usually send but no receive)...
    Patrick
