Does Cisco ASA understand every Sun RPC applicactions?
We have a customized program using Sun RPC. The server is located on lower security interface, client on higher security interface (sorry, have to do this)
If we give IP any any rules on lower security interface, by examine all relative packets by wireshark, this program seems do all normal Sun RPC activities: client use a ephemeral port call server's 111 port, get portmap, end TCP session. Then client start a new TCP session and talk to server using this negotiated ports.
However, if we remove the ip any any rules on lower security interface (server side), we can only observe the port negotiation TCP session. The firewall seems forgot the negotiated ports and blocks all server to client (low to high) packets.
When we test this for NFS which is also using Sun RPC protocol, with the same interfaces and settings (client interface(security level 100) - ip any any, server interface (security level 0) - deny all), everything works fine. All packets pass the firewall and connection is stateful. All works good.
I don't really understand why this is happening, since all connection initialized by client side (higher security level) using only TCP, every thing should pass through and stateful.
The ONLY ABNOMORMAL thing about our customized program is: it using random port from 600-1000 as source negotiate port to talk to server ephemeral ports (32000-61000) for transfering data. And, the connection is through VPN. (there is no special rules or inspections used for VPN connection, without deny all on server side (low security interface), every thing works fine)
Is Cisco ASA 5510 doesn't support our Sun RPC application or is there anything I did is wrong?
Thanks for any help!
Just find out: It is because of VPN. VPN will not automatical allow TCP packets coming back. Is there any solution for that? Or any options I can tune wiht VPN settings?
Similar Messages
-
Does Cisco ASA support android ?
Dear all,
Does Cisco ASA 5505 support android ? for smartnet phone and other systerm use anddroid.?
Best Regards,
RechardRechard,
Just adding my two cents:
ASA and Native L2TP-IPSec Android Client Configuration Example
Android and L2TP/IPsec Clients
AnyConnect Mobile License
HTH.
Message was edited by: Javier Portuguez -
Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?
Dear All,
Anyone do you know Cisco ASA 5510 or 5520 can protect DDos attack ans sync flood ?
I have problem on this, so how can i protect on this, some time i saw on my log like this
"sync flood " or "ddos to xxx.xxx.xxx.xxx" the ip address random .
Please help me to solve this issue?
Best Regards,
RechardHi Rechard..Those are tcp connection values
ip inspect max-incomplete high value (default 500)---------------->embryonic connection upper threshold value
ip inspect max-incomplete low value (default 400)-------------------->embryonic connection lower threshold value
ip inspect one-minute high value (default 500)------------------------>total connection in 1 minute, upper threshold
ip inspect one-minute low value (default 400)--------------------------->total connection in 1 min, lower threshold
ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]
Therefore by implementing IOSFW in your router and tweaking these values you may protect your internal servers from being bombwarded by SYM flood or any DOS flood, keeping in mind if there is a trrue attack then your router will proctect your internal servers however router itself will take a toll on itself, ideally to mitigate an attack the thumb rule is to mitigate by going as close to the source of the attack as possible
you may also want to read:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd804e5098.html -
UDP Broadcast Traffic from Cisco ASA
Hi,
I want to know that, like Cisco IOS Router, Does Cisco ASA pass the UDP Broadcast traffic e.g., TFTP etc...?
Any thoughts ???
BR,
Mubasher SultanHi Mubasher,
Unlike the router the ASA does not forward any kind of broadcast packet (with the exemption of the DHCP broadcasts when DHCP Relay is enabled).
I understand that your DHCP server is providing here the IP address for your TFTP servers. I guess you are using DHCP option 150.
So if the DHCP server is on one interface and the client is on another you can configure DHCP Relay on your ASA.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
In regards of the TFTP requests these will be normal unicast packets as Cadet said so just make sure that you have the proper ACLs and NAT rules for that. -
Cisco ASA ( Adaptiv Security Algorithm )?
Hello,
Im french so sorry for my english , i will do my best to explain my question.
Im actually working on Cisco PIX 501 ( for school ).
I have to do some test on it , search what is able to do and how to proove it...
My question is about Cisco ASA ( Adaptiv Security Algorithm ) , what is it doing? i mean it just simply stop every information coming from outside to inside(security 0 to 100) or is it doing more? is it searching wrong/good packets or just stop everything?and if it's doing that , how it's done?
My question could be : what cisco ASA doing more than ACL?
I hope im clear enough in my questions,i search a lot on internet but didnt find an answer.
Thank you!
Amauryif i understand good what you mean , ASA/algorithm is a part of different processes which are part of stateful inspection
not really, I would say that stateful inspection is part of the adaptive security algorithm. The algroithm goes through processes such as ACL check, NAT..etc. and based on these check makes entries in the state table.
( by the way stateful inspection = stateful firewalling , right?)
Kind of. Stateful inspection is what the stateful firewall does and not what it is if you can understand that. A stateful firewall performs stateful inspection. So stateful inspection is not a firewall.
when you said "showing tcp connections and NAT xlate table entries at the firewall CLI before and after" , iam ok with that but what are the command to check table entries? i cant find it.
show conn protocol tcp will show you the TCP connections through the firewall and show xlate will show you the NAT translation that are currently active.
Aswell i will need the commands to configure ( if possible ) stateful inspection and traffic inspection , but i will try search by myself because i didnt start yet
Again, stateful inspection is not something you configure but is what the ASA does based on configured rules. so all you need to do is configure ACLs and NAT rules and routing and the ASA does all the stateful inspection stuff on its own.
Please remember to rate and select a correct answer -
Why does JRockit updates lag behind Sun's?
If I understand correctly, JRockit's class libraries are exactly the same as Sun's.
Sun has already released update 8 for their 1.5.0 JRE, and JRockit is still at update 6, which means that the class library bugs fixed in update 7 and 8 are still present in JRockit.
Why does JRockit updates lag behind Sun's? Judging by [url http://forums.bea.com/bea/message.jspa?messageID=600038245&tstart=0]this post, this lag is measured in months!
Doesn't the VM development happen separate from the class libraries? It should be possible to release a new JRE with the "stable", QA'd JRockit VM and the newest class library (with all its bug fixes) within a week or so, instead of months.The class libraries are almost identical, correct. But a JDK update from Sun almost always contains changes in other components than just the class libraries. Some of these affect JRockit, in particular the native libraries (AWT, I/O, etc). Changes in the class libraries may cause performance or stability regressions.
With every release of JRockit we certify our JDK (Sun classes + JRockit JVM + other components) on a large number of platforms. We did a count earlier this year and came up with around 80 different combinations of JDK level, OS and hardware that we have to test in every release by the end of this year.
On these platforms we run a huge set of tests, including performance and stress tests. Even though a large part of our QA is automated, it is simply not possible to run everything in parallel so there is a certain minimum amount of time this certification takes. On top of that we have a set of time-consuming tests that have to be run manually.
To summarize it is simply not possible to do this without some lag. And JRockit has a much quicker uptake than almost all other 3rd party JDK providers (many of them with JVMs based on Sun HotSpot). One example is that it took IBM almost 18 months to get their first J2SE 5.0 implementation out of the door. -
Cisco ASA 5505 Routing between internal networks
Hi,
I am new to Cisco ASA and have been configuring my new firewall but one thing have been bothering. I cannot get internal networks and routing between them to work as I would like to. Goal is to set four networks and control access with ACL:s between those.
1. Outside
2. DMZ
3. ServerNet1
4. Inside
ASA version is 9.1 and i have been reading on two different ways on handling IP routing with this. NAT Exempt and not configuring NAT at all and letting normal IP routing to handle internal networks. No matter how I configure, with or without NAT I cannot get access from inside network to DMZ or from ServerNet1 to DMZ. Strange thing is that I can access services from DMZ to Inside and ServerNet1 if access list allows it. For instance DNS server is on Inside network and DMZ works great using it.
Here is the running conf:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymousHi Jouni,
Yep, Finnish would be good also =)
In front of ASA is DSL modem, on the trunk ports is Hyper-V host that uses the trunk ports so that every VM has their VLAN ID defined in the VM level. Everything is working good on that end. Also there is WLAN Access Pois on one of the ASA ports, on the WLAN AP there is the management portal address on DMZ that i have been testing agains (192.168.3.4)
If i configure Dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on DMZ but thats not the right way to do it so no shortcuts =)
Here is the conf now, still doesnt work:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
object-group network DEFAULT-PAT-SOURCE
description Default PAT source networks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous -
Hello,
I'm trying to set up a site to site VPN. I've never done this before and can't get it to work. I've watched training vids online and thought it looked straight forward enough. My problem appears to be that th ASA is not trying to create a tunnel. It doesn't seem to know that this traffic should be sent over the tunnel. Both the outside interfaces can ping one another and are on the same subnet.
I've pasted the two configs below. They're just base configs with all the VPN commands having been created by the wizard. I've not put any routes in as the two devices are on the same subnet. If you can see my mistake I'd be very grateful to you if you could point it out or even point me in the right direction.
Cheers,
Tormod
ciscoasa1
: Saved
: Written by enable_15 at 05:11:30.489 UTC Wed Jun 19 2013
ASA Version 8.2(5)13
hostname ciscoasa1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
ftp mode passive
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key ciscocisco
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:29e3cdb2d704736b7fbbc477e8418d65
: end
ciscoasa2
: Saved
: Written by enable_15 at 15:40:31.509 UTC Wed Jun 19 2013
ASA Version 8.2(5)13
hostname ciscoasa2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
ftp mode passive
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key ciscocisco
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:92dca65f5c2cf16486aa7d564732b0e1
: endThanks very much for your help Jouni. I came in this morning and ran the crypto map outside_map 1 set reverse-route command and everything started to work. I'm surprised the wizard didn't include that command but maybe it's because I didn't have a default route set.
However, I now have a new problem. We're working towards migrating from ASA8.2 to 9.1. In order to prepare for this I've created a mock of our environment and am testing that everything works prior to making the changes. I can't get this site to site VPN to work. (The one I posted yesterday was just to get a basic site to site VPN working so that I could go from there)
I've posted the debug from the ASA to which I'm trying to connect. To my undtrained eye it looks like it completes phase one but fails to match a vpn tunnel map. I'm coming from 10.99.99.99 going to 10.1.1.57
Hope you can help as I'm going nuts here. Although I will of course understand if you've something better to do with your time than bail me out.
access-list 1111_cryptomap extended permit ip 10.1.1.0 255.255.255.0 Private1 255.255.255.0
access-list 1111_cryptomap extended permit ip 10.99.99.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map vpntunnelmap 1 match address 1111_cryptomap
crypto map vpntunnelmap 1 set pfs
crypto map vpntunnelmap 1 set peer 1.1.1.1
crypto map vpntunnelmap 1 set transform-set ESP-3DES-MD5
ciscoasa# debug crypto isakmp 255
IKE Recv RAW packet dump
db 86 ce 3f 3a a9 e7 0a 00 00 00 00 00 00 00 00 | ...?:...........
01 10 02 00 00 00 00 00 00 00 00 f4 0d 00 00 84 | ................
00 00 00 01 00 00 00 01 00 00 00 78 01 01 00 03 | ...........x....
03 00 00 24 01 01 00 00 80 04 00 02 80 01 00 05 | ...$............
80 02 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04 | ................
00 00 70 80 03 00 00 28 02 01 00 00 80 04 00 02 | ..p....(........
80 01 00 07 80 0e 00 c0 80 02 00 02 80 03 00 01 | ................
80 0b 00 01 00 0c 00 04 00 00 70 80 00 00 00 24 | ..........p....$
03 01 00 00 80 04 00 02 80 01 00 05 80 02 00 01 | ................
80 03 00 01 80 0b 00 01 00 0c 00 04 00 01 51 80 | ..............Q.
0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ........>.in.c..
ec 42 7b 1f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f | .B{.....}...S..o
2c 17 9d 92 15 52 9d 56 0d 00 00 14 4a 13 1c 81 | ,....R.V....J...
07 03 58 45 5c 57 28 f2 0e 95 45 2f 00 00 00 18 | ..XE\W(...E/....
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | @H..n...%.....
c0 00 00 00 | ....
RECV PACKET from 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 244
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 132
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 120
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 3
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 192
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: MD5
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing SA payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Oakley proposal is acceptable
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 02 VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 03 VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal RFC VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Fragmentation VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing IKE SA payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ISAKMP SA payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Fragmentation VID + extended capabilities payload
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
SENDING PACKET to 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 104
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 52
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 40
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 32
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Group Description: Group 2
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 70 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
IKE Recv RAW packet dump
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58 | ...?:...lM,.h.UX
04 10 02 00 00 00 00 00 00 00 01 00 0a 00 00 84 | ................
00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3 | ..*M.c.\......a.
f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53 | ...uc#?Y..WKY.`S
0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa | ...+.1.uFW.[L...
a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0 | ..J.bh.ULT.ys...
09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4 | ...Z?.....M..{|.
cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb | .....0[/O.V.....
b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05 | .... .A:........
fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa | ......J.........
0d 00 00 18 bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04 | ........7..w....
de c9 d3 1a b0 6f ee a8 0d 00 00 14 12 f5 f2 8c | .....o..........
45 71 68 a9 70 2d 9f e2 74 cc 01 00 0d 00 00 0c | Eqh.p-..t.......
09 00 26 89 df d6 b7 12 0d 00 00 14 2e 41 69 22 | ..&..........Ai"
3a a8 e7 0a cd 38 ba 43 ed f2 db 2c 00 00 00 14 | :....8.C...,....
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00 | .....e.....T*P..
RECV PACKET from 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 256
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3
f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53
0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa
a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0
09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4
cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb
b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05
fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04 de c9 d3 1a
b0 6f ee a8
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
2e 41 69 22 3a a8 e7 0a cd 38 ba 43 ed f2 db 2c
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ke payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ISA_KE payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing nonce payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Cisco Unity client VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received xauth V6 VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ke payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing nonce payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Cisco Unity VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing xauth V6 VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send IOS VID
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Generating keys for Responder...
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
SENDING PACKET to 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 256
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
27 62 7f 00 84 06 59 07 28 a1 05 9f 2a 13 ad ff
47 10 99 27 68 01 2a c8 06 52 b8 55 0c 7d 82 3d
31 94 0d 68 aa 98 5e 60 ee 2b 37 a5 0f ca 06 5c
2a f7 83 bb 2e 8b 53 13 49 8b 4e 4c bf d1 34 67
df ff 50 5b ab e9 f2 12 cb bd c2 0c ab 95 3a 39
ca 60 31 7a d4 80 80 b6 0c 85 3e f5 16 fb f5 f8
27 5d 28 b9 b1 2e b3 35 79 1a 9e f7 fd 13 8f f4
5f 5d 53 93 74 6d d1 60 97 ca d2 bc b3 b4 e6 03
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
a7 f8 48 c1 98 b4 cb 02 79 de ae 6e 59 3d 23 cb
4c a1 7b 44
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
99 8a 8b d3 68 02 55 58 44 16 79 1c 51 be 23 8f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
IKE Recv RAW packet dump
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58 | ...?:...lM,.h.UX
05 10 02 01 00 00 00 00 00 00 00 64 8f a8 6e 03 | ...........d..n.
81 b9 24 e5 f0 ba ca 1a 0f fa 5a a1 3c 2d 61 1a | ..$.......Z.<-a.
7d 48 b0 0c 7f 09 bc 82 9b b1 25 b4 f6 04 45 a0 | }H......%...E.
13 12 27 ff 7a 41 9f e9 8e 96 c2 80 b9 59 b0 ec | ..'.zA.......Y..
40 e3 95 4d 96 ef eb ce e2 fb d9 45 83 50 0d e7 | @..M.......E.P..
9c c7 70 7f | ..
RECV PACKET from 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 100
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 100
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 500
ID Data: 1.1.1.2
Payload Hash
Next Payload: IOS Proprietary Keepalive or CHRE
Reserved: 00
Payload Length: 24
Data:
f4 40 eb 6b 55 f0 19 cd 10 81 e6 53 cf 23 75 c5
45 ab 7f 3d
Payload IOS Proprietary Keepalive or CHRE
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Default Interval: 32767
Retry Interval: 32767
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
1.1.1.2
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing VID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Received DPD VID
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing ID payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing hash payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing dpd vid payload
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58 | ...?:...lM,.h.UX
05 10 02 00 00 00 00 00 1c 00 00 00 08 00 00 0c | ................
01 11 01 f4 c2 9f 09 02 80 00 00 18 58 00 80 06 | ............X...
e9 66 ba 20 1e ba 79 c8 16 85 2d 2f a0 96 b4 e5 | .f. ..y...-/....
0d 00 00 0c 80 00 7f ff 80 00 7f ff 00 00 00 14 | ............
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | ....h...k...wW..
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 469762048
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 500
ID Data: 1.1.1.1
Payload Hash
Next Payload: IOS Proprietary Keepalive or CHRE
Reserved: 00
Payload Length: 24
Data:
58 00 80 06 e9 66 ba 20 1e ba 79 c8 16 85 2d 2f
a0 96 b4 e5
Payload IOS Proprietary Keepalive or CHRE
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Default Interval: 32767
Retry Interval: 32767
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
SENDING PACKET to 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 100
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 1 COMPLETED
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Keep-alive type for this connection: DPD
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Starting P1 rekey timer: 27360 seconds.
IKE Recv RAW packet dump
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58 | ...?:...lM,.h.UX
08 10 20 01 56 e5 a4 1e 00 00 01 4c d2 44 3e 24 | .. .V......L.D>$
87 96 a1 fe d1 a3 d3 a3 ed 59 45 2d 53 be 17 9f | .........YE-S...
42 72 2b a3 5f f8 5e 41 5a 62 25 0c 5d bf 6c 2a | Br+._.^AZb%.].l*
e6 e0 1f 77 d5 ed c8 1c 06 cb ef f2 58 07 1d 35 | ...w........X..5
a9 d5 7b 86 24 05 88 32 e7 33 6f f2 f7 9d 70 07 | ..{.$..2.3o...p.
18 40 51 77 7d 7e 6c 77 55 d9 18 7a 57 5d b9 88 | .@Qw}~lwU..zW]..
6c a6 d5 f3 60 5e 14 4f da cb 42 65 88 d6 75 0e | l...`^.O..Be..u.
22 1c bb 89 1f 57 bd c2 f2 46 30 31 30 9c 63 e6 | "....W...F010.c.
e2 e9 5b 68 71 f2 ed 69 f1 eb a7 65 2d b2 31 85 | ..[hq..i...e-.1.
31 93 0a c1 21 44 57 de ad 8b 79 5e 3d 36 5c 44 | 1...!DW...y^=6\D
88 23 a8 44 76 2c d6 c2 ed 31 2d 69 b1 50 26 9f | .#.Dv,...1-i.P&.
ee 48 3e c4 dd 0d 40 8f 65 d2 fb 82 19 42 b7 0f | .H>[email protected]..
a0 74 b3 e6 df dd 16 c4 fa ca bf d2 b6 33 b0 5f | .t...........3._
d6 59 4f 6a 84 9e 0d 76 a4 d6 d3 94 67 bc 9c df | .YOj...v....g...
33 20 48 61 d7 80 b6 97 0d a9 32 48 7d 5b 79 8b | 3 Ha......2H}[y.
7b bc e0 9b b4 5d ed 49 04 6b 5d 72 d7 5b 82 90 | {....].I.k]r.[..
47 e5 65 64 a9 25 ce 2f 3f a2 ca 98 b1 0b ff 01 | G.ed.%./?.......
9c 32 64 5c dd 9c 26 71 c4 59 cd 52 da 1f b9 23 | .2d\..&q.Y.R...#
32 dd d8 a5 d1 1c 2a d0 0f ef 2b 26 66 c0 14 48 | 2.....*...+&f..H
52 35 3a ee 36 a6 00 df a5 d6 6b 42 | R5:.6.....kB
RECV PACKET from 1.1.1.2
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 56E5A41E
Length: 332
Jun 20 16:29:42 [IKEv1 DECODE]: IP = 1.1.1.2, IKE Responder starting QM: msg id = 56e5a41e
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
Responder COOKIE: 6c 4d 2c ce 68 03 55 58
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 56E5A41E
Length: 332
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
78 09 81 d2 54 22 37 a1 b0 a8 53 cf df d4 1e fb
4a 7b 99 f7
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 64
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: b2 c1 66 6e
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: MD5
Group Description: Group 2
Payload Nonce
Next Payload: Key Exchange
Reserved: 00
Payload Length: 24
Data:
1e 43 34 fa cc 9f 77 65 45 7c b6 18 2f 18 fd a9
86 e6 58 42
Payload Key Exchange
Next Payload: Identification
Reserved: 00
Payload Length: 132
Data:
3c 26 4c 94 68 33 4b 2d ce 37 4a d2 8c 62 ab 6b
e6 d4 d2 8a df 70 bc 67 62 ca 96 8c 3b 30 cd 58
54 55 71 0f 9e bc da 63 a9 68 86 fd ba 7a 13 f3
e9 51 e9 a4 13 b0 b0 20 45 cf 1f 36 1e 95 95 c9
dd 92 c9 cd 2b 33 2d 4b 7e bd ed d4 ec bf 54 b9
6e 13 7f 17 dc 28 61 5d 46 fe 1d ba 88 e5 ca 70
40 59 12 c1 0c 3a 51 7f ae 5f e2 95 73 bc c9 16
67 ce 38 82 e7 b3 1b 6a 39 05 46 71 b8 da c3 57
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 10.99.99.0/255.255.255.0
Payload Identification
Next Payload: Notification
Reserved: 00
Payload Length: 16
ID Type: IPv4 Subnet (4)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 10.1.1.0/255.255.255.0
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: STATUS_INITIAL_CONTACT
SPI:
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=56e5a41e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 332
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ke payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ISA_KE for PFS in phase 2
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.99.99.0--255.255.255.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received remote IP Proxy Subnet data in ID Payload: Address 10.99.99.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received local IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing notify payload
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, QM IsRekeyed old sa not found by addr
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 1...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 1, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 2...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 2, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 3...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 3, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 35...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 35, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 40...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 40, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 41...
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 41, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.99.99.0/255.255.255.0/0/0 local proxy 10.1.1.0/255.255.255.0/0/0 on interface thus
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, sending notify message
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing blank hash payload
Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing qm hash payload
Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7ecccf15) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 384
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55
IKE Recv RAW packet dump -
CISCO ASA 5505 bandwidth Controll and split
Dear All,
Below am giving the infrastructure which i like to do please help me.
I Am Using Cisco ASA 5505 VPN Firewall and 6Mbps 1:1 dedicated internet connection.
in Lan Side we have 3 networks one for Internet Users one For VPN Users One for CCTV
i would like to split the 6Mbps bandwidth for these network 3 networks 3x2 each
each network use 2Mbps bandwidth. The VPN and CCTV Users use up to 6:00 pm after that the bandwidth will be free
after the 6:00 pm we need to use the the VPN and CCTV line bandwidth to the internet Users.
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
so please help me with suitable configuration for my purpose./please tell me which device will support for this/what is have to do for this.
Thanks
Lalu R.SThere's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
You can do some crude controls with QoS - the configuration guide chapter on doing that is here. -
Cisco ASA 5510 Content Security bundle
Hello,
please help me to understand if i buy the Cisco ASA 5510 Content Security bundle for my network found there is 1 yr subscription for the content
security features. what are services included in it. Does URL blocking and filtering includ in this subscription or its a seperate features.
Thanks,
Saroj PradhanHere is the license for CSC module and it lists what is included in Basic and Plus CSC license:
http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html#wp1045405
One year subscription is providing you the ability to upgrade the virus scan engine, spyware pattern file, anti spam, etc -
Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth
Hello all,
I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
Their authentication process is two-steps.. It binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. With step 2, it binds to the directory with the DN it found when searching, and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
We opened a TAC case with Cisco, and this is their response:
The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config , but that doesn't seem to make any difference to the ASA.. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either. -
Hi,
I am little confused with different models of Cisco ASA Firewalls. I am trying to understand the real benefit of ASA Next-GEN ASA Firewalls. I understand the next-gen has visibility up to layer 7 but:
- with CX the previous gen of ASA Firewall had same or similar capability?
- Is CX removed from Next-Gen FW?
- Is AVC something apart from CX and new featue in the Next-Gen FW?
- What is the real advantage of upgrading to next-gen FW from older gen ASA Firewalls?
ThanksNext Generation Firewall (NGFW) is partly a marketing term. Wikipedia has a definition (as does Gartner and a host of others). Typically it's understood to mean something more than a simple stateful firewall that only looks at packets up to the TCP session level.
Cisco ASA has had add-on features for years like IPS modules and the ability to use Identities in access-lists that could arguably called NGFW. More recently they had the CX module (now Approaching End of Sales). It had several NGFW features including AVC, Web Security Essentials (WSE) and IPS.
The current product lineup include the FirePOWER modules with technology acquired from Sourcefire being developed and integrated into the Cisco security portfolio, including ASAs. Those also have AVC (basically the ability to look deep into a flow and determine application-specific (or even "microapplication") information. You leverage that with the addition of IPS, Web filtering and/or Advanced Malware Protection (AMP) licenses on the FirePOWER modules.
The advantage is that you are able to protect your enterprise from modern-day threats. With the vast majority of malware being exploits from web pages (or at least carried over http/https), the traditional firewall with a rule allowing, say, only http from inside clients does nothing to protect against those threats. Client side anti-malware software can help, but it may be too late once the malware has been identified. -
DNS Resolution in Cisco ASA 5525
Hey all,
I will begin by telling you what my end goal is, I am trying to block specific websites on our cisco ASA 5525 using FDQN. I know that this functionality for DNS resolution was not implemented until a specific version.
Current Version: Cisco ASA 5525
ASA Version: 8.6(1)
I can ping external addresses from the ASA however I cannot ping hostnames like "ping google.ca" does not work.
What I've done.
dns domain-lookup inside
dns domain-lookup outside
name-server x.x.x.x (Primary internal dns server)
name-server x.x.x.x (Secondary internal dns server)
name-server 8.8.8.8 (Google external dns server)
name-server 8.8.4.4 (Google external dns server)
domain-name example.com
With this config I can, however, ping hostnames of internal servers.
This is an example of me pinging an external hostname.
ciscoasa# ping google.ca
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:803::101f, timeout is 2 seconds:
No route to host 2607:f8b0:4009:803::101f
Success rate is 0 percent (0/1)
Any ideas?
Thanks!officeasa# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:802::1012, timeout is 2 seconds:
No route to host 2607:f8b0:4009:802::1012
Success rate is 0 percent (0/1)
John, due to the sensitive nature displayed within show route output, is there any other information I can tell you, what exactly did you need to see from this information?
(I know without certain information you cannot help but I need to ensure security on my end)
Thanks for understanding. -
Cisco ASA 5520 traffic between interfaces
Hello,
I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
ciscoasa# ping esx_management 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping home_network 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Thank you in advance.Hi,
Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
Static Identity NAT
static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
OR
NAT0
access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
nat (home_network) 0 access-list HOMENETWORK-NAT0
Hope this helps
- Jouni -
NPAS: How do I use Cisco ASA RADIUS attribute 146?
We have a Cisco ASA 5520 running firmware 8.4.5 and are using it for AnyConnect SSL VPN. We are using Microsoft Network Policy and Access Services (NPAS) as a RADIUS server to handle authentication requests coming from the ASA.
We have three tunnel groups configured on the ASA, and have three Active Directory security groups that correspond with each one. At this time, we are using Cisco's vendor-specific RADIUS attribute 85 (tunnel-group-lock) to send back to the ASA a string
that corresponds to a policy rule in NPAS based on the matched group membership. This works in the sense that each user can only be a member of one of the three AD security groups used for VPN, and if they pick a tunnel group in the AnyConnect client
that doesn't correspond to them, the ASA doesn't set up the session for them.
Well, Cisco added vendor-specific RADIUS attribute 146 (tunnel-group-name) in firmware 8.4.3. This is an *upstream* attribute, and is one that is sent by the ASA to the RADIUS server. We would like to use this attribute in our policies in NPAS
to help with policy matching. By doing this, we could allow people to be in more than one VPN group and select more than one of the tunnel groups in the AnyConnect client, each of which may provide different network access.
The question becomes, how can I use this upstream RADIUS attribute in my policy conditions? I tried putting it in the policy in the Vendor-Specific section under Policies (the same place where we had attribute 85 defined), but this doesn't work.
These are just downstream attributes that the NPAS server sends back to the RADIUS client (the ASA). The ASA seems to ignore attribute 146 if it is sent back in this manner and the result is that the first rule that contains a group the user is a member
of is matched and authentication is successful. This is undesirable, because it means the person could potentially select a tunnel group and successfully authenticate even though that isn't what we desire.
Here is Cisco's documentation that describes these attributes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.htmlPhilippe:
Thank you for the response, but I am already aware how to use Cisco's group-lock or tunnel-group-lock with RADIUS and, in fact, we are already using tunnel-group-lock (attribute 85).
Using tunnel-group-lock works in the sense that you have three RADIUS policies and three AD security groups (one per tunnel group configured on the ASA). Each AD group basically is designed to map to a specific tunnel group. Each RADIUS policy
contains vendor-specific attribute 85 with the name of the tunnel group. So when you connect and attempt authentication through NPAS, it goes down the RADIUS policies until the conditions match (in this case the conditions are the source RADIUS client
- the ASA - and membership in a particular AD security group), it determines if your authentication attempt is successful, and if so it sends the tunnel group name back to the ASA. If the tunnel group name matches the one associated to the user group
you selected from the list in the AnyConnect client, a VPN tunnel is established. Otherwise, the ASA rejects the connection attempt.
Frankly, tunnel-group-lock works fine so long as it is only necessary for a given individual to need to connect to only a single tunnel group. If there is a need for an individual to be able to use two out of the three or all three tunnel groups in
order to gain different access, using tunnel-group-lock or group-lock won't work. This is because the behavior will be when the RADIUS server processes the policies, the first one in the list that has the AD security group that the user is a member of
will be matched and the tunnel group name associated with that policy will be sent back to the ASA every time. If that name doesn't match the one they picked, the tunnel will not be established. This will happen every time if the tunnel group is
associated with the second or third AD group they are a member of in terms of order in the NPAS policy list.
Group-lock (attribute 25) works similarly. In such a case, the result won't be a failure to connect if the user group chosen is associated with the second or third AD group in the policy list; rather, it will just always send the ASA the first group
name and the ASA will establish the session but always apply the same policy to the client rather than the desired one.
We upgraded to firmware 8.4.5 on our ASA 5520 specifically so that we could make use of attribute 146 (tunnel-group-name). Since this is an upstream attribute sent by the ASA to the RADIUS server (rather than something send by the RADIUS server
to the ASA as part of the authentication response), we were hoping to be able to use it as an additional condition in the NPAS policies. In this way, people could be members of more than one of the AD security groups related to VPN at a time. The
problem is, I just do not know how to leverage it in the NPAS policy conditions or if it is even possible.
Maybe you are looking for
-
Right-click File then select to email
Is there an option to do this in OS X? I would like to be able to like right click a file on my desktop and then select an option to email, so then it would automatically attach the file in an email. Any help would be appreciated.
-
Save Query As - Variant not saved
We are in 3.0B and moving to 3.5 In 3.0B, when we save a query as a new one, the Variant does not get copied over. Is there a way this can be handled? Does 3.5 have this covered? Thanks, Bharath
-
X4150 hypertown won't boot after fresh install
I was able to finally install Solaris u4 on it. After install, I reboot. I booted it with -sv option and the last thing I see is: cpuid 0: initialized cpumod: cpu.generic Now it reboots. No error messages or panics. I am able to boot up going into fa
-
i have to use the user exit named userexit_save_document . through this i have to block sales order ,which is having low profitability rate. and also i have to maintain the custom table , one of the field is 'kbetr'. with the custom table field i ha
-
Suggestion for Windows Vista 64 Bit DESKTOP- Wireless Routers
Hello. I just bought a Gateway GT5694. It has Genuine Windows Vista Home Premium with Service Pack 1 (64-bit) AMD(R) Phenom 9100e Quad-core Processor (3.2GHz) 4GB DDR2 System Memory (Dual-Channel) 256MB ATI Radeon HD 3200 Video 1 HDMI, 2 FireWire (TM