EIGRP and DMZ distribution - Cisco ASA
I have been able to get EIGRP working successfully in the lab like I want.
Attached is the network overview:
We have a Data Center and Corporate office connected via Point to Point Fiber link, eventually we will have two of these
Two 4948E switches in the Data center acting as cores setup with GLBP
Corporate Office has a 3750X acting as a core
Currently two 4948E's are connected to each other via Port Channel and a L2 trunk
Two set of ASA 5520's one acting as a firewall and for Cisco Any Connect and second for site to site VPN
What is the best way/pratice that I can distribute this DMZ via EIGRP? Should I just leave it static on the core like this?
DMZ Net = 192.168.150.0/24
Inside Interface = 192.168.200.255
On the core I create a static route "ip route 192.168.150.0 255.255.255.0 192.168.200.255". Or a statement like this would be better for future DMZ additions "ip route 0.0.0.0 0.0.0.0 192.168.200.255"?
Hello Mohammad,
I would recommend you to advertise them via EIGRP, better funcionality, escalability,etc,etc,etc.
Regards
Similar Messages
-
What's the difference between 8.0 and 9.3 Cisco ASA software?
Is anyone show me the link with features of 8.0 and 9.3 Cisco ASA software? And what's the catch?
9.2(2.8) is what is known as an interim release of the software. Per Cisco interim release notes:
"They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available."
Interim release notes are not generally published on the general product support page but if you go to the downloads page, there is usually a link to the release notes specific to the interim release.
Here is a link to the ASA 9.2(2.9) interim release notes. They describe the individual bug fixes rolled up in that release. -
Manually start RADIUS, Authentication and groups for Cisco ASAs
I am testing moving a 10.7 server to 10.8.
We have used RADIUS to authenticate VPN traffic on our Cisco ASAs in the past. In the past Server Admin allowed for our ASAs to be added manually to the list of devices using the service. With Server Admin being removed and the limited funtionality of automated addition of Airports to the system I have no GUI method to get our ASAs into the service. The ability to tell RADIUS which groups are using the service is no longer available in the GUI as well.
I have found the clients file in /etc/raddb and added our ASAs to the clients list. I believe I have done this correctly in accordance with the instructions on the freeRADIUS website.
I need help with:
1- I was hoping someone knows how to manually tell RADIUS which groups are permitted to use the service.
2- Can anyone tell me how to turn on RADIUS? radiusconfig -start appears to only tell the system to keep it on after a restart if i understand the manual page.
ThanksWith David's suggestion I was able to get RADIUS running. The following assumes that you are comfortable with Terminal and would be able to back up any files you edit. Here is what I did to our fresh installation of 10.8 Server:
In Terminal enter "sudo radiusd -Xx" which tries to turn RADIUS on and runs it with full logging of activity in the window. The last line after this entry should be something similar to "Ready to process records." In our new installtion there were errors relating to "instantiating" sql and the ready message never came.
In Terminal enter "sudo pico /etc/raddb/radiusd.conf" and authenticate as needed. Scroll down in the file to the section where there are "instantiate" items. I commented out the SQL setup, by putting a # before the line that says "sql". Save the file by pressing Control-O, press return to save in the default location, and press Control-X to get out of the editor. I redid step number 1 twice and eventually RADIUS was running. Removing SQL from RADIUS will assure that problems will arise if you plan to use Server.app to add AirPorts to the network in the future. OS X Server adds its clients in an SQL database according to the programming notes in the .conf files. I will only be using our Cisco ASAs so SQL is not relevant to our setup.
Testing the running RADIUS server was easy as well. In Terminal enter "sudo pico /etc/raddb/users" and authenticate as needed. This file contains details for users if you wanted to add them manually to the RADIUS server. For testing purposes I removed the # before a line referring to a user "steve." I had to get RADIUS restarted to take up the new information about Steve. I killed the process using Activity Monitor and reran step number 1.
In Terminal I opened a new tab and entered "sudo radtest steve testing localhost 0 testing123 -t". You should get back a positive authentication message. Switching back to the original tab will show the output of the RADIUS server.
Reverse the entry in step 3 by adding back the # to comment out the line about steve in the users file.
RADIUS is now running and authenticating against its own users file.
Now we need to add our ASAs to the RADIUS server so it knows that it can authenticate for them. In Terminal enter "sudo pico /etc/raddb/clients.conf". We added lines for our ASAs, following the samples in the code. The information in the lines we added included a generic name for each ASA or device needing RADIUS type authentication, its IP address, and the shared secret for device authentication.
Following David's advice from above I created the RADIUS sacl by entering in Terminal "sudo dseditgroup -q -o create -u <admin user> -P <admin password> -n . com.apple.access_radius". This created the sacl for the service. Editing of the associated users and groups permitted to use the service was able to be done in Server. Be sure to select from the View menu "Show system accounts". Selecting "Groups" from the left margin of the Server window will show all of the SACLs along with any groups you have created. The RADIUS sacl can then have groups and users added to it.
To ensure that RADIUS is running and stays running enter the following in Terminal. First, "sudo radiusd.conf" will start RADIUS without logging in the Terminal window. Then, "sudo radiusconfig -start" to tell the system to keep it running and also run after a reboot.
I made no changes to our ASA settings and found that I was able to authenticate the "Steve" user from the RADIUS test in the ASA. I was also able to authenticate a user which had been added to the "Users" in Server. It appears that the ASA will be permitted to authenticate Open Directory users without additional setup.
I now need to set up our user groups to match those we use in our 10.7 server and add them to the RADIUS SACL and we should be set.
Once I have everything running properly, I will add a post here to close this discussion.
If anyone can shorten this procedure please let us know what you suggest.
-Erich -
EIGRP SHA Authentication for Cisco ASA
Hi,
I was just wondering if anyone knew if Cisco was going to implement EIGRP SHA authentication in to the ASAs? My organization is migrating from classic to named EIGRP for SHA authentication and right now I'm stuck at the ASA's. Static routing everything just to remove MD5 authentication doesn't sound very fun, if you know what I mean. :)
Thanks!Hello Mohammad,
I would recommend you to advertise them via EIGRP, better funcionality, escalability,etc,etc,etc.
Regards -
NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication
Hi everyone,
Hoping someone can help please.
We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
Has anyone implemented this before and if so, are there any guides available please?
Many Thanks,
Dean.Hi Dean,
Thanks for posting here.
Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
Checklist: Configure NPS for Dial-Up and VPN Access
http://technet.microsoft.com/en-us/library/cc754114.aspx
Thanks.
Tiger Li
Tiger Li
TechNet Community Support -
Older version of openssl in cisco asa 5520
Hi,
Recently my security has scanned all the network devices for vulnerabilities and found that cisco asa 5520 , which we use for RAS VPN has older version of openssl. Have to check that and fix this problem? FYI, recently we have installed a SSL cert for webmail users.
Thanks,
SridharSridhar,
W update OpenSSL libraries on our side quite often, especially if new vulnarabilities are found.
You can check recently published vulnarabilities in www.cisco.com/go/psirt (not only specific to ASA)
In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
Marcin -
Config Cisco ASA without interaction
Hello,
I'm looking for a way to update and configure an Cisco ASA without serial connection.
I can only use an network connection.
I was wondering what my options would be.
Kind regards,
Jean-LucYou can use the web-based ASDM, ssh, and/or telnet. The initial configuration will require a serial connection, no way around that.
Hope it helps. -
I have an ASA 5520, and I have Cisco ASA SSM-10, but I'm not sure how to work with it. My problems are here:
1. What software do I need to get this to work
2. From the rj45 connection on this module, where does it connects to.
3. Give me some guide to configure it and test to see if it works.Hi,
you need to do couple of things to get this to work.
1. Configuration on ASA to forward the traffic to the module
2. Chose whether you are going to plug the IPS in inline/promiscious mode
3. Configure the IPS module
Configuring ASA to forward the traffic to the module:-
access-l IPS permit ip any any
class-IPS
match access-list IPS
policy-map global-policy
class IPS
IPS inline/promiscious fail-open/fail-close
When you do this ASa is configured to send the traffic to the module.
Now you need to get in to the IPS
you can get in to the through CLI on ASA:-
do session 1
it will ask you for username and password
both are cisco by default
run the command setup
and it will walk you through the initial configuration of the sensor.
once the sensor is configured
log in to the IDM
and need to go to configuration>> policies and assign vs0 to the backplane interface of the module so that sigs come in to the act of the traffic.
you can connect the module in front of the IPS to the switch vlan where the other interface exist from where you want to see this traffic and want ips to come into act.
Suppose you want to apply the IPS on inside network
ASA inside interface ip:-192.168.1.1
Module ip:-192.168.1.3/192.168.1.1
Here the gateway for the module is the ASA inside interface.
now all the traffic going outbound or coming in from the inside itnerface will be monitored by the IPS.
now connect the ethernet interface of the module to the same vlan on switch where your inside interface is connected.
Now you can even manage the IDM of the IPS just like you manage the ASDM for the ASA, you just need to have your host/network allowed to gain access to it.
Thanks -
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway( 192.168.223.191) - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 ) -
ISSUES:
1)
no route from DMZ to outside
example:
ping from 172.16.3201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
not working access from external to DMZ AT ALL
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: endThank you one more time for everthing. It is workingin indeed
Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end -
S2S between Cisco ASA 5505 and Sonicwall TZ-170 but not able to ping across
Hi,
I am helping out a friend of mine with his Site-to-Site VPN between his companies Cisco ASA another company's SonicWall TZ-170. I have checked the screenshots proivded by the other end and tried to match with ours. The Tunnel shows but we are not able to Ping resources on the other end. The other side insists that the problem is on our end but I am not sure where the issue resides. Please take a look at our config and let me know if there is anything that I have missed. I am pretty sure I didn't but extra eyes may be of need here.
Our LAN is 10.200.x.x /16 and theirs is 192.168.9.0 /24
ASA Version 8.2(2)
terminal width 300
hostname company-asa
domain-name Company.com
no names
name 10.1.0.0 sacramento-network
name 10.3.0.0 irvine-network
name 10.2.0.0 portland-network
name x.x.x.x MailLive
name 192.168.9.0 revit-vpn-remote-subnet
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.128
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.200.200.1 255.255.0.0
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.22.22.1 255.255.255.0
interface Ethernet0/3
description Internal Wireless
shutdown
nameif Wireless
security-level 100
ip address 10.201.201.1 255.255.255.0
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
domain-name company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network local_net_group
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.200.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.5.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 192.168.200.0 255.255.255.0
object-group network NACIO123
network-object 1.1.1.1 255.255.255.224
object-group service MAIL_HTTPS_BORDERWARE tcp
port-object eq smtp
port-object eq https
port-object eq 10101
object-group service SYSLOG_SNMP_NETFLOW udp
port-object eq syslog
port-object eq snmp
port-object eq 2055
object-group service HTTP_HTTPS tcp
port-object eq www
port-object eq https
object-group network OUTSIDECO_SERVERS
network-object host x.x.x.34
network-object host x.x.x.201
network-object host x.x.x.63
object-group network NO-LOG
network-object host 10.200.200.13
network-object host 10.200.200.25
network-object host 10.200.200.32
object-group service iPhoneSync-Services-TCP tcp
port-object eq 993
port-object eq 990
port-object eq 998
port-object eq 5678
port-object eq 5721
port-object eq 26675
object-group service termserv tcp
description terminal services
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DTI tcp
description DCS CONTROL PROTOCOL
port-object eq 3333
object-group service H.245 tcp
description h.245 signaling
port-object range 1024 4999
object-group service RAS udp
port-object eq 1719
port-object range 1718 1720
object-group service XML tcp
port-object range 3336 3341
object-group service mpi tcp
port-object eq 2010
object-group service mvp_control tcp
port-object eq 2946
object-group service rpc tcp-udp
port-object eq 1809
object-group service tcp8080 tcp
port-object eq 8080
object-group service tcp8011 tcp
port-object eq 8011
object-group service rtp_rtcp_udp udp
port-object range 1024 65535
object-group service ecs_xml tcp-udp
port-object eq 3271
object-group service rtp20000 udp
description 10000-65535
port-object range 20000 25000
port-object range 10000 65535
object-group service tcp5222 tcp
port-object range 5222 5269
object-group service tcp7070 tcp
port-object eq 7070
object-group network videoco
network-object host x.x.x.144
network-object host x.x.x.145
object-group service video tcp
port-object range 1718 h323
object-group service XML2 tcp-udp
port-object range 3336 3345
object-group service tcp_tls tcp
port-object eq 5061
object-group service Autodesk tcp
port-object eq 2080
port-object range 27000 27009
access-list outside_policy remark ====== Begin Mail From Postini Network ======
access-list outside_policy extended permit tcp x.x.x.x 255.255.240.0 host x.x.x.x eq smtp
access-list outside_policy extended permit tcp x.x.x.x 255.255.255.240 host x.x.x.x eq smtp
access-list outside_policy extended permit tcp x.x.x.0 255.255.240.0 host x.x.x.x eq smtp
access-list outside_policy remark ****** End Mail From Postini Network ******
access-list outside_policy remark ====== Begin Inbound Web Mail Access ======
access-list outside_policy extended permit tcp any host x.x.x.x object-group HTTP_HTTPS
access-list outside_policy remark ****** End Inbound Web Mail Access ******
access-list outside_policy remark ====== Begin iPhone Sync Rules to Mail Server ======
access-list outside_policy extended permit tcp any host x.x.x.x object-group iPhoneSync-Services-TCP
access-list outside_policy remark ****** End iPhone Sync Rules to Mail Server ******
access-list outside_policy remark ====== Begin MARS Monitoring ======
access-list outside_policy extended permit udp x.x.x.x 255.255.255.128 host x.x.x.x object-group SYSLOG_SNMP_NETFLOW
access-list outside_policy extended permit icmp x.x.x.x 255.255.255.128 host x.x.x.x
access-list outside_policy remark ****** End MARS Monitoring ******
access-list outside_policy extended permit tcp object-group NACIO123 host x.x.x.141 eq ssh
access-list outside_policy extended permit tcp any host x.x.x.x eq www
access-list outside_policy extended permit tcp any host x.x.x.x eq https
access-list outside_policy extended permit tcp any host x.x.x.x eq h323
access-list outside_policy extended permit tcp any host x.x.x.x range 60000 60001
access-list outside_policy extended permit udp any host x.x.x.x range 60000 60007
access-list outside_policy remark radvision 5110 port 80 both
access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq www
access-list outside_policy remark radvision
access-list outside_policy extended permit tcp any object-group videoco object-group termserv
access-list outside_policy remark radvision 5110 port21 out
access-list outside_policy extended permit tcp any object-group videoco eq ftp
access-list outside_policy remark rad5110 port22 both
access-list outside_policy extended permit tcp any object-group videoco eq ssh
access-list outside_policy remark rad 5110 port161 udp both
access-list outside_policy extended permit udp any object-group videoco eq snmp
access-list outside_policy remark rad5110 port443 both
access-list outside_policy extended permit tcp any object-group videoco eq https
access-list outside_policy remark rad5110 port 1024-4999 both
access-list outside_policy extended permit tcp any object-group videoco object-group H.245
access-list outside_policy remark rad5110 port 1719 udp both
access-list outside_policy extended permit udp any object-group videoco object-group RAS
access-list outside_policy remark rad5110 port 1720 both
access-list outside_policy extended permit tcp any any eq h323
access-list outside_policy remark RAD 5110 port 3333 tcp both
access-list outside_policy extended permit tcp any object-group videoco object-group DTI
access-list outside_policy remark rad5110 port 3336-3341 both
access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group XML2
access-list outside_policy remark port 5060 tcp/udp
access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq sip
access-list outside_policy remark rad 5110port 1809 rpc both
access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group rpc
access-list outside_policy remark rad 5110 port 2010 both
access-list outside_policy extended permit tcp any object-group videoco object-group mpi
access-list outside_policy remark rad 5110 port 2946 both
access-list outside_policy extended permit tcp any object-group videoco object-group mvp_control
access-list outside_policy extended permit tcp any object-group videoco object-group tcp8080
access-list outside_policy extended permit tcp any object-group videoco object-group tcp8011
access-list outside_policy remark 1024-65535
access-list outside_policy extended permit udp any object-group videoco object-group rtp_rtcp_udp
access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group ecs_xml
access-list outside_policy extended permit udp any object-group videoco object-group rtp20000
access-list outside_policy extended permit tcp any object-group videoco eq telnet
access-list outside_policy remark port 53 dns
access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq domain
access-list outside_policy remark 7070
access-list outside_policy extended permit tcp any object-group videoco object-group tcp7070
access-list outside_policy remark 5222-5269 tcp
access-list outside_policy extended permit tcp any object-group videoco range 5222 5269
access-list outside_policy extended permit tcp any object-group videoco object-group video
access-list outside_policy extended permit tcp any object-group videoco object-group tcp_tls
access-list outside_policy remark ====== Begin Autodesk Activation access ======
access-list outside_policy extended permit tcp any any object-group Autodesk
access-list outside_policy remark ****** End Autodesk Activation access ******
access-list outside_policy extended permit tcp x.x.x.x 255.255.255.248 host x.x.x.x eq smtp
access-list outside_policy remark ****** End Autodesk Activation access ******
access-list inside_policy extended deny tcp host 10.200.200.25 10.1.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.3.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.2.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.4.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.5.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny udp object-group NO-LOG any eq 2967 log disable
access-list inside_policy extended deny tcp object-group NO-LOG any eq 2967 log disable
access-list inside_policy remark ====== Begin Outbound Mail Server Rules ======
access-list inside_policy extended permit udp host 10.200.200.222 any eq 5679
access-list inside_policy extended permit tcp host 10.200.200.222 any eq smtp
access-list inside_policy remark ****** End Outbound Mail Server Rules ******
access-list inside_policy extended permit ip object-group local_net_group any
access-list inside_policy extended permit icmp object-group local_net_group any
access-list OUTSIDECO_VPN extended permit ip host x.x.x.x object-group OUTSIDECO_SERVERS
access-list company-split-tunnel standard permit 10.1.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.2.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.3.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.4.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.200.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.5.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.6.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.7.0.0 255.255.0.0
access-list company-split-tunnel standard permit 172.22.22.0 255.255.255.0
access-list company-split-tunnel remark Video
access-list company-split-tunnel standard permit 192.168.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.1.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.2.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.3.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.200.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.4.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.5.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.6.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.7.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 172.22.22.0 255.255.255.0
access-list SSL_SPLIT remark Video
access-list SSL_SPLIT standard permit 192.168.0.0 255.255.0.0
access-list NONAT_SSL extended permit ip object-group local_net_group 172.20.20.0 255.255.255.0
access-list NONAT_SSL extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
access-list tom extended permit tcp host x.x.x.x any eq smtp
access-list tom extended permit tcp host 10.200.200.222 any eq smtp
access-list tom extended permit tcp any host x.x.x.x
access-list aaron extended permit tcp any any eq 2967
access-list capauth extended permit ip host 10.200.200.1 host 10.200.200.220
access-list capauth extended permit ip host 10.200.200.220 host 10.200.200.1
access-list DMZ extended permit icmp any any
access-list dmz_access_in extended permit tcp any eq 51024 any eq 3336
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any any eq ftp
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in remark rad5110 port 162 out
access-list dmz_access_in extended permit udp any any eq snmptrap
access-list dmz_access_in remark port 23 out
access-list dmz_access_in extended permit tcp any any eq telnet
access-list dmz_access_in remark port 53 dns out
access-list dmz_access_in extended permit object-group TCPUDP any any eq domain
access-list dmz_access_in extended permit object-group TCPUDP any any eq www
access-list dmz_access_in extended permit tcp any any eq h323
access-list dmz_access_in extended permit tcp any any object-group XML
access-list dmz_access_in extended permit udp any any object-group RAS
access-list dmz_access_in extended permit tcp any any range 1718 h323
access-list dmz_access_in extended permit tcp any any object-group H.245
access-list dmz_access_in extended permit object-group TCPUDP any any eq sip
access-list dmz_access_in extended permit udp any any object-group rtp_rtcp_udp
access-list dmz_access_in extended permit object-group TCPUDP any any object-group XML2
access-list dmz_access_in extended permit ip object-group local_net_group any
access-list dmz_access_in remark port 5061
access-list dmz_access_in extended permit tcp any any object-group tcp_tls
access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
pager lines 24
logging enable
logging buffered warnings
logging trap informational
logging history informational
logging asdm warnings
logging host outside x.x.x.x
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Wireless 1500
mtu management 1500
ip local pool SSL_VPN_POOL 172.20.20.1-172.20.20.75 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT_SSL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.12 10.200.200.15 netmask 255.255.255.255
static (inside,outside) x.x.x.15 10.5.0.11 netmask 255.255.255.255
static (inside,outside) x.x.x.13 10.200.200.240 netmask 255.255.255.255
static (inside,outside) x.x.x.16 10.200.200.222 netmask 255.255.255.255
static (inside,outside) x.x.x.14 10.200.200.155 netmask 255.255.255.255
static (inside,dmz) 10.200.200.0 10.200.200.0 netmask 255.255.255.0
static (inside,dmz) 10.4.0.0 10.4.0.0 netmask 255.255.0.0
static (dmz,outside) x.x.x.18 172.22.22.15 netmask 255.255.255.255
static (dmz,outside) x.x.x.19 172.22.22.16 netmask 255.255.255.255
static (inside,dmz) 10.3.0.0 10.3.0.0 netmask 255.255.0.0
static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,dmz) 10.6.0.0 10.6.0.0 netmask 255.255.0.0
static (inside,dmz) 10.7.0.0 10.7.0.0 netmask 255.255.0.0
static (inside,dmz) 10.5.0.0 10.5.0.0 netmask 255.255.0.0
access-group outside_policy in interface outside
access-group inside_policy in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.12 1
route inside 10.1.0.0 255.255.0.0 10.200.200.254 1
route inside 10.2.0.0 255.255.0.0 10.200.200.254 1
route inside 10.3.0.0 255.255.0.0 10.200.200.254 1
route inside 10.4.0.0 255.255.0.0 10.200.200.254 1
route inside 10.5.0.0 255.255.0.0 10.200.200.254 1
route inside 10.6.0.0 255.255.0.0 10.200.200.254 1
route inside 10.7.0.0 255.255.0.0 10.200.200.150 1
route inside x.x.x.0 255.255.255.0 10.200.200.2 1
route inside x.x.x.0 255.255.255.0 10.200.200.2 1
route inside 192.168.1.0 255.255.255.0 10.200.200.254 1
route inside 192.168.2.0 255.255.255.0 10.200.200.254 1
route inside 192.168.3.0 255.255.255.0 10.200.200.254 1
route inside 192.168.4.0 255.255.255.0 10.200.200.254 1
route inside 192.168.5.0 255.255.255.0 10.200.200.254 1
route inside 192.168.6.0 255.255.255.0 10.200.200.254 1
route inside 192.168.7.0 255.255.255.0 10.200.200.254 1
route inside 192.168.200.0 255.255.255.0 10.200.200.254 1
route inside 192.168.201.0 255.255.255.0 10.200.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 2:00:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server COMPANY-NT-AUTH protocol nt
aaa-server COMPANY-NT-AUTH (inside) host 10.200.200.220
nt-auth-domain-controller DC
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.200.200.0 255.255.255.0 inside
http 10.200.0.0 255.255.0.0 inside
http 10.3.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 5 match address outside_cryptomap
crypto map OUTSIDE_MAP 5 set pfs
crypto map OUTSIDE_MAP 5 set peer x.x.x.53
crypto map OUTSIDE_MAP 5 set transform-set 3DES-SHA
crypto map OUTSIDE_MAP 5 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 match address OUTSIDECO_VPN
crypto map OUTSIDE_MAP 10 set peer x.x.x.25
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 10.200.200.220 10.200.200.225
dhcpd wins 10.200.200.220 10.200.200.225
dhcpd lease 18000
dhcpd domain company.com
dhcpd dns 10.200.200.220 10.200.200.225 interface Wireless
dhcpd wins 10.200.200.220 10.200.200.225 interface Wireless
dhcpd lease 18000 interface Wireless
dhcpd domain company.com interface Wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.40 source outside prefer
ssl trust-point vpn.company.com outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2017-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSL_Client_Policy internal
group-policy SSL_Client_Policy attributes
wins-server value 10.200.200.220
dns-server value 10.200.200.220
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL_SPLIT
default-domain value company.com
webvpn
sso-server none
auto-signon allow uri * auth-type all
group-policy no-split-test internal
group-policy no-split-test attributes
banner value Welcome to company and Associates
banner value Welcome to company and Associates
dns-server value 10.200.200.220
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelall
default-domain value company.com
group-policy DfltGrpPolicy attributes
dns-server value 10.200.200.220
default-domain value company.com
group-policy company internal
group-policy company attributes
banner value Welcome to company and Associates
banner value Welcome to company and Associates
dns-server value 10.200.200.220
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL_SPLIT
default-domain value company.com
username ciscoadmin password xxxxxxxxxxx encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_POOL
authentication-server-group COMPANY-NT-AUTH
default-group-policy SSL_Client_Policy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias company_SSL_VPN enable
tunnel-group company_group type remote-access
tunnel-group company_group general-attributes
address-pool SSL_VPN_POOL
authentication-server-group COMPANY-NT-AUTH LOCAL
default-group-policy company
tunnel-group company_group ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.53 type ipsec-l2l
tunnel-group x.x.x.53 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect tftp
inspect esmtp
inspect ftp
inspect icmp
inspect ip-options
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect mgcp
inspect h323 h225
inspect h323 ras
inspect sip
service-policy global_policy global
privilege cmd level 5 mode exec command ping
privilege cmd level 6 mode exec command write
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command version
privilege show level 5 mode exec command conn
privilege show level 5 mode exec command memory
privilege show level 5 mode exec command cpu
privilege show level 5 mode exec command xlate
privilege show level 5 mode exec command traffic
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 5 mode exec command ip
privilege show level 5 mode exec command failover
privilege show level 5 mode exec command arp
privilege show level 5 mode exec command route
privilege show level 5 mode exec command blocks
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a0689b4c837c79a51e7a0cfed591dec9
: end
COMPANY-asa#Hi Sian,
Yes on their end the PFS is enabled for DH Group 2.
Here is the information that you requested:
company-asa# sh crypto isakmp sa
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: x.x.x.87
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: x.x.x.53
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
3 IKE Peer: x.x.x.25
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG4
company-asa# sh crypto ipsec sa
interface: outside
Crypto map tag: OUTSIDE_MAP, seq num: 5, local addr: x.x.x.13
access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
current_peer: x.x.x.53
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10744, #pkts decrypt: 10744, #pkts verify: 10744
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.13, remote crypto endpt.: x.x.x.53
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 500EC8BF
current inbound spi : 8DAE3436
inbound esp sas:
spi: 0x8DAE3436 (2377004086)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (3914946/24388)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x500EC8BF (1343146175)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (3915000/24388)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_dyn_map, seq num: 20, local addr: x.x.x.13
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.20.20.8/255.255.255.255/0/0)
current_peer: x.x.x.87, username: ewebb
dynamic allocated peer ip: 172.20.20.8
#pkts encaps: 16434, #pkts encrypt: 16464, #pkts digest: 16464
#pkts decaps: 19889, #pkts decrypt: 19889, #pkts verify: 19889
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16434, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 30, #pre-frag failures: 0, #fragments created: 60
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 60
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.13/4500, remote crypto endpt.: x.x.x.87/2252
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 2D712C9F
current inbound spi : 0EDB79C8
inbound esp sas:
spi: 0x0EDB79C8 (249264584)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 18262
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2D712C9F (762391711)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 18261
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001 -
Cisco ASA 5520 Failover with DMZ
I have a pair of Cisco ASA 5520s running as a primary/standby. Everything is working properly with the primary ASA, however when I trigger a failover, everything works except for the DMZ interface on the standby ASA. I've poured over the configs, but perhaps I have been staring at them too long because I am just not seeing anything.
Below is the output of the sh run failover, sh failover, and sh run interface commands for each unit...
PRIMARY ASA
Primary-ASA# sh run failover
failover
failover lan unit primary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
Primary-ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
This host: Primary - Active
Active time: 69648 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.254): Normal
Interface inside (192.168.218.252): Normal
Interface dmz (192.168.215.254): Normal (Waiting)
Interface management (192.168.1.1): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 2119 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.253): Normal
Interface inside (192.168.218.253): Normal
Interface dmz (192.168.215.252): Normal (Waiting)
Interface management (192.168.1.2): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Primary-ASA# sh run interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
ospf cost 10
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
ospf cost 10
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
ospf cost 10
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf cost 10
management-only
STANDBY ASA
Standby-ASA# sh run failover
failover
failover lan unit secondary
failover lan interface stateful1 GigabitEthernet0/3
failover key *****
failover link stateful1 GigabitEthernet0/3
failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
Standby-ASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 20:39:23 CDT Sep 3 2013
This host: Secondary - Standby Ready
Active time: 2119 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.253): Normal
Interface inside (192.168.218.253): Normal
Interface dmz (192.168.215.252): Normal (Waiting)
Interface management (192.168.1.2): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Primary - Active
Active time: 70110 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (184.61.38.254): Normal
Interface inside (192.168.218.252): Normal
Interface dmz (192.168.215.254): Normal (Waiting)
Interface management (192.168.1.1): Normal (Not-Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Standby-ASA# sh run interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
ospf cost 10
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
ospf cost 10
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
ospf cost 10
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf cost 10
management-only
Does anyone see something I might be missing? I am at a loss...I'll just answer my own question...the configs are correct, but it the interface on the standby ASA was plugged into an improperly configured switchport. That'll do it everytime.
-
Error Routing protocol - EIGRP between Cisco ASA with Switch 4506
Dear Cisco Team,
I have problem when I configed EIGRP between cisco ASA 5510 with core switch 4506. This is below error
*Nov 4 05:08:09.898: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov 4 05:09:29.409: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov 4 05:09:29.499: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov 4 05:10:35.609: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.18 (GigabitEthernet2/42) is down: holding time expired
*Nov 4 05:10:49.009: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov 4 05:10:53.230: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
quang huy2004: *Nov 4 05:08:09.898: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov 4 05:09:29.409: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov 4 05:09:29.499: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov 4 05:10:35.609: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.18 (GigabitEthernet2/42) is down: holding time expired
*Nov 4 05:10:49.009: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov 4 05:10:53.230: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
the tech Spec
ASA, IOS : 8.0.2
4506, License IP Base; OS: Unisal 15 M.2
I checked between ASA with Router ok; but between ASA with 4506 error
Can you help me ?Hello,
This logs means that the hold time expired so the hello packets are not being received, usually means multicast packets are missed-224.0.0.10)
I would recommend you to try another cable because this ussualy is a phisical or congestion issue.
Can you try that and let us know the result, also if that does not help can you send us the following outputs:
-Show ip EIGPR neighbors
-Debug EIGRP packet hello
Regards,
Julio -
Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out
I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off.
The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
1500Hi Martin,
Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
If it is outside world the you may need to check on the NAT rules which is not correct.
If it is site to site then you may need to check few other things.
Please do rate for the helpful posts.
By
Karthik -
VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)
Hi, I've been pulling my hair out trying to get simple vlan trunking working between these devices.
Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200. I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc). Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
VLAN 1 - inside (has separate dhcp scope assigned by ASA)
VLAN 99 - guest (has separate dhcp scope assigned by ASA)
SG200
purpose
ASA 5505 (Sec Plus license)
purpose
g2
Trunk 1UP,99T
Ubiquiti AP (VLAN 1 works, VLAN 99 does not
g3
Access port 99T
vlan 99 does not work
g8
Trunk 1UP, 99T
< Trunk between switch and ASA >
Int e0/2
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Int e0/3
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Second ubiquiti AP
Both VLAN 1 and VLAN 99 clients work properlyFrustrated - yes. Confused - maybe not as much, but I could have put some more effort into the overall picture.
There are two VLANs (1 - native) and (99 - guest). There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.
No clients connected to the SG200 on VLAN 99 are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP. The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
Anything connected to the SG200 on the native VLAN works properly.
Anything connected to the ASA VLANs (1 or 99) works properly
I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
SG200 g2 - trunk port (1UP, 99T) -- Access Point
SG200 g2 - access port (99U)
SG200 g8 - trunk port (1UP, 99T) connected to ASA5505 e0/3
ASA5505 e0/3 (switchport trunk allowed vlan 1,99, switchport trunk native vlan 1, switchport mode trunk)
Thanks, -
Cisco ASA 5505, Cisco VPN Client and Novell Netware
Hi,
Our ISP have installed Cisco ASA 5505 firewall. We are trying to connect to our Novell 5.1 server using VPN client.
I installed VPN client on a laptop that is using wireless connection. I connect using wireless signal from near by hotel and I am able to connect to my firewall usinging vpn client and also able to login in using Novell client for XP.
When I use same vpn client and Novell client at home that is not using wireless connection, but DSL connection amd not able to login or find the tree.
The only difference in two machine is laptop using wireless connection and my home machine is using wired connection using DSL.If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.
Maybe you are looking for
-
More than one join condition for 2 tables in obiee
Hello, I am using obiee 11g. There are 2 tables tableA and tableB where the join condition is like (tableA.col1=tableB.col1) or (tableA.col1 is null and tableB.col1 is null) where should i do these type of joins. I tried putting in physcial layer->f(
-
Problem accessing https Web service from behind proxy
Hi all, I have this constant timeout issue which occurs whenever I try to access the Web service from behind a proxy. Find below the error logs - AxisFault faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException faultSubcode: fault
-
How to put title or labels on top of row headding of Cross Tab
Hello.. I created one cross tab.I put labels in the top row,these labels are coming only in first page only,I tried repeat row label also,But not working....I need all the labels in all pages..
-
How to maintain the state(opened/closed) of a Hierarchical expanding list
Hi, I've created a list with template "hierarchical expanding". When I click on the list node to go to a page, page related to the node appears but the tree doesn't remain expanded. It always shrinks back to the highest level. Please suggest a soluti
-
I just got the New 10.2.1.3062 update and my apps keep closing whenever I listen to music my music app closes by its self within 5mins it's really irritating please help