Error Routing protocol - EIGRP between Cisco ASA with Switch 4506

Dear Cisco Team,
I have problem when I configed EIGRP between cisco ASA 5510 with core switch 4506. This is below error
*Nov  4 05:08:09.898: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov  4 05:09:29.409: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov  4 05:09:29.499: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov  4 05:10:35.609: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.18 (GigabitEthernet2/42) is down: holding time expired
*Nov  4 05:10:49.009: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov  4 05:10:53.230: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
quang huy2004: *Nov  4 05:08:09.898: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov  4 05:09:29.409: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov  4 05:09:29.499: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov  4 05:10:35.609: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.18 (GigabitEthernet2/42) is down: holding time expired
*Nov  4 05:10:49.009: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov  4 05:10:53.230: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
the tech Spec
ASA,  IOS : 8.0.2
4506, License IP Base; OS: Unisal 15 M.2
I checked between ASA with Router ok; but between ASA with 4506 error
Can you help me ?

Hello,
This logs means that the hold time expired so the hello packets are not being received, usually means multicast packets are missed-224.0.0.10)
I would recommend you to try another cable because this ussualy is a phisical or congestion issue.
Can you try that and let us know the result, also if that does not help can you send us the following outputs:
-Show ip EIGPR neighbors
-Debug EIGRP packet hello
Regards,
Julio

Similar Messages

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

                       Dear Experts,
    Wold like to know whether dynamic Routing Protocol Support in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response.  Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    Its lists the following for software level 9.0(1)
    Multiple   Context Mode Features
    Dynamic routing in Security   Contexts
    EIGRP and OSPFv2 dynamic   routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing   are not supported.
    Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
    I don't think its related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesnt support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
    I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
    Please help me to find where is the issue.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate.
    I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
    Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
    Because on Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.

  • PortChannel in Cisco ASA with subinterface vlan

    Dear Cisco Expert,
    I have problem with portchannel in cisco ASA with subinterface, My asa create port channel two link with switch :
    my asa configuration (PO3 == int gi0/1 & int gi0/0 ASA) :
    interface Port-channel3
    no nameif
    no security-level
    no ip address
    interface Port-channel3.20
    vlan 20
    nameif XXXX
    security-level 50
    ip address 172.27.3.1 255.255.255.224
    my switch configuration (PO3 == int gi0/19 & int gi0/20 switch) :
    interface Port-channel3
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 20,30,40,50
    switchport mode trunk
    end
    I also tried create int vlan 20 in switch,
    interface Vlan20
    ip address 172.27.3.2 255.255.255.224
    end
    but it doesn't work
    the etherchannel status is still in waiting :
    show etherchannel sum :
    3      Po3(SD)         LACP      Gi0/19(w)   Gi0/20(w)  
    Do you have any clue ?
    Thank u guys, ...
    Btw, if i create ASA port chanel withoout subinterface it's work.
    Best Regards
    Rizal Ferdiyan

    You ASA cofniguration should look like this. You havnt posted the full config so no comment on that
    interface GigabitEthernet0/0
    channel-group 10 mode active
    speed 1000
    duplex full
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1
    channel-group 10 mode active
    speed 1000
    duplex full
    no nameif
    no security-level
    no ip address
    interface Port-channel3
    speed 1000
    duplex full
    no nameif
    no security-level
    no ip address
    interface Port-channel3.20
    vlan 20
    nameif XXXX
    security-level 50
    ip address 172.27.3.1 255.255.255.224
    Thanks
    Ajay

  • VPN Between Cisco ASA 5505 and Cisco Router 881

    Hi All,
    I want to interconnect two office to each other but i have trouble: Please see below my configuration: What is missing to finalize the configuration properly?
    Cisco ASA 5505.
    Version 8.4(3)
    HQ-ASA5505(config)# crypto ikev1 policy 888
    HQ-ASA5505(config-ikev1-policy)# authentication pre-share
    HQ-ASA5505(config-ikev1-policy)# encryption 3des
    HQ-ASA5505(config-ikev1-policy)# hash md5
    HQ-ASA5505(config-ikev1-policy)# lifetime 86400
    HQ-ASA5505(config-ikev1-policy)# group 2
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 type ipsec-l2l
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 ipsec-attributes
    HQ-ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key test
    HQ-ASA5505(config)#object network HQ-Users
    HQ-ASA5505(config-network-object)#subnet 10.48.0.0 255.255.255.0
    HQ-ASA5505(config)# object-group network HQ.grp
    HQ-ASA5505(config-network-object-group)# network-object object HQ-Users
    HQ-ASA5505(config)#object network FSP_DATA
    HQ-ASA5505(config-network-object)#subnet 10.48.12.0 255.255.255.0
    HQ-ASA5505(config)#object-group network FSP.grp
    HQ-ASA5505(config-network-object-group)#network-object object FSP_DATA
    HQ-ASA5505(config)#access-list VPN_to_FSP extended permit ip object-group HQ.grp object-group FSP.grp
    HQ-ASA5505(config)# crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
    HQ-ASA5505(config)# crypto map ouside_map 888 set ikev1 transform-set TS
    HQ-ASA5505(config)# crypto map ouside_map 888 match address VPN_to_FSP
    HQ-ASA5505(config)# crypto map ouside_map 888 set peer 1.1.1.1
    HQ-ASA5505(config)# crypto map ouside_map 888 set pfs group2
    HQ-ASA5505(config)# crypto ikev1 enable outside
    HQ-ASA5505(config)# crypto map ouside_map interface outside
    Router 881
    Version 12.4
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    LAB_ROuter(config)#object-group network HQ
    LAB_ROuter(config-network-group)#10.48.0.0 255.255.255.0
    LAB_ROuter(config)#object-group network FSP
    LAB_ROuter(config-network-group)#10.48.12.0 255.255.255.0
    ip access-list extended FSP_VPN
     permit ip object-group FSP object-group HQ
    LAB_ROuter(config)#crypto isakmp policy 888
    LAB_ROuter(config-isakmp)#encryption 3des
    LAB_ROuter(config-isakmp)#authentication pre-share
    LAB_ROuter(config-isakmp)#hash md5
    LAB_ROuter(config-isakmp)#group 2
    LAB_ROuter(config-isakmp)#lifetime 86400
    LAB_ROuter(config)#crypto isakmp key test address 2.2.2.2
    LAB_ROuter(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto map outside_map 888 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set TS
     match address FSP_VPN
    interface fast4 --> Outside Interface (where public IP address is assigned) 
    crypto map outside_map
    Thank you in advance for your prompt advice!

    If you do a show crypto map in the router you will see the VPN traffic to be "any to any".
    This is due a known bug on Cisco routers. The router does not support object-groups network for the VPN traffic. Use a regular ACL instead.

  • S2S between Cisco ASA 5505 and Sonicwall TZ-170 but not able to ping across

    Hi,
    I am helping out a friend of mine with his Site-to-Site VPN between his companies Cisco ASA another company's SonicWall TZ-170.  I have checked the screenshots proivded by the other end and tried to match with ours.  The Tunnel shows but we are not able to Ping resources on the other end.  The other side insists that the problem is on our end but I am not sure where the issue resides.  Please take a look at our config and let me know if there is anything that I have missed.  I am pretty sure I didn't but extra eyes may be of need here.
    Our LAN is 10.200.x.x /16 and theirs is 192.168.9.0 /24
    ASA Version 8.2(2)
    terminal width 300
    hostname company-asa
    domain-name Company.com
    no names
    name 10.1.0.0 sacramento-network
    name 10.3.0.0 irvine-network
    name 10.2.0.0 portland-network
    name x.x.x.x MailLive
    name 192.168.9.0 revit-vpn-remote-subnet
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.128
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.200.200.1 255.255.0.0
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 172.22.22.1 255.255.255.0
    interface Ethernet0/3
    description Internal Wireless
    shutdown
    nameif Wireless
    security-level 100
    ip address 10.201.201.1 255.255.255.0
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name company.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network local_net_group
    network-object 10.1.0.0 255.255.0.0
    network-object 10.2.0.0 255.255.0.0
    network-object 10.200.0.0 255.255.0.0
    network-object 10.3.0.0 255.255.0.0
    network-object 10.4.0.0 255.255.0.0
    network-object 10.5.0.0 255.255.0.0
    network-object 10.6.0.0 255.255.0.0
    network-object 10.7.0.0 255.255.0.0
    network-object 192.168.200.0 255.255.255.0
    object-group network NACIO123
    network-object 1.1.1.1 255.255.255.224
    object-group service MAIL_HTTPS_BORDERWARE tcp
    port-object eq smtp
    port-object eq https
    port-object eq 10101
    object-group service SYSLOG_SNMP_NETFLOW udp
    port-object eq syslog
    port-object eq snmp
    port-object eq 2055
    object-group service HTTP_HTTPS tcp
    port-object eq www
    port-object eq https
    object-group network OUTSIDECO_SERVERS
    network-object host x.x.x.34
    network-object host x.x.x.201
    network-object host x.x.x.63
    object-group network NO-LOG
    network-object host 10.200.200.13
    network-object host 10.200.200.25
    network-object host 10.200.200.32
    object-group service iPhoneSync-Services-TCP tcp
    port-object eq 993
    port-object eq 990
    port-object eq 998
    port-object eq 5678
    port-object eq 5721
    port-object eq 26675
    object-group service termserv tcp
    description terminal services
    port-object eq 3389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DTI tcp
    description DCS CONTROL PROTOCOL
    port-object eq 3333
    object-group service H.245 tcp
    description h.245 signaling
    port-object range 1024 4999
    object-group service RAS udp
    port-object eq 1719
    port-object range 1718 1720
    object-group service XML tcp
    port-object range 3336 3341
    object-group service mpi tcp
    port-object eq 2010
    object-group service mvp_control tcp
    port-object eq 2946
    object-group service rpc tcp-udp
    port-object eq 1809
    object-group service tcp8080 tcp
    port-object eq 8080
    object-group service tcp8011 tcp
    port-object eq 8011
    object-group service rtp_rtcp_udp udp
    port-object range 1024 65535
    object-group service ecs_xml tcp-udp
    port-object eq 3271
    object-group service rtp20000 udp
    description 10000-65535
    port-object range 20000 25000
    port-object range 10000 65535
    object-group service tcp5222 tcp
    port-object range 5222 5269
    object-group service tcp7070 tcp
    port-object eq 7070
    object-group network videoco
    network-object host x.x.x.144
    network-object host x.x.x.145
    object-group service video tcp
    port-object range 1718 h323
    object-group service XML2 tcp-udp
    port-object range 3336 3345
    object-group service tcp_tls tcp
    port-object eq 5061
    object-group service Autodesk tcp
    port-object eq 2080
    port-object range 27000 27009
    access-list outside_policy remark ====== Begin Mail From Postini Network ======
    access-list outside_policy extended permit tcp x.x.x.x 255.255.240.0 host x.x.x.x eq smtp
    access-list outside_policy extended permit tcp x.x.x.x 255.255.255.240 host x.x.x.x eq smtp
    access-list outside_policy extended permit tcp x.x.x.0 255.255.240.0 host x.x.x.x eq smtp
    access-list outside_policy remark ****** End Mail From Postini Network ******
    access-list outside_policy remark ====== Begin Inbound Web Mail Access ======
    access-list outside_policy extended permit tcp any host x.x.x.x object-group HTTP_HTTPS
    access-list outside_policy remark ****** End Inbound Web Mail Access ******
    access-list outside_policy remark ====== Begin iPhone Sync Rules to Mail Server ======
    access-list outside_policy extended permit tcp any host x.x.x.x object-group iPhoneSync-Services-TCP
    access-list outside_policy remark ****** End iPhone Sync Rules to Mail Server ******
    access-list outside_policy remark ====== Begin MARS Monitoring ======
    access-list outside_policy extended permit udp x.x.x.x 255.255.255.128 host x.x.x.x object-group SYSLOG_SNMP_NETFLOW
    access-list outside_policy extended permit icmp x.x.x.x 255.255.255.128 host x.x.x.x
    access-list outside_policy remark ****** End MARS Monitoring ******
    access-list outside_policy extended permit tcp object-group NACIO123 host x.x.x.141 eq ssh
    access-list outside_policy extended permit tcp any host x.x.x.x eq www
    access-list outside_policy extended permit tcp any host x.x.x.x eq https
    access-list outside_policy extended permit tcp any host x.x.x.x eq h323
    access-list outside_policy extended permit tcp any host x.x.x.x range 60000 60001
    access-list outside_policy extended permit udp any host x.x.x.x range 60000 60007
    access-list outside_policy remark radvision 5110   port 80 both
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq www
    access-list outside_policy remark radvision
    access-list outside_policy extended permit tcp any object-group videoco object-group termserv
    access-list outside_policy remark radvision 5110  port21 out
    access-list outside_policy extended permit tcp any object-group videoco eq ftp
    access-list outside_policy remark rad5110   port22 both
    access-list outside_policy extended permit tcp any object-group videoco eq ssh
    access-list outside_policy remark rad 5110  port161 udp both
    access-list outside_policy extended permit udp any object-group videoco eq snmp
    access-list outside_policy remark rad5110 port443 both
    access-list outside_policy extended permit tcp any object-group videoco eq https
    access-list outside_policy remark rad5110 port 1024-4999  both
    access-list outside_policy extended permit tcp any object-group videoco object-group H.245
    access-list outside_policy remark rad5110 port 1719 udp both
    access-list outside_policy extended permit udp any object-group videoco object-group RAS
    access-list outside_policy remark rad5110 port 1720 both
    access-list outside_policy extended permit tcp any any eq h323
    access-list outside_policy remark RAD 5110 port 3333 tcp both
    access-list outside_policy extended permit tcp any object-group videoco object-group DTI
    access-list outside_policy remark rad5110 port 3336-3341 both
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group XML2
    access-list outside_policy remark port 5060 tcp/udp
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq sip
    access-list outside_policy remark rad 5110port 1809 rpc both
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group rpc
    access-list outside_policy remark rad 5110 port 2010 both
    access-list outside_policy extended permit tcp any object-group videoco object-group mpi
    access-list outside_policy remark rad 5110 port 2946 both
    access-list outside_policy extended permit tcp any object-group videoco object-group mvp_control
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp8080
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp8011
    access-list outside_policy remark 1024-65535
    access-list outside_policy extended permit udp any object-group videoco object-group rtp_rtcp_udp
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group ecs_xml
    access-list outside_policy extended permit udp any object-group videoco object-group rtp20000
    access-list outside_policy extended permit tcp any object-group videoco eq telnet
    access-list outside_policy remark port 53 dns
    access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq domain
    access-list outside_policy remark 7070
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp7070
    access-list outside_policy remark 5222-5269 tcp
    access-list outside_policy extended permit tcp any object-group videoco range 5222 5269
    access-list outside_policy extended permit tcp any object-group videoco object-group video
    access-list outside_policy extended permit tcp any object-group videoco object-group tcp_tls
    access-list outside_policy remark ====== Begin Autodesk Activation access ======
    access-list outside_policy extended permit tcp any any object-group Autodesk
    access-list outside_policy remark ****** End Autodesk Activation access ******
    access-list outside_policy extended permit tcp x.x.x.x 255.255.255.248 host x.x.x.x eq smtp
    access-list outside_policy remark ****** End Autodesk Activation access ******
    access-list inside_policy extended deny tcp host 10.200.200.25 10.1.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.3.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.2.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.4.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny tcp host 10.200.200.25 10.5.0.0 255.255.0.0 eq 2967 log disable
    access-list inside_policy extended deny udp object-group NO-LOG any eq 2967 log disable
    access-list inside_policy extended deny tcp object-group NO-LOG any eq 2967 log disable
    access-list inside_policy remark ====== Begin Outbound Mail Server Rules ======
    access-list inside_policy extended permit udp host 10.200.200.222 any eq 5679
    access-list inside_policy extended permit tcp host 10.200.200.222 any eq smtp
    access-list inside_policy remark ****** End Outbound Mail Server Rules ******
    access-list inside_policy extended permit ip object-group local_net_group any
    access-list inside_policy extended permit icmp object-group local_net_group any
    access-list OUTSIDECO_VPN extended permit ip host x.x.x.x object-group OUTSIDECO_SERVERS
    access-list company-split-tunnel standard permit 10.1.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.2.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.3.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.4.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.200.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.5.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.6.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 10.7.0.0 255.255.0.0
    access-list company-split-tunnel standard permit 172.22.22.0 255.255.255.0
    access-list company-split-tunnel remark Video
    access-list company-split-tunnel standard permit 192.168.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.1.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.2.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.3.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.200.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.4.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.5.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.6.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 10.7.0.0 255.255.0.0
    access-list SSL_SPLIT standard permit 172.22.22.0 255.255.255.0
    access-list SSL_SPLIT remark Video
    access-list SSL_SPLIT standard permit 192.168.0.0 255.255.0.0
    access-list NONAT_SSL extended permit ip object-group local_net_group 172.20.20.0 255.255.255.0
    access-list NONAT_SSL extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
    access-list tom extended permit tcp host x.x.x.x any eq smtp
    access-list tom extended permit tcp host 10.200.200.222 any eq smtp
    access-list tom extended permit tcp any host x.x.x.x
    access-list aaron extended permit tcp any any eq 2967
    access-list capauth extended permit ip host 10.200.200.1 host 10.200.200.220
    access-list capauth extended permit ip host 10.200.200.220 host 10.200.200.1
    access-list DMZ extended permit icmp any any
    access-list dmz_access_in extended permit tcp any eq 51024 any eq 3336
    access-list dmz_access_in extended permit icmp any any
    access-list dmz_access_in extended permit tcp any any eq ftp
    access-list dmz_access_in extended permit tcp any any eq https
    access-list dmz_access_in remark rad5110 port 162 out
    access-list dmz_access_in extended permit udp any any eq snmptrap
    access-list dmz_access_in remark port 23 out
    access-list dmz_access_in extended permit tcp any any eq telnet
    access-list dmz_access_in remark port 53 dns out
    access-list dmz_access_in extended permit object-group TCPUDP any any eq domain
    access-list dmz_access_in extended permit object-group TCPUDP any any eq www
    access-list dmz_access_in extended permit tcp any any eq h323
    access-list dmz_access_in extended permit tcp any any object-group XML
    access-list dmz_access_in extended permit udp any any object-group RAS
    access-list dmz_access_in extended permit tcp any any range 1718 h323
    access-list dmz_access_in extended permit tcp any any object-group H.245
    access-list dmz_access_in extended permit object-group TCPUDP any any eq sip
    access-list dmz_access_in extended permit udp any any object-group rtp_rtcp_udp
    access-list dmz_access_in extended permit object-group TCPUDP any any object-group XML2
    access-list dmz_access_in extended permit ip object-group local_net_group any
    access-list dmz_access_in remark port 5061
    access-list dmz_access_in extended permit tcp any any object-group tcp_tls
    access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered warnings
    logging trap informational
    logging history informational
    logging asdm warnings
    logging host outside x.x.x.x
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu Wireless 1500
    mtu management 1500
    ip local pool SSL_VPN_POOL 172.20.20.1-172.20.20.75 mask 255.255.255.0
    ip verify reverse-path interface outside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT_SSL
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) x.x.x.12 10.200.200.15 netmask 255.255.255.255
    static (inside,outside) x.x.x.15 10.5.0.11 netmask 255.255.255.255
    static (inside,outside) x.x.x.13 10.200.200.240 netmask 255.255.255.255
    static (inside,outside) x.x.x.16 10.200.200.222 netmask 255.255.255.255
    static (inside,outside) x.x.x.14 10.200.200.155 netmask 255.255.255.255
    static (inside,dmz) 10.200.200.0 10.200.200.0 netmask 255.255.255.0
    static (inside,dmz) 10.4.0.0 10.4.0.0 netmask 255.255.0.0
    static (dmz,outside) x.x.x.18 172.22.22.15 netmask 255.255.255.255
    static (dmz,outside) x.x.x.19 172.22.22.16 netmask 255.255.255.255
    static (inside,dmz) 10.3.0.0 10.3.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.6.0.0 10.6.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.7.0.0 10.7.0.0 netmask 255.255.0.0
    static (inside,dmz) 10.5.0.0 10.5.0.0 netmask 255.255.0.0
    access-group outside_policy in interface outside
    access-group inside_policy in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 x.x.x.12 1
    route inside 10.1.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.2.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.3.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.4.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.5.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.6.0.0 255.255.0.0 10.200.200.254 1
    route inside 10.7.0.0 255.255.0.0 10.200.200.150 1
    route inside x.x.x.0 255.255.255.0 10.200.200.2 1
    route inside x.x.x.0 255.255.255.0 10.200.200.2 1
    route inside 192.168.1.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.2.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.3.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.4.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.5.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.6.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.7.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.200.0 255.255.255.0 10.200.200.254 1
    route inside 192.168.201.0 255.255.255.0 10.200.200.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 2:00:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server COMPANY-NT-AUTH protocol nt
    aaa-server COMPANY-NT-AUTH (inside) host 10.200.200.220
    nt-auth-domain-controller DC
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 10.200.200.0 255.255.255.0 inside
    http 10.200.0.0 255.255.0.0 inside
    http 10.3.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto map OUTSIDE_MAP 5 match address outside_cryptomap
    crypto map OUTSIDE_MAP 5 set pfs
    crypto map OUTSIDE_MAP 5 set peer x.x.x.53
    crypto map OUTSIDE_MAP 5 set transform-set 3DES-SHA
    crypto map OUTSIDE_MAP 5 set security-association lifetime seconds 28800
    crypto map OUTSIDE_MAP 10 match address OUTSIDECO_VPN
    crypto map OUTSIDE_MAP 10 set peer x.x.x.25
    crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
    crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
    crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes 4608000
    crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map OUTSIDE_MAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd dns 10.200.200.220 10.200.200.225
    dhcpd wins 10.200.200.220 10.200.200.225
    dhcpd lease 18000
    dhcpd domain company.com
    dhcpd dns 10.200.200.220 10.200.200.225 interface Wireless
    dhcpd wins 10.200.200.220 10.200.200.225 interface Wireless
    dhcpd lease 18000 interface Wireless
    dhcpd domain company.com interface Wireless
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.5.41.40 source outside prefer
    ssl trust-point vpn.company.com outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2017-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSL_Client_Policy internal
    group-policy SSL_Client_Policy attributes
    wins-server value 10.200.200.220
    dns-server value 10.200.200.220
    vpn-tunnel-protocol IPSec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SSL_SPLIT
    default-domain value company.com
    webvpn
      sso-server none
      auto-signon allow uri * auth-type all
    group-policy no-split-test internal
    group-policy no-split-test attributes
    banner value Welcome to company and Associates
    banner value Welcome to company and Associates
    dns-server value 10.200.200.220
    vpn-tunnel-protocol IPSec
    ipsec-udp enable
    split-tunnel-policy tunnelall
    default-domain value company.com
    group-policy DfltGrpPolicy attributes
    dns-server value 10.200.200.220
    default-domain value company.com
    group-policy company internal
    group-policy company attributes
    banner value Welcome to company and Associates
    banner value Welcome to company and Associates
    dns-server value 10.200.200.220
    vpn-tunnel-protocol IPSec
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SSL_SPLIT
    default-domain value company.com
    username ciscoadmin password xxxxxxxxxxx encrypted privilege 15
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool SSL_VPN_POOL
    authentication-server-group COMPANY-NT-AUTH
    default-group-policy SSL_Client_Policy
    tunnel-group DefaultWEBVPNGroup webvpn-attributes
    group-alias company_SSL_VPN enable
    tunnel-group company_group type remote-access
    tunnel-group company_group general-attributes
    address-pool SSL_VPN_POOL
    authentication-server-group COMPANY-NT-AUTH LOCAL
    default-group-policy company
    tunnel-group company_group ipsec-attributes
    pre-shared-key *****
    tunnel-group x.x.x.53 type ipsec-l2l
    tunnel-group x.x.x.53 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect tftp
      inspect esmtp
      inspect ftp
      inspect icmp
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect mgcp
      inspect h323 h225
      inspect h323 ras
      inspect sip
    service-policy global_policy global
    privilege cmd level 5 mode exec command ping
    privilege cmd level 6 mode exec command write
    privilege show level 5 mode exec command running-config
    privilege show level 5 mode exec command version
    privilege show level 5 mode exec command conn
    privilege show level 5 mode exec command memory
    privilege show level 5 mode exec command cpu
    privilege show level 5 mode exec command xlate
    privilege show level 5 mode exec command traffic
    privilege show level 5 mode exec command interface
    privilege show level 5 mode exec command clock
    privilege show level 5 mode exec command ip
    privilege show level 5 mode exec command failover
    privilege show level 5 mode exec command arp
    privilege show level 5 mode exec command route
    privilege show level 5 mode exec command blocks
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:a0689b4c837c79a51e7a0cfed591dec9
    : end
    COMPANY-asa#

    Hi Sian,
    Yes on their end the PFS is enabled for DH Group 2.
    Here is the information that you requested:
    company-asa# sh crypto isakmp sa
       Active SA: 3
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 3
    1   IKE Peer: x.x.x.87
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    2   IKE Peer: x.x.x.53
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    3   IKE Peer: x.x.x.25
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG4
    company-asa# sh crypto ipsec sa
    interface: outside
        Crypto map tag: OUTSIDE_MAP, seq num: 5, local addr: x.x.x.13
          access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
          current_peer: x.x.x.53
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 10744, #pkts decrypt: 10744, #pkts verify: 10744
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.13, remote crypto endpt.: x.x.x.53
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 500EC8BF
          current inbound spi : 8DAE3436
        inbound esp sas:
          spi: 0x8DAE3436 (2377004086)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
             sa timing: remaining key lifetime (kB/sec): (3914946/24388)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x500EC8BF (1343146175)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
             sa timing: remaining key lifetime (kB/sec): (3915000/24388)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        Crypto map tag: outside_dyn_map, seq num: 20, local addr: x.x.x.13
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (172.20.20.8/255.255.255.255/0/0)
          current_peer: x.x.x.87, username: ewebb
          dynamic allocated peer ip: 172.20.20.8
          #pkts encaps: 16434, #pkts encrypt: 16464, #pkts digest: 16464
          #pkts decaps: 19889, #pkts decrypt: 19889, #pkts verify: 19889
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 16434, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 30, #pre-frag failures: 0, #fragments created: 60
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 60
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.13/4500, remote crypto endpt.: x.x.x.87/2252
          path mtu 1500, ipsec overhead 66, media mtu 1500
          current outbound spi: 2D712C9F
          current inbound spi : 0EDB79C8
        inbound esp sas:
          spi: 0x0EDB79C8 (249264584)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 18262
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x2D712C9F (762391711)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 18261
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

  • Which routing protocols are supported on ASA 5585

    Hi,
    I am curious to know which routing protocol is well supported on Cisco ASA 5585. do someone on the forum has implemented routing on ASA?
    I have ASA 5585 on context mode, as of now 4 contexts have been created. upstream device is Nexus.
    I have ASA with Software Version 8.4(4)1 and Device Manager Version 6.4(9).
    if someone can point me to good implemented example of routing protocol to their environment (like OSPF, BGP) that would be great.
    Thanks

    You're welcome.
    Multiple contexts adds another twist - in ASA 8.4 dynamic routing protocols are not supported at all for multiple contexts. Reference.
    ASA 9.0 added support for dynamic routing protocols in multiple context modes, including OSPF v2 (but not v3 for IPv6). Reference.
    FYI ASA 9.1(2) is current as of this writing and is the recommended release in the 9.x train. (Mentioned near the end of the latest TAC Security podcast - episode #37 here.)

  • Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

    Hi,
    I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
    The scanario:
    Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
    Any help or advice is much appreciated.
    Thanks.

    Hello Bernard,
    What you are looking for is a Remote Ipsec VPN mode not a L2L.
    Here is the link you should use to make this happen:)
    https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
    Regards,
    Julio

  • Site to site VPN between cisco asa 5550 and checkpoint r75

    Hi all ,
    below is cisco asa config for our customer end:
    crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto isakmp policy 10
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 86400
    What should i configure on checkpoint for first phase and second phase ?
    Regards,
    Suhail

    In checkpoint VPN community, default setting for phase 1 is 86400 seconds so you're good there.  Phase II default is 28,800 so  you need to edit the parameter and change it to 3600.  the rest is the same as cisco with the exception of the lifetime in kilobytes which CP does not have
    Easy right?

  • Cisco ASA with IMAP4S proxy

    Hi,
    we want to access our mail server (Lotus Domino) with an iPhone through a Cisco ASA configured as a IMAP-SSL proxy.
    I have no problem accessing the server with Apple Mail, but not with the iPhone!
    After the successful SSL handshake and AAA authetification the SSL connection is terminated with "client channel close"
    Any ideas?

    hello Vinish
    recommending you to place this question to Security -> Firewalling forum instead of Small Business Security. Cisco ASA devices are not part of Small Business portfolio and ASA knowledgeable users are probably not checking this Small Business. That's reason why nobody responded yet probably.

  • Configuring - Cisco 2921 with Switch Module/POE PS and 3750-x 24 port switch

    This is what I have
    - Cisco 2921 router
             with SM-ES2-24-P switch module and
                     POE power supply
    -Cisco 3750x- 24 port Switch
    I have port G1/0 (which connects to 24p Switch Module port g0/26 logically) configured with 3 sub interfaces (management, User and VOIP)
    I want to connect 3750x to G0/1 on 2921 via fiber GBIC but want to use same three VLANs
    I can not daisy chain 3750x via the switch module because it does not have fiber port.
    I do not want to create another routed (g0/1) interface because I want to keep Users on both switches on the same subnet without further splitting the subnet in two.
    I hope I am not making this confusing.
    How can I bridge g1/0 and g0/1 so I can pass vlan traffic between two switches?
    Second problem i have is ...
    I have a VOIP connected to switch module (SM) and it is not getting any power.
    I went in to all the interfaces on SM and issued power inline auto command
    On the SM (sh power inline) - available is 0.0(w)
    on the 2921 (sh power inline)
       - power supply status is good,
       - maximun power available is 280.
       - interface G1/0( which connects to SM)
          *device is unknown
          * powered off
         * allocated 0.0 watts.
    I already tried resetting SM
    Is there any other command I need to issue?
    thanks for your help.

    I'm having a similar issue. I can get trunked connectivity between the switch module and the router if I put the IP address on the router sub interface, but not if I put it on a VLAN interface. I was hoping to have it on a VLAN sub interface on the router so I could use Gig0/1 and Gig0/2 to connect other switches and have them on the same VLANs. I'm using Gig1/0 on the router side and Gig0/51 on the switch side (48-port module).
    Any help? Am I on the wrong track altogether?

  • Need help - Cisco ASA with FirePOWER

    hi 
    currently we are using asa 5510 without firepower feature. our aim is to publish web servers and microsoft lync with reverse proxy method. control internet traffic , apply particular extensions file not to download , bandwidth management etc.
    Is it possible when we add firepower on asa 5510 ..... please guide me.... thanks

    Thanks for your detailed reply brother. actually we have deployed lync server 2013 with reverse proxy so it is must.  see the comparison . i should go with Sophos UTM Firewall what you advice me...
    Feature
    Cisco Firepower
    Fortinet
    Sophos Utm
    Firewall 



    IPS



    Antivirus Gateway


    AntiMalware*


    Antispam


    HTTP Proxy


    Reverse Proxy
    Partially


    Web Filtering



    Email Protection


    Wireless Controller

    Bandwidth Control
    Expected in Next Year
    Limited

    Application Visibility and control



    Data Loss Prevention


    Advance Threat Prevention



    On BOX reporting
    Limited

    External Reporting



    Web Reputation defence



    Failover


  • CISCO ASA WITH FORTIMAIL

    Hi
    Recently we want to replace the CSC for a Fortimail, my quetion is how I redirect the smtp trafic to the Fortimail Appliance from the ASA because the ASA received the traffic SMTP.

    You don't redirect the traffic from the ASA to the Fortimail. That's (to my knowledge) not a possible design. You have probably two ways to deploy the Fortimail in your environment:
    Gateway mode
    For that you configure your internal mail-server with the Fortimail as a smarthost. On the ASA you change the port-forwarding which is configured to your internal Mailserver to the Fortigate.
    Transparent mode
    Here you place the FortiMail inline between your Mail-Server and the ASA.
    For the rest it is probably better to ask in a Fortinet-support-forum.

  • STS Tunnel in between Cisco ASA and Meraki Firewall

    Hello Experts,
    We are in process of configuring the syslog server which is placed at remote site and the STS Tunnel is established to send the Meraki syslogs over the Tunnel which is working fine. The local LANS of both sites can communicate each other without issue but we are facing an issue wherein when the traffic leaves the traffic from Meraki firewall then it uses the Meraki wan interface IP and in syslog it's being used as a source which can't be added in encryption list on Meraki firewall unfortunately as there is no option available to get the wan IP added to encryption list. Can somebody please advise on how to solve this issue? I also searched an option to get the source IP changed from wan to Inside interface IP which is still not possible on Meraki firewall.

    I am not very familiar with Meraki, but I did come across this document...hope it will help you out.
    https://kb.meraki.com/knowledge_base/syslog-server-overview-and-configuration
    Please remember to select a correct answer and rate helpful posts

  • Integrating Microsoft NAP with Cisco ASA

    Hello everyone,
    I'm quite new to the Cisco world. I wonder if and how it is possible to marry Cisco ASA with Microsoft NAP (in Terms of VPN Enforcement). Does anybody know some helpful documents? Is an ACS Server/Appliance necessary?
    Thanks in advance and kind regards

    Hello Jatin,
    thanks for your reply.
    Microsoft states that authentication via PEAP is necessary for NAP to work:
    "One security feature of PEAP is the transmission of Statement of Health (SoH) messages."
    (see http://blogs.msdn.com/b/openspecification/archive/2009/06/05/peap-phase-2-encapsulation-examples-for-a-client-authenticating-with-ms-chapv2.aspx?Redirected=true)
    However, I found this topic which states that PEAP auth. is not possible with the ASA: https://supportforums.cisco.com/thread/2028742
    Is that true?

Maybe you are looking for

  • Vertical Lines on iMac Late 2006 Models!

    Hi Everyone! I know theres a lot of threed about it but I wan't to make this one very clear and simple for every user that will read it. I have two and Late 2006 iMac Based Intel Core 2 Duo and I have the famous on both mac. I know that last year App

  • Itunes 7.0.1 skipping problem with audigy soundcard

    Hi, I have an audigy se soundcard and running itunes 7.0.1. Whenever the cpu usage spikes (opening applications and loading animations on webpages) and I'm playing music in itunes, the music skips and cracks. I don't think it's issue with soundcard/d

  • Ipod mini hard drive goes crunch and now get Sad face with IPOD

    I've notice that after I installed new ITUNES and Updater software, my mini has the following problems: 1. Click to the song and it just sits there and then it might skip over a the next song or songs before playing, like it is frozen 2. I hear the h

  • Automatic release of notification

    Hai PM gurus , Is it possible to release PM notification automaically when created , as create and release person are same . Thanks in advance gmr

  • HR_GET_QUOTA_DATA error

    hi guys, im trying to use this FM, and i need the ABWKO table with the quota absences, the problem is that the table ABWKO that im using is incompatible, but i get the data definition from pt_qta10. here is the code: data definition TYPES: BEGIN OF F