Help open port on ASA5510 (version 8.3)
Hi all,
I configured the ASA to open ports 21, 3389 and 5900 (outside access in), but when I check the ports only 21 and 3389 succeed; 5900 gives an error.
If I configure only one port, 5900 or 3389, it's OK. I don't understand what the problem is.
ASA5510>
ASA5510> ena
Password: ***********************
ASA5510# show run
: Saved
ASA Version 8.3(1)
hostname ASA5510
domain-name lohoi.local
enable password *********************** encrypted
passwd *********************** encrypted
names
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network Remote_Desktop
host 192.168.100.29
object network VNC
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.29
access-list outside_in extended permit tcp any host 192.168.100.4
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network Remote_Desktop
nat (inside,outside) static interface service tcp 3389 3389
object network VNC
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password *********************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:667cb3ec729681c78ccab9a57abd89df
: end
ASA5510#
ASA5510# show run
: Saved
ASA Version 8.3(1)
hostname ASA5510
domain-name lohoi.local
enable password ****************** encrypted
passwd ****************** encrypted
names
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network remote_desktop
host 192.168.100.2
object network remote_vnc
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_access_in extended permit tcp any host 192.168.100.4 eq 5900
access-list outside_access_in extended permit tcp any host 192.168.100.2 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asd
asdm history enable
arp timeout 14400
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network remote_desktop
nat (inside,outside) static interface service tcp 3389 3389
object network remote_vnc
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 172.16.17.1 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ****************** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4f061a213185354518601f754e41494c
: end
ASA5510#
So I configured it again, but I am still not able to access port 5900.
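The two `show run` dumps above differ in their NAT/ACL section in a way that is easy to miss by eye: in the first dump the access-list that carries the FTP rule (`outside_access_in`) is not the list applied with `access-group` (that is `outside_in`), and the applied list permits the RDP and VNC hosts on every TCP port rather than only the port the static PAT translates. On ASA 8.3 and later the interface ACL is matched against the real (inside) address, so these relationships can be checked offline from the config text before testing from outside. The script below is an added example, not code from this thread or from Cisco. It parses only the subset of `object network`, `nat`, `access-list` and `access-group` syntax that appears in the dumps (an assumption; the `permit ip any object X` and whole-host static forms from the ASA 9.1 thread further down are also accepted), and the `SAMPLE_CONFIG` and `FIXED_CONFIG` strings are constructed from the first and second dumps, trimmed to the relevant lines.

```python
"""Audit an ASA 8.3+ running-config for inbound static NAT / ACL mismatches.
Added example for the thread above, not code from the thread or from Cisco; it
parses only the subset of object NAT, access-list and access-group syntax that
appears in the pasted "show run" outputs (assumption)."""
import re

# Service names the ASA prints instead of numbers (small, constructed subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}

def port_number(token):
    """'ftp' or '5900' -> int; unknown names raise rather than becoming 'any port'."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown service name: {token}")

def parse_config(text):
    """Return (objects, aces, bound): objects name -> {host, static, real_port};
    aces (acl, dest_host, dest_object, dest_port or None); bound interface -> ACL."""
    objects, aces, bound, cur = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            # An object appears twice: once with its address, once with its NAT.
            cur = objects.setdefault(m.group(1), {"host": None, "static": False, "real_port": None})
        elif (m := re.match(r"host (\S+)$", line)) and cur:
            cur["host"] = m.group(1)
        elif (m := re.match(r"nat \(\S+,\S+\) static \S+(?: service tcp (\S+) \S+)?$", line)) and cur:
            cur["static"] = True
            if m.group(1):                      # static PAT: keep the REAL (inside) port
                cur["real_port"] = port_number(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit (?:tcp|ip) any "
                           r"(?:host (\S+)|object (\S+))(?: eq (\S+))?$", line):
            aces.append((m.group(1), m.group(2), m.group(3),
                         port_number(m.group(4)) if m.group(4) else None))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bound[m.group(2)] = m.group(1)
    return objects, aces, bound

def audit(objects, aces, bound, outside="outside"):
    """Check every statically translated host against the ACL applied on `outside`.
    On 8.3+ the ACL matches the REAL (inside) address. Returns (subject, status, detail)."""
    findings, acl = [], bound.get(outside)
    if acl is None:
        findings.append((outside, "no_access_group", "nothing applied inbound; implicit deny"))
    for name, obj in objects.items():
        if not obj["static"] or obj["host"] is None:
            continue
        host, port = obj["host"], obj["real_port"]
        port_txt = f"tcp/{port}" if port is not None else "all ports"
        hits = [a for a in aces if (a[1] == host or a[2] == name)
                and (a[3] is None or port is None or a[3] == port)]
        live = [a for a in hits if a[0] == acl]
        if not live and hits:
            lists = ", ".join(sorted({a[0] for a in hits}))
            findings.append((name, "unbound_acl", f"rule for {host} is in {lists}, but {acl} is applied"))
        elif not live:
            findings.append((name, "denied", f"no ACE permits real address {host} {port_txt}"))
        elif port is not None and any(a[3] is None for a in live):
            findings.append((name, "permitted_broad", f"{acl} permits {host} on every port but only "
                             f"{port_txt} is translated; tighten the ACE with 'eq {port}'"))
        else:
            findings.append((name, "permitted", f"{acl} permits {host} {port_txt}"))
    for lst in sorted({a[0] for a in aces}):
        if lst not in bound.values():
            findings.append((lst, "acl_unapplied", "has entries but is not applied to any interface"))
    return findings

# Constructed samples: the NAT/ACL lines of the two "show run" dumps above, trimmed.
SAMPLE_CONFIG = """\
object network ftpserver
 host 192.168.88.90
object network VNC
 host 192.168.100.4
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.4
object network ftpserver
 nat (inside,outside) static interface service tcp ftp ftp
object network VNC
 nat (inside,outside) static interface service tcp 5900 5900
access-group outside_in in interface outside
"""
FIXED_CONFIG = """\
object network remote_vnc
 host 192.168.100.4
access-list outside_access_in extended permit tcp any host 192.168.100.4 eq 5900
object network remote_vnc
 nat (inside,outside) static interface service tcp 5900 5900
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("first dump", SAMPLE_CONFIG), ("second dump", FIXED_CONFIG)):
        print(f"== {label}")
        for subject, status, detail in audit(*parse_config(cfg)):
            print(f"  {status:16} {subject}: {detail}")
```

Run as-is it reports `unbound_acl` for the FTP host and `acl_unapplied` for `outside_access_in` in the first dump, and `permitted` for everything in the second. `permitted_broad` is a least-privilege note rather than a reachability problem: an ACE without `eq` is wider than a single-port static PAT needs. The on-box equivalent of this check is `packet-tracer input outside tcp ...`, as used in the ASA 9.1 thread below; this script is the offline counterpart for reviewing a pasted config.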
Similar Messages
-
Help Opening PORT 6112 for WarCraftIII Hosting
I'm trying to help my son use WarCraftIII to host a game in our iMac G5, but no one can join. Successful hosting is supposed to be an issue of opening port 6112 but no success yet.
What I have done so far:
1) Set Linksys BEFSR41 router to forward port 6112 both ways. Contacted Blizzard tech support today and they told me I needed to open the port in the Linksys router by following instructions at http//:www.portforward.com for my router and the WarCraft III game (fyi this is a very nice site, anyone with router setting issues should check it out). I went to the site, clicked on "Forward", found my router (Linksys BEFSR41v1.39) in the list below, then found my game WarCraft III in the game list and followed instructions at this website: http://www.portforward.com/english/routers/portforwarding/Linksys/BEFSR41v1.40.2/WarcraftIII.htm
2) Opened port 6112 in Mac OS FileSharing FireWall. I'm not so sure I got this part right. I went to System Prefs, File Sharing, FireWall and clicked New. Then I entered 6112 in both TCP and UDP (cause I don't know which it is) and selected Other and gave it the name WarcraftIII1 (used this name, because we were helping a friend set up his router (Linksys WRT54G) to pass 6112, and the portforward.com instructions had us enter that text in Application field for the port forwarding range: http://www.portforward.com/english/routers/portforwarding/Linksys/WRT54G/WarcraftIII.htm So, I figured this was as good a name as any to use in FireWall setting.
Ideas I have not tried yet:
1) Maybe I need to update my Linksys firmware? I noticed that the Portforward instructions were for Linksys firmware 1.40.2. My firmware is 1.39 (going to the Linksys site I see there's a newer version v1.46.02 available). So, maybe I need to download and apply it (but I don't want to screw up my current router settings - since they work! - and I'm figuring it's likely to lose all current settings with a firmware update).
2) Maybe I need a different name in the FireWall port than "WarcraftIII1"? Maybe one of the pull-down options is what I should have used.
Any help would be greatly appreciated!
iMac G5 Mac OS X (10.4.6) 1.5 Gb RAM
Hey Tim,
Thanks for the tip on preparing for the firmware update. As it turns out, all settings were wiped when I did the update. But I like the approach of having a 'clean' setup before the update (sort of like running Disk Utility before and after new software installs).
I tried turning off the Mac OS firewall, but it didn't help (so I don't think that's the root cause - but a good thing to test). Part of the www.portforward.com instructions for using my Linksys router with WarCraftIII include setting to DISABLE the "Block WAN Request" option. I don't know much about router security, but this makes me feel more vulnerable. So, I prefer to keep the Mac OS firewall enabled, as long as it doesn't get in the way (also MacWorld's most recent issue recommended firewall ON, and activating Advanced settings turning ON options for Block UDP Traffic and Enable Stealth Mode). Having my firewall set up in this way hasn't been any problem for me at all for the past 1.5 yrs, until just recently when I tried hosting a WarCraftIII Custom Game (the reason I want to do that is it allows my son to play online against only friends we know - call me overprotective, and I'll happily plead guilty). As a case in point, I was on the Battle.Net USEast Open Tech Support chat channel last night (you get to this from within the WarCraftIII application), asking if someone would do a quick test and join my Custom Game. During that brief interchange, one of the other people on the channel types in all caps "I want to f**k your mother" (without the *'s). I'm thinking, yeah, Custom Game is the way to go, I don't want my son out here with the likes of you. Thankfully, someone else agreed to the test. Unfortunately it failed.
I think I've about got it beat though. I found on the blizzard.com support site, a way to use Terminal to run a traceroute by typing (without the quotes) "traceroute us.logon.worldofwarcraft.com > ~/Desktop/tracert.txt" and press the Return key. Previously I was getting all *'s back in the results (which means no recognized connections). Now, I'm getting IP addresses and ms timing for hops so it appears I'm getting through. http://www.blizzard.com/support/wow/?id=aww0827p5
But, I've got to go and won't be able to test ability to join a Custom Game with my son's friend until later tonight.
Thanks again. C -
Help opening ports ...
I have high speed DSL and a wireless Linksys router that I use to play a PS3 online. I can play games online just fine, but when I attempt to connect directly to other players (attempting to join squads, parties, one on one football matches, etc.) I am unable to. But like I said, I can play the game online without trying to connect to someone else. I've read where I should try to open some ports on my router to enable me to connect to others. I have a list of ports to try but I have no idea where to go or how to open them up. If you can't tell, I'm really uneducated when it comes to wireless internet connections. Can anyone offer some help? Thanks
Definitely I can help you but what is the model number of the router?
-
Help opening ports on my WRT2GS2 Router
I went into the web based page and set the ports to what i needed, then clicked enable, but when I try to run the Minecraft server and allow others to connect, only I can connect. Help please.
Who is your Internet service provider?
Try to upgrade/re-flash the firmware on your router.
Connect the computer to the router with the Ethernet cable. Download the latest firmware from Linksys website and save it on your computer. Open the setup page of the router and upgrade the firmware on your router.
After upgrading the firmware on your router, press and hold the reset button on the router for 30 seconds. Release the reset button and wait for 30 seconds. Power cycle the router and reconfigure it.
-
My Keynote has frozen and won't open, but the saved version won't open either. If I restart my laptop I am afraid that it will erase my work. Please help me.
Try this repair for Keynote 6.2, ensure you complete all the tasks and in the order shown:
1
delete all the iWork applications if you have them, not just Keynote, using AppCleaner from MacUpdate; it's a freeware application
2
empty the trash: Finder > Empty Trash
3
Shut down your Mac, wait 30 seconds, then power on the Mac, immediately after the start chime, hold down the Shift key
When you see the grey Apple symbol and progress indicator (a spinning gear), release the Shift key.
If you are prompted to log in, type your password, then hold down the Shift key again as you click Log in.
Let the Mac fully boot up, it will take longer as the OS is repairing the drive
4
when fully booted, go to Applications > Utilities > Disk Utility; click on the boot drive, then the First Aid tab, and click Repair Disk Permissions
5
when complete, restart the Mac normally, Apple menu > Restart
6
install Keynote from the Mac App Store
let us know if this helped
-
Pages app unexpectedly quit whilst I was in the middle of a document. I can now not open it AT ALL. I find it's not just that particular document that won't open, but any of my Pages docs will not open using the current version of Pages. The reports of the app unexpectedly closing each time, automatically went to Apple, but I am not sure what happens with them then. Does anyone know how to help me with this? We live in a very isolated region so rely on internet help. Thanks
I also managed to read a few other discussions about Pages and files not being able to open. I actually went to the last back-up and restored the computer from that and everything seemed to work ok again, which is great!...advice from another discussion I think you may have been involved in PeterB. Thanks for the advice...also this advice, as I will make a note of trying to open using the Shift key if it happens again and see what happens...might be an easier first option than restoring from a back-up. Thanks heaps for the help!
I was interested to read some of the other discussions where it was stated that Pages '09 seems to be a better option to use. I have both installed, so I will keep this in mind. Thanks heaps!
-
Trying to open iTunes but a window opens and says: this version of iTunes has not been correctly localised for this language. Please run the English version. Please help.
Hey mcooper156,
I would try the troubleshooting steps in this first article:
iTunes for Windows Vista or Windows 7: Troubleshooting unexpected quits, freezes, or launch issues
http://support.apple.com/kb/TS1717
If that doesn't resolve the issue, then I would try and remove iTunes (and its related software) then reinstall:
Removing and reinstalling iTunes and other software components for Windows Vista, Windows 7, or Windows 8
http://support.apple.com/kb/HT1923
Regards,
Delgadoh
-
Help!! Updated new version of iTunes but I can't open it
Help!! Updated to the new version of iTunes but I can't open it now. It pops up a window that says: [the file "iTunes Library.it" cannot be read because it was created by a newer version of iTunes.] What is it? Tried to remove and install the old version of iTunes; that also can't work..
Manually download from here and install http://support.apple.com/downloads/#
-
I'm in Syria and they blocked me from using any VPN service. Please help; without a VPN I can't open the store. Help please (using iPhone 5, version 9.1.4).
There is nothing that anyone here on a user forum can do to help you. If it is a local issue in Syria, then you need to take it up with your phone company or authorities there who have prevented you from using VPN.
Nobody here can help you.
-
Help with opening port 10000 on a pix 501
I am attempting to open port 10000 so that I can remotely VPN using tcp port 10000. This is a pix 501 running version 6.3.5.
What commands do I need to enter for this to happen?
Remote VPN access can be configured on a PIX 501 by using the configuration guides present in the links given below:
Site-to-Site VPN Configuration Examples is present in the url below:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
The Managing VPN Remote Access guide is present in the following url:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html
-
Cant Open Port 3659 on Home Hub! Please help!
I'm having problems with playing Battlefield 3 online. After contacting EA they told me I needed to forward the following ports on my new BT Home Hub 3.0 Firmware Version: 4.7.5.1.83.8.94.1.11 (Type A):
TCP: 80, 443, 9988, 20000-20100, 22990, 17502, 42127
UDP: 3659, 14000-14016, 22990-23006, 25200-25300
All of them were applied fine apart from port 3659 where it gives the following error:
It says there's a conflict even if I try only applying this one rule. According to another forum 3659 is actually the most important as it relates to the 'EA Tunnel', so that could explain the issues I'm having?
If I use an online port scanner, some tell me that it's blocked and the following one shows that it's (TCP version) filtered to 'apple-sasl'. So it looks like maybe it's been pre-reserved for Apple products and hence why it can't be forwarded to a more general rule?
Do BT block or throttle any ports? How can I fix this issue?
Thanks.
Use the IP address, not the device name.
This page should help.
Port forwarding problems
There are some CCTV example on this page.
Help with setting up routers, repeaters, Smart TVs, printers, CCTV, NAS, VOIP
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.
-
I need to open ports, and nothing I've read seems to help me
I have an AirPort Express; it's my only router. It's connected directly to my cable modem (TWC). I have no firewall for incoming (there are no options for outgoing). No matter what combination of settings I use, I can't seem to get more than port 5000 open. Why 5000? And why can't I get any other port open?
There are heaps of posts here about how to open ports on apple routers specifically for xboxes.
AirPort Extreme and xbox 360
-
Need help with opening ports on airport extreme
My Vonage phone is connected to an AirPort Extreme router; the voice quality of phone calls was poor. Vonage tech support says the Vonage port on my AirPort Extreme was closed and I need to open it.
Here is my chat details with vonage tech support-
The following ports are needed for Internet communication between the Vonage adapters and the Vonage servers.
SIP: Port 5061 UDP
RTP (Voice) Traffic: Ports 10000-20000 UDP. When a call is made, a random port between 10000 and 20000 is used for RTP (Voice) traffic. If any of these ports are blocked, you may experience one way or no audio.
Please do suggest me the way to open the ports on airport extreme
Thanks
Venki
Instructions for opening ports are here.
https://discussions.apple.com/docs/DOC-3415
You should be fine opening the whole range, 10000-20000
-
I have a Lorex DVR that I want to monitor from my iPhone and iPad. I used to be able to do this when I had a Belkin router (easy to open ports) but I bought the AirPort Extreme router and no longer have that capability. When I use "canyouseeme" they can NOT see 80, 9000 or 1025. Lorex says I need them all available in order to access. Help! And all the help I see refers to an earlier version of the AirPort Utility so I can't use those to look at anything; I can't find the same screens. I have version 6.1 (610.31). I also don't really understand how ports work, so I need a pretty basic explanation.
Well...I went to the modem (Westell, WireSpeed), found the NAT settings, and once again I'm WAY over my head. I am assuming this is a TCP connection (as opposed to UDP) and per Lorex my mobile devices will use port 1025. So I gave it a "global port range" of 1-10 and I indicated that the "base host port" was 80, 1025, & 9000 (ports 1,2,3). When I selected 'enable' it asked for a "host device"; my choices are my iPhone, iMac and the IP address for the DVR, so I chose the DVR. I still cannot connect and canyouseeme still can NOT find these open ports. This is taking up my whole day! I don't know how people figure this stuff out.
-
Hi everyone.
I'm trying to open ports on a specific host but I can't make it work.
I tried to make it clear as possible,
Thanks for helping.
There is my config:
Result of the command: "show run"
: Saved
ASA Version 9.1(3)
hostname ciscoasa
enable password *** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd *** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address MY-FIREWALL-IP 255.255.255.240
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN-SITE-B
subnet 1.1.2.0 255.255.255.0
object network LAN-SITE-A
subnet 1.1.1.0 255.255.255.0
object network Firewall-SITE-B
host VPN-SITE-B-IP
object network SERVER01
host 1.1.1.2 (MY SERVER THAT I WANT TO ACCESS FROM OUTSIDE)
object-group service ALL-IP tcp-udp
description ALL-IP
port-object range 1 65535 (FOR TESTING PURPOSE, I'M TRYING TO OPEN ALL PORTS ON THIS HOST)
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
access-list outside_access_in extended permit object-group TCPUDP any host MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE) object-group ALL-IP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LAN-SITE-A LAN-SITE-B destination static LAN-SITE-B LAN-SITE-A no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network SERVER01
nat (inside,outside) static MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE)
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 MY-GATEWAY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 1.1.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer SITE-B
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 1.1.1.100-1.1.1.125 inside
dhcpd dns 24.200.241.37 24.201.245.77 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_SITE-B internal
group-policy GroupPolicy_SITE-B attributes
vpn-tunnel-protocol ikev1 ikev2
username MY-USER password *** encrypted privilege 15
tunnel-group SITE-B type ipsec-l2l
tunnel-group SITE-B general-attributes
default-group-policy GroupPolicy_SITE-B
tunnel-group SITE-B ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f5d698f2b08e98028f2d487a42c7187e
: end
Hi Jouni,
Thanks for helping again,
Looks like i'm getting the same problem.
ciscoasa# show run access-list
access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
access-list OUTSIDE-IN extended permit ip any object SERVER01
ciscoasa#
ciscoasa# show run access-group
access-group OUTSIDE-IN in interface outside
ciscoasa#
ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 MY-SERVER01-PUBLIC-IP 12345
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SERVER01
nat (inside,outside) static MY-SERVER01-PUBLIC-IP
Additional Information:
NAT divert to egress interface inside
Untranslate MY-SERVER01-PUBLIC-IP/12345 to 1.1.1.2/12345
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule