How to Add Cisco 861's behind ASA 5505

I will be setting up a VPN with a client soon.  They are shipping 2 Cisco 861's that are planning to go behind our ASA 5505.  They are set up to be NATed.
I am trying to understand what the best way to do this would be as I seem to keep running into limitations of the ASA 5505.
Our ASA has a public IP of 2.1.2.14/30 assigned to its outside interface.
The public IPs to be NATed to the 861's are 2.1.2.218 and 2.1.2.219/29.
1. How can I assign this separate public IP block to the ASA? Is it even possible?
2. If not possible, what would other options be?
3. Would an upgraded license that allows for additional interfaces make this easier? (I would not do the NATing then, just assign the new public IP block to another interface)
Appreciate any help or suggestions.

Hi,
I personally run into these situations too, and on more than one occasion the users start to run into different kinds of problems when they have additional hardware on their LAN that we don't manage.
If you HAVE to do this as you described, I would need some additional information:
What software version is your ASA?
Do you have a Base License version of the ASA5505? You can confirm this with the "show version" command.
In the original post, do you mean that you have a small link network (/30) with the ISP and that the ISP has also provided you with a small subnet for NAT purposes (/29)?
The first thing mentioned above would be needed to confirm what NAT format to use.
Otherwise, if the following 2 are true, then there should be no problem using the additional IP address range on your ASA5505 firewall.
There are 2 ways to go.
Option 1.
Make sure that the ISP has routed the additional /29 network towards your ASA5505 "outside" IP address.
Now just configure the needed NAT configurations (I can naturally help with the configurations when I know the software level of the ASA). Notice that the additional public subnet doesn't need to be configured on any interface of the ASA. You can just configure NATs using those IP addresses as usual. The critical thing here is that the ISP has routed the network towards your ASA and HAS NOT configured this additional /29 subnet on their gateway as a secondary network.
Option 2.
Even if you have the ASA5505 at Base License you can still configure 3 interfaces on the ASA5505. The one thing to notice here is that you need to configure "no forward interface Vlanx" on the third Vlan interface, which will prevent this third Vlan from connecting to networks behind the interface Vlanx. This however doesn't stop Vlanx from connecting to networks behind the third Vlan interface. This might provide a possibility to use the WAN side of the VPN routers on the third interface of the ASA, since then you can limit their connectivity to the "inside" Vlan and this would mean they could still connect to "outside".
Hopefully I made any sense. Please ask more if I was unclear about something above (which might be possible).
- Jouni
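As an added example (not Jouni's configuration and not part of the original thread), here is what Option 1 looks like in ASA syntax for the two addresses from the question, in both of the NAT formats Jouni's version question is about, followed by the third-VLAN interface of Option 2. The inside addresses 192.168.10.2 and 192.168.10.3 for the two 861s, the ACL and object names, the third-interface name and the ASA address 2.1.2.217 on it are assumptions. The /29 is only routed to the ASA by the ISP and is configured on no ASA interface in Option 1. The inbound ACL admits only what a site-to-site VPN router needs (IKE on UDP/500, NAT-T on UDP/4500 and ESP), so everything else sent to the mapped addresses stays blocked.

```cisco
! Added example, not the thread's configuration. Assumed inside addresses of the
! two Cisco 861 routers: 192.168.10.2 and 192.168.10.3 (placeholders).
! Prerequisite (from the answer above): the ISP routes 2.1.2.216/29 to the ASA
! outside address 2.1.2.14; the /29 is NOT configured on any ASA interface.
!
! --- ASA 8.2 and earlier: static NAT, ACL written against the MAPPED address ---
static (inside,outside) 2.1.2.218 192.168.10.2 netmask 255.255.255.255
static (inside,outside) 2.1.2.219 192.168.10.3 netmask 255.255.255.255
access-list outside_access_in extended permit udp any host 2.1.2.218 eq isakmp
access-list outside_access_in extended permit udp any host 2.1.2.218 eq 4500
access-list outside_access_in extended permit esp any host 2.1.2.218
access-list outside_access_in extended permit udp any host 2.1.2.219 eq isakmp
access-list outside_access_in extended permit udp any host 2.1.2.219 eq 4500
access-list outside_access_in extended permit esp any host 2.1.2.219
access-group outside_access_in in interface outside
!
! --- ASA 8.3 and later: object NAT, ACL written against the REAL address ---
object network C861_A
 host 192.168.10.2
 nat (inside,outside) static 2.1.2.218
object network C861_B
 host 192.168.10.3
 nat (inside,outside) static 2.1.2.219
object-group network C861_ROUTERS
 network-object host 192.168.10.2
 network-object host 192.168.10.3
access-list outside_access_in extended permit udp any object-group C861_ROUTERS eq isakmp
access-list outside_access_in extended permit udp any object-group C861_ROUTERS eq 4500
access-list outside_access_in extended permit esp any object-group C861_ROUTERS
access-group outside_access_in in interface outside
!
! --- Option 2 on a Base License: third VLAN, restricted towards Vlan1 ---
! "no forward interface" has to be entered before nameif on the Base License.
! Assumed: the ASA takes 2.1.2.217 on this VLAN and the 861s use .218/.219
! directly, so no NAT is needed on the ASA for them.
interface Vlan3
 no forward interface Vlan1
 nameif vpn-routers
 security-level 50
 ip address 2.1.2.217 255.255.255.248
!
! Check (either option): trace an inbound IKE packet as it arrives on the wire.
! 198.51.100.5 is a placeholder for the remote VPN peer.
! packet-tracer input outside udp 198.51.100.5 500 2.1.2.218 500
```

With the 8.3+ format the two `nat` statements inside the network objects replace the `static` lines, and the ACL must name the real (inside) address, which is the single most common mistake when a pre-8.3 configuration is carried over.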

Similar Messages

  • How to set up Split Tunneling on ASA 5505

    Good Morning,
    I have an ASA 5505 with security plus licensing.  I need to set up split tunneling on the ASA and am not sure how.  I am very new to Cisco but am learning quickly.   What I want to accomplish, if possible, is to send all traffic to our corporate web site (static IP address) straight out to the internet and all other traffic to go through the tunnel as normal.  Basically we have a remote office that is using a local ISP to provide internet service.  If our connection at the main office goes down, we want the branch office to still be able to get to our corporate website without having to unplug cables and connect their computer directly to the local ISP modem.   Any help will be greatly appreciated.   Thanks in advance.  Below is a copy of our current config.
    ASA Version 7.2(4)
    hostname TESTvpn
    enable password rBtWtkaB8W1R3ub8 encrypted
    passwd rBtWtkaB8W1R3ub8 encrypted
    names
    name 10.0.0.0 Corp_LAN
    name 192.168.64.0 Corp_Voice
    name 172.31.155.0 TESTvpn
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif Corp_Voice
    security-level 100
    ip address 172.30.155.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 3
    ftp mode passive
    object-group network SunVoyager
    network-object host 64.70.8.160
    network-object host 64.70.8.242
    object-group network Corp_Networks
    network-object Corp_LAN 255.0.0.0
    network-object Corp_Voice 255.255.255.0
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
    access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
    access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
    access-list VPN extended permit ip TESTvpn 255.255.255.0 any
    access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
    access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
    access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
    access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
    access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging buffer-size 10000
    logging monitor debugging
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Corp_Voice 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list data-vpn
    nat (inside) 1 TESTvpn 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (Corp_Voice) 0 access-list voice-vpn
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Corp_Voice_access_in in interface Corp_Voice
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http TESTvpn 255.255.255.0 inside
    http Corp_LAN 255.0.0.0 inside
    http 65.170.136.64 255.255.255.224 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set VPN esp-3des esp-md5-hmac
    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer 66.170.136.65
    crypto map outside_map 1 set transform-set VPN
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    telnet timeout 5
    ssh Corp_LAN 255.0.0.0 inside
    ssh TESTvpn 255.255.255.0 inside
    ssh 65.170.136.64 255.255.255.224 outside
    ssh timeout 20
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd option 150 ip 192.168.64.4 192.168.64.3
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 10.10.10.7 10.10.10.44 interface inside
    dhcpd domain sun.ins interface inside
    dhcpd enable inside
    dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
    dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
    dhcpd domain sun.ins interface Corp_Voice
    dhcpd enable Corp_Voice
    username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
    tunnel-group 66.170.136.65 type ipsec-l2l
    tunnel-group 66.170.136.65 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:953e50e9cbc02e1b264830dab4a3f2bd
    : end

    So I tried to use the exclude way that you suggested.   Here is my new config.   It is still not working.  The address I put in for the excluded list was 4.2.2.2, and when I do a trace route to it from the computer, it still goes through the VPN to the main office and out the switch at the main office and not from the local ISP.   Any other suggestions?
    hostname TESTvpn
    domain-name default.domain.invalid
    enable password rBtWtkaB8W1R3ub8 encrypted
    passwd rBtWtkaB8W1R3ub8 encrypted
    names
    name 10.0.0.0 Corp_LAN
    name 192.168.64.0 Corp_Voice
    name 172.31.155.0 TESTvpn
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.31.155.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif Corp_Voice
    security-level 100
    ip address 172.30.155.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 3
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network SunVoyager
    network-object host 64.70.8.160
    network-object host 64.70.8.242
    object-group network Corp_Networks
    network-object Corp_LAN 255.0.0.0
    network-object Corp_Voice 255.255.255.0
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
    access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
    access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
    access-list VPN extended permit ip TESTvpn 255.255.255.0 any
    access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
    access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
    access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
    access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
    access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
    access-list TEST standard permit host 4.2.2.2
    pager lines 24
    logging enable
    logging buffer-size 10000
    logging monitor debugging
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Corp_Voice 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list data-vpn
    nat (inside) 1 TESTvpn 255.255.255.0
    nat (Corp_Voice) 0 access-list voice-vpn
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Corp_Voice_access_in in interface Corp_Voice
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http TESTvpn 255.255.255.0 inside
    http Corp_LAN 255.0.0.0 inside
    http 65.170.136.64 255.255.255.224 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set VPN esp-3des esp-md5-hmac
    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer 66.170.136.65
    crypto map outside_map 1 set transform-set VPN
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh Corp_LAN 255.0.0.0 inside
    ssh TESTvpn 255.255.255.0 inside
    ssh 65.170.136.64 255.255.255.224 outside
    ssh timeout 20
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd option 150 ip 192.168.64.4 192.168.64.3
    dhcpd address 172.31.155.10-172.31.155.30 inside
    dhcpd dns 10.10.10.7 10.10.10.44 interface inside
    dhcpd domain sun.ins interface inside
    dhcpd enable inside
    dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
    dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
    dhcpd domain sun.ins interface Corp_Voice
    dhcpd enable Corp_Voice
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy excludespecified
    split-tunnel-network-list value TEST
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
    tunnel-group 66.170.136.65 type ipsec-l2l
    tunnel-group 66.170.136.65 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8b3caaecf2a0dec7334633888081c367
    : end
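    The posted configuration terminates a site-to-site tunnel (tunnel-group type ipsec-l2l), and for that tunnel type the group-policy split-tunnel-* settings are only consulted for remote-access clients; what enters the tunnel is decided by the crypto ACL and the NAT-exemption ACL. As an added example that is not the poster's configuration, here is how a single public destination is kept out of an ASA 7.2 site-to-site tunnel and sent out through the local ISP instead. The web server address 203.0.113.10 and the object-group name are placeholders; the 172.31.155.0/24 network and the ACL names are taken from the posted config.

```cisco
! Added example, not the poster's configuration. ASA 7.2 syntax.
! 203.0.113.10 is a placeholder for the corporate web server's public address.
object-group network Corp_Web
 network-object host 203.0.113.10
!
! 1. Crypto ACL: a deny entry ahead of the permit keeps this destination out of
!    the tunnel's "interesting traffic" (same pattern as the SunVoyager entry).
access-list VPN extended deny ip 172.31.155.0 255.255.255.0 object-group Corp_Web
access-list VPN extended permit ip 172.31.155.0 255.255.255.0 any
crypto map outside_map 1 match address VPN
!
! 2. NAT-exemption ACL: the same deny is needed here. Without it the packet is
!    exempt from NAT, leaves the outside interface with its private source
!    address and can never be answered.
access-list data-vpn extended deny ip 172.31.155.0 255.255.255.0 object-group Corp_Web
access-list data-vpn extended permit ip 172.31.155.0 255.255.255.0 any
nat (inside) 0 access-list data-vpn
!
! 3. The excluded traffic now falls through to the interface PAT rule.
nat (inside) 1 172.31.155.0 255.255.255.0
global (outside) 1 interface
!
! Check from the ASA: the trace should end in the PAT xlate, not in the VPN
! encryption phase. 172.31.155.10 is a placeholder inside host.
! packet-tracer input inside tcp 172.31.155.10 1025 203.0.113.10 80
```

    The deny entries must appear before the matching permit entries in both ACLs, since the ASA evaluates them top down, and the far-end ASA's crypto ACL should stay a mirror image of this one.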

  • How Many Watts Do We Need? ASA 5505

    My ASA 5505 gets pretty hot after a while, so I used a wattmeter to find out what's happening.
    260 watts is quite a lot if the device is running in idle mode, has no active device attached and no config has been installed.
    What's your experience of the ASA 5505 power consumption?
    Thanks

    The PSU says output 48V DC 2.08A, which gives me around 100 watts usage, so that would create a lot of heat if the PSU is burning 160 watts in the AC/DC conversion. I have no measurements of my own, but I am definitely not expecting that level of power usage.

  • How to add a delay step

    Hi,
    We have come across an issue in a workflow, and we have very little idea about workflow.
    Can anyone please let me know how to add a delay step behind existing step X.
    Also let me know how to do the below options to perform this operation, like 
    1. Like in ABAP delay for few seconds
    2. Or simply making use of desired start time logic.
    Thanks in advance.
    PRaneeth

    Delay?
    You mean that you want to stop the execution of the workflow for a specific period, right?
    Like in ABAP delay for few seconds
    This can be handled by using a WAIT STEP of the workflow. I mean the use of this wait step is, in brief: if at all you want to stop the execution of the workflow until a specific event is raised, the workflow execution stops, and as soon as the specified event is raised the remaining part of the workflow is executed.

  • ASA 5505 + ASA 5540 static VPN, ssh and rdp problems

    Greetings!
    I've recently set up a VPN between a Cisco ASA 5540 (8.4) and a 5505 (8.3).
    Everything works fine, but there is a small problem that is really annoying me.
    From the inside network behind ASA 5505 I connect via rdp or ssh to a host inside ASA 5540.
    Then I minimize the ssh and rdp windows and don't use them for ten minutes. But I still use the VPN for downloading some files.
    Then I open the ssh window - the session is inactive; I open the rdp window - I see a black screen (for 10-15 seconds, and then it shows RDP).
    There are no timeouts on ssh or rdp hosts configured, via GRE tunnel it works perfectly without any hangs.
    What can I do to get rid of this problem?
    Thanks in advance.

    Dear Fedor,
    You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
    access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
    access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
    class-map TCP_TIMEOUT
          match access-list rdp_ssh
    policy-map global_policy
         class TCP_TIMEOUT
              set connection timeout idle 0:30:00
              set connection timeout half 0:30:00
    * Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
    Let me know.
    Portu.
    Please rate any post you find useful.

  • ASA 5505: unable to ping external hosts

    Hi,
    I have a LAN behind ASA 5505, interface NAT/PAT is configured.
    External interface is configured for PPPoE.
    Everything works fine except that I cannot ping external hosts from a LAN PC. I can however ping external hosts from the ASA itself. ICMP is allowed:
    icmp permit any inside
    icmp permit any outside
    access-list outside_access_in extended permit icmp any any
    Protocol inspections and fixups are default.
    When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:
    302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
    302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
    313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
    313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
    302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
    302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
    Where 202.xx.yy.zz is IP of external interface of ASA.
    This is a very simple setup that runs on a number of other PIXes/ASAs, and pings to external IPs normally work just fine. I can't understand why ping replies are getting dropped on the interface.
    Any help will be highly appreciated.
    Thank you.
    Alex

    Alex / Kerry, you have a couple of options for handling ICMP outbound, either an ACL or ICMP inspection:
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any source-quench
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-group outside_access_in in interface outside
    or ICMP inspection instead of an ACL:
    policy-map global_policy
    class inspection_default
    inspect icmp
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
    HTH
    Jorge

  • How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

    I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR.  I'm able to Ping the Actiontec external IP.  I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.
    What do I need to configure on the Actiontec to make this work?
    Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface.  At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA.  However, at home, I cannot go to the Internet while using the VPN client.
    Thanks for any help.
    Steve

    http://www.dslreports.com/faq/verizonfios/3.0_Networking
    Those are the best sample configs and resources on how to set up the FiOS network.
    Bridging is possible but difficult.  That link will give you great info on it.
    Are you a FiOS customer that has phone/internet/tv,
    or no tv?   or no phone?    You have to be careful on your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, the VOD or the Widgets.
    Sorry the port forwarding wasn't enough to resolve your issue. I am not sure that it's an Actiontec config you are looking for; from my understanding of Cisco's and FiOS it may be something behind the Cisco that is causing an issue.  You may want to reach out to the Cisco admin that manages that, and find out if there are additional ports that are required, and then you can come back and configure those ports too.

  • Cisco ASA 5505: How to change the default OS

    Hello,
    I'm learning how to work on the Cisco ASA 5505. My machine has two OS images: the old 7. whatever image and a more recent 8.2 image. The 8.2 image is lower in the index on disk0 so whenever I reboot the machine, the start up points it towards the older image and I have to go into ROMMON to boot the newer OS. Could someone please guide me on how to change the position of the newer OS so that it's the default image? I'd like to do this without deleting the older image so that I can have a proof of concept.
    Thank you!

    Hi Colin,
    You could use the 'boot system' global command to force the ASA to the pointed image file.
    boot system flash:/image.bin
    Sent from Cisco Technical Support iPhone App

  • How to sync clock of Cisco ASA 5505 from NTP Server on internet

    Hi there!
    I've set up a site with a Cisco ASA 5505. It has a public IP also.
    I want to sync the clock of the firewall from an NTP server on the internet, or with the internal domain controller that is inside the LAN.
    The firewall has a public IP also.
    How can I do this?
    Regards!

    Hello Lasandro,
    This should do it!
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_hostname_pw.html#wp1236530
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum. I set up my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet). I was no longer able to ping some devices; then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
    Everything seems fine internally with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enabled the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have a problem with your no-NAT configuration. You need to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work:
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
    Make sure that you are able to reach the GW/inside IP address of the firewall from the LAN machine, and that all routing is in place properly. Thanks!!!
    Regards
    Karthik

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT exemption on both sides for IPSEC subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
    - Toggled between static to dynamic crypto maps on ASA1
    Most search results turned up results referring to incorrect settings of the crypto map or the lack of NAT exemption.
    Does anyone have any idea?
    195.txt contains show running-config of ASA3
    212.txt contains show running-config of ASA1
    log.txt contains more or less the entire log snippet of ASA1

    Hi,
    On 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
    pre-shared-key
    When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.
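    As an added example that is not taken from the thread's attachments, here is the static case from the answer above on ASA1 in 8.4 syntax: the peer sits behind a NAT device with a fixed public address, so the crypto map peer and the tunnel-group are named after the NAT device's public address (the address the peer appears from), the crypto ACL carries only the two LANs as proxy identities, and NAT-T is enabled so ESP can cross the NAT device inside UDP/4500. 198.51.100.1 is a placeholder for the masked 195.xxx.xxx.xxx USG address; the object, ACL and transform-set names and the IKE proposal are assumptions, and ASA3 needs the mirror image with 212.xxx.xxx.xxx as its peer.

```cisco
! Added example, not the configuration in 212.txt. ASA 8.4 syntax on ASA1.
! 198.51.100.1 is a placeholder for the USG1 public address (masked in the post).
object network LOCAL_LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.1.4.0 255.255.255.0
!
! NAT exemption for the tunnelled traffic (8.3+ twice NAT, identity on both sides)
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
!
! Crypto ACL: LAN-to-LAN proxy identities only. Neither 192.168.4.50 nor the
! public peer address belongs in here; the debug output above shows what the
! negotiation looks like when host addresses are proposed instead.
access-list L2L_BE extended permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS_AES esp-aes-256 esp-sha-hmac
!
! Static crypto map: the peer is the address the IKE packets arrive from,
! i.e. the NAT device, not the ASA3 outside address.
crypto map outside_map 10 match address L2L_BE
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set ikev1 transform-set TS_AES
crypto map outside_map interface outside
crypto ikev1 enable outside
!
! NAT-T: ESP is encapsulated in UDP/4500 through USG1 (which forwards 500/4500).
crypto isakmp nat-traversal 20
!
! Static tunnel-group named after the same public address.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>
!
! Checks: "show crypto ikev1 sa" should list the peer as 198.51.100.1, and
! "show crypto ipsec sa" should show the two /24s as local/remote identities.
```

    The tunnel-group and crypto map peer must agree on the public address; if the NAT device's address is not fixed, the static entries cannot match and the dynamic crypto map approach from the linked document applies instead.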

  • How do I add mpg background video behind a psd menu in Encore?

    How do I add mpg background video behind a psd menu in Encore? The psd file is transparent and it still comes out as pitch black behind the menu. I'm inexperienced with these products so any help is greatly appreciated.

    If you have done what Russ describes and it does not work...
    Encore replaces the background layer with your motion video. So make sure you have a) a layer at the bottom (in Photoshop layer order) that is named "background," and b) no other full layer above that (for example, an image in another layer you've used instead of the original background layer).
    Also keep in mind that setting transparency in Photoshop is overridden by various Encore processes.

  • How to add new group entry in Cisco Vpn using powershell

    I am working on a PowerShell script to connect to the Cisco VPN using PowerShell. I am able to connect to the VPN but am not sure how to add a new group to the VPN. I am using the following script:
    $vpn_profile = 'Test'
    $username = 'TestUser'
    $userPassword = ConvertTo-SecureString -String "Password" -AsPlainText -Force
    $credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$userPassword
    $password = $credentials.GetNetworkCredential().Password
    Set-Location 'c:\Program Files (x86)\Cisco Systems\VPN Client'
    .\vpnclient.exe connect $vpn_profile user $username pwd $password
    Write-Host "You Are Connected"
    cd "C:\"

    Have you entered .\vpnclient.exe /? to see if it will return information about other switches you can use with this executable? Other than connect, I was able to track down a few without actually having the executable (http://www.scribd.com/doc/40108893/Cisco-VPN-Client-Command-Line).
    That said, I do not believe that there is a switch that will help you create a connection. These are either done manually through the GUI, or can likely be added by supplying a properly formatted file in the proper place.
    If you're using the version of the Cisco VPN client I think you are, then your connection settings, or profiles, are stored in individual .pcf files somewhere on your computer (likely in the Cisco directory). These are simple, text-based files. Find one on your computer, save it with another name, and then modify it manually. If you really want to use PowerShell, then use this opportunity to learn how to create and edit basic text files using PowerShell. If you have a standard connection file, then you can put that file onto remote computers any number of ways. If a .pcf file exists in the proper place when the VPN client is opened, then it likely will not prompt for a new connection.
    Update: Added more info; clarified

  • How to add our own applications to Cisco Connect Cloud?

    How to add our own applications to Cisco Connect Cloud?

    You might find this interesting.
    http://newsroom.cisco.com/press-release-content?type=webcontent&articleId=926074
    Interested developers are invited to visit the Linksys Developer Community at http://developer.cisco.com/web/ldc to register and develop apps for Linksys Smart Wi-Fi Routers. Cisco empowers developers with technical, marketing, and sales resources to help support every phase of their developmental and business cycles.

  • How to add VLAN to trunk port on Cisco SF200-24

    Hello All,
    I have a question I want to ask: 
    I have a Cisco SF200-24 switch and I want to configure VLANs as below:
    Port 1 to 10 = Vlan 100
    Port 11 to 21 = Vlan 200
    Port 22 to 24 = Vlan 300
    Port GE1 = Trunking (Primary)
    Port GE2 = Trunking (Secondary)
    How do I add all VLANs 100, 200, 300 to go through Trunking Primary and Secondary?
    Which port can I connect to for switch management?
    Thanks 

    > How do I add all VLANs 100, 200, 300 to go through Trunking Primary and Secondary?
    Firstly set those ports as trunks via "VLAN Management" -> "Interface settings": click on the corresponding port, click on the "Edit..." button and select "Trunk" from the list.
    Once those ports (GE1 and GE2) are trunks, you can assign them all desired VLANs via "VLAN Management" -> "Port VLAN Membership". Select the first port (GE1), click "Join VLAN", select all desired VLANs from the left list and put them in the right list.
    And you are done.
    > Which port can I connect to for switch management?
    By default, the switch management IP is part of the default VLAN1. If you want to keep access to your switch, assign "VLAN1" to one of the access ports, or change the management VLAN to a different number than 1 - but in this case don't forget to apply correct IP settings in order to match the subnet assigned to the new VLAN.
