How to configure ASA 5510 V9.1(5) to send Netflow packets to Netflow Analyser 8.0
Hi guys,
I've configured my ASA 5510 Version 9.1(5) to send flows to NetFlow Analyser. I think I've done it correctly, but what happens is that I can see the ASA in NetFlow Analyser and NetFlow packets are being received and the count increases every time I refresh the page, but there is no traffic, as you can see in the attached file. Also, how can I figure out which ifindex is which interface, so I can rename it?
BTW, my netflow version is 8.0 and below is the netflow config:
access-list NETFLOWMONITOREDTRAFFIC extended permit ip any any
flow-export destination INSIDE A.B.C.D 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
flow-export active refresh-interval 2
class-map NETFLOW
match access-list NETFLOWMONITOREDTRAFFIC
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
class NETFLOW
flow-export event-type all destination A.B.C.D
class class-default
flow-export event-type all destination A.B.C.D
Hope someone can help me here.
Cheers,
Joe
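An added editor's example, not part of Joe's post or of the NetFlow Analyser product: a minimal NetFlow v9 decoder in Python that reads the template and data FlowSets from a constructed export packet and pulls out the INPUT_SNMP/OUTPUT_SNMP fields, which are the "ifindex" numbers a collector shows before it has names for them. The packet layout follows RFC 3954 and the field numbers are the generic ones; the ASA's NSEL templates carry additional ASA-specific fields, so the sample packet and its template are constructed for illustration only. The ifindex values are the SNMP IF-MIB ifIndex of each interface, which is why collectors resolve them to names by polling the device's ifDescr table over SNMP.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers from RFC 3954. The ASA's NSEL templates carry
# more (event type, ASA-specific extended fields); this decoder only names the
# generic ones and reports any other field by its type number.
FIELD_NAMES = {
    8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port",
    4: "protocol", 10: "in_ifindex", 14: "out_ifindex",
}

Template = List[Tuple[int, int]]  # [(field_type, field_length), ...]


def parse_netflow_v9(packet: bytes, templates: Dict[int, Template]):
    """Decode one NetFlow v9 export packet into (header, records).

    `templates` is a cache shared across packets: the exporter sends templates
    only periodically (the ASA's 'flow-export template timeout-rate'), so data
    FlowSets that arrive before their template are skipped rather than guessed.
    """
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    header = {"count": count, "sysuptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + length]
        offset += length
        if flowset_id == 0:
            # Template FlowSet: one or more (template id, field count, fields...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if tid == 0:
                    break  # trailing zero padding, not a template
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                templates[tid] = fields
                pos += 4 * nfields
        elif flowset_id >= 256:
            # Data FlowSet: fixed-size records laid out per the cached template
            fields = templates.get(flowset_id)
            if fields is None:
                continue
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    if ftype in (8, 12) and flen == 4:
                        rec[name] = ".".join(str(b) for b in raw)
                    else:
                        rec[name] = int.from_bytes(raw, "big")
                records.append(rec)
        # FlowSet ids 1..255 are reserved (1 = options template); ignored here
    return header, records


def ifindex_usage(records: List[dict]) -> Dict[int, int]:
    """Count how many records reference each ifindex, in or out.

    These numbers are what the collector shows until it maps them to names;
    the mapping comes from SNMP (IF-MIB ifDescr, indexed by the same ifIndex).
    """
    counts: Dict[int, int] = {}
    for rec in records:
        for key in ("in_ifindex", "out_ifindex"):
            if key in rec:
                counts[rec[key]] = counts.get(rec[key], 0) + 1
    return counts


def build_sample_packet() -> bytes:
    """Constructed sample packet: template 256 plus two flow records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (14, 2)]
    tmpl = struct.pack("!HH", 256, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, in_if, out_if):
        addr = bytes(int(x) for x in (src + "." + dst).split("."))
        return addr + struct.pack("!HHBHH", sport, dport, proto, in_if, out_if)

    data = rec("10.0.0.5", "192.0.2.10", 51000, 443, 6, 2, 1)
    data += rec("10.0.0.7", "198.51.100.4", 40000, 53, 17, 2, 1)
    data += b"\x00" * ((-(4 + len(data))) % 4)  # pad FlowSet to 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3, 120_000, 1_700_000_000, 1, 0)
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    cache: Dict[int, Template] = {}
    hdr, recs = parse_netflow_v9(build_sample_packet(), cache)
    print(hdr)
    for r in recs:
        print(r)
    print("flows per ifindex:", ifindex_usage(recs))
```

Run as-is it prints the header, the two decoded records and the per-ifindex counts. Feeding it real exports means keeping the `templates` cache across packets: a data FlowSet that arrives before its template is skipped, not guessed, which is also why a collector can show "packets received" climbing while no flows appear yet.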
I did find a workaround by keeping a connection open for communication between the client and server. However, I wish I did not have to do this. Ideally, I would like to be able to establish connections to the server only when needed and have the client JRE remember what certificate the user selected.
Browsers have this feature based on a user session. (i.e. once a user offers up a certificate to a server, the browser will not ask the user which certificate to send for the duration of the session to a given server).
How to configure the file adaptor so as to send an sample XML message.
Hi all ,
I have done the configuration and now I want to test the scenario but I don't know how to do that.
How do I configure the file adapter so as to send a sample XML message to the integration server?
I am totally new to XI.
Please help me out with how to do it.
It's urgent.
Thanks,
shuja
Hi,
I think you should post your question in Process Integration (PI) & SOA Middleware.
Regards
Message was edited by:
Shehryar Khan -
Looking for Recommendation for Redundant or Backup ISP configuration: ASA 5510
Good Day,
Currently I have two ASA 5510s, version 8.2(5), with the Security Plus license in my environment. These are configured to fail over with the SAME ISP in the event of hardware failure. We are currently trying to introduce an ISP backup configuration. I've already engaged ISPs for services; however, I was wondering what this configuration may additionally entail. Can anyone advise on a best practice/configuration in this regard?
I am trying to achieve high availability for services provided by another company location. Looking forward to any assistance that can be provided.
Thanks much.
Cisco has a whitepaper on setting this up. It's a bit dated but mostly applicable.
With an HA pair of ASAs, we typically setup a switch (or stack for higher availability) between the HA pair and upstream routers. Other than that, the whitepaper is followed.
The only significant issue is whether you have any incoming services exposed via public IP and don't have your own provider-independent address block. In that case, you need to account for how those services will be reachable in the event that you are using the address of your secondary provider. This usually involves some DNS changes or other such work.
Some people offload the whole setup to an external device like a FatPipe Warp appliance. -
I have turned on the aaa command authorization without applying adequate privileges to the user. I can now log in through that user but the ASA 5510 displays an error:
ASA5510# show run
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed.
Need your help to resolve this issue.
Posted by WebUser Mugisha Vianney
Can I access both the FW and IPS through the dedicated management port via SSH and ASDM/IDM?
Sorta, you can ssh to the ASA and from there establish a backplane connection to the module.
Can I assign the management port an external IP address and to establish a L2L VPN tunnel for remote management and tunnel syslog and IPS logs through it?
Would I be able to route Syslog and IPS event through the Management port to a remote event collector?
Yes, but you can't do the IPS part though.
The IPS is an independent unit and will use its own management interface to send logs; the only way you can do this is to log into the ASA, then into the IPS and get the logs you are looking for.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1198794
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1214750
Cabling clarification: internal switch connected to the ASA's management interface and to the IPS' management interface.
This is ok, if you want the units to communicate make sure they are part of the same vlan. -
Move CA from Win2K3 to Win2012R2 - how to configure ASA
Hi Guys,
I've a little problem with an ASA in combination with a Microsoft CA.
First, I will describe the environment we have which works:
CERTSRV => A Windows Server 2003 server, with CA in Standalone mode, activated NDES / SCEP service and a RADIUS / IAS service to let the ASA authenticate VPN users against the local Windows users. The CA root cert has a key length of 512 bit.
Our goal is to move the CA and the RADIUS to a Windows 2012 R2 server. Due to the restriction of the Windows 2012 CA to reject CA certs with less than 1024 bit, we cannot simply import the current CA cert pair into the new CA.
Also we won't upgrade the CA key pair on our current Win2k3 CA, because we cannot estimate the side effects and the ASA VPNs must work.
So we came to the fabulous idea to clone the Win2k3 CERTSRV into a VM. There we generate a new key pair with 1024 bit length. Then we export this key, export the database from the live system and import both successfully into the new 2012 R2 CA. SCEP and NAP services are installed and tested successfully. We are able to create a new client cert with SCEP.
Our actual problem is that we don't know how to handle the new, upgraded CA in the ASA configuration.
I added the new CA in the CA Certificates Menu
Here is the relevant part of the ASA log (debug level)
7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE SENDING Message (msgid=6b028bd2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing qm hash payload
7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing IKE delete payload
7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing blank hash payload
7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], sending delete/delete with reason message
7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE SA MM:49765104 terminating: flags 0x0105c002, refcnt 0, tuncnt 0
7|Feb 27 2014|11:56:58|715065|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE MM Responder FSM error history (struct &0xadcda9c0) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_CERT_FAIL-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ACTIVATE_NEW_SA-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT
5|Feb 27 2014|11:56:58|713904|||||Group = DefaultRAGroup, IP = [CLIENT_IP], Certificate Validation Failed
3|Feb 27 2014|11:56:58|717027|||||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|11:56:58|717029|||||Identified client certificate within certificate chain. serial number: 1F00000951EB42CE6BD7157E2E000400000951, subject name: [CERT ATTRIBUTES].
7|Feb 27 2014|11:56:58|717025|||||Validating certificate chain containing 1 certificate(s).
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Connection landed on tunnel_group DefaultRAGroup
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via default group...
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IP ADDR...
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IKE ID...
3|Feb 27 2014|11:56:58|713020|||||IP = [CLIENT_IP], No Group found by matching OU(s) from ID payload:
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via OU...
4|Feb 27 2014|11:56:58|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
7|Feb 27 2014|11:56:58|717036|||||Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via cert rules...
6|Feb 27 2014|11:56:58|713172|||||IP = [CLIENT_IP], Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing notify payload
7|Feb 27 2014|11:56:58|713906|||||Dump of received Signature, len 256:
7|Feb 27 2014|11:56:58|715076|||||IP = [CLIENT_IP], Computing hash for ISAKMP
7|Feb 27 2014|11:56:58|715001|||||IP = [CLIENT_IP], processing RSA signature
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert request payload
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert payload
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], DER_ASN1_DN ID received, len 145
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing ID payload
7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 3111
7|Feb 27 2014|11:56:58|715063|||||IP = [CLIENT_IP], Successfully assembled an encrypted pkt from rcv'd fragments!
Do you know which is the best practice for us?
Best regards from Germany
Edit: I see I missed some more information. Old VPN clients, with certs created on the old Win2k3 CertSrv, are working:
6|Feb 27 2014|13:27:52|717028|||||Certificate chain was successfully validated with revocation status check.
6|Feb 27 2014|13:27:52|717022|||||Certificate was successfully validated. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTRB] .
7|Feb 27 2014|13:27:52|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|13:27:52|717029|||||Identified client certificate within certificate chain. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTR].
7|Feb 27 2014|13:27:52|717025|||||Validating certificate chain containing 1 certificate(s).
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Connection landed on tunnel_group DefaultRAGroup
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via default group...
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IP ADDR...
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IKE ID...
Here is the configuration of the trustpoints:
crypto ca trustpoint ASDM_TrustPoint0
revocation-check crl
enrollment url http://U.X.Y.Z:80/certsrv/mscep/mscep.dll
fqdn xxxxx
subject-name [CERT_ATTRB]
keypair asa01.key
crl configure
no protocol ldap
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
revocation-check crl none
enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
no client-types
crl configure
no protocol ldap
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASDM_TrustPoint4
revocation-check crl none
enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
no client-types
crl configure
no protocol ldap
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2a5a90e900010000083c
quit
certificate ca 1e185567c7bc7e91473edd472e033d78
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 10acffbf9fb6429947e0cdea136cf8eb
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 10acffbf9fb6429947e0cdea136cf8eb
quit
crypto ca certificate chain ASDM_TrustPoint4
certificate ca 10acffbf9fb6429947e0cdea136cf8eb
quit
crypto ca certificate chain ASDM_TrustPoint5
certificate ca 3ae8ce8cf1619498418f9982315e6ad9
quit
This seems to be a very useful answer but can you provide me with some code or some link where I can find some help. Actually I am new to SSIS.
Here are some good examples for filling variables with an Execute SQL Task:
http://dataqueen.unlimitedviz.com/2012/08/how-to-set-and-use-variables-in-ssis-execute-sql-task/
http://dwbi1.wordpress.com/2011/06/06/ssis-updating-a-variable-based-on-database/
And here is how you set the value of a property of the foreach loop with an expression:
Please mark the post as answered if it answers your question | My SSIS Blog:
http://microsoft-ssis.blogspot.com |
Twitter -
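Returning to the certificate-validation log in the CA migration thread above: the following Python script is an added example (not from the original poster or from Cisco) that groups ASDM log-viewer export lines into per-certificate validation attempts, records which trustpoints the ASA tried and whether the chain validated, and emits one triage line per failure. The sample lines are constructed in the same `severity|date|time|message-id|||||text` layout as the thread's excerpt, with placeholder serial numbers and a documentation IP address; they are expected oldest-first (ASDM's viewer lists newest-first, so reverse an export before feeding it in).

```python
import re
from typing import Dict, List, Optional

# ASDM log-viewer export layout used on this page:
# severity|date|time|message-id|||||message text
LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]*)\|(?P<time>[^|]*)\|(?P<msgid>\d{6})\|"
    r"(?:[^|]*\|){4}(?P<text>.*)$"
)
SERIAL_RE = re.compile(r"serial number:\s*([0-9A-Fa-f]+)")
TRUSTPOINT_RE = re.compile(r"trustpoint (\S+) to validate")

# Syslog ids the ASA emits while validating an IKE peer certificate
START = "717025"         # Validating certificate chain containing N certificate(s)
CLIENT_CERT = "717029"   # Identified client certificate ... serial number
TRUSTPOINT = "717030"    # Found a suitable trustpoint X to validate certificate
CHAIN_FAILED = "717027"  # Certificate chain failed validation
VALIDATED = "717022"     # Certificate was successfully validated
AUTH_FAILED = "713904"   # Certificate Validation Failed (IKE)

# Constructed sample, oldest-first, with placeholder serials and a
# documentation-range client address; modelled on the thread's excerpt.
SAMPLE_LOG = """\
7|Feb 27 2014|11:56:58|717025|||||Validating certificate chain containing 1 certificate(s).
7|Feb 27 2014|11:56:58|717029|||||Identified client certificate within certificate chain. serial number: 1f0000000000000000000000000000000000000a, subject name: CN=client-new,OU=vpn.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
3|Feb 27 2014|11:56:58|717027|||||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
5|Feb 27 2014|11:56:58|713904|||||Group = DefaultRAGroup, IP = 203.0.113.5, Certificate Validation Failed
7|Feb 27 2014|13:27:52|717025|||||Validating certificate chain containing 1 certificate(s).
7|Feb 27 2014|13:27:52|717029|||||Identified client certificate within certificate chain. serial number: 5d0000000000000000000b, subject name: CN=client-old,OU=vpn.
7|Feb 27 2014|13:27:52|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
6|Feb 27 2014|13:27:52|717022|||||Certificate was successfully validated. serial number: 5d0000000000000000000b, subject name: CN=client-old,OU=vpn .
""".splitlines()


def cert_auth_attempts(lines: List[str]) -> List[Dict]:
    """Group the log into per-certificate validation attempts (oldest-first input).

    Each attempt records the client serial, the trustpoints the ASA tried
    and the outcome: 'validated', 'failed' or 'unknown'.
    """
    attempts: List[Dict] = []
    current: Optional[Dict] = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ASDM export line; ignore rather than crash
        msgid, text = m.group("msgid"), m.group("text")
        if msgid == START:
            current = {"serial": None, "trustpoints": [], "outcome": "unknown"}
            attempts.append(current)
            continue
        if current is None:
            continue
        if msgid in (CLIENT_CERT, VALIDATED):
            s = SERIAL_RE.search(text)
            if s:
                current["serial"] = s.group(1).upper()
        if msgid == TRUSTPOINT:
            t = TRUSTPOINT_RE.search(text)
            if t:
                current["trustpoints"].append(t.group(1))
        if msgid in (CHAIN_FAILED, AUTH_FAILED):
            current["outcome"] = "failed"
        elif msgid == VALIDATED:
            current["outcome"] = "validated"
    return attempts


def triage(attempts: List[Dict]) -> List[str]:
    """One line per failed attempt, naming what to check on the ASA."""
    notes = []
    for a in attempts:
        if a["outcome"] != "failed":
            continue
        tried = ", ".join(a["trustpoints"]) or "none"
        notes.append(
            f"client cert serial {a['serial']}: no trustpoint validated the chain "
            f"(tried: {tried}); confirm the issuing CA certificate is installed "
            f"in a trustpoint and that its revocation check can complete"
        )
    return notes


if __name__ == "__main__":
    found = cert_auth_attempts(SAMPLE_LOG)
    for a in found:
        print(a)
    for note in triage(found):
        print("TRIAGE:", note)
```

The triage line deliberately stops at what the log supports: a 717027 followed by 713904 says that none of the listed trustpoints validated the chain, not which CA signed the client certificate. That is what the trustpoint configuration and the certificate's issuer have to be compared against by hand.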
How to configure ASA to allow activesync connections ?
To allow Activesync connections (between smartphones and an internal Exchange server) thru an ASA, I think about 3 or 4 potential solutions :
1) do a NAT on the Exchange server and allow activesync TCP connections from any IP to the Exchange server : I tested that and this works, but it is not the most secure solution we can imagine;
2) use a Clientless SSL VPN ASA configuration: I tried it, but got problems certainly related to the fact that the ActiveSync client, installed on my Android/Samsung smartphone, does not seem to be able to pass properly through the ASA portal to reach the Exchange server;
3) use an Anyconnect VPN ASA configuration : I tried it , but did not manage to install or use any of the Samsung Anyconnect client available on Android Market; by the way, I saw, in the Anyconnect VPN Client Admin Guide 2.4, that an ActiveSync MSI is available from CISCO (
anyconnect-wince-ARMv4I-activesync-AnyConnectRelease_Number-k9.msi), but I don't see any details about how it is supposed to be used except that it is for Windows environment only, so, not for an Android phone, but I have Windows Mobile smartphones to integrate too, so, maybe it can help me in this case ;
4) if Clientless nor Anyconnect solutions can't work, it might be better to use the ASA Cut-Through proxy function to get a more secure solution than the first one listed above; but I was not successful either with this cut-through proxy function
Any ideas or examples about how to allow activesync connections thru ASA would be welcomed
thanks in advance
Hi,
Generally ASA with CSC will support HTTP, FTP, SMTP, POP3 scanning and filtering.
From ASA IOS version 8.4.2 and CSC 6.6.1125.0, it will support HTTPS filtering also.
But one limitation here is that HTTPS filtering will not support versions of Internet Explorer earlier than 9, i.e. if you want HTTPS filtering you must use Internet Explorer 9 or later (as you know, Windows XP machines won't support Internet Explorer 9). But with Firefox, HTTPS filtering is supported from version 4.
For your reference use below 8.4.2 release guide
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
Release notes for CSC version 6.6.1125
http://www.cisco.com/en/US/docs/security/csc/csc66/release/notes/cscrn66.pdf
Basic configuration of the CSC
http://www.cisco.com/en/US/docs/security/csc/csc6.1.1569.0/administration/guide/cscappa.pdf
Sending traffic to the CSC module (using ASDM and CLI)
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml
The troubleshooting guide:
http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc8.html#wp1147829
Hope this will help you...
Do rate helpful posts.
Regards,
Janardhan -
How to configure and publish Webservice (WMS Redprairie) to SAP using RFC
Hi XI Techno Savies,
I know how to configure SAP RFC, SAP IDOC adapters for sending and receiving. I want to know the step by step procedure to configure and Publish Webservices for Ware House Management System "REDPRAIRIE" for sending and receiving message to SAP R3/BW. Kindly help me.
Thanks,
Sridhara Addala.
Hi,
This doc may help you-general
http://help.sap.com/saphelp_nw04/helpdata/en/0d/2eac5a56d7e345853fe9c935954ff1/content.htm
/people/durairaj.athavanraja/blog/2004/09/20/consuming-web-service-from-abap
in XI-
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/befdeb90-0201-0010-059b-f222711d10c0
Regards,
Moorthy -
Configuring port mirroring on the MA561x to capture voice packets?
How to configure port mirroring on the MA561x to capture voice packets? Now I use the MA5616. Any help would be appreciated!
I use the MA5616, too, and I bought from www.huanetwork.com, nice price. The configuration of this problem, please visit: http://momopp.blogdetik.com/ -
How to configure QOS on certain IP in the Cisco ASA 5510
Hi,
I need to configure QoS on certain IPs in the Cisco ASA 5510. Assume the IPs are 10.0.1.5, 10.0.1.6, 10.0.1.7. Here I have to configure 512 Kbps for 10.0.1.5 and 2 Mbps for 10.0.1.6 and 10.0.1.7.
Can this be done on an ASA 5510 series? If yes, can you help me with how?
Regards,
Venkat
Yes you can do it. You can match the IP addresses in an access-list, put it in a class-map and the class-map in a policy-map that will do policing.
Good examples for what you want to do are here https://supportforums.cisco.com/docs/DOC-1230
I hope it helps.
PK -
How to configure CISCO ASA 5510 for internal remote desktop ?
Hello, I have a client that wants to install a new ASA (5510) in their network,
and then I did some experiments to implement it. The topology is like this:
--------configuration---------
2800 router :
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.11.3 255.255.255.0
duplex auto
speed auto
ip route 192.168.12.0 255.255.255.0 172.16.1.2
1841 router :
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ASA 5510 :
: Saved
: Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
ASA Version 8.2(1)
hostname ciscoasa
enable password **** encrypted
passwd ***** encrypted
names
name 192.168.12.0 Branch
dns-guard
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
tcp-map mssmap
synack-data allow
invalid-ack allow
seq-past-window allow
urgent-flag allow
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm location Branch 255.255.255.0 inside
no asdm history enable
arp timeout 14400
static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
route inside Branch 255.255.255.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ***** password ***** encrypted
class-map mymap
match access-list inside_access_in
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map myPolicy
class mymap
set connection advanced-options mssmap
service-policy global_policy global
service-policy myPolicy interface inside
prompt hostname context
Cryptochecksum:a605d94f29924e5267644dd0f4476145
: end
I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those hosts.
Then I used Wireshark to capture packets on my computer and it says TCP ACKed Lost Segment:
"1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
"1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
I can guarantee that both computers are remote desktop enabled and all firewall have been disabled.
please help, any suggest would be great .
thanks .
sincerely yours
-IAN WIJAYA-
Dear Ian_benderaz,
Thank god I am not alone on this.
I too am having the exact same problem; I can ping the host, but no remote desktop.
Somebody please help me on this, how to enable remote desktop on ASA 5505.
Thanks -
How to configure Cisco ASA 5500 to work with the iPhone
We have Cisco ASA 5510 (latest firmware version), and apparently, according to Cisco website it is compatible with new iPhone 3G's IPSec client:
http://www.cisco.com/en/US/docs/security/vpnclient/cisco_vpnclient/iPhone/2.0/connectivity/guide/iphone.html
We've setup our first iPhone properly. It connects fine to the network, shows VPN connection as active. Gets a private IP address. But does not let any traffic go to the internal network. We thought it might be DNS problem, but it cannot connect to Exchange server even when using IP address instead of DNS. No luck either.
After checking ASA logs, we found that iPhone goes through Phase 1 authentication correctly. But then gives some kind of error, mentioning "Attribute 5".
Has anybody been successful configuring ASA5500 series (in particular 5510) to be used with iPhone?
I noticed that many people are having these problems.
Please do not post to this topic if you have ANY OTHER Cisco device.
Cisco specifies that iPhone is compatible only with Cisco ASA 5500 Security Appliances and PIX Firewalls. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.
Let's keep this topic only for users of ASA 5500 series and PIX Firewalls.
It would be extremely helpful for a large number of users if somebody posted a list of settings for ASA5500 or PIX firewall that DO work with iPhone 2.0
Thank you!
Oleg R
We found the solution and a bug in Cisco firmware (seems to be a bug).
First of all, thanks to our Chief Systems Architect Seb, here is a config that worked for us on a Cisco 5520 (latest firmware).
access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
access-list iphone_splitTunnelAcl standard permit <insert ip> <insert mask>
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set iphone esp-3des esp-sha-hmac
crypto ipsec transform-set iphone mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set pfs
crypto dynamic-map SYSTEMDEFAULT_CRYPTOMAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 iphone
crypto map outside_map 10 match address vpn
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEMDEFAULT_CRYPTOMAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
group-policy iphone internal
group-policy iphone attributes
wins-server value <insert ip> <insert ip>
dns-server value <insert ip> <insert ip>
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value iphone_splitTunnelAcl
default-domain value <insert domain name>
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
address-pool VPN-Pool
authentication-server-group ActiveDirectory2
default-group-policy iphone
tunnel-group iphone ipsec-attributes
pre-shared-key <insert pre-shared key>
For iPhone you have to be using IPSec tab for configuration.
We tried to set up this config using the wizards, but it would not work.
Later it turned out that wizards by default set this setting:
"crypto isakmp nat-traversal 20"
equal to zero and there is no way to change it from the GUI.
Only after we changed it (increased the value from 0 to 20) through the command line the connection started working perfectly.
Please let me know how it works out for you.
Message was edited by: Rogik
Message was edited by: Rogik -
ASA 5510 ignoring configured acl entry?
Greetings,
I'm configuring an ASA-5510, and I have several interfaces, some of which include:
interface Ethernet0/0.200
vlan 200
nameif SITECORP
security-level 90
ip address 10.1.4.1 255.255.254.0
interface Ethernet0/0.207
vlan 207
nameif SITESERVER
security-level 90
ip address 10.1.7.1 255.255.255.128
interface Ethernet0/1.311
vlan 311
nameif MOD1BMS
security-level 100
ip address 10.1.144.1 255.255.252.0
I have the following access-lists configured and applied:
access-list SITECORP_access_in extended permit ip any any
access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
fw# show run object-group
object-group network SITECORP
network-object 10.1.4.0 255.255.254.0
object-group network MOD1BMS
network-object 10.1.144.0 255.255.252.0
object-group network SITESERVER
network-object 10.1.7.0 255.255.255.128
fw# show run nat-control
no nat-control
packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
<snip>
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group SITECORP_access_in in interface SITECORP
access-list SITECORP_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5641ec8, priority=12, domain=permit, deny=false
hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
<snip>
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd544e8c8, priority=110, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
Regards,
Phil
Hello Phil,
That is correct: no matter what ACEs (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection will not be allowed (ASA/PIX speaking).
But you do not have to change the security level. Of course that is one work-around, but again the solution is:
- same-security-traffic permit inter-interface
Please mark the question as answered for future queries regarding the same issue unless you have any other question, I would be more than glad to help.
Regards,
Julio -
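An added example (not from Phil's or Julio's posts) that models the decision Julio describes in Python: the same-security check is evaluated as an implicit rule before the interface's inbound ACL, so `permit ip any any` on SITECORP never gets a chance for SITECORP-to-SITESERVER traffic until `same-security-traffic permit inter-interface` is set. The interface names, security levels and subnets are those from the question; routing is reduced to connected subnets and ACEs to IP-only source/destination pairs, both simplifications of the real ASA.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Ace = Tuple[str, str, str]  # (action, source network, destination network)


@dataclass
class Interface:
    name: str
    security_level: int
    network: str  # directly connected subnet
    access_in: List[Ace] = field(default_factory=list)  # inbound ACL, ip-only ACEs


@dataclass
class Firewall:
    interfaces: Dict[str, Interface]
    same_security_inter: bool = False  # same-security-traffic permit inter-interface
    same_security_intra: bool = False  # same-security-traffic permit intra-interface

    def egress_for(self, dst: str) -> Optional[Interface]:
        """Pick the egress interface by connected route (the only routes modelled)."""
        ip = ipaddress.ip_address(dst)
        for iface in self.interfaces.values():
            if ip in ipaddress.ip_network(iface.network):
                return iface
        return None

    def evaluate(self, in_if: str, src: str, dst: str) -> Tuple[str, str]:
        """Return (result, reason) for an IP flow, in packet-tracer's terms.

        Order mirrors the packet-tracer output in the question: the same-security
        check is applied as an implicit rule before the configured ACL is read.
        """
        ingress = self.interfaces[in_if]
        egress = self.egress_for(dst)
        if egress is None:
            return "DROP", "no route to destination"
        if egress is ingress and not self.same_security_intra:
            return "DROP", "Implicit Rule (intra-interface traffic not permitted)"
        if (egress is not ingress and egress.security_level == ingress.security_level
                and not self.same_security_inter):
            return "DROP", "Implicit Rule (same security level, inter-interface not permitted)"
        s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, s_net, d_net in ingress.access_in:
            if s_ip in ipaddress.ip_network(s_net) and d_ip in ipaddress.ip_network(d_net):
                verdict = "ALLOW" if action == "permit" else "DROP"
                return verdict, f"ACE {action} {s_net} {d_net}"
        if not ingress.access_in and ingress.security_level > egress.security_level:
            return "ALLOW", "no ACL: higher to lower security is allowed by default"
        return "DROP", "Implicit Rule (implicit deny at end of ACL)"


def page_topology(permit_inter: bool) -> Firewall:
    """The three interfaces and the SITECORP inbound ACL from the question."""
    any_any: Ace = ("permit", "0.0.0.0/0", "0.0.0.0/0")
    return Firewall(
        interfaces={
            "SITECORP": Interface("SITECORP", 90, "10.1.4.0/23", [any_any]),
            "SITESERVER": Interface("SITESERVER", 90, "10.1.7.0/25"),
            "MOD1BMS": Interface("MOD1BMS", 100, "10.1.144.0/22"),
        },
        same_security_inter=permit_inter,
    )


if __name__ == "__main__":
    for flag in (False, True):
        fw = page_topology(flag)
        print(f"same-security-traffic permit inter-interface: {flag}")
        print("  SITECORP -> MOD1BMS   :", fw.evaluate("SITECORP", "10.1.4.11", "10.1.144.200"))
        print("  SITECORP -> SITESERVER:", fw.evaluate("SITECORP", "10.1.4.11", "10.1.7.11"))
```

With the flag off the model reproduces both packet-tracer results from the question (ALLOW to the level-100 interface, DROP by implicit rule to the level-90 one); with it on, the SITECORP ACL is finally consulted and the second flow is allowed.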
How to copy contents of ASA 5510 to another ASA 5510?
Hello,
I want to copy contents of 1 ASA 5510 to another 5510.
Both ASAs have the same license.
-I tried to connect to 2nd ASA via console cable
-Went to "Conf t" and copied config of 1st ASA. [ using paste tab from Hyper Terminal ]
- used commands like copy running config disk0:/startup.config.cfg
- also used write memory all , wr mem commands
- But after reboot config was gone.
As of now I have ASA 8.3.x version in both ASA's.
How can I save the config to the 2nd ASA via Hyper Terminal?
I am trying to save a basic config.
Basic config also not getting saved.
Steps followed as follows :-
- Given private IP to eth 0/1
- no shut
- speed auto
- wr
- exit
- wr
- exit
- hostname asasec
- wr
- reload
After reload firewall is not saving configuration. -
ASA 5510 - how many concurrent VOIP calls can pass through?
Hi all,
I wonder how many concurrent VoIP calls a Cisco ASA 5510 can handle, any idea?
Gegham
Hi Gegham,
Basically what the values of 50,000 and 130,000 connections indicate are lab values tested with 80% TCP and 20% UDP traffic (according to table A-2 in the doc below).
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1170941
RTP is udp traffic but in case of an asa and considering a customer scenario what happens is...
1 voip call = 1 control connection (h323,sip,sccp) + 2 or 4 rtp connections
-so a call will in total easily consume 5 or more connections depending on control connections you have set up .
-also this number differs depending on if the call is voice only or video.
So to simply answer your questions...
1>the number of connections that a call consumes depends on the above factors.
2>Also there is no hard number on the number of calls an asa can handle because this depends on the controls you use ...including nat and inspections.
Thanks,
Karthik -
I have an ASA 5505 running 8.4. How do I configure the switch between the backup channel and the primary with a delay (for example 5 min.) using the SLA monitor?
Or is there some other way to implement it?
My configuration for SLA monitor:
sla monitor 123
type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
num-packets 3
timeout 3000
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Hey cadet alain,
thank you for your answer :-)
I have deleted all such attempts that were not working, so a packet-trace will not be very useful content...
Here is the log line when I try to browse port 80 from outside (80.xxx.xxx.180:80) without a VPN connection:
3|Nov 21 2011|18:29:56|77.xxx.xxx.99|59068|80.xxx.xxx.180|80|TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
The attached file is only the show running-config.
Now I can with my AnyConnect clients, too, but after the connection is up, my VPN clients can't surf the web any longer because AnyConnect serves as the default route on 0.0.0.0... that's bad, too.
Actually the AnyConnect and NAT/ACL problem are my last two open problems until I set up the second ASA on the right ;-)
Regards.
Chris
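For the SLA-monitor question above (delaying the switch back to the primary after it recovers), here is an added Python example, not from the original poster or from Cisco: a tracker that fails over after a run of lost probes and only fails back once the primary has answered every probe for a configurable hold-down. The probe cadence matches the `frequency 10` in the posted `sla monitor`; the failure threshold and the 300-second hold-down are assumptions, and the hold-down lives in software here because the posted `track 1 rtr 123 reachability` configuration follows the probe state directly.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class TrackedRoute:
    """Reachability tracker with a failback hold-down.

    The probe cadence follows the 'sla monitor' in the question; the failure
    threshold and the hold-down are assumptions for this constructed example.
    """
    frequency_s: int = 10     # 'frequency 10'
    fail_after: int = 3       # consecutive lost probes before failover (assumption)
    hold_down_s: int = 300    # primary must stay reachable this long before failback
    active: str = "primary"
    failures: int = 0
    primary_up_since: Optional[float] = None

    def probe(self, now: float, reachable: bool) -> Optional[str]:
        """Feed one probe result; return the new active path if it changed."""
        if not reachable:
            self.failures += 1
            self.primary_up_since = None  # any loss restarts the hold-down clock
            if self.active == "primary" and self.failures >= self.fail_after:
                self.active = "backup"
                return "backup"
            return None
        self.failures = 0
        if self.active == "backup":
            if self.primary_up_since is None:
                self.primary_up_since = now
            elif now - self.primary_up_since >= self.hold_down_s:
                self.active = "primary"
                self.primary_up_since = None
                return "primary"
        return None


def run(reachable_at: Callable[[int], bool], until_s: int, **kw) -> List[Tuple[int, str]]:
    """Probe every frequency_s seconds up to until_s; return (time, new path) events."""
    route = TrackedRoute(**kw)
    events = []
    for t in range(0, until_s + 1, route.frequency_s):
        change = route.probe(t, reachable_at(t))
        if change:
            events.append((t, change))
    return events


def outage_then_recovery() -> List[Tuple[int, str]]:
    """Primary down for the first 30 s, then stable: failover, failback after hold-down."""
    return run(lambda t: t >= 30, until_s=400)


def outage_with_flap() -> List[Tuple[int, str]]:
    """As above, but one lost probe at t=100 restarts the hold-down."""
    return run(lambda t: t >= 30 and t != 100, until_s=450)


if __name__ == "__main__":
    print("stable recovery:  ", outage_then_recovery())
    print("flapping recovery:", outage_with_flap())
```

The second scenario is the reason to want the delay at all: a single lost probe at t=100 pushes the failback out to t=410 instead of producing a primary/backup/primary flap, while the failover itself still happens after the third lost probe.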