Input and CRC errors on ASA 5505 outside interface
All,
I see input and crc errors on my ASA 5505 eth0/0(outside) interface and packet drops. There is very slow connection though we have 20mb line. ISP also sees the issue on the Lan interface side. We have the speed and duplex configured same on both ISP and our end.
I am suspecting if this is Physical cable issue. Please suggest.
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 001a.b4c9.f3d9, MTU not set
IP address unassigned
158138067 packets input, 141061681082 bytes, 0 no buffer
Received 183037 broadcasts, 0 runts, 0 giants
19642 input errors, 19642 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
144684 switch ingress policy drops
124291353 packets output, 38197278051 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Hello Ravi,
This kind of issues CRCs/ Input Errors are tipically known as L1 issues so make sure you check the cable and if that does not make a difference change the port on each side to see if there is a difference.
Unfortunetly the ASA does not support the Time-Domain Reflectometer feature so we must do the test of L1 by ourselfs.
Can you clear the counters of the interface, test the changes provided and provide us some feedback?
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
Similar Messages
-
ASA 5505: Outside Interface Becomes Inaccessible
Greetings --
I've been having occurrences of my ASA's 'outside' interface become inaccessible from the internet side. AnyConnect users that are logged in get kicked out ... can't ping to the IP address ... can't ssh into the ASA. Internally, I can ping the IP address and I can ssh into the ASA.
The 'lockout' typically occurs around 1PM, 7:30PM, and 10:30PM. To get the 'outside' interface working again, I would have to log into a host machine on the LAN (via TeamViewer) and then ssh into the ASA and reboot.
Any ideas why the lockouts are occuring? Is it possible my ISP is shutting down the IP?
Below is the configs to the ASA:
hostname psa-asa
enable password IqUJj3NwPkd63BO9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.1.0 Net-10
name 192.168.1.20 dbserver
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.43 255.255.255.0
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_nat0_outbound extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list outside_1_cryptomap extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list outside_access_in extended permit ip host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 162.134.70.20
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate fecf8751
308202da 308201c2 a0030201 020204fe cf875130 0d06092a 864886f7 0d010105
0500302f 31153013 06035504 03130c70 61732d61 73612e6e 756c6c31 16301406
092a8648 86f70d01 09021607 7061732d 61736130 1e170d31 33303530 36323134
3131365a 170d3233 30353034 32313431 31365a30 2f311530 13060355 0403130c
7061732d 6173612e 6e756c6c 31163014 06092a86 4886f70d 01090216 07706173
2d617361 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
02820101 00dc6f5c 584be603 1219ad4a 43085a97 b8fd7e33 c887933d 1b46dbca
deada1da 7689ab5e 9b6fa20b d6f7e5e3 049285e7 65778c15 a9447e1e 8ba749cb
61e0e985 9a90c09f b4c28af0 c6b5263c d2c13107 cce6c207 62f17cbe 99d9d5c2
86870084 25c035e4 ea9ab8ae 8b664464 40305c4d e40dd774 506f6c0a 6f4ca4d1
0c81d2dd bcdc8393 3f4fbcba 1b477d45 502063b8 af862bdf 50499615 7b9dac1b
67252db8 1473feec c39d9c32 9d9f3564 74fdf1bd 71ca9310 e5ad6cba 999ae711
c381347c a6508759 eb405cc0 a4adbe94 fb8204a2 382fad46 bc0fc43d 35df1b83
6379a040 90469661 63868410 e16bf23b 05b724a3 edbd13e1 caa49238 ee6d1024
a32a1003 af020301 0001300d 06092a86 4886f70d 01010505 00038201 010084b1
62698729 c96aeec0 4e65cace 395b9053 62909905 e6f2e325 df31fbeb 8d767c74
434c5fde 6b76779f 278270e0 10905abc a8f1e78e f2ad2cd9 6980f0be 56acfe53
f1d715b9 89da338b f5ac9726 34520055 2de50629 55d1fcc5 f59c1271 ad14cd7e
14adc454 f9072744 bf66ffb5 20c04069 375b858c 723999f8 5cc2ae38 4bb4013a
2bdf51b3 1a36b7e6 2ffa3bb7 025527e1 e12cb2b2 f4fc624a 143ff416 d31135ff
6c57d226 7d5330c4 c2fa6d3f a1472abc a6bd4d4c be7380b8 6214caa5 78d53ef0
f08b2946 be8e04d7 9d15ef96 2e511fc5 33987858 804c402b 46a7b473 429a1936
681a0caa b189d4f8 6cfe6332 8fc428df f07a21f8 acdb8594 0f57ffd4 376d
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PSA-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
username user1 password ks88YmM0AaUUmhfU encrypted privilege 0
username user1 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user2 password 1w1.F5oqiDOWdcll encrypted privilege 0
username user2 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user3 password lQ8frBN8p.5fQvth encrypted privilege 15
username user4 password w4USQXpU8Wj/RFt8 encrypted privilege 15
username user4 attributes
vpn-group-policy SSLClientPolicy
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
service-type admin
username user5 password PElMTjYTU7c1sXWr encrypted privilege 0
username user5 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user6 password /zt/9z7XUifQbEsA encrypted privilege 0
username user6 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username user7 password aEGh.k89043.2NUa encrypted privilege 0
username user7 attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PSA-SSL-VPN type remote-access
tunnel-group PSA-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PSA-SSL-VPN webvpn-attributes
group-alias PSA_VPN enable
group-url https://xxx.xxx.xxx.43/PSA_VPN enable
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2298b0ae64f8ff7a5e25d97fe3f02841Hi,
I guess if you want to temporarily set up a software to receive the logs on some computer you could even use Tftpd (you will find it easily through Google search) The same software can be used for multiple different purposes.
I sometime use it personally when testing different stuff on my home ASA.
It naturally isnt a real option if you actuall setup a separate Syslog server.
You wouldnt really need to add much to your logging configuration
logging device-id hostname
logging trap informational
logging host
Where is the name of the interface behind which the server is and the is naturally the IP address of the server.
Though the above would generate a lot of logging.
I am not even 100% sure it would log anything when you are facing the problem.
Best would be to also troubleshoot while the problem is there.
Can you confirm that you use the Internet connection through the ASA when you are accessing the internal host behind the ASA? I assume that the host connects from the LAN to the Internet which enables you to have a remote connection to the host?
If this is so it makes it a wierd problem as the ASA and your ISP can clearly pass traffic to and from your network since that remote connections is working even if there is other problems.
- Jouni -
How do I block pings from the outside to the ASA 5505 outside interface?
I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
Anyone have a clue what I'm doing wrong? I'm not the firewall guy as you can tell. :/
Thanks in advance...
Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
ASA5505(config)#icmp deny any outside
You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connectionYou are allowing echo-reply, thus it will reply to a ping
try this ACL:
icmp deny any echo-reply outside
From:
https://supportforums.cisco.com/thread/223769
Eric -
ASA 5505 - Outside Outbound Bandwidth Issue
ZyXel DSL modem (10MB download and 768Kbps or so upload)
DSL modem is operating in bridge mode
Cisco ASA 5505 in routed mode with ten users behind the ASA. Nothing fancy about the ASA setup.
Each user relies on their own FirePass or Cisco VPN client (outbound, no configuration required in the ASA) continously from 8am to 5pm. Outlook and light application usage over the VPN only.
On Friday, 05/17/13, the outbound connections were working well. Latency was good throughout the day (less than 40ms to Google). On the outside interface, output bandwidth was less than 500Kbps (much less for large portions of the day!). Three users were using streaming Internet radio.
On Monday, 05/20/13, the outbound connections were working poorly. Latency was bad (170ms and higher to Google). On the outside interface, output bandwidth was remaining steady throughout the day between 800Kbps and 850Kbps. Occasionally, the outside output bandwidth would drop to 40Kbps, then 600Kbps and then back to 800Kbps or so. No user on Monday was uploading any large files, no cloud backup or anything of the sort. No users were listening to Internet radio.
On Monday afternoon, I shut down five client machines and the outside output bandwidth was still around 800Kbps.
On Monday evening, I stopped by the office after each user had left the building and checked the outside interface output bandwidth and it was between 0Kbps and 45Kbps (virtually no load). I verified that all machines were powered on, but the VPN clients were disconnected.
On Friday and Monday, for the outside interface, the input bandwidth was between 200Kbps and 500Kbps with occasional higher spikes when users downloaded something.
What could cause the difference between Friday and Monday? Is the DSL upload simply maxed out? If the DSL upload is maxed out, why did it work well on Friday when I had a greater demand on the connection?
Thank youHello Modulus,
Did you take captures on the outside interface or the ASA ( This to check what is leaving the ASA ) as you are using VPN clients traffic will go encrypted so you will not be able to determine what is the traffic used for but at least you might notice some extra-traffic (outside the VPN traffic) as this does not look right or normal,
Regards
Julio -
DONE does not go HIGH on spartan6 but ghigh is 1 and crc error is 0
hi all,
I use the USB platform cable to configurate the Spartan6 FPGA from the JTAG,but the done does not go high.
I had a 330Ω pull up on done pin
a 4.7K pull up on program_b
a 4.7K pull up on init_b
please help me
Thanks!
INFO:iMPACT - Current time: 2015-7-19 14:57:23
PROGRESS_START - Starting Operation.
Maximum TCK operating frequency for this device chain: 25000000.
Validating chain...
Boundary-scan chain validated successfully.
'1': Programming device...
LCK_cycle = NoWait.
LCK cycle: NoWait
done.
'1': Reading status register contents...
[0] CRC ERROR : 0
[1] IDCODE ERROR : 0
[2] DCM LOCK STATUS : 1
[3] GTS_CFG_B STATUS : 0
[4] GWE STATUS : 0
[5] GHIGH STATUS : 1
[6] DECRYPTION ERROR : 0
[7] DECRYPTOR ENABLE : 0
[8] HSWAPEN PIN : 1
[9] MODE PIN M[0] : 1
[10] MODE PIN M[1] : 0
[11] RESERVED : 0
[12] INIT_B PIN : 1
[13] DONE PIN : 0
[14] SUSPEND STATUS : 0
[15] FALLBACK STATUS : 0
INFO:iMPACT:2219 - Status register values:
INFO:iMPACT - 0010 0100 1100 1000
INFO:iMPACT:579 - '1': Completed downloading bit file to device.
INFO:iMPACT:188 - '1': Programming completed successfully.
LCK_cycle = NoWait.
LCK cycle: NoWait
INFO:iMPACT - '1': Checking done pin....done.
'1': Programmed successfully.
PROGRESS_END - End Operation.
Elapsed time = 3 sec.tiboy wrote:
Thanks!
The fpga done pin also connectied on a pin of MCU which is Low during not program.
So When MCU initialized and Hi-Z the done pin
The fpga configuration is still time to success?
If I understand you, the MCU drives the DONE signal low when you first power-on the system, but should release the pin (go hi-Z) when it has finished its own startup initialization? It is OK for the DONE pin to be pulled low by an external source. That is one way to prevent the FPGA from starting up until other board circuitry is ready. However once the external device is no longer driving low, the DONE signal should go high. I would double-check your MCU software to be sure you are not still driving the signal low after initialization. If possible, try to disconnect the MCU from the circuit to see if DONE goes high. -
Hello,
I have setup ASA 5505 with 2 ISP, named outside (primary) and backup, the scenario is if outside down, then backup will take over, it works now.
But it is not working when the primary connection cannot reach the gateway with the interface still up.
Is it possible when the primary connection cannot reach the gateway then backup automatically take over?
Thanks before..
My configuration is:
ASA Version 8.2(1)
hostname cisco
domain-name default_domain
enable password ********* encrypted
passwd ********* encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.10.10.10 255.255.255.0
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
ip address 172.20.10.10 255.255.255.0
interface Ethernet0/0
switchport access vlan 1
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default domain
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group backup_in in interface backup
route outside 0.0.0.0 0.0.0.0 172.10.10.1 1
route backup 0.0.0.0 0.0.0.0 172.20.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:24af050f332deab3e38eb578f8081d05
: endHi Amrin,
you can configure SLA monitoring on ASA and that woudl work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun -
Asa 5505 sub interface plus ports
I have never used 5505 I gave used higher firewalls and all of them can do sub interfaces normally we make sub interfaces and vlans are assigned to them I m trying to config 5505 can someone tell me how I can create sub interfaces ? As I saw few config and it seems that you config vlans like switch ??? Secondly all interfaces have to b part of vlan ? Ie outside which is g0/0 ....can I config it as normall routed port ?
The 5505 is configured nearly the same a a L3-switch. You configure the Vlan-interfaces and assign these to your switch-ports. The switch ports can be configured as access- or as trunk-ports (if you have a SecPlus license).
You find more on this topic on the Config-Guide:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html -
Firewall Cisco ASA 5505 new interface license problem
Hi
I have one ASA 5505 with a Base License
The problem is when i want to use a new named interface the system says "With current License maximum number of named interfaces allowed is 3. Name cannot be set for this interface"
And the question is if with this base license the interface cannot be used or only cannot be named?
here the output of my firewall:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is e02f.6de6.7843, irq 11
1: Ext: Ethernet0/0 : address is e02f.6de6.783b, irq 255
2: Ext: Ethernet0/1 : address is e02f.6de6.783c, irq 255
3: Ext: Ethernet0/2 : address is e02f.6de6.783d, irq 255
4: Ext: Ethernet0/3 : address is e02f.6de6.783e, irq 255
5: Ext: Ethernet0/4 : address is e02f.6de6.783f, irq 255
6: Ext: Ethernet0/5 : address is e02f.6de6.7840, irq 255
7: Ext: Ethernet0/6 : address is e02f.6de6.7841, irq 255
8: Ext: Ethernet0/7 : address is e02f.6de6.7842, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : DisabledHi,
The ASA5505 has with Base License the limitation of 3 Vlan interface of which 1 is also limited in access (shown by the above output mentioning DMZ Restricted)
For an interface on the ASA to operate it must have a name with the command "nameif"
If you already have 3 Vlan interfaces in use then with this license you wont be able to configure 4th Vlan interface without getting a license that supports more interfaces. I guess that would be the Security Plus license.
I know that this has come as a surprise to several users that have posted here on the forums. I too think that its a needles "feature" in the ASA to limit the use of the device in such a way.
- Jouni -
ASA 5505 external interface dying
Hi,
We have an ASA 5505 ( version 9.1(2) ) that frequently stopped functioning ie the external interface refuses to pass any traffic , ASDM wont connect,etc.
The internal interface does continue to function and if we SSH into the unit and do a reload , everything springs back into life again.
What are the best steps to troubleshooting and finding a fix to this problem?
ChrisHi Amrin,
you can configure SLA monitoring on ASA and that woudl work fine for you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
Hope that helps.
Thanks,
Varun -
Cisco ASA 5505 - outside can't DHPC as router use same range
Hi
Im new to the ASA and is trying to setup at test net. The ASA is connected to my router on port zero using DHPC.
(Or i guess its not as the router use the same ip range as ASA does inside).
I tried to set a static IP in the same range (eg. 192.168.1.20) but then get the message "cannot overlap with the subnet of interface inside".
So I belive that is why it dont get a IP from my router - it does show up in the router DHPC table as 192.168.1.5 but ASDM home says outside "no IP address".
I tried to change the inside range of the ASA but if I change the inside IP i loose connection.
(Had to restore factory-default useing the console).
I guess I could setup another range using the console, but how?
How can I setup this test net?If I need to save I did not. (I have not used the console before).
Found the: "write memory" and reload command.
I cant connect to the asa using ADSM-IDM Launcher (from PC connected to the inside lan).
It seems that the asa DHPC server does not work.
And: show running-config
ciscoasa# show running-config
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
no ip address
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5085ad55b43198c7490b2edfee450906
: end -
Asa 5505 transparent firewall issue
hi i am having uc560 with voice and data vlan and i am having 3560 layer3 switch and my network is working fine the dhcp for voice and data both are running in uc560.
now i add asa 5505 between uc560 and switch in transparent mode means from uc560 to asa 5505 outside interface and from asa inside interface to switch,
i conigured vlan1 -- inside and vlan 2 as outside in asa 5505
in my uc 560 data is vlan 1 and my voice is vlan 100.
when i connect my network with transparent mode firewall no dhcp amd no phones are working . but if i remove asa and i connect with uc560 to switch everything is fine.
is there anyway to work multiple voice and data vlan in asa 5505 transparent mode.hi rojas,
here is my problem,
my internet and voice all connected in the uc 560 so wat i am doing i am connecting firewall outside to uc 560 trunk port and the from inside to my switch.
when i connec to my switch it is giving message inconsistant vlan and it is port is blocked. and my phones are not working.
my data vlan1 is 192.168.123.x
and my voice vlan100 is 10.1.1.x
and the firewall ip 192.168.123.3 -
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway( 192.168.223.191) - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 ) -
ISSUES:
1)
no route from DMZ to outside
example:
ping from 172.16.3201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
not working access from external to DMZ AT ALL
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: endThank you one more time for everthing. It is workingin indeed
Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end -
Router CRC error and IP conflict
Hi All,
I just setup my Cisco router 1921/K9 router via lease line. I managed to reach both end using ping command via local network. After an hour, my local LAN with different subnet starting to act weird, IP conflict error message pop up on the screen. It gradually spread over the network, PC by PC.
By issuing #sh int s0/0/0 and #sh int giga0/0 , I can see an input error, and CRC error. "Reliability" was perfect 255/255. Duplex and Speed all set to 100Mbps full duplex.
I have been looking into this matter for a few days, but still no idea what is actually going on. When I unplug LAN cable from giga interface to my local LAN cisco switch, IP conflict has disappeared.
Has anyone encounter this issue before? Kindly assist.Hi,
As per my understanding you are facing 2 different issues one is related to IP conflict and other is CRC and i don't think both have any co-relation as such.
- Are you using DHCP to assign IP address to the users or static? Check if anyone is using the same IP addresses causing this problem.
- For CRC error check with your provider. To isolate any hardware related problem you can try loop test.
If you feel your query has been answered please mark this as answered. In case you have any additional query please feel free to contact.
Thanks & Regards
Sandeep -
Crc error between 2950 and 3620 router
I have connected the 2950 to the 3620, and the running-config of 2950 below:
2950#show running-config
Building configuration...
Current configuration : 1279 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname 2950
enable secret xxxx
no ip subnet-zero
no ip finger
no ip domain-lookup
interface FastEthernet0/1
duplex half
speed 10
interface FastEthernet0/2
interface FastEthernet0/23
interface FastEthernet0/24
interface FastEthernet0/24.122
interface FastEthernet0/24.123
interface Vlan1
bandwidth 10000
ip address 192.168.10.200 255.255.255.0
no ip route-cache
delay 100
ip default-gateway 192.168.10.254
no ip http server
line con 0
transport input none
line vty 0 4
password xxx
login
line vty 5 15
login
end
And the 3620 router just set the interface ethernet0/3:
interface Ethernet0/3
ip address 192.168.10.254 255.255.255.0
half-duplex
I have connected the f0/1 of switch to the eth0/3 of router. There are many crc errors between the switch and router, and try to change the duplex and speed rate, but it didn't take effect. I ensure the cable is good.
Thank you for your suggestion!First, thank you for your notice of my problems.
Yes. When I ping from both directions, I'm seeing the CRC error only in the switch. And I have cleared the counters in both ends.
And I try to connect to another port of the router, It exists the same problem.
I'm seeing both of the input errors and CRC errors.
The interface of f0/1 (in switch)is following:
2950#show int f0/1
FastEthernet0/1 is up, line protocol is up
Hardware is Fast Ethernet, address is 0007.84fc.d1c1 (bia 0007.84fc.d
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 219/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:03:10, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:11:25
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 1000 bits/sec, 1 packets/sec
5 minute output rate 1000 bits/sec, 3 packets/sec
299 packets input, 39511 bytes, 0 no buffer
Received 5 broadcasts, 0 runts, 0 giants, 0 throttles
164 input errors, 164 CRC, 0 frame, 0 overrun, 33 ignored
0 input packets with dribble condition detected
1058 packets output, 81544 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
2950# -
Hi,
I have configured cisco ASA 5505 but I can't get access to internet using my laptop connected to the ASA. I did not use the console but the graphical interface for the configuration. I changed the inside adress of the ASA and it is 192.168.2.1. From the inside I can't ping the material in outside and from outside I can't ping the laptop connected to the ASA.
Here is my configuration:
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname xxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.48 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name processia.com
access-list outside_access_in extended permit ip any any
access-list icmp_out_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group icmp_out_in in interface outside
access-group outside_access_ipv6_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.2.2-192.168.2.129 inside
dhcpd dns 80.10.246.2 80.10.246.129 interface inside
dhcpd ping_timeout 5000 interface inside
dhcpd domain xxxxxxxxxxxxxxxxx interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
policy-map global_policy
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7e6f35db321b722ca60009b0c0dc706e
: end
Thank you for your helpHi Sylla,
The static route you have configured for Internet access needs to be corrected:
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
The next hop address should be your ISP's gateway IP address and not the ASA's outside interface IP. Currently, both are configured for 192.168.1.48.
-Mike
Maybe you are looking for
-
Dear Colleagues, Like Report-Report interface (RRI) in BW, wherein detailed report can be invoked from chart/graph, can similar thing is possible in Visual Composer? Please advice. Regards Pankaj
-
How to enable note names in piano roll in Logic Pro X?
Hello, I am trying to understand how to enable the note names in the piano roll editor, according to some posts it should works creating a mapped instrument, I follow up each step but for me this solution does not work. Basically I have created a sof
-
It also says if I continue to sync it will pretty much wipe my iPhone clear. Is there any way I can fix this, or do I have to start from scratch?
-
Error : Oops.. there was a problem
Hi, While trying to login in into Skype from my Windows 8 Pro desktop machine, it throws an error "Oops there was a problem, Try again." Can you please advise how to resolve this one. S.Ramesh Attachments: Screenshot 2014-11-15 10.37.06.png 24 KB
-
hi, could you pls help me that what is the all process for bfile into blob and then how to see image in apex