Inside interfaces only participate in EIGRP

Similar Messages

• Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

  Hii frnds,
  here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
  Below is the out put from the router
  r1#sh run
  Building configuration...
  Current configuration : 3488 bytes
  ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
  ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
  version 15.1
  service config
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r1
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
  aaa new-model
  aaa authentication login local-console local
  aaa authentication login userauth local
  aaa authorization network groupauth local
  aaa session-id common
  dot11 syslog
  ip source-route
  ip cef
  ip domain name r1.com
  multilink bundle-name authenticated
  license udi pid CISCO1841 sn FHK145171DM
  username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
  username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
  redundancy
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group ra-vpn
  key xxxxxx
  domain r1.com
  pool vpn-pool
  acl 150
  save-password
    include-local-lan
  max-users 10
  crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
  crypto dynamic-map RA 1
  set transform-set my-vpn
  reverse-route
  crypto map ra-vpn client authentication list userauth
  crypto map ra-vpn isakmp authorization list groupauth
  crypto map ra-vpn client configuration address respond
  crypto map ra-vpn 1 ipsec-isakmp dynamic RA
  interface Loopback0
  ip address 10.2.2.2 255.255.255.255
  interface FastEthernet0/0
  bandwidth 8000000
  ip address 117.239.xx.xx 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map ra-vpn
  interface FastEthernet0/1
  description $ES_LAN$
  ip address 192.168.10.252 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.252.0 secondary
  ip address 172.16.0.1 255.255.252.0 secondary
  ip address 10.10.7.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpn-pool 172.18.1.1   172.18.1.100
  ip forward-protocol nd
  ip http server
  ip http authentication local
  no ip http secure-server
  ip dns server
  ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
  ip nat inside source list 100 pool INTERNETPOOL overload
  ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
  access-list 100 permit ip 10.10.7.0 0.0.0.255 any
  access-list 100 permit ip 10.10.10.0 0.0.1.255 any
  access-list 100 permit ip 172.16.0.0 0.0.3.255 any
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
  access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
  access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
  control-plane
  line con 0
  login authentication local-console
  line aux 0
  line vty 0 4
  login authentication local-console
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  r1>sh ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, + - replicated route
  Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
        10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
  C        10.2.2.2/32 is directly connected, Loopback0
  C        10.10.7.0/24 is directly connected, FastEthernet0/1
  L        10.10.7.1/32 is directly connected, FastEthernet0/1
  C        10.10.8.0/22 is directly connected, FastEthernet0/1
  L        10.10.10.1/32 is directly connected, FastEthernet0/1
        117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
  L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.0.0/22 is directly connected, FastEthernet0/1
  L        172.16.0.1/32 is directly connected, FastEthernet0/1
        172.18.0.0/32 is subnetted, 1 subnets
  S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
        192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.10.0/24 is directly connected, FastEthernet0/1
  L        192.168.10.252/32 is directly connected, FastEthernet0/1
  r1#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
  IPv6 Crypto ISAKMP SA
  r1 #sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: giet-vpn, local addr 117.239.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
     current_peer 49.206.59.86 port 50083
       PERMIT, flags={}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0x550E70F9(1427009785)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
        spi: 0x5668C75(90606709)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550169/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x550E70F9(1427009785)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550170/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:

  hi  Maximilian Schojohann..
  First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
  In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
  so plz give me an alternate solution ....thanks in advance....

• Help with Slow access or NAT to Inside Interface on ASA 9.1

  I am hoping someone can help me figure this out, I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
  In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through, The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
  Now to further give you some history, the gateway of last resort is an ASA running 9.1 (Now), prior to that it was a PIX with v8.0(4), traffic to the aforementioned web server came in through the gateway of last resort), which at the time was the PIX.
  However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
  So two questions, one I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but having difficulty translating the rules to the ASA.
  Second question, has anyone experienced this type of issue (Slow access with ASA to a web server, but fast with PIX to the same web server)?
  Attached a diagram of what I am currently doing?
  Any help is appreciated.
  Thanks.
  P.S. Addresses in attached picture config are not real, but I know what they translate to.

  Hi,
  To me you it would seem that you are looking for a NAT configurations something like this
  object network SERVER-PUBLIC
  host 197.162.127.6
  object network SERVER-LOCAL
  host 10.0.1.25
  nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
  It will do a NAT for both the source and destination address in a single NAT configurations. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will untranslated to the SERVER-LOCAL in the process as this configuration handles 2 translations.
  I dont know if this changes the situation at all but it should be the configuration format to handle the translation of external host to the internal interface IP address and only apply when this single public IP address is conserned.
  Hope this helps
  Remember to mark the reply as the correct answer if it answered your question. And/or rate helpfull answers.
  Ask more if needed
  - Jouni

• Can't SSH to inside interface on ASA

  Hi there
  I have generated the key and can ssh to outside interface. I have allowed access on inside interface. I can telnet but not ssh. I captured packets and can see incoming only. Any ideas?
  TIA
  Sent from Cisco Technical Support iPhone App

  Hi there,
  Here it is -
  asa01(config)# sh cap capin
  4 packets captured
     1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
     2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
     3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
     4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
  4 packets shown
  asa01(config)#
  asa01(config)# sh cap asp
  0 packet captured
  0 packet shown
  asa01(config)#
  Can you ping the Switch interface from the ASA?          - Yes
  Can you ping the ASA from the switch? - Yes

• I can Ping FW inside interface but can not connect to remote resources

  dear all
  i configer my asa 5520 through ASDM to enable VPN Connection , i follow the cisco steps and it works fine and the anyconnect version 3.1 in Windows 8 - one day troubleshoot for this point only - can connect and have an IP address from the range , but i have something wrong in NAT may be because all guides talking about old ASDM ( NAT Exempt) but i am confeused to apply it on the new ASDM.
  i can ping the inside interface  from my labtop which using anyconnect , but i can not access anything else inside my network
  Please anyone has a solution , please describe it using ASDM , thanks for help
  This is my configuration
  interface GigabitEthernet0/1
  description
  nameif SRV_ZONE
  security-level 50
  ip address 192.168.1.1 255.255.255.0
  interface GigabitEthernet0/2
  description
  nameif TRUST_ZONE
  security-level 100
  ip address 172.17.200.1 255.255.255.0
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif MGMT
  security-level 0
  ip address 10.10.10.1 255.255.255.0
  dns server-group DefaultDNS
  domain-name xxx.xxx.xxx
  object network obj-192.168.1.11
  host 192.168.1.11
  object network obj-xxx.xxx.xxx.xxx
  host xxx.xxx.xxx.xxx
  object service obj-tcp-source-eq-25
  service tcp source eq smtp
  object network obj-192.168.1.12
  host 192.168.1.12
  object network obj-xxx.xxx.xxx.xxx
  host xxx.xxx.xxx.xxx
  object network obj-192.168.1.0
  subnet 192.168.1.0 255.255.255.0
  object service obj-tcp-eq-25
  service tcp destination eq smtp
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network obj-0.0.0.0
  host 0.0.0.0
  object network obj_any-01
  subnet 0.0.0.0 0.0.0.0
  object network obj-172.17.8.8
  host 172.17.8.8
  object network obj-172.17.0.0
  subnet 172.17.0.0 255.255.0.0
  object network obj_any-02
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-03
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-04
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-05
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-06
  subnet 0.0.0.0 0.0.0.0
  object network obj.172.17.8.115
  host 172.17.8.115
  object network obj.xxx.xxx.xxx.xxx
  host xxx.xxx.xxx.xxx
  object service http
  service tcp source eq www destination eq www
  object network obj.xxx.xxx.xxx.xxx
  host xxx.xxx.xxx.xxx
  object service https
  service tcp source eq https destination eq https
  object service newservice
  service tcp source eq pop3 destination eq pop3
  object network mail
  host 172.17.8.8
  description mail     
  object network 192.168.1.11
  host 192.168.1.11
  description smtp     
  object service smtpnew
  service tcp source eq 587 destination eq 587
  object network VPN_RANGE
  description VPN ACCESS RANGE  
  object network VPN_PoOL
  subnet 172.17.16.0 255.255.255.0
  description vpn
  object-group network DM_INLINE_NETWORK_1
  network-object host 192.168.1.11
  network-object host 192.168.1.12
  object-group network Eighth_Floor
  network-object 172.17.8.0 255.255.255.0
  object-group service WEB_SERVICES
  service-object tcp destination eq www
  object-group network ENT_SERVERS
  network-object host 192.168.1.11
  network-object host 192.168.1.1
  object-group network DM_INLINE_NETWORK_2
  network-object 172.17.200.0 255.255.255.0
  network-object 172.17.8.0 255.255.255.0
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
  object-group service web tcp
  port-object eq www
  port-object eq xxx
  port-object eq ftp
  port-object eq xxx
  port-object eq xxx
  object-group service xxx_Web_and_Email
  service-object object http
  service-object tcp destination eq pop3
  service-object tcp destination eq smtp
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0
  access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 any
  access-list justice_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
  access-list xxx-VPN_splitTunnelAcl remark vpn
  access-list xxx-VPN_splitTunnelAcl standard permit 172.17.16.0 255.255.255.0
  access-list xxx-VPN_splitTunnelAcl standard permit any
  access-list cap extended permit tcp any host xxx.xxx.xxx.xxx eq smtp log
  access-list cap1 extended permit tcp host 192.168.1.11 any eq smtp
  access-list SRV_ZONE_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
  access-list SRV_ZONE_nat_outbound extended permit ip host 192.168.1.11 any
  access-list TRUST_ZONE_access_in extended permit ip host 172.17.88.108 any
  access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.10.3.0 255.255.255.0 any
  access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.10.50.0 255.255.255.0 any
  access-list TRUST_ZONE_access_in extended permit ip 172.17.8.0 255.255.255.0 any
  access-list TRUST_ZONE_access_in extended permit ip 172.17.200.0 255.255.255.0 any
  access-list TRUST_ZONE_access_in extended permit ip 172.17.0.0 255.255.0.0 host 192.168.1.12
  access-list TRUST_ZONE_cryptomap extended permit ip xxx.xxx.xxx.xxx 255.255.255.248 any
  access-list outside_access_in extended permit tcp any host 192.168.1.11 eq smtp
  access-list outside_access_in extended permit tcp any host 172.17.8.8 eq www
  access-list outside_access_in extended permit tcp any host 192.168.1.12 object-group web
  access-list outside_access_in extended permit tcp any host 172.17.8.8 eq pop3
  access-list outside_access_in extended permit ip 172.17.16.0 255.255.255.0 any inactive
  access-list vpn remark vpn
  access-list vpn standard permit 172.17.16.0 255.255.255.0
  pager lines 24
  logging enable
  logging trap informational
  logging asdm informational
  logging host TRUST_ZONE 172.17.8.100
  mtu INT_ZONE 1500
  mtu SRV_ZONE 1500
  mtu TRUST_ZONE 1500
  mtu MGMT 1500
  ip local pool VPN_POOL 172.17.16.100-172.17.16.254 mask 255.255.255.0
  ip verify reverse-path interface INT_ZONE
  ip verify reverse-path interface SRV_ZONE
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any SRV_ZONE
  icmp permit any TRUST_ZONE
  asdm image disk0:/asdm-635.bin
  no asdm history enable
  arp timeout 14400
  nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.11 obj-xxx.xxx.xxx.xxx service any obj-tcp-source-eq-25
  nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.12 obj-xxx.xxx.xxx.xxx
  nat (SRV_ZONE,INT_ZONE) source dynamic obj-192.168.1.0 interface service obj-tcp-eq-25 obj-tcp-eq-25
  nat (INT_ZONE,SRV_ZONE) source static any any destination static 192.168.1.11 obj-172.17.8.8 service obj-tcp-source-eq-25 obj-tcp-source-eq-25
  nat (TRUST_ZONE,INT_ZONE) source static VPN_PoOL VPN_PoOL destination static VPN_PoOL VPN_PoOL
  object network obj_any
  nat (SRV_ZONE,INT_ZONE) dynamic obj-0.0.0.0
  object network obj_any-01
  nat (SRV_ZONE,MGMT) dynamic obj-0.0.0.0
  object network obj-172.17.8.8
  nat (TRUST_ZONE,INT_ZONE) static xxx.xxx.xxx.xxx service tcp www www
  object network obj-172.17.0.0
  nat (TRUST_ZONE,SRV_ZONE) static 172.17.0.0
  object network obj_any-02
  nat (TRUST_ZONE,INT_ZONE) dynamic interface
  object network obj_any-03
  nat (TRUST_ZONE,SRV_ZONE) dynamic interface
  object network obj_any-04
  nat (TRUST_ZONE,INT_ZONE) dynamic obj-0.0.0.0
  object network obj_any-05
  nat (TRUST_ZONE,SRV_ZONE) dynamic obj-0.0.0.0
  object network obj_any-06
  nat (TRUST_ZONE,MGMT) dynamic obj-0.0.0.0
  object network obj.172.17.8.115
  nat (TRUST_ZONE,INT_ZONE) static obj.xxx.xxx.xxx.xxx service tcp www www
  object network mail
  nat (TRUST_ZONE,INT_ZONE) static obj-xxx.xxx.xxx.xxx service tcp pop3 pop3
  nat (TRUST_ZONE,INT_ZONE) after-auto source static obj-172.17.8.8 obj-xxx.xxx.xxx.xxx service https https
  access-group outside_access_in in interface INT_ZONE
  access-group DMZ_access_in in interface SRV_ZONE
  access-group TRUST_ZONE_access_in in interface TRUST_ZONE
  route INT_ZONE 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  route TRUST_ZONE 10.10.0.0 255.255.0.0 172.17.200.254 1
  route TRUST_ZONE 10.11.0.0 255.255.0.0 172.17.200.254 1
  route TRUST_ZONE 10.12.0.0 255.255.0.0 172.17.200.254 1
  route TRUST_ZONE 10.13.0.0 255.255.0.0 172.17.200.254 1
  route TRUST_ZONE 172.17.0.0 255.255.0.0 172.17.200.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication enable console LOCAL
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication serial console LOCAL
  http server enable
  http 172.17.8.0 255.255.255.0 TRUST_ZONE
  http 172.17.8.155 255.255.255.255 TRUST_ZONE
  http 172.17.8.45 255.255.255.255 TRUST_ZONE
  http 10.10.10.2 255.255.255.255 MGMT
  http 192.168.1.12 255.255.255.255 SRV_ZONE
  http 0.0.0.0 0.0.0.0 INT_ZONE
  http 172.17.200.0 255.255.255.0 TRUST_ZONE
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map pol 1 match address TRUST_ZONE_cryptomap
  crypto dynamic-map pol 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map INT_ZONE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map TRUST_ZONE_map0 1 ipsec-isakmp dynamic pol
  crypto map TRUST_ZONE_map0 interface TRUST_ZONE
  crypto map INT_ZONE_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map INT_ZONE_map0 interface INT_ZONE
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  fqdn SEC-xxx-FW1
  subject-name CN=SEC-xxx-FW1
  no client-types
  proxy-ldc-issuer
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment self
  subject-name CN=SEC-xxx-FW1
  keypair sslvpnkeypair
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate 31
      57f4e52e 6b851966 77515d62 c209a0df 1c32ce94 bb90cbce 497cfd04 6745ea85
      efb75f85 2ae1ad35 344d94ab 915e01ab d3292626 ac697a52 b4ed6632 d3ed2332 ae
    quit
  crypto ca certificate chain ASDM_TrustPoint1
  certificate e6054352
      c64f3661 30f14c3d 06b5f039 9f14560d 3b154fd1 42782268 7531689e 8e547d91
      85e88415 e326f653 74733a6c a3f5c935 f7e83f56 f6
    quit
  crypto isakmp enable INT_ZONE
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 INT_ZONE
  ssh 172.17.8.0 255.255.255.0 TRUST_ZONE
  ssh 10.10.10.2 255.255.255.255 MGMT
  ssh timeout 5
  console timeout 0
  management-access TRUST_ZONE
  vpn load-balancing
  interface lbpublic INT_ZONE
  interface lbprivate INT_ZONE
  priority-queue INT_ZONE
    tx-ring-limit 256
  threat-detection basic-threat
  threat-detection scanning-threat
  threat-detection statistics host number-of-rate 3
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint1 INT_ZONE
  webvpn
  enable INT_ZONE
  svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
  svc enable
  tunnel-group-list enable
  group-policy xxx-VPN internal
  group-policy xxx-VPN attributes
  dns-server value xx.xx.xx.xx xx.xx.xx.xx
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value xxx-VPN_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol webvpn
  group-policy GPNEW internal
  group-policy GPNEW attributes
  dns-server value 172.17.8.41
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  default-domain value xxx.xxx.xxx
  address-pools value VPN_POOL
  username VPNAM password xxx encrypted
  username VPNAM attributes
  service-type remote-access
  vpn-group-policy xxx-VPN
  tunnel-group xxx-VPN type remote-access
  tunnel-group xxx-VPN general-attributes
  dhcp-server 172.17.8.41
  tunnel-group xxx-VPN ipsec-attributes
  pre-shared-key *****
  tunnel-group pol type ipsec-l2l
  tunnel-group pol ipsec-attributes
  pre-shared-key *****
  trust-point ASDM_TrustPoint0
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
  address-pool VPN_POOL
  default-group-policy GPNEW
  tunnel-group SSLClientProfile webvpn-attributes
  group-alias SSLVPNClient enable
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect ip-options
    inspect pptp
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:78a941e3f509dec8f3570c60061eedaa
  : end

  thanks god
  i solve the problem
  the problem is in NAT
  i creat an object with the ip address host from VPN pool and name it vpn
  then i do the nat from inside to that host as the following picture...
  trust zone is the inside zone
  vpn is the outside vpn host...
  thanks and hope it helps anyone else...

• Allow seperate interface access to a single host on inside interface

  I'm using a Cisco PIX 515E running ASA 8.0(3) - two separate networks, one on each interface…
  I intentionally have a separate network on the 'wireless' interface because I share the wireless with my neighbor and don't want him on my 'inside' LAN. I occasionally want to use the wireless myself, but only need access to my printer at 192.168.21.6
  How can I allow the wireless interface access to 192.168.21.6 (just port tcp/udp 9100 I believe). I experimented with static commands, but could not get it to work? Must I create a separate IP such as 192.168.22.6 and map that to 192.168.21.6 on the inside interface in order to print?

  If you use reguar 'Static Identity NAT', it will be a one to one mapping for ALL ports (this means you have to adjust your ACL to only allow DNS , Printer). Right now your Access-Control is aided by the 'nat-control' command.
  You cannot use the printer because you have nat-control command. This means to successfully pass traffic from lower security zone to higher security zone you need the ACL entry coupled with a 'Static' translation or exemption for the traffic flow. Since your translations are limited to particular ports the two zones cannot communicate.
  Yes you would need a similar translation for DNS.
  Regards
  Farrukh

• Can't Ping or access via SNMP Inside interface of 5505

  I have a remote site I'm trying to setup monitoring on and I can't get the inside interface to respond to a ping or SNMP requests.  I have tried everything I can find in the forums and on the web but this location will not cooperate.  I have full access to the ASA and to the inside network behind it.  IPSEC VPN tunnel is working perfectly.  I see the ping requests in the log on the ASA.  I turned on ICMP debugging and only see the echo request.. never an echo reply.  Below is a partial configuration.  If you need any more information, let me know.
  names
  name 192.168.0.0 Domain
  name 1.1.1.2 MCCC_Outside
  name 172.31.10.0 VLAN10
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.23.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.0
  boot system disk0:/asa847-k8.bin
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
   domain-name mtcomp.org
  object network obj-192.168.23.0
   subnet 192.168.23.0 255.255.255.0
  object network Domain
   subnet 192.168.0.0 255.255.0.0
  object network 172.31.0.0
   subnet 172.31.0.0 255.255.0.0
  access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 object Domain
  access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 object Domain
  access-list Outside_NAT0_inbound extended permit ip object Domain 192.168.23.0 255.255.255.0
  access-list inside_access_in extended permit ip 192.168.23.0 255.255.255.0 any
  access-list inside_access_in extended permit ip any 192.168.23.0 255.255.255.0 inactive
  no pager
  logging enable
  logging timestamp
  logging buffered debugging
  logging trap informational
  logging asdm informational
  logging device-id hostname
  logging host inside 192.168.x.x 17/1514
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,any) source static obj-192.168.23.0 obj-192.168.23.0 destination static Domain Domain no-proxy-arp route-lookup
  route outside MCCC_Outside 255.255.255.255 1.1.1.1 1
  route outside 172.31.0.0 255.255.0.0 192.168.1.1 1
  route outside VLAN10 255.255.255.0 MCCC_Outside 1
  route outside Domain 255.255.0.0 192.168.1.1 1
  route outside 192.168.1.0 255.255.255.0 MCCC_Outside 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 192.168.1.81 255.255.255.255 inside
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.23.0 255.255.255.0 inside
  snmp-server host inside 172.x.x.x community ***** version 2c
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer MCCC_Outside
  crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map interface outside
  management-access inside
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect icmp
  policy-map global-policy
  service-policy global_policy global
  prompt hostname context

  Hi,
  First of all let me clarify your trial.
  Where is your monitoring server?
  Is it behind inside or outside interface (please share ip adress)?
  From config it seems, it can be reach via outside interface. Then you have to make snmp check on outside interface, not on inside (cannot make a snmp/ping check on inside interface with request comming through outside inteface - it simply won't work).
  From the first check of routing table, I would suggest:
  delete : route outside MCCC_Outside 255.255.255.255 1.1.1.1 1 - doesn't make a sense route host address, when it's directly connected network (and more, route 1.1.1.2 to 1.1.1.1, when 1.1.1.1 is vlan2 interface)
  change : route outside 172.31.0.0 255.255.0.0 192.168.1.1 1; route outside Domain 255.255.0.0 192.168.1.1 1 - you should consider route it to 1.1.1.2 (if this is your next hop address at WAN).
  route outside VLAN10 255.255.255.0 MCCC_Outside 1 - why?
  I would use default route to somewhere at 1.1.1.0/24 range - next hop (router).
  HTH,
  Pavel

• Can not access ASAs inside interface via VPN tunnels

  Hi there,
  I have a funny problem.
  I build up a hub and spoke VPN, with RAS Client VPN access for the central location.
  All tunnels and the RAS VPN access are working fine.
  I use the tunnels for Voip, terminal server access and a few other services.
  The only problem I have is, that I could not access the inside IP address of any of my ASAs, neither via tunnels nor via RAS VPN access. No telnet access and no ping reach the inside interfaces.
  No problem when I connect to the interface via a host inside the network.
  All telnet statments in the config are ending with the INSIDE command.
  On most of the ASAs the 8.2 IOS is running on one or two ASAs the 8.0(4).
  For the RAS client access I use the Cisco 5.1 VPN client.
  Did anybody have any suggestions?
  Regards
  Marcel

  Marcel,
  Simply add on the asas you want to administer through the tunnels
  management-access
  http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
  for asa5505
  management-access inside
  for all others if you have management interface management0/0 defined then:
  management-access management
  then you may need to allow the source , for example if RA VPN pool network is 10.20.20.0/24 then you tell asa that network cann administer asa and point access to inside, but sounds you have this part already.
  telnet 10.20.20.0 255.255.255.0 inside
  http 10.20.20.0 255.255.255.0 inside
  same principle for l2l vpns
  Regards

• Disable BFD in multiple Router Sub interfaces that participates in OSPF

  Hi team,
  Please help me on this. Here is the scenario:
  We are on an enterprise set up and running on 100+ routers.
  We have 200 to 300+ sub interfaces for virtual circuits
  Our protocol is OSPF over MPLS
  One of our provider in LA encountered link flaps on SONET causing our LA router that is directly connected to that link to recalculate multiple times.
  Recalculation of OSPF routes caused disconnection of users in LA VM's.
  We were advised by our provider in LA to disable BFD so minor link flaps will no affect recalculation of routes.
  We are now tasked by our design team to Disable BFD in multiple Router Sub interfaces that participates in OSPF.
  My questions are:
  What is the implication in disabling all BFD in routers' interface and sub interface?
  Will this improve recalculation of OSPF routes in cause of link flaps or it will totally ignore the link flaps?
  Will the routers only recognize a "full down" status of the interface?
  How can we Disable BFD in multiple Router Sub interfaces that participates in OSPF in a faster way? Or do we have to do this one by one?
  Please advise before we present this to the CAB and implementation. Thank you.

  My questions are:
  What is the implication in disabling all BFD in routers' interface and sub interface?
  Answer:  the implication would be eliminating sub-second millisecond convergence.
  BFD detect failure at the link layer very fast , once detected it informs the upper layer protocol about the failure causing it to converge immediately. 
  Will this improve recalculation of OSPF routes in cause of link flaps or it will totally ignore the link flaps?
  Answer: if your Provider experiencing intermittent flaps, then yes it will be advisable to turn BFD off. this however doesn't totally ignore the link flaps, once the upper protocol detect the failure based on the dead interval parameter on OSPF, it will recalculate OSPF routes again.  Keep in mind, if you have redundant or more links to your provider , then I wouldn't recommend disabling BFD , as it should improve Convergence and you shouldn't notice the failure. 
  Will the routers only recognize a "full down" status of the interface?
  Answer: disabling BFD allows the router recognize a full down status once the upper protocol dead interval occurs or full down status of interface. which ever occurs the earliest.
  How can we Disable BFD in multiple Router Sub interfaces that participates in OSPF in a faster way? Or do we have to do this one by one?
  You can disable it one by one. or if you have configuration management software, it allows you to do it for all nodes at a time. but this depends if you have it or not.
  Please consider not to disable BFD if you have multiple OSPF links towards your provider from any branch, as it shouldn't impact your VMs, it should rather improve Convergence at milliseconds which is absolutely not noticeable.
  BR,
  Mohamed 

• Routing Issue Accessing Inside Interface of ASA

  Ok so I'm making this more complex than it needs to be and can't see the forest for the trees. I'm setting up an ASA 5510 with multiple contexts. I'm working with my main internal context for my internal traffic. I have created interfaces on this context as follows:
  interface Ethernet0/0.1
  description outside interface
  nameif outside
  security-level 0
  ip address 1.1.1.2 255.255.255.252
  interface Ethernet0/1.1
  description inside interface for internal context
  nameif inside
  security-level 100
  ip address 10.10.50.150 255.255.0.0
  same-security-traffic permit intra-interface
  route outside 0.0.0.0 0.0.0.0 1.1.1.1
  NOTE: Also has ssh configuration but can't document that here.
  My workstation has an IP 10.10.30.20 255.255.0.0 with a default gateway that points to my core switch (10.10.50.151).
  When I try to access the inside interface of the ASA via ssh from my workstation I can't connect. I tried to ping the inside interface IP address of the ASA from my workstation and it doesn't reply. I can however ping anything on my internal network from the ASA through the inside interface. What am I missing on this?
  Thanks.

  I figured out this issue but now have a new issue. The problem I had accessing the internal network from the ASA was due to the core switch I was being routed through. After looking at the core I saw that the default route was redirecting all traffic to the IP address of the inside interface on the production ASA. I have since pulled a spare switch and created an isolated network with a laptop and the inside interface on the new ASA. This worked great.
  Now to my new problem. I am trying to access our ISPs external address from the ASA. The ISP has provided us with two vlans (100 and 101) on one connection and has given us two public IPs (one is the IP for the router on their end and the second is the IP I am supposed to use on my outside interface for vlan 100). I have created sub-interfaces on my outside interface and defined 0/0.1 as vlan 100 and 0/0.2 as vlan 101. VLAN 101 will go to our rack at our disaster recovery site so it will just be an extension of our existing network.
  My network is as follows:
                                 ISP (IP 2.2.2.1)
                                          |
                                          |
                                 3560-CG switch (both ports -- to ISP and ASA outside interface are configured as trunk ports)
                                          |
                                          |
                                 ASA (outside 2.2.2.2 vlan 100)
  When I try to ping the 2.2.2.1 address from the ASA it doesn't work. If both my ASA outside port and the port to the ISP are both trunk ports shouldn't it route both VLANs (100 and 101) without any issue or am I missing something in my thinking?
  Thanks.

• Connect to VPN but can't ping past inside interface

  Hello,
  I've been working on this issue for a few days with no success. We're setting  up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec  VPN setup on it for remote access. After some initial problems, we've gotten it  to where the VPN tunnel authenticates the user and connects as it should,  however we cannot ping into our LAN. We are able to ping as far as the  firewall's inside interface. I've tried other types of traffic too and nothing  gets through. I've checked the routes listed on the VPN client while we're  connected and they look correct - the client also shows both sent and received  bytes when we connect using TCP port 10000, but no Received bytes when we  connect using UDP 4500. We are trying to do split tunneling, and that seems to  be setup correctly because I can still surf while the VPN is connected.
  Below is our running config. Please excuse any messyness in the config as  there are a couple of us working on it and we've been trying a whole bunch of  different settings throughout the troubleshooting process. I will also note that  we're using ASDM as our primary method of configuring the unit, so any  suggestions that could be made with that in mind would be most helpful.  Thanks!
  ASA-01# sh run
  : Saved
  ASA Version 8.6(1)2
  hostname ASA-01
  domain-name domain.org
  enable password **** encrypted
  passwd **** encrypted
  names
  interface GigabitEthernet0/0
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 10.2.0.1 255.255.0.0
  interface GigabitEthernet0/1
  description Primary WAN Interface
  nameif outside
  security-level 0
  ip address 76.232.211.169 255.255.255.192
  interface GigabitEthernet0/2
  shutdown
  <--- More --->
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  speed 100
  <--- More --->
  duplex full
  shutdown
  nameif management
  security-level 100
  ip address 10.4.0.1 255.255.0.0
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.2.11.6
  domain-name domain.org
  dns server-group sub
  name-server 10.2.11.121
  name-server 10.2.11.138
  domain-name sub.domain.net
  same-security-traffic permit intra-interface
  object network 76.232.211.132
  host 76.232.211.132
  object network 10.2.11.138
  host 10.2.11.138
  object network 10.2.11.11
  host 10.2.11.11
  <--- More --->
  object service DB91955443
  service tcp destination eq 55443
  object service 113309
  service tcp destination range 3309 8088
  object service 11443
  service tcp destination eq https
  object service 1160001
  service tcp destination range 60001 60008
  object network LAN
  subnet 10.2.0.0 255.255.0.0
  object network WAN_PAT
  host 76.232.211.170
  object network Test
  host 76.232.211.169
  description test
  object network NETWORK_OBJ_10.2.0.0_16
  subnet 10.2.0.0 255.255.0.0
  object network NETWORK_OBJ_10.2.250.0_24
  subnet 10.2.250.0 255.255.255.0
  object network VPN_In
  subnet 10.3.0.0 255.255.0.0
  description VPN User Network
  object-group service 11
  service-object object 113309
  <--- More --->
  service-object object 11443
  service-object object 1160001
  object-group service IPSEC_VPN udp
  port-object eq 4500
  port-object eq isakmp
  access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
  access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
  access-list outside_access_in extended permit object DB91955443 any interface outside
  access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any
  access-list inside_access_in extended permit ip any any log disable
  access-list inside_access_in extended permit icmp any any echo-reply log disable
  access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
  access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
  access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
  access-list vpn_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
  <--- More --->
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any management
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source dynamic any WAN_PAT inactive
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
  nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
  nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  <--- More --->
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server ActiveDirectory protocol nt
  aaa-server ActiveDirectory (inside) host 10.2.11.121
  nt-auth-domain-controller sub.domain.net
  aaa-server ActiveDirectory (inside) host 10.2.11.138
  nt-auth-domain-controller sub.domain.net
  user-identity default-domain LOCAL
  eou allow none
  http server enable
  http 10.4.0.0 255.255.255.0 management
  http 10.2.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  no sysopt connection permit-vpn
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  <--- More --->
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  <--- More --->
  subject-name CN=ASA-01
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate a6c98751
      308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
      0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
      092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
      67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
      5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
      2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
      30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
      acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
      fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
      140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
      61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
      0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
      acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
      288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
      92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
      1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
    quit
  crypto isakmp identity address
  crypto isakmp nat-traversal 30
  crypto ikev2 policy 1
  <--- More --->
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  <--- More --->
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  crypto ikev1 ipsec-over-tcp port 10000
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  <--- More --->
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  <--- More --->
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  <--- More --->
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  <--- More --->
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd dns 10.2.11.121 10.2.11.138
  dhcpd lease 36000
  dhcpd ping_timeout 30
  dhcpd domain sub.domain.net
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  <--- More --->
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy domain internal
  group-policy domain attributes
  banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
  wins-server value 10.2.11.121 10.2.11.138
  dns-server value 10.2.11.121 10.2.11.138
  vpn-idle-timeout none
  vpn-filter value vpn_access_in
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value domain_splitTunnelAcl
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  group-policy DfltGrpPolicy attributes
  dns-server value 10.2.11.121 10.2.11.138
  vpn-filter value outside_access_in
  vpn-tunnel-protocol l2tp-ipsec
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  address-pools value VPNUsers
  username **** password **** encrypted privilege 15
  <--- More --->
  username **** password **** encrypted privilege 15
  username **** attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect dtls compression lzs
    anyconnect ssl dtls enable
    anyconnect profiles value VPN_client_profile type user
  tunnel-group DefaultL2LGroup general-attributes
  default-group-policy domain
  tunnel-group DefaultRAGroup general-attributes
  address-pool VPNUsers
  authentication-server-group ActiveDirectory
  default-group-policy domain
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  ikev1 trust-point ASDM_TrustPoint0
  tunnel-group DefaultWEBVPNGroup general-attributes
  default-group-policy domain
  tunnel-group domain type remote-access
  tunnel-group domain general-attributes
  address-pool (inside) VPNUsers
  address-pool VPNUsers
  authentication-server-group ActiveDirectory LOCAL
  authentication-server-group (inside) ActiveDirectory LOCAL
  <--- More --->
  default-group-policy domain
  dhcp-server link-selection 10.2.11.121
  tunnel-group domain ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
  <--- More --->
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 21
    subscribe-to-alert-group configuration periodic monthly 21
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
  : end

  Hello,
  I've been working on this issue for a few days with no success. We're setting  up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec  VPN setup on it for remote access. After some initial problems, we've gotten it  to where the VPN tunnel authenticates the user and connects as it should,  however we cannot ping into our LAN. We are able to ping as far as the  firewall's inside interface. I've tried other types of traffic too and nothing  gets through. I've checked the routes listed on the VPN client while we're  connected and they look correct - the client also shows both sent and received  bytes when we connect using TCP port 10000, but no Received bytes when we  connect using UDP 4500. We are trying to do split tunneling, and that seems to  be setup correctly because I can still surf while the VPN is connected.
  Below is our running config. Please excuse any messyness in the config as  there are a couple of us working on it and we've been trying a whole bunch of  different settings throughout the troubleshooting process. I will also note that  we're using ASDM as our primary method of configuring the unit, so any  suggestions that could be made with that in mind would be most helpful.  Thanks!
  ASA-01# sh run
  : Saved
  ASA Version 8.6(1)2
  hostname ASA-01
  domain-name domain.org
  enable password **** encrypted
  passwd **** encrypted
  names
  interface GigabitEthernet0/0
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 10.2.0.1 255.255.0.0
  interface GigabitEthernet0/1
  description Primary WAN Interface
  nameif outside
  security-level 0
  ip address 76.232.211.169 255.255.255.192
  interface GigabitEthernet0/2
  shutdown
  <--- More --->
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  speed 100
  <--- More --->
  duplex full
  shutdown
  nameif management
  security-level 100
  ip address 10.4.0.1 255.255.0.0
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.2.11.6
  domain-name domain.org
  dns server-group sub
  name-server 10.2.11.121
  name-server 10.2.11.138
  domain-name sub.domain.net
  same-security-traffic permit intra-interface
  object network 76.232.211.132
  host 76.232.211.132
  object network 10.2.11.138
  host 10.2.11.138
  object network 10.2.11.11
  host 10.2.11.11
  <--- More --->
  object service DB91955443
  service tcp destination eq 55443
  object service 113309
  service tcp destination range 3309 8088
  object service 11443
  service tcp destination eq https
  object service 1160001
  service tcp destination range 60001 60008
  object network LAN
  subnet 10.2.0.0 255.255.0.0
  object network WAN_PAT
  host 76.232.211.170
  object network Test
  host 76.232.211.169
  description test
  object network NETWORK_OBJ_10.2.0.0_16
  subnet 10.2.0.0 255.255.0.0
  object network NETWORK_OBJ_10.2.250.0_24
  subnet 10.2.250.0 255.255.255.0
  object network VPN_In
  subnet 10.3.0.0 255.255.0.0
  description VPN User Network
  object-group service 11
  service-object object 113309
  <--- More --->
  service-object object 11443
  service-object object 1160001
  object-group service IPSEC_VPN udp
  port-object eq 4500
  port-object eq isakmp
  access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
  access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
  access-list outside_access_in extended permit object DB91955443 any interface outside
  access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any
  access-list inside_access_in extended permit ip any any log disable
  access-list inside_access_in extended permit icmp any any echo-reply log disable
  access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
  access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
  access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
  access-list vpn_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
  <--- More --->
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any management
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source dynamic any WAN_PAT inactive
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
  nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
  nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  <--- More --->
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server ActiveDirectory protocol nt
  aaa-server ActiveDirectory (inside) host 10.2.11.121
  nt-auth-domain-controller sub.domain.net
  aaa-server ActiveDirectory (inside) host 10.2.11.138
  nt-auth-domain-controller sub.domain.net
  user-identity default-domain LOCAL
  eou allow none
  http server enable
  http 10.4.0.0 255.255.255.0 management
  http 10.2.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  no sysopt connection permit-vpn
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  <--- More --->
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  <--- More --->
  subject-name CN=ASA-01
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate a6c98751
      308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
      0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
      092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
      67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
      5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
      2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
      30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
      acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
      fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
      140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
      61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
      0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
      acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
      288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
      92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
      1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
    quit
  crypto isakmp identity address
  crypto isakmp nat-traversal 30
  crypto ikev2 policy 1
  <--- More --->
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  <--- More --->
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  crypto ikev1 ipsec-over-tcp port 10000
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  <--- More --->
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  <--- More --->
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  <--- More --->
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  <--- More --->
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd dns 10.2.11.121 10.2.11.138
  dhcpd lease 36000
  dhcpd ping_timeout 30
  dhcpd domain sub.domain.net
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  <--- More --->
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy domain internal
  group-policy domain attributes
  banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
  wins-server value 10.2.11.121 10.2.11.138
  dns-server value 10.2.11.121 10.2.11.138
  vpn-idle-timeout none
  vpn-filter value vpn_access_in
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value domain_splitTunnelAcl
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  group-policy DfltGrpPolicy attributes
  dns-server value 10.2.11.121 10.2.11.138
  vpn-filter value outside_access_in
  vpn-tunnel-protocol l2tp-ipsec
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  address-pools value VPNUsers
  username **** password **** encrypted privilege 15
  <--- More --->
  username **** password **** encrypted privilege 15
  username **** attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect dtls compression lzs
    anyconnect ssl dtls enable
    anyconnect profiles value VPN_client_profile type user
  tunnel-group DefaultL2LGroup general-attributes
  default-group-policy domain
  tunnel-group DefaultRAGroup general-attributes
  address-pool VPNUsers
  authentication-server-group ActiveDirectory
  default-group-policy domain
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  ikev1 trust-point ASDM_TrustPoint0
  tunnel-group DefaultWEBVPNGroup general-attributes
  default-group-policy domain
  tunnel-group domain type remote-access
  tunnel-group domain general-attributes
  address-pool (inside) VPNUsers
  address-pool VPNUsers
  authentication-server-group ActiveDirectory LOCAL
  authentication-server-group (inside) ActiveDirectory LOCAL
  <--- More --->
  default-group-policy domain
  dhcp-server link-selection 10.2.11.121
  tunnel-group domain ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
  <--- More --->
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 21
    subscribe-to-alert-group configuration periodic monthly 21
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
  : end

• ASA 5505 Vlan1/Inside Interface Down

  I did an initial setup of an ASA 5505 using the setup wizard.
  The inside interface is showing down/down.  It is not shutdown in the running config.
  The ethernet ports say "available but not configured via nameif."
  Anyone have some ideas for me to check?
  ethernet0/0 is working with no problems.

  Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main  This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
  Brian

• Remote Access VPN and NAT inside interface

  Hi everyone,
  I have configured Remote VPN access.
  Inside interface and vpn pool is 10.0.0.0 subnet.
  ASA inside interface has NAT exempt as per config below
  nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
  object network NETWORK_OBJ_10.0.0.0_24
  subnet 10.0.0.0 255.255.255.0
  object network NETWORK_OBJ_10.0.0.0_25
  subnet 10.0.0.0 255.255.255.128
  Also i have ASA inside interface connected to R1 as below
  R1 ---10.0.0.2------------inside int  IP 10.0.0.1--------ASA
  R1 has loopback int 192.168.50.1 and ASA has static route to it.
  When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
  This ping works fine.
  Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user                                                                                        )
  Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
  Need to understand how this ping works without exempting 192.168.50.0 from natiing
  or
  how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
  Regards
  Mahesh

  Hi Jouni,
  IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
  Leting you  know that i have removed the NAT below config from inside to outside interface 
  ASA inside interface has NAT exempt as per config below
  nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
  object network NETWORK_OBJ_10.0.0.0_24
  subnet 10.0.0.0 255.255.255.0
  object network NETWORK_OBJ_10.0.0.0_25
  subnet 10.0.0.0 255.255.255.128
  Still ping works fine from VPN client PC to IP 192.168.50.1
  Packet tracer output
  ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.50.1    255.255.255.255 inside
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_in in interface outside
  access-list outside_access_in extended permit ip any host 192.168.50.1 log
  access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
  Additional Information:
  Phase: 3
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: CP-PUNT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: DROP
  Config:
  Additional Information:
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  I can ping from PC command prompt to IP 192.168.50.1 fine.
  Here is second packet tracer
  ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         outside
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group inside_access_in in interface inside
  access-list inside_access_in extended permit ip any any
  Additional Information:
  Phase: 3
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: DEBUG-ICMP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: DEBUG-ICMP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 9
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 11
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 18033, packet dispatched to next module
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: allow
  So question is how ping from outside is working without nat exempt from inside to outside?
  So does second packet tracer proves that i have no NAT config from loopback to outside and ping works because i have NO NAT configured?
  Regards
  Mahesh
  Message was edited by: mahesh parmar

• I have an iPhone 5 and when i lightly tap on the back top part of my phone it sounds like something is rattling inside. Only on the top part of the phone, not on the bottom. I am wondering if anyone knows what this may be and should i have it looked at?

  I have an iPhone 5 and when i lightly tap on the back top part of my phone it sounds like something is rattling inside. Only on the top part of the phone, not on the bottom. I am wondering if anyone knows what this may be and should i have it looked at?

  Definitlely have it looked at. That could be a hardware deffect on the maker(apple) so there could be a definite replacement option.

• Cisco ASA 8.2 55xx connect 2 inside interfaces together

  Hi all,
  I have some problem with my Cisco ASA 8.2 5510. I have to know how shoud i connect 2 inside interfaces together. I am writing what i have.
  I have 5 network connection on Cisco ASA.
  1. Interface Ethernet 0/0 - outside 200.200.200.200 255.255.255.240
  2. Interface Ethernet 0/1 - 1_firm 10.0.1.1 255.255.255.0
  3. Interface Ethernet 0/2 - 2_firm 192.168.1.1 255.255.255.0
  4. Interface Ethernet 0/3 - DMZ-Server 10.10.10.1 255.255.255.0 (Just one Server)
  5. Management -  no need
  I have to connect 2 Interfaces, (1_firm) with Interface (2_firm). I've tried
  "route 1_firm 192.168.1.0 255.255.255.0 10.0.1.1" ,
  but i resiving following error "Cannot add route,connected route exists".
  But i have no route configuration. What i have cheking? Or maked i some wrong?
  Thank you for your help

  Hi Jennifer,
  Thanks for your answer.
  Sec. Level 90 .
  Can you write me correct NAT and exeption configuration? That is my conf.
  This is my test Firewall system
  ciscoasa(config)# sh run
  : Saved
  ASA Version 8.0(2)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  names
  interface Ethernet0/0
  nameif outisde
  security-level 0
  ip address 200.100.100.200 255.255.255.240
  interface Ethernet0/1
  nameif vpm
  security-level 90
  ip address 192.168.1.1 255.255.255.0
  interface Ethernet0/2
  nameif wundplan
  security-level 90
  ip address 10.0.1.1 255.255.255.0
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  passwd 2KFQnbNIdI.2KYOU encrypted
  boot config disk0:/.private/startup-config
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  access-list wundplan_access_in extended permit ip 10.0.1.0 255.255.255.0 any
  access-list vpm_access_in extended permit ip 192.168.1.0 255.255.255.0 any
  access-list outisde_access_in extended permit ip any 200.100.100.192 255.255.255.240
  access-list wundplan_nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outisde 1500
  mtu vpm 1500
  mtu wundplan 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-625-53.bin
  no asdm history enable
  arp timeout 14400
  global (outisde) 101 interface
  global (wundplan) 1 10.0.1.0 netmask 255.255.0.0
  access-group outisde_access_in in interface outisde
  access-group vpm_access_in in interface vpm
  access-group wundplan_access_in in interface wundplan
  route outisde 0.0.0.0 0.0.0.0 200.100.100.199 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 10.0.1.0 255.255.255.0 wundplan
  http 192.168.1.0 255.255.255.0 vpm
  http 10.0.0.0 255.255.255.0 wundplan
  http 192.168.0.0 255.255.255.0 vpm
  http redirect wundplan 80
  http redirect vpm 80
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  no crypto isakmp nat-traversal
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:5cd35a1417360a176153562a9c67e266
  : end
  Thynk you very mach.