NAT issue on ASA 5525 8.6(1)
Hello Experts,
We have recently installed new 5525 8.6(1) ASA's. Our setup is like; where wer are using Public IP for web server, which needs to be mapped/natted to internet VIP address and that VIP is configured on F5 LB. Setup is below; This Public IP is the webserver IP. The firewall get hits, but web server page is not being displayes. In the logs FW built tcp but then tear down the session, syslog id (302014) 77 TCP Reset-I
|INTERNET|
|
|
195.201.55.X
[ ASA ]
Natting to
10.100.100.151
[ F5 ]
|
Real Servers---> .150 .151
NAT Config is;
nat (DMZ1,OUTSIDE) source static 10.100.100.151 195.201.55.X
Your help will be appreciated if you can provide the right nat config;
Regards
Hi Jouni,
The packet tracer looks good, all green tick boxes. I need to install wireshark on the Servers to makesure they are getting request from the Firewall.
The funny thing is, on the firewall if I change the NAT say, from public IP translate to the real IP of the servers, then it works perfectly. But as soon as I change the NAT rule i.e Public IP translate to the VIP address, then it doesn't bring up the webpage. though I can ping the VIP address from the firewall, and the VIP address is the same subnet as the FW and F5 boxes with /24 mask! e.g FW int ip is 10.100.100.1 and F5 connecting to FW is 10.100.100.3 and the VIP is
10.100.100.151/24.
Akshy,
On the FW I did the TCP Ping, but It doesn't work. Like I said, I will install wireshark on the server and then will see if it works.
Many thanks guys for your quick response and help. I will let you know the result.
Regards
Similar Messages
-
HI experts,
i am using
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.4(9)
i configure Nat but when i use packet tracer in firewall to see packet flow i found my inside packet is not able to reach to outside interface.what is the problem i don't understand. should i create access rule for the or anything else.
please healpe..
regards
SuhasHi,
Pease find the whole configuration & packet tracer screen shot..
ASA Version 8.0(4)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.30.0 outside
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 0
ip address 10.10.10.1 255.255.255.0
boot system disk0:/
boot system disk0:/asa825-33-k8.bin
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.10 255.255.255.255 inside
http 10.10.10.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:0fbad53e0533429878e448f1f87415fc
: end
ciscoasa(config)#
This image for INSIDE HOST TO INSIDE INTERFACE
This image for INSIDE HOST TO OUTSIDE INTERFACE
This image for INSIDE HOST TO OUTSIDE NEXT HOP INTERFACE -
Cisco asa 8.4 natting issues
Can any one help me out how to resolve this issue.
ASA 8.4 version
inside to TEST working fine.
nat (inside,TEST) source dynamic interface
my main concern is TEST (192.168.2.1) lan wants to access inside subnets with real ip addresses (ex: 11.11.11.1) with RDP connection.
please share the configuration.Hi Rajesh,
Do you expect router 11.11.11.1 to respond for your RDP connection?? or you want the pc behind that router if any to respond to your rdp connection??
Please put your present configuration and describe your question with more details on what do you want to achieve with this sample setup..... hopefully we will try to provide better suggestions to you....
Regards
Karthik -
Asymmetric NAT rules matched for forward and reverse flows - NAT Issue
Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside)
The Error:
5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
I understand this is a NAT issue; but I not seeing the error and could use a second set of eyes. Here's my current running configuration.
: Saved
ASA Version 8.3(2)
hostname fw1
domain-name xxxxxxxx.xxx
enable password <removed>
passwd <removed>
names
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.xxx.xxx.xxx 255.255.255.248
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
interface Vlan33
description Police Subnet
shutdown
nameif PDNet
security-level 90
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/5
switchport access vlan 23
interface Ethernet0/6
shutdown
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
banner exec Access Restricted to Personnel Only
banner login Access Restricted to Personnel Only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxx.xxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.94.142.229
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address hostmaster@xxxxxxxxx
logging recipient-address john@xxxxxxxxx level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.9.0 255.255.255.0 inside
http 74.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.xxx.xxx.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password <removed> privilege 15
tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
tunnel-group 173.xxx.xxx.xxx general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
: end
Any ideas would be appreciated.
JohnI don't see any inspection-commands in your config. Is there a reason for not using any of them?
If your problem is only with ICMP, then you should enable at least icmp-inspection. You can do that easiely with the legacy command " fixup protocol icmp"
Sent from Cisco Technical Support iPad App -
I have a asa 5525 and the license with IPS ,but i dont know How usede the IPS issue.anyone can tell me?
thank you very much
I re-image ips and "show module" and "session IPS"
ciscoasa# show module
Mod Card Type Model Serial No.
0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525 FCH1623704D
ips ASA 5525-X IPS Security Services Processor ASA5525-IPS FCH1623704D
Mod MAC Address Range Hw Version Fw Version Sw Version
0 a493.4caa.50b3 to a493.4caa.50bc 1.0 2.1(9)8 8.6(1)
ips a493.4caa.50b1 to a493.4caa.50b1 N/A N/A 7.1(4)E4
Mod SSM Application Name Status SSM Application Version
ips IPS Up 7.1(4)E4
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
ips Up Up
Mod License Name License Status Time Remaining
ips IPS Module Enabled perpetual
when loggin IPS display
***LICENSE NOTICE***
There is no license key installed on this IPS platform.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
why no license!! -
ASA 5525 firewall Trace Route.
Hi,
We are Having ASA 5525 firewall and Whenever I am performing traceroute passing through the firewall and i am not getting any hop count after firewall( Firewall IP is also not shwoing in Trace Route.
ICMP I had allowed and also configure ICMP in the Policy_Map global Policy.
PLease help me to resolve this issue.
Regards,
DheerajHi Dheeraj,
firewall blocks Traceroute as doesnt decrements the TTL value by default. You would need the following to enable the same:
Make the Firewall Show Up in a Traceroute in ASA/PIX
ciscoasa(config)#class-map class-default
ciscoasa(config)#match any
!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy
!--- This Policy-map exists by default.
ciscoasa(config-pmap)#class class-default
!--- Add another class-map to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decrement hiding (somewhat) the firewall.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy
ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts for the ASA hop:
Cheers,
Naveen -
NAT issue - WRT54G Version 1.1 with Vista Home Premium
Router = WRT54G Version 1.1
I am trying to figure out the cause of my problems, this router or Vista?
I have 2 PC’s (just want to use my Vista 1) connected to the same router that is connected to a cable modem – the Windows XP machine has no problems bar its age and spec. I have a brand new PC with Vista Home Premium installed on it, now it is this new PC that I am having NAT problems with and port blocking.
I have installed Windows Live Messenger and when setting it up I went into Tools/Options/Connections and I get an error message:- "You are connected to the internet through a UPnP port restricted NAT. The Windows Firewall is enabled. (User)"
I have no option to run the trouble shooter (greyed out)…….
If I turn off Windows Vista Firewall I get:- "You are connected to the internet through a UPnP port restricted NAT. (User)”
Since this I have installed Media server software and have to reset the port it uses every time as it is always stating that it is blocked.
I have downloaded OpenOffice via a torrent client which also stated that I had NAT problems.
I have no NAT issues at all on my older XP PC and as a result I believe it is safe to rule out my router and modem……..I have only disabled Windows Firewall and this had made no difference, but I have not tried uninstalling it (no idea if that would make a difference)
Oh, I do not have UPnP enabled (router setting) – does this matter (I have tried turning it on but made no difference to this issue so I turned it off again)?
Message Edited by jomuir on 08-23-2007 02:50 AMuser11241256 wrote:
Documentation states that Oracle is supported on Vista business and Ultra. unfortuntatly Ihave Home Premium 64 and was curious if anyone had experience imstalling on this OS. I did attempt to install the 11g and I got one warning below that I could not find in the documentation for errors. You have answered your query yourself.
You might be able to get the things running on an unsupported combination but there is no guarantee about the stability. -
Tacacs+ access issue with ASA firewall after integrating with RSA SecureID
Hi,
In my earlier post, I raised the same question but let me rephrased it again. I have configured TACACS+ in cisco ASA firewall and able to access . But when I integrated it with RSA secure ID , I am not able to enter in enable mode. It is not accepting enable password nor RSA passcode. I have created enable_15 in ASA , ACS and RSA server but no luck.
Did any one face similar issue with ASA access ?
Rgds
SiddheshHi Siddesh,
In order to help you here, I need to know few things:
1.] Show run | in aaa
2.] When you enter enable password on ASA CLI, what error do you see on ACS > Monitoring and reports > AAA protocols > tacacs authentication > "look for the error message"
3.] Turn on the debugs on ASA "debug tacacs" and "debug aaa authentication" before you duplicate the problem.
~BR
Jatin Katyal
**Do rate helpful posts** -
How to Enable logging of the ASA 5525?
I need help to enable logging of the ASA 5525 for all new rules created today from the firewall module, rules changed, deleted desabilidas and disabled rules.
Not found in the historic level of the ID on new firewall rules.
0 or emergencies—System is unusable.
1 or alerts—Immediate action needed.
2 or critical—Critical conditions.
3 or errors—Error conditions.
4 or warnings—Warning conditions.
5 or notifications—Normal but significant conditions.
6 or informational—Informational messages.
7 or debugging—Debugging messages.
Thank you.You cannot log only those changes but you can log *all* changes.
The messages 111008 and 111010 are the ones to look for (as described in this post). -
ASA 5525, v9.1.2 - IPAA: Error freeing address ip-address, not found
Hello everybody!
The following problem:
VPN-dial-in on the ASA .
There are different VPN group policies , each with its own DHCP pool .
Authentication is performed by the AAA AD .
Everything works properly.
However, 3 users of a VPN group can not dial in . On the firewall then this error always comes in the log :
IPAA : Error freeing address 172.24.16.41 , not found
That address is nowhere else on the firewall , but was once assigned to a user . But this Network Object is deleted now.
The DHCP pool for this VPN Group goes from .33 to .63 .
I don not understand why the ASA always wants to take the .41 However, even if no one else is logged in via VPN .
No matter which one of the 3 users I take, the ASA always wants to assign the .41 .
For all the other users that are having no problem, it assumes a different IP from the pool.
I recreated the pool, created another pool and assigned that pool, I rebootet the ASA. No luck.
Also did a "clear arp".
No improvement .
Ideas ?
As I said, all other VPN groups and users have no problems.
ASA 5525 , v9.1.2
Thank You!Problem solved.
The User is only allowed to be in one of the VPN-Groups in the ActiceDirectory.
Those 2 problem-users where in two VPN-groups.
So, problem fixed. -
Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))
Hello
I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
Setup:
We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR: A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
Configuration in regards to certificate:
crypto key generate rsa label vpn.company.dk modulus 2048
crypto ca trustpoint vpn.trustpoint
keypair vpn.company.dk
fqdn none
subject-name CN=*.company.dk,C=DK
!id-usage ssl-ipsec
enrollment terminal
crl configure
crypto ca authenticate vpn.trustpoint
! <import intermediate certificate>
crypto ca enroll vpn.trustpoint
! <send CSR to CA>
crypto ca import vpn.trustpoint certificate
! <import SSL cert received back from CA>
ssl trust-point vpn.trustpoint outside
Problem:
When I try to import the certificate I receive the following error:
crypto ca import vpn.trustpoint certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name will not be included in the certificate
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
quit
ERROR: Failed to parse or verify imported certificate
Question:
- Does any one of you have any pointers in regards to what is going wrong?
- Especially in regards to fqdn and CN, I also have a question. My config
fqdn none
subject-name CN=*.company.dk,C=DK
would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
So do you have insight or pointers which might help me?
Thank you in advanceI also have a wildcard cert for my SSL VPN ASAs.
When i import the cert I use ASDM instead of CLI...
I import the wildcard as a *.pfx file and type in the password. works fine...
Perhaps the format is incorrect?
Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
Not sure if this helps but give ASDM a try? -
Console Gaming - NAT Issues - Workaround and Solut...
I've already used the BT Broadband Contact Us, to raise this issue. They said it was beyond them and that they'd forward me an address for a technical forum. They've not managed to do so yet, so I'm trying here.
Problem:
NAT hole punching regularly fails between peers/players, manifests as "Cannot chat to player due to NAT Issues" on many different broadband routers.
TL/DR:
The BT Home Hub iptables INPUT chain should have a default action of DROP and not REJECT.
Long Version:
I'm a network engineer and programmer analyst and have been for approaching two decades. I'm also a gamer. I'm regularly frustrated by NAT Issue errors while trying to play online games with my friends.
Frustrated for so long, we decided to start analysing the problem. Using packet captures and simulations, we have reproduced the problem and identified dubious logic in the netfilter conntrack module in the Linux kernel.
When it works:
When using a Playstation 4 to play Destiny, using either in-game or PS Party chat, each console uses a NAT discovery service to find it's external IP address and make an educated guess as to whether there is port translation.
At the end of this process, each Player Console receives IP/Port pairs for the other players, they then emit UDP from their desired port to the IP/Port pair of each of the other Players. These UDP packets pass through their NATing routers and establish conntrack entries for the source ip/port, destination ip/port and protocol (here on referred to as five-tuple) with NAT associations with the console's LAN ip address and port; this is the hole-punching.
All being well, each players console has created an association for each of the other players packets to come back through and then they are able to send each other data on these ports.
When it doesn't work:
However, here's the race condition: if player B's packet reaches player A's router before player A has sent theirs, there is no NAT association, no conntrack entry for the 5-tuple. The incoming packet instead considered as intended for the router.
The iptables configuration on the router says that the packet is not allowed and REJECTs it, sending an ICMP destination unreachable packet in response. This reply is then inspected by conntrack, which decapsulates is and erroneously creates a conntrack entry for the 5-tuple.
Now when Player A's console does manage to send it's own hole punching UDP packet, the 5-tuple for the desire hole is associated with the router's ICMP destination-unreachable. So Player A's packet can't have the desired port number and is renumbered to the first available port (e.g. 1025). Player B's subsequent packets to A follow the conntrack entry started by the ICMP destination-unreachable and are sent to the router which continues to reject them.
How to fix this mess
Linux conntrack
Arguably the decapsulation of the ICMP payload and the usage of it to create a conntrack entry is erroneous. The ICMP unreach should not stop the port from being used by a NAT client.
This will take a long time to fix and when fixed may never be back-ported to home routers which may never see new firmware again anyway.
Modify the routers configuration
If the router dropped instead of rejecting the traffic (relatively simple administrative task given appropriate access), the ICMP destination-unreachable wouldn't be generated, conntrack wouldn't create the erroneous entry and then even if Player B's packets arrived before Player A had sent theirs, it would still work.
Disable the "firewall" and put your console in the "DMZ"
These are terms borrowed from the Home Hub 3 admin interface. If you set your console as the "DMZ", it will receive any internet traffic that isn't associated with an already established flow. Actually at this point I'm not certain whether or not you *have* to set the "firewall" to disabled. It depends on how the "firewall" is implemented.
On my console disabling the firewall and setting the console to be the DMZ works around the problem. However, you can only have one default NAT target. So any other device suffering from this problem would be out of luck without you reconfiguring your router each time. Also I'm not thrilled by my console receiving unfiltered internet traffic.
In closing
Race-conditions depend on timings. This one is exacerbated by low latency between players. In this case the difference between server<->PlayerA and server<->PlayerB latencies has to be lower than the PlayerA<->PlayerB latency. If PlayerA and PlayerB have low latency between each other they are more likely to suffer from this problem.
Please, please, please bring this to the attention of someone who is responsible for the configuration of your routers. A simple configuration change on the HomeHub would prevent this problem from happening and remove the need for customers to add special configuration to their router and lowering their security.
Thanks for reading.
MattWelcome to this forum.
This is a customer to customer forum only,
This is where customers help each other get the most out of BT products & services.
Anything you post here does not go to BT. Although the forum is moderated by BT, not all posts are read.
This is a public forum which can be viewed worldwide, so please do not post any personal information, especially phone numbers, account numbers, fault numbers, address information or email addresses, as this could be used to impersonate you.
I would suggest that maybe you try using a different router?
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
P2P blocking on ASA 5525 with Software Version 8.6(1)2
Hello,
We have Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all the traffic from inside to outside.
Now we want to block P2P sharing Bit torrent to internet sites. Please help me with the configuration.
We have DMZ setup & also inline IPS module.
Thanks in advance.
Regards,
Sandeshc Chavan.Hi Chavan ,
You can try to block this by port.
The well known TCP port for BitTorrent traffic is 6881-6889 (and 6969 for the tracker port).
The config is
Access-list BLOCK-P2P-TRAFFIC deny tcp any any range 6881 6889 log
And applies to the desire interface with the "Access-group command"
For example:
Access-group BLOCK-P2P-TRAFFIC outbound interface DMZ
However Blocking Bittorrent is challenging, and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can be run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
Also you can execute from the cmd on windows the command netstat -a and check the port Bit torrent is using .
Hope this helps. -
Never had this happen before. Installed Border in a lab setting..nw6.5
sp1a overlay cd, then border 3.8, then sp2 then tcp645j...
The first thing I always try to do is get dynamic NAT working then I
worry about the proxy services and so on. Opened icmp all the way so I
could test ping.
Server can ping both it's public and private interface, and can ping
points beyond on both sides of those two interfaces.
Workstation can ping border's private and public IP's but nothing beyond
the public IP. Traceroute never returns anything. Seems like Nat just
isn't working. Turned it off and back on...no help there.
I've set this up many times in outerlying offices and in my lab...for
some reason this time it won't work. I've even blown it out and redone
my set up from the beginning...same thing....Yes, dynamic nat passtru is
set on....
Tried to do the tcpip debug = 1 thing...the packets rolled off logger
such that I could not get an F2 to save a darn thing....You woulnd't
think a brand new box would have all the much traffic just yet...
Version of NAT is 7.00.07, trying very hard to understand what's going
on here. Ideas on why nat won't work?Jim Michael wrote:
> jim fixit wrote:
>
>
>>nw65 sp1a as indicated, bm 3.8sp2 not happy together....
>
>
> I'm running that combo here (sanem NAT.NLM too), and don't have the NAT
> issue you describe.
>
> --
> Jim
> NSC SYsop
hmm yes...I'm running a similar set up in a number of branch offices so
I'm really hard pressed to understand what is with NAT or if it is even
NAT at all that is having the issue..... -
I have a cluster of 2xASA 5525s with software IPS modules. I would like to rename the hostname of each of the IPS modules. This is easy enough but I was wondering how this affects the reporting data in IME. I know the IPS name is used as a PK field in IME so you can't edit it. I'm worried if I delete the devices from IME and re-add them with their new hostnames that the historic data will be lost for the sensors. Is there any way around this? Will IME automatically pick up the new hostname from the ISP meaning I won't have to re-add them?
thank you very much
I re-image ips and "show module" and "session IPS"
ciscoasa# show module
Mod Card Type Model Serial No.
0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525 FCH1623704D
ips ASA 5525-X IPS Security Services Processor ASA5525-IPS FCH1623704D
Mod MAC Address Range Hw Version Fw Version Sw Version
0 a493.4caa.50b3 to a493.4caa.50bc 1.0 2.1(9)8 8.6(1)
ips a493.4caa.50b1 to a493.4caa.50b1 N/A N/A 7.1(4)E4
Mod SSM Application Name Status SSM Application Version
ips IPS Up 7.1(4)E4
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
ips Up Up
Mod License Name License Status Time Remaining
ips IPS Module Enabled perpetual
when loggin IPS display
***LICENSE NOTICE***
There is no license key installed on this IPS platform.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
why no license!!
Maybe you are looking for
-
When i open music player it always starts with the albums and i have to select songs all the time to show me all the songs. How do i do to make songs list open instead of albums everytime when i open the player?
-
How to output video as still image frames?
Hi there, We need to convert a movie file which has something like 375 frames into 60 still image files. How could we go about doing this using After Effects? We have a lot of movie files to convert, is there a way to batch process this so that we ca
-
Hi there, I just bought MP3 Player MX00. It says that it doesn't required driver to connect in MP3. I'm in Windows XP, but everytime I plugged my MP3, it always say that the device is not installed properly. also, I found that in the screen I see a "
-
Why I cannot open my email appendix pdf
Why I cannot open my email appendix pdf
-
Hi All, I have a requirement in my current development to display the list of HR forms(Payroll) to the end client. I am successfully able to carry out the scenario for a single Record Type but when I use the multiple scenario the Adobe Form keeps han