Polycom HDX7000 behind ASA not working
I have run into a problem with my Polycom behind my ASA5510. I cannot receive calls from the outside, and when placing calls from inside to outside the connection completes and my audio/video reaches the outside, but no audio/video is returned through the firewall. I am a newbie to firewall configs so any help would be greatly appreciated. My ASA is running version 9.1(2) and below is the config as it relates to the Polycom.
object network polycom_private
host 10.3.0.x
object network polycom_public
host 63.234.x.x
object-group service h323-Group
service-object tcp destination eq h323
service-object object 3230-3235
service-object object 3230-3280
access-list outside_acl extended permit object-group h323-Group any object polycom_private
object network polycom_private
nat (inside,outside) static 63.234.x.x
I have disabled h323 inspection and still I cannot make a successful connection.
Thanks in advance.
After working with TAC we have made a few changes on the ASA to get this partially working. I can now make outbound calls to remote sites and get audio and video to pass in both directions. However, I still cannot get any inbound calls to pass through the ASA. Here are the changes TAC made to the ASA to get this working most of the way.
Issue: ASA was dropping packets with 'router alert' IP option set.
Fix: Created a new policy-map to specifically allow this traffic and applied it to the Global Policy.
Also, enabled Skinny, SIP, H323 inspection on the global policy.
Still working on the remote site dialing in, but as of right now, when testing an inbound call from a remote site, for reasons unknown we were seeing a SYN on port 1720 coming in from the remote Polycom unit, being untranslated and going to the local Polycom unit; however, we never saw a SYN/ACK for that.
Work in progress..
Jimmy
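The 'router alert' drop TAC found is a property of the IPv4 header itself: the Router Alert option (type 0x94, RFC 2113) sits between the fixed 20-byte header and the payload, and an IP-options inspection decides per option type whether the packet passes. As an added example, not code from the thread, the following Python parses the option list from a constructed IPv4 header and applies an allow-list in the spirit of the policy-map TAC added; the allow-list contents, the sample addresses and the LSRR sample are assumptions.

```python
import socket
import struct

# IPv4 option type codes (RFC 791 / RFC 2113). Router Alert is 0x94:
# copied flag = 1, class = 0 (control), number = 20.
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_LSRR = 131           # loose source route, an option a firewall normally drops
IPOPT_ROUTER_ALERT = 148

def parse_ipv4_options(packet: bytes):
    """Return [(option_type, option_data), ...] from the IPv4 header of `packet`.
    Raises ValueError if the header or an option is malformed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or IHL")
    options, i = [], 20
    while i < ihl:
        opt_type = packet[i]
        if opt_type == IPOPT_EOL:          # end of option list; the rest is padding
            break
        if opt_type == IPOPT_NOP:          # single-byte option, no length field
            options.append((opt_type, b""))
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without length byte")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("option length runs past the header")
        options.append((opt_type, packet[i + 2:i + length]))
        i += length
    return options

def has_router_alert(packet: bytes) -> bool:
    return any(t == IPOPT_ROUTER_ALERT for t, _ in parse_ipv4_options(packet))

def build_ipv4_header(src: str, dst: str, proto: int, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 header (checksum left at 0) carrying `options`."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options

def ip_options_decision(packet: bytes,
                        allowed=(IPOPT_EOL, IPOPT_NOP, IPOPT_ROUTER_ALERT)) -> str:
    """Allow-list check modelled on an IP-options inspection policy. Assumption: the
    set `allowed` is what the policy-map permits. Returns 'allow' or 'drop'."""
    try:
        options = parse_ipv4_options(packet)
    except ValueError:
        return "drop"                       # malformed header: never pass it
    return "allow" if all(t in allowed for t, _ in options) else "drop"

# Constructed samples: a packet carrying Router Alert (as in the TAC finding),
# a plain one, and one carrying loose source routing.
ROUTER_ALERT_OPT = bytes([IPOPT_ROUTER_ALERT, 4, 0, 0])
PKT_ROUTER_ALERT = build_ipv4_header("10.3.0.10", "192.0.2.1", 6, ROUTER_ALERT_OPT)
PKT_PLAIN = build_ipv4_header("10.3.0.10", "192.0.2.1", 6)
PKT_LSRR = build_ipv4_header("10.3.0.10", "192.0.2.1", 6,
                             bytes([IPOPT_LSRR, 7, 4, 192, 0, 2, 9]))

if __name__ == "__main__":
    for name, pkt in (("router-alert", PKT_ROUTER_ALERT), ("plain", PKT_PLAIN),
                      ("lsrr", PKT_LSRR)):
        print(name, parse_ipv4_options(pkt), ip_options_decision(pkt))
```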
Similar Messages
RV082 - SRP527W - VPN behind NAT not working
Hello,
I've had really strange behavior with my routers. We managed to get things running but once a week, the VPN link is down.
The connection does not restart; both routers show "connected" but are not, and we had to click on "disconnect" to get the link back.
That was before an update in our infrastructure. Now, both routers are behind routers, so both are behind NAT.
Now, the connection works for some time, but once a week the link disconnects and I'm unable to get it back! NOTHING works.
Last time, I spent 2 hours configuring the link again, setting the same parameters almost 10 times, and suddenly, by magic, the 11th time it worked again. I read that many people have troubles with RVXXX firmware so I don't know what to think.
Anyway, my BIG concern now is that the link is down again, and it has been 6 hours and we can't get it back. I restarted the routers many times and made some changes in the configuration, but if it worked, why should I modify it? Why is it not working anymore?
The log for the RV082 is almost empty about the link. Here's a snippet:
Feb 10 19:01:52 2014
VPN Log
(g2gips0) #8: initiating Main Mode
Feb 10 19:01:52 2014
VPN Log
(g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014
VPN Log
(g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014
System Log
gateway_to_gateway.htm is changed.
Feb 10 19:09:08 2014
VPN Log
(g2gips0): deleting connection
Feb 10 19:09:08 2014
VPN Log
(g2gips0) #8: deleting state (STATE_MAIN_I1)
Feb 10 19:09:08 2014
VPN Log
added connection description (g2gips0)
Feb 10 19:09:08 2014
VPN Log
listening for IKE messages
Feb 10 19:09:08 2014
VPN Log
forgetting secrets
Feb 10 19:09:08 2014
VPN Log
loading secrets from '/etc/ipsec.d/ipsec.secrets'
Feb 10 19:09:09 2014
System Log
gateway_to_gateway.htm is changed.
The log for the SRP527W is full of this:
Dump pluto log message in syslog : cat /var/log/messages |grep pluto
Jan 1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: max number of retransmissions (2) reached STATE_MAIN_R1
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: responding to Main Mode
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: pending Quick Mode with 37.1.XXX.XXX "G2" took too long -- replacing phase 1
Jan 1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: "G2" #189: initiating Main Mode to replace #185
Jan 1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: "G2" #190: responding to Main Mode
Please help me to get things sorted. I just don't understand why nothing is written in the log about the SRP trying to make a connection. I also don't understand why the link is suddenly broken and, without changing anything, it can't get it back normally!
Best Regards
Hi again,
Samir, I rebooted all the routers dozens of times when that happened, and it didn't change anything. Anyway, I called the Cisco Hotline. They could connect by VPN to the RV082, but not the SRP; they didn't know why. Hardware or software failure.
Anyway, i bought another router.
Now i would like to use the SRP527W as a WIFI hotspot only. It doesn't work.
My settings are:
- Router defined as BRIDGE only (using Port lan 4 as Ethernet WAN)
- WAN Interface is assigned 192.168.0.246 / 24
- Gateway for the WAN interface is 192.168.0.254
- Ethernet cable is plugged from LAN4/WAN to my new Modem/Router on LAN3.
- Port LAN2 of SRP527W is defined with VLAN IP Address 192.168.15.254.
When connected to the SRP527W on LAN2, from my computer (192.168.15.200), I can't ping 192.168.0.246 nor 0.254 (gateway is set to 15.254).
Still, when connected to the SRP527W and using the Ping Diagnosis interface, pinging "192.168.0.254" shows "timed out".
I tried almost every configuration, none worked.
Please note that when connected from my computer directly to my new modem/router on port LAN3, with IP address 192.168.0.200, I can access the internet and ping everything. When set to DHCP too, I can grab an IP address from my DHCP Windows Server.
So, why is the SRP527W unable to work in this configuration? It seems nothing passes through the WAN port.
If I'm right, only the WAN port should be plugged into my modem/router. With these settings, one SSID should go directly to the Internet, and the other SSID to my LAN (through the modem/router). However, it doesn't work.
Could you help me please? Thank you
VBA- Code behind button not working
I am trying to add VBA code behind a close button to close a form but an error keeps coming up. Each time I click the close button a Compile Error message, "Sub or Function not Defined", keeps coming up.
Code is below
Private Sub cmdClose_Click()
On Error GoTo Err_cmdClose_Click
' If Me.Dirty Then Me.Dirty = False
DoCmd.Close
Exit_cmdClose_Click:
Exit Sub
Err_cmdClose_Click:
MsgBox Err.Description
Resume Exit_cmdClose_Click
End Sub
Sometimes the link between the button and its event gets broken. Select the button on the form in design view. Select the On Click event in the properties sheet. Then press F7. That usually fixes it.
Bill Mosca
www.thatlldoit.com
http://tech.groups.yahoo.com/group/MS_Access_Professionals
VPN not working after adding subinterface - ASA 5510
Hello,
Currently I want to add a second LAN (VLAN) to a customer's network. The new network will be for a wireless infrastructure.
There is also VPN configured on the ASA: one with L2TP for Windows clients and an IPsec one for Cisco clients.
Formerly we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.
Now I want to use Eth0/2 with subinterfaces, so that we will be flexible in the future when deploying more VLANs.
But now, when I turn the first subinterface Eth0/2.2 to no-shut, the VPN connections do not work any more.
Building up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this, because a tracert to an internal address goes to the internet.)
Below is my config; I don't know what's wrong. I think split-tunnel is configured correctly (because it works when I delete Eth0/2.2).
TREV is the network of this location.
Company1,2,3 are remote locations.
: Saved
ASA Version 8.2(5)
hostname XXXXXXX
domain-name domain.lan
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
name 192.168.100.0 TREV
name 192.168.200.0 COMPANY3
name XXXXXXXX Company1
name 192.168.1.0 Company2
name XXXXXXXXX GCT
name XXXXXXXX BMD
name 192.168.110.0 Wireless
name 192.168.201.0 COMPANY3-VPN
name 192.168.11.0 COMPANY2-VPN
name 192.168.101.0 TREV-VPN
interface Ethernet0/0
description Outside
nameif outside
security-level 0
ip address XXXXX 255.255.255.248
interface Ethernet0/1
description Inside
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
description Trunk Interface
no nameif
no security-level
no ip address
interface Ethernet0/2.2
description Wireless
vlan 110
nameif wlan
security-level 100
ip address 192.168.110.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.10
domain-name domain.lan
dns server-group COMPANY2
name-server 192.168.1.16
domain-name domain.local
dns server-group COMPANY3
name-server 192.168.200.1
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network VPN_Networks
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object TREV 255.255.255.0
network-object TREV-VPN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object COMPANY2 255.255.255.0
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object Wireless 255.255.255.0
access-list INCOMING remark *** ICMP Erlauben ***
access-list INCOMING extended permit icmp any any echo-reply
access-list INCOMING extended permit icmp any any time-exceeded
access-list INCOMING extended permit icmp any any unreachable
access-list INCOMING extended permit icmp any any parameter-problem
access-list INCOMING extended permit icmp any any source-quench
access-list INCOMING extended permit icmp any any echo
access-list INCOMING remark *** Wartung Company1 ***
access-list INCOMING remark *** Wartung BMD ***
access-list INCOMING remark *** Mail ***
access-list ......
access-list Trev-nat0 remark *** NoNat ***
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list DefaultRAGroup_splitTunnelAcl standard permit TREV 255.255.255.0
access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_debug extended permit tcp any host 192.168.100.5
access-list inside_debug extended permit tcp any TREV 255.255.255.0
access-list Wireless-nat0 extended permit ip Wireless 255.255.255.0 TREV 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu wlan 1500
ip local pool VPN-Pool 192.168.101.1-192.168.101.31 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 XXXXXXXXXXX
nat (inside) 0 access-list Trev-nat0
nat (inside) 2 192.168.100.25 255.255.255.255
nat (inside) 2 192.168.100.250 255.255.255.255
nat (inside) 1 TREV 255.255.255.0
nat (wlan) 0 access-list Wireless-nat0
static (inside,outside) tcp interface 444 192.168.100.10 444 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.10 https netmask 255.255.255.255
.... a lot of statics..............
static (inside,outside) tcp XXXXXXXXXX pop3 192.168.100.25 pop3 netmask 255.255.255.255
static (inside,outside) tcp XXXXXXXXXX 995 192.168.100.25 995 netmask 255.255.255.255
access-group INCOMING in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.100.10
timeout 5
key *****
radius-common-pw *****
aaa-server RADIUS2 protocol radius
aaa-server RADIUS2 (inside) host 192.168.100.10
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable 4430
http COMPANY2 255.255.255.0 management
http TREV 255.255.255.0 inside
http Company1 255.255.255.224 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_AES_128_SHA TRANS_ESP_AES_256_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 178.188.202.78
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 5
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh bit-Studio 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh TREV 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcprelay server 192.168.100.10 inside
dhcprelay enable wlan
dhcprelay setroute wlan
dhcprelay timeout 90
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
intercept-dhcp enable
group-policy IPsecVPN internal
group-policy IPsecVPN attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
username admin password XXXXXXXXXX encrypted privilege 15
username vpntest password XXXXXXXXX nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group XXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXX ipsec-attributes
pre-shared-key *****
tunnel-group IPsecVPN type remote-access
tunnel-group IPsecVPN general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy IPsecVPN
tunnel-group IPsecVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f2041a5902e945a130fe25fbb8e5d368
: end
Hi,
First I would go through all the NAT0/NAT Exempt rules you have for VPNs. They seem to contain useless lines where either the destination or the source network isn't correct.
Let's look at the NAT0 ACL you have line by line:
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
The above access-list has the correct source network configured, yet it has its destination addresses configured with an "object-group" which contains your LAN network.
You should probably remove the LAN network from the object-group VPN_Networks.
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
To my understanding the above ACL line doesn't serve any purpose, as the networks configured under VPN_Networks aren't located behind your "inside" interface (other than the one I'm asking you to remove from the object-group).
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
The above ACL overlaps with the very first ACL line's configuration and needlessly makes the configuration harder to read. It also contains the Wireless network, which it shouldn't.
I would suggest simplifying your NAT0 configuration, for example in the following way (change the names if you want if you're going to try it out):
object-group network TREV-LAN
description Local networks
network-object 192.168.100.0 255.255.255.0
object-group network VPN-NETWORKS
description Remote networks
network-object 192.168.200.0 255.255.255.0
network-object 192.168.201.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
access-list TREV-LAN-NAT0 permit ip object-group TREV-LAN object-group VPN-NETWORKS
With the above configuration:
You have all NAT0 in a single line of access-list configuration (not counting the remark line as it doesn't affect anything).
If there are changes in the VPN pools, VPN remote networks or LAN networks you can simply change them under the configured object-groups instead of touching the actual ACL. There might be situations where you would have to change the ACL from the above if there are some bigger changes to the network.
So as I said, I would start with changing the above NAT configuration and then test the VPN again. If it doesn't work we will have to check some other things out.
- Jouni -
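As an added example (not code from the thread or from the ASA), the line-by-line check Jouni walks through above, done mechanically in Python over a constructed excerpt of the posted config: it resolves the ASA `name`s and object-groups, then flags NAT0 entries whose destination is the local LAN itself, whose source is not behind the interface, whose destination sits on another ASA interface, or which duplicate a source/destination pair an earlier entry already covers. The inside and wlan networks are passed in as assumptions taken from the posted interface config, and name lookup is case-insensitive because the post mixes Company2/COMPANY2.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the names, object-groups and NAT0 ACL posted above.
ORIGINAL = """
name 192.168.100.0 TREV
name 192.168.200.0 COMPANY3
name 192.168.1.0 Company2
name 192.168.110.0 Wireless
name 192.168.201.0 COMPANY3-VPN
name 192.168.11.0 COMPANY2-VPN
name 192.168.101.0 TREV-VPN
object-group network VPN_Networks
 network-object COMPANY3 255.255.255.0
 network-object COMPANY3-VPN 255.255.255.0
 network-object COMPANY2 255.255.255.0
 network-object COMPANY2-VPN 255.255.255.0
 network-object TREV 255.255.255.0
 network-object TREV-VPN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object COMPANY2 255.255.255.0
 network-object COMPANY3 255.255.255.0
 network-object COMPANY3-VPN 255.255.255.0
 network-object COMPANY2-VPN 255.255.255.0
 network-object Wireless 255.255.255.0
access-list Trev-nat0 remark *** NoNat ***
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
"""
SIMPLIFIED = """  # Jouni's proposed replacement, also a constructed excerpt
object-group network TREV-LAN
 description Local networks
 network-object 192.168.100.0 255.255.255.0
object-group network VPN-NETWORKS
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.201.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.101.0 255.255.255.0
access-list TREV-LAN-NAT0 permit ip object-group TREV-LAN object-group VPN-NETWORKS
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(addr, mask, names):
    # ASA 'name' lookup, case-insensitive because the post mixes Company2/COMPANY2.
    return ipaddress.ip_network(f"{names.get(addr.lower(), addr)}/{mask}", strict=False)

def _endpoint(tok, names, groups):
    """Consume one ACE endpoint (any | object-group G | addr mask); return (nets, rest)."""
    if tok[0] == "any":
        return [ANY], tok[1:]
    if tok[0] == "object-group":
        return list(groups[tok[1]]), tok[2:]
    return [_net(tok[0], tok[1], names)], tok[2:]

def parse_config(text):
    """Return (names, object-groups, {acl_name: [(line, src_nets, dst_nets), ...]})."""
    names, groups, acls, group = {}, {}, defaultdict(list), None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "description" or "remark" in tok:
            continue
        if tok[0] == "name":
            names[tok[2].lower()] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group, groups[tok[2]] = tok[2], []
        elif tok[0] == "network-object" and group:
            args = (tok[2], "255.255.255.255") if tok[1] == "host" else (tok[1], tok[2])
            groups[group].append(_net(*args, names))
        elif tok[0] == "access-list" and "permit" in tok:
            group = None
            rest = tok[tok.index("permit") + 2:]   # skip 'permit ip'
            src, rest = _endpoint(rest, names, groups)
            dst, _ = _endpoint(rest, names, groups)
            acls[tok[1]].append((raw.strip(), src, dst))
        else:
            group = None
    return names, groups, acls

def audit_nat0(aces, local, other_ifaces):
    """Findings as (ace_number, kind, detail) for a NAT0 ACL applied behind `local`."""
    findings, seen = [], set()
    for n, (_, src, dst) in enumerate(aces, 1):
        bad_src = [str(s) for s in src if s not in local]
        if bad_src:                         # source is not behind this interface
            findings.append((n, "src-not-local", ", ".join(bad_src)))
        for d in dst:
            if d in local:                  # the LAN itself inside the "remote" group
                findings.append((n, "dst-is-local", str(d)))
            elif d in other_ifaces:         # another ASA interface, not a VPN network
                findings.append((n, "dst-other-interface", str(d)))
        dup = [f"{s} -> {d}" for s in src for d in dst if (s, d) in seen]
        if dup:                             # pair already covered by an earlier ACE
            findings.append((n, "overlap", ", ".join(dup)))
        seen.update((s, d) for s in src for d in dst)
    return findings

# Assumed topology from the post: inside = 192.168.100.0/24, wlan = 192.168.110.0/24.
LOCAL = {ipaddress.ip_network("192.168.100.0/24")}
OTHER_IFACES = {ipaddress.ip_network("192.168.110.0/24")}

def audit(text, acl_name):
    return audit_nat0(parse_config(text)[2][acl_name], LOCAL, OTHER_IFACES)
```

`audit(ORIGINAL, "Trev-nat0")` returns six findings (the LAN in VPN_Networks for lines 1 and 2, five non-local sources on line 2, and the overlap plus Wireless destination on line 3), while `audit(SIMPLIFIED, "TREV-LAN-NAT0")` returns an empty list.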
ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working
I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enable
Hi,
I can't see any problems right away in the configuration.
I guess we could start by using "packet-tracer" to simulate the SSH and ICMP through the firewall:
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As for the configuration, 1.1.1.0/28 is not actually configured on the ASA.)
Share the exact "packet-tracer" command used (without the public IP; notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there are no old translations active on the ASA?
You can use this command to view those:
show xlate local 192.168.1.100
You can clear the xlates with:
clear xlate local 192.168.1.100
- Jouni -
ASA-5505 Site-to-Site Not Working
I am somewhat new to Cisco but I do have some experience. I am trying to connect two ASA 5505's together via site-to-site VPN. They are configured with public IPs and all other services are working. I have used the VPN wizard on both boxes successfully but the tunnels are not working. The two devices are on the Comcast network. Any help would be appreciated.
Site A: ASA 5505 w/50 User license
Site B: ASA 5505 w/10 User license
Site A Config:
ASA Version 8.2(5)
hostname *********************
enable password 6.De4e7UzES9wBPg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.10 Web_Server
name 10.0.6.0 Ghost_Flower_Inside
name 10.0.5.0 San_Mateo_Inside
name 10.0.5.100 Any_Connect_100
name 10.0.5.101 Any_Connect_101
name 10.0.5.102 Any_Connect_102
name 10.0.5.103 Any_Connect_103
name 10.0.5.104 Any_Connect_104
name 10.0.5.105 Any_Connect_105
name 10.0.5.106 Any_Connect_106
name 10.0.5.107 Any_Connect_107
name 10.0.5.108 Any_Connect_108
name 10.0.5.109 Any_Connect_109
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.5.201 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 173.10.XXX.XXX 255.255.255.252
interface Vlan12
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Any_Connect_DHCP
network-object host Any_Connect_100
network-object host Any_Connect_101
network-object host Any_Connect_102
network-object host Any_Connect_103
network-object host Any_Connect_104
network-object host Any_Connect_105
network-object host Any_Connect_106
network-object host Any_Connect_107
network-object host Any_Connect_108
network-object host Any_Connect_109
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_1_cryptomap extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool AnyConnectDHCPPool Any_Connect_100-10.0.5.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.100.2 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www Web_Server www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.10.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.1.10.0 255.255.255.0 outside
http San_Mateo_Inside 255.255.255.255 inside
http San_Mateo_Inside 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 173.12.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-webvpn-session-limit 10
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh San_Mateo_Inside 255.255.255.0 inside
ssh 10.1.10.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.0.5.10-10.0.5.30 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 regex "Intel Mac OS X"
svc profiles CATS disk0:/cats.xml
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 75.75.75.75
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc profiles value CATS
username user1 password tTq7bIZ.C4x0j.qv encrypted privilege 15
username ********* password sPxon1E6hTszm7Ko encrypted privilege 15
tunnel-group 173.12.XXX.XXX type ipsec-l2l
tunnel-group 173.12.XXX.XXX ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1751532c3624a6c2eec3c1ae0c31fe03
: end
Site B:
ASA Version 8.2(5)
hostname ***************
enable password 6.De4e7UzES9wBPg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.10 Web_Server
name 10.0.6.0 Ghost_Flower_Inside
name 10.0.5.0 San_Mateo_Inside
name 10.0.5.100 Any_Connect_100
name 10.0.5.101 Any_Connect_101
name 10.0.5.102 Any_Connect_102
name 10.0.5.103 Any_Connect_103
name 10.0.5.104 Any_Connect_104
name 10.0.5.105 Any_Connect_105
name 10.0.5.106 Any_Connect_106
name 10.0.5.107 Any_Connect_107
name 10.0.5.108 Any_Connect_108
name 10.0.5.109 Any_Connect_109
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.5.201 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 173.10.XXX.XXX 255.255.255.252
interface Vlan12
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Any_Connect_DHCP
network-object host Any_Connect_100
network-object host Any_Connect_101
network-object host Any_Connect_102
network-object host Any_Connect_103
network-object host Any_Connect_104
network-object host Any_Connect_105
network-object host Any_Connect_106
network-object host Any_Connect_107
network-object host Any_Connect_108
network-object host Any_Connect_109
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_1_cryptomap extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool AnyConnectDHCPPool Any_Connect_100-10.0.5.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.100.2 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www Web_Server www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.10.242.182 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.1.10.0 255.255.255.0 outside
http San_Mateo_Inside 255.255.255.255 inside
http San_Mateo_Inside 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 173.12.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-webvpn-session-limit 10
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh San_Mateo_Inside 255.255.255.0 inside
ssh 10.1.10.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.0.5.10-10.0.5.30 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 regex "Intel Mac OS X"
svc profiles CATS disk0:/cats.xml
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 75.75.75.75
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc profiles value CATS
username ************** password sPxon1E6hTszm7Ko encrypted privilege 15
tunnel-group 173.12.XXX.XXX type ipsec-l2l
tunnel-group 173.12.XXX.XXX ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1751532c3624a6c2eec3c1ae0c31fe03
: end
Hi Kevin,
Both sides have an IP address of 173.10.XXX.XXX on their respective outside interfaces, and you have configured the peers as 173.12.X.X.
Please ensure the correct IP addresses for the VPN peers are configured, via the following command:
crypto map outside_map 1 set peer X.X.X.X
e.g. If you have 173.10.X.X on Site X and 173.12.X.X on Site Y, then
On Site X, peer would be
crypto map outside_map 1 set peer 173.12.X.X
and the tunnel-group will be
tunnel-group 173.12.XXX.XXX type ipsec-l2l
tunnel-group 173.12.XXX.XXX ipsec-attributes
pre-shared-key *****
On Site Y, peer would be
crypto map outside_map 1 set peer 173.10.X.X
and the tunnel-group will be
tunnel-group 173.10.XXX.XXX type ipsec-l2l
tunnel-group 173.10.XXX.XXX ipsec-attributes
pre-shared-key *****
Also, the NAT exempt would be complementary to each other, i.e.
On Site X,
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
On Site Y,
access-list inside_nat0_outbound extended permit ip Ghost_Flower_Inside 255.255.255.0 San_Mateo_Inside 255.255.255.0
Hope that helps.
Regards,
Dinesh Moudgil
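Dinesh's observation (both configs carry the same outside address and the same peer, and the crypto and NAT-exempt ACLs point the same way on both sides) can be checked mechanically. The following is an added example, not code from the thread: a small Python parser over the handful of lines that must agree between two ASA 8.2 L2L peers. The addresses are constructed RFC 5737 placeholders standing in for the masked 173.x ones, and the function names are mine.

```python
"""Consistency check for an ASA 8.2 site-to-site (L2L) IPsec pair.

Added example, not from the thread. Parses the lines that must agree between
two peers (outside address, 'set peer', tunnel-group, crypto ACL, NAT-exempt
ACL) and reports mismatches. Addresses are constructed placeholders.
"""
from ipaddress import ip_network

# Constructed Site A, modelled on the config posted above.
SITE_A = """
name 10.0.6.0 Ghost_Flower_Inside
name 10.0.5.0 San_Mateo_Inside
interface Vlan1
 nameif inside
 ip address 10.0.5.201 255.255.255.0
interface Vlan2
 nameif outside
 ip address 198.51.100.10 255.255.255.252
access-list outside_1_cryptomap extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.20
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
"""
SITE_B_COPY = SITE_A  # the situation in the post: Site B is a copy of Site A
SITE_B_FIXED = """
name 10.0.6.0 Ghost_Flower_Inside
name 10.0.5.0 San_Mateo_Inside
interface Vlan2
 nameif outside
 ip address 203.0.113.20 255.255.255.252
access-list outside_1_cryptomap extended permit ip Ghost_Flower_Inside 255.255.255.0 San_Mateo_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip Ghost_Flower_Inside 255.255.255.0 San_Mateo_Inside 255.255.255.0
crypto map outside_map 1 set peer 198.51.100.10
tunnel-group 198.51.100.10 type ipsec-l2l
"""


def parse_asa(text):
    """Extract only the fields the L2L check needs from (possibly flattened) ASA config text."""
    cfg = {"names": {}, "interfaces": {}, "peers": [], "tunnel_groups": set(), "acls": {}}
    current_if = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) == 3:            # name 10.0.5.0 San_Mateo_Inside
            cfg["names"][tok[2]] = tok[1]
        elif tok[0] == "interface":
            current_if = tok[1]
            cfg["interfaces"][current_if] = {}
        elif tok[0] == "nameif" and current_if:
            cfg["interfaces"][current_if]["nameif"] = tok[1]
        elif tok[:2] == ["ip", "address"] and current_if:  # only interfaces carry 'ip address'
            cfg["interfaces"][current_if]["ip"] = tok[2]
        elif tok[:2] == ["crypto", "map"] and "peer" in tok:
            cfg["peers"].append(tok[-1])
        elif tok[0] == "tunnel-group" and "type" in tok:
            cfg["tunnel_groups"].add(tok[1])
        elif tok[0] == "access-list" and len(tok) > 3 and tok[2] == "extended":
            cfg["acls"].setdefault(tok[1], []).append(tok[3:])
    return cfg


def outside_ip(cfg):
    for data in cfg["interfaces"].values():
        if data.get("nameif") == "outside":
            return data.get("ip")
    return None


def acl_pairs(cfg, name):
    """(src_net, dst_net) pairs from 'permit ip SRC MASK DST MASK' entries; other forms are skipped."""
    pairs = set()
    for entry in cfg["acls"].get(name, []):
        if len(entry) != 6 or entry[:2] != ["permit", "ip"]:
            continue
        try:
            src = ip_network(f"{cfg['names'].get(entry[2], entry[2])}/{entry[3]}")
            dst = ip_network(f"{cfg['names'].get(entry[4], entry[4])}/{entry[5]}")
        except ValueError:
            continue
        pairs.add((src, dst))
    return pairs


def check_l2l_pair(a, b, crypto="outside_1_cryptomap", nat0="inside_nat0_outbound"):
    """Return human-readable mismatches between two parsed peers; an empty list means consistent."""
    findings = []
    sides = {"A": a, "B": b}
    for me, other in (("A", "B"), ("B", "A")):
        cfg, remote_out = sides[me], outside_ip(sides[other])
        if cfg["peers"] != [remote_out]:
            findings.append(f"site {me}: set peer {cfg['peers']} but site {other} outside is {remote_out}")
        for peer in cfg["peers"]:
            if peer not in cfg["tunnel_groups"]:
                findings.append(f"site {me}: no tunnel-group for peer {peer}")
        missing = acl_pairs(cfg, crypto) - acl_pairs(cfg, nat0)
        if missing:
            pairs = ", ".join(f"{s}->{d}" for s, d in sorted(missing, key=str))
            findings.append(f"site {me}: crypto ACL traffic not NAT-exempted: {pairs}")
    mirrored = {(d, s) for s, d in acl_pairs(a, crypto)}
    if acl_pairs(b, crypto) != mirrored:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


def audit(site_a_text, site_b_text):
    return check_l2l_pair(parse_asa(site_a_text), parse_asa(site_b_text))
```

Running `audit(SITE_A, SITE_B_COPY)` flags the peer address on both sides and the non-mirrored crypto ACL; `audit(SITE_A, SITE_B_FIXED)` returns an empty list.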
Hi there.
I'm just trying to do PAT with GNS3, but it's not working and I don't have any idea.
(Cisco Adaptive Security Appliance Software Version 8.4(2))
And also I figured out that there are some changes in the NAT configuration. I did them, but it didn't work.
I cannot ping from my host 192.168.100.116 to 1.1.12.1 ~ 1.1.12.2, 8.8.8.8
I turned on debug in R1 and I can see the ICMP.
R1#
*Mar 1 01:31:28.091: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
*Mar 1 01:31:32.739: ICMP: echo reply sent, src 1.1.12.1, dst 10.10.10.1
R1#
And also can see xlate on ASA
ASA-1# sh xlate
1 in use, 9 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.100.116/1 to outside:10.10.10.1/6370 flags ri idle 0:00:04 timeout 0:00:30
ASA-1#
This is my topology.
[ASA1]
ASA-1# sh run ip
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
ASA-1# sh run object network
object network obj-192.168.100.0
subnet 0.0.0.0 0.0.0.0
ASA-1# conf t
ASA-1(config)# ob
ASA-1(config)# object net
ASA-1(config)# object network obj-192.168.100.0
ASA-1(config-network-object)# nat (in
ASA-1(config-network-object)# nat (inside,ou
ASA-1(config-network-object)# nat (inside,outside) dy
ASA-1(config-network-object)# nat (inside,outside) dynamic inter
ASA-1(config-network-object)# nat (inside,outside) dynamic interface
ASA-1(config-network-object)# end
[R4]
interface FastEthernet0/0
ip address 10.10.20.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.100.254 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.20.1
[HOST]
ip address 192.168.100.116/24
[R1]
interface FastEthernet0/0
ip address 10.10.10.254 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 1.1.12.1 255.255.255.0
duplex auto
speed auto
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
What am I missing?
Please correct me.
Thank you in advance.
Just reload... I'm still stuck on the ping.
I changed the topology to be simpler, but it's still not working.
Here is all that I did.
[ASA]
access-list ICMP extended permit icmp any any echo-reply
access-list ICMP extended permit icmp any any time-exceeded
access-group ICMP in interface outside
interface GigabitEthernet0
description To_UP
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet1
description To_DOWN
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
[R1]
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip route 10.10.20.0 255.255.255.0 10.10.10.2 (I don't think I need this)
[R4]
interface FastEthernet0/0
ip address 10.10.20.2 255.255.255.0
ip route 10.10.10.0 255.255.255.0 10.10.20.1 (same as well)
[output tracer]
ciscoasa# packet-tracer input inside icmp 10.10.20.1 8 0 10.10.10.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP <---??????????????????????????
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
[ASA]
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ICMP; 2 elements; name hash: 0x2d2cf426
access-list ICMP line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b307247
access-list ICMP line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x1e6b1395
ciscoasa#
I created an ACL and permitted it.
Thank you.
I hit this problem at a customer site and can reproduce it in a simple lab. Lab environment: servers:
1x Server 2012 R2 DC and DNS server - DC1 - 10.0.0.1
1x Server 2012 R2 DirectAccess (DA) server - DA1 - 10.0.0.100
Servers are running "Update" (KB2919355) and following DA hotfixes:
KB2929930
KB2966087
I configured DA (via advanced wizard) as follows:
DA and remote access
AD group
directaccess-webprobehost DNS (A) record pointing to 10.0.0.100
behind an edge device (with a single network adapter)
SSL certificate from enterprise root CA issued to directaccess.contoso.com
NLS on remote server using https://nls.corp.contoso.com
DNS: corp.contoso.com = 10.0.0.1; nls.corp.contoso.com = ""
DNS suffix search list = corp.contoso.com
The DNS server validates successfully in the configuration UI.
With this configuration, I get a static IPv6 address of fd79:7a37:cbd9:3333::1/128 assigned to the NIC
The operations status is all green apart from DNS which displays the following error:
"DNS: Not Working Properly"
Error:
None of the enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
Causes:
Enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 are not responding.
I can, however, ping fd79:7a37:cbd9:7777::a00:1 (which is the DNS64 translation of 10.0.0.1)
I would like to know what checks are failing as there are no failures in Event Viewer.
I have come across forums where people have the same issue and fix it by specifying the local IP (in this case 10.0.0.100) as the DNS server; however, Richard Hicks has confirmed with me that the DNS server should be set to the DNS server, not the DA server's IP.
Thanks for the post Matt,
ISATAP has been disabled on my DA server, so the results of a "ROUTE PRINT -6" command yield:
===========================================================================
Interface List
12...00 15 5d 01 03 64 ......Microsoft Hyper-V Network Adapter
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 IPHTTPSInterface
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
12 261 fd79:7a37:cbd9::/48 On-link
14 306 fd79:7a37:cbd9:1000::/64 On-link
14 306 fd79:7a37:cbd9:1000::/128 On-link
14 306 fd79:7a37:cbd9:1000::1/128 On-link
14 306 fd79:7a37:cbd9:1000::2/128 On-link
14 306 fd79:7a37:cbd9:1000:814c:28be:46b5:52c1/128 On-link
12 261 fd79:7a37:cbd9:3333::1/128 On-link
12 261 fd79:7a37:cbd9:7777::/96 On-link
12 261 fe80::/64 On-link
14 306 fe80::/64 On-link
12 261 fe80::20c0:e848:d304:9f01/128 On-link
14 306 fe80::814c:28be:46b5:52c1/128 On-link
1 306 ff00::/8 On-link
12 261 ff00::/8 On-link
14 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
If Metric Network Destination Gateway
0 4294967295 fd79:7a37:cbd9:1000::/64 On-link
0 4294967295 fd79:7a37:cbd9::/48 On-link
0 4294967295 fd79:7a37:cbd9:7777::/96 On-link
===========================================================================
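The post above states that fd79:7a37:cbd9:7777::a00:1 is the DNS64 translation of 10.0.0.1, and the route table shows fd79:7a37:cbd9:7777::/96 on-link via interface 12. The following added example (not from the thread; function names are mine) reproduces that arithmetic, the RFC 6052 embedding of an IPv4 address in a /96 NAT64 prefix, in both directions, and runs a longest-prefix lookup over a constructed excerpt of the poster's ROUTE PRINT -6 table to show which route carries traffic to the synthesised address.

```python
"""NAT64/DNS64 address arithmetic and a route lookup over 'ROUTE PRINT -6' output.

Added example, not part of the thread. The prefix and addresses are the ones
quoted in the post; the route rows are a constructed excerpt of the table.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# DirectAccess uses a /96 NAT64 prefix: the IPv4 address occupies the low 32 bits (RFC 6052).
NAT64_PREFIX = IPv6Network("fd79:7a37:cbd9:7777::/96")

# Constructed excerpt of the poster's "Active Routes" section (If, Metric, Destination, Gateway).
ROUTE_PRINT_6 = """
If Metric Network Destination Gateway
 1 306 ::1/128 On-link
12 261 fd79:7a37:cbd9::/48 On-link
14 306 fd79:7a37:cbd9:1000::/64 On-link
12 261 fd79:7a37:cbd9:3333::1/128 On-link
12 261 fd79:7a37:cbd9:7777::/96 On-link
12 261 fe80::/64 On-link
14 306 fe80::/64 On-link
"""


def synthesize(prefix, v4):
    """Embed an IPv4 address in a /96 NAT64 prefix (what DNS64 returns for an A-only name)."""
    prefix = IPv6Network(str(prefix))
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding is handled here")
    return IPv6Address(int(prefix.network_address) | int(IPv4Address(v4)))


def extract(prefix, v6):
    """Inverse of synthesize(): recover the IPv4 address, or fail if v6 is outside the prefix."""
    prefix, addr = IPv6Network(str(prefix)), IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside NAT64 prefix {prefix}")
    return IPv4Address(int(addr) & 0xFFFF_FFFF)


def parse_routes(text):
    """Turn route rows into (ifindex, metric, network, gateway) tuples; header/separator lines are skipped."""
    routes = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) == 4 and tok[0].isdigit() and tok[1].isdigit():
            routes.append((int(tok[0]), int(tok[1]), IPv6Network(tok[2]), tok[3]))
    return routes


def lookup(routes, v6):
    """Longest-prefix match, ties broken by lowest metric; None if no route covers the address."""
    addr = IPv6Address(v6)
    candidates = [r for r in routes if addr in r[2]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[2].prefixlen, -r[1]))


def dns64_route(routes, prefix, v4):
    """Return (synthesised IPv6 address, route that carries it) for an IPv4-only server."""
    v6 = synthesize(prefix, v4)
    return v6, lookup(routes, v6)
```

For 10.0.0.1 the synthesised address is fd79:7a37:cbd9:7777::a00:1 and the matching route is the /96 on interface 12, which is consistent with the poster being able to ping it; the DNS health check failing while the address is reachable is a separate question the thread does not resolve.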
Successmaker program not working behind Cisco SA520
My customer is a small school in British Columbia. They have used the Successmaker program (written by Pearson Education) to teach numeracy and literacy skills. Since installing a SA520 the teachers are saying that Successmaker does not work properly.
I am at my wits end.
I have disabled content filtering for the SA520, I have disabled IDS on the SA520. I am using the default outbound firewall rule allowing inside addresses access anywhere on the Internet, and I have created an inbound firewall rule allowing all traffic and all services from the Successmaker server IP address that their tech support gave us. Their app is still unable to work properly.
What am I missing?
Before the SA520 was installed the school was using PAT to map different ports on the public IP on the school cable modem to inside addresses. The whole school was a big DMZ, and any port scanning would have reached into their network. The port mappings were never communicated to the Successmaker folks, so I doubt they were ever relevant to the issue. The Successmaker App is web based, and according to their tech support uses "transfer encoding:chunked" technology. I read up on this and it dates back pre Web 2.0 (pre flash, pre silverlight, pre basically the silicon chip). It is discussed in RFC 2616. The SA520 is Linux based, not IOS based. Does that mean that it does not understand RFC 2616? I doubt it, and even if it didn't understand RFC 2616 surely all the steps I have taken above would blow a hole the size of a barn door through the firewall?
If this weren't a school I would not be as emotionally connected as I am to their situation. Without this firewall they will be without much protection at all.
Can you help?
Message was edited by: dirkventer - I added the feedback received from Successmaker tech support. It suggests that the Cisco SA520 may be a problem, something I don't want to believe.
Hi Quendale
I'm sorry to say that putting a student computer in the DMZ didn't resolve the issue.
In setting up the DMZ I made the following changes -
1) I confirmed that the Option interface was in DMZ mode, and that it had a static IP on a new subnet.
2) We also configured the DMZ DHCP to assign addresses in the subnet, using the firewall DMZ IP as default gateway, and using the firewall DMZ IP as DNS server.
3) I created a default firewall rule allowing all outbound traffic from the DMZ to the Internet, and created a firewall rule allowing all inbound traffic from the Successmaker server on the Internet (insecure) zone to the DMZ.
4) I confirmed that IPS was off for the DMZ (Default) and that the content filter exception for the DMZ was still disabled.
The same problem occurred, which makes me believe that the reason for the application not working in the LAN zone had nothing to do with IPS or content filtering. As far as the firewall rule goes, the impact of the inbound rule seems to have been the same - i.e. ineffectual.
Connecting the PC running Successmaker directly to the school cable modem works.
The possibility that the application in question has traffic blocked because of an RFC (2616?) governing the way GET and POST requests should be formatted would still exist, so long as integrity/compliance checking of packets is something that cannot be bypassed via the firewall configuration. Suffice it to say that the application appears dated and uses nothing of Web 2.0. One of the options available to my customer is the purchase of the Web 2.0 version of Successmaker ($600/seat), but they are only prepared to explore this option if the indications are that the older application, not the firewall, is at fault. Pearson Education support swears blindly that thousands of BC school children continue to use the old app behind Cisco firewalls. I don't deny that the possibility exists that the Pearson support technician is stretching the truth: having an older application that has ceased to function with more sophisticated firewalls, because RFC violations in packet formatting have become significant, would doubtless present a solid, easy sell for their upgraded version, which is expensive, especially for a school.
Dynamic NAT ASA 8.4 Packet Tracer not working
Hi guys,
I've tried to ping and go to a site from 192.168.1.6 to 10.10.10.12, but it's not working. I've followed a couple of dynamic NAT tutorials, but I can't figure out what I'm missing. The config is below, and I'd appreciate any help.
Thanks!
ASA Version 8.4(2)
hostname ciscoasa
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.2 255.0.0.0
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
object network inside-subnet
nat (inside,outside) dynamic interface
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd auto_config outside
Thanks guys. I'm one step closer. I can ping from 192.168.1.0 to 10.0.0.0, but I can't open a webpage. I try visiting 10.0.0.6/index.html in Packet Tracer and get a "Request time out" message. I tried to mirror the ACL for www, but it's not working.
Does anyone have a suggestion? My updated config is below.
Thanks!
ASA Version 8.4(2)
hostname ciscoasa
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.0.0.1 255.0.0.0
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
object network outside-subnet
subnet 10.0.0.0 255.0.0.0
access-list TEST extended permit icmp any any echo-reply
access-list TEST extended permit tcp any any eq www
access-list http extended permit tcp any any eq www
access-list http2 extended permit udp any any eq www
access-group TEST in interface outside
object network inside-subnet
nat (inside,outside) dynamic interface
telnet timeout 5
ssh timeout 5
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
NEW ASA 5510 8.4 -- internet is not working
Hi Experts,
I implemented an ASA5510 with the latest software version.
I configured outside interface, default route, PAT to the outside interface. I am able to ping and telnet to the inside interface of the ASA.
But internet is not working.
Did i miss any configuration?
I enabled ICMP to outside. I did a ping to the next hop from the ASA, but it is not working.
Please advise.
Thanks
Vipin
Yes, that's correct, but if it is not working then we might need to take a look at the complete configuration and also take captures to verify where the packets are being dropped.
Thanks,
Varun
ACL not working in ASA 8.4
An ACL has been applied on the inside interface of the ASA 8.4 but it is not working. The aim of this list is to allow only a few hosts outside access and deny the rest of the hosts outside access. The syntax of the access list is
access-list ACL-Inside extended permit ip host 192.168.100.101 any
access-list ACL-Inside extended permit ip host 192.168.100.108 any
access-list ACL-Inside extended permit ip host 192.168.100.109 any
access-list ACL-Inside extended permit ip host 192.168.100.243 any
access-list ACL-Inside extended permit ip host 192.168.100.241 any
access-group ACL-Inside in interface inside
Did you configure the NAT statement for the inside hosts to be mapped to a public IP? The below config will NAT 192.168.100.0-100.254 to the outside interface, and the access-list you defined only allows those hosts to go out.
object network Inside_Net
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) dynamic interface
If you already did the above config please send us the packet capture as Mike requested.
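The packet-tracer output in the GNS3 post above reports "Drop-reason: (acl-drop) Flow is denied by configured rule" under "Implicit Rule", and the ACL-Inside question relies on the same behaviour: an ASA extended access list is evaluated top to bottom, the first matching entry decides, and anything that matches nothing is dropped by the implicit deny at the end. The following added example (not from the thread; function names and the evaluated flows are mine) parses the ACL lines quoted in those two posts and evaluates sample flows against them that way. It handles the `any`, `host A` and `A MASK` operands, `eq PORT` for tcp/udp and an ICMP type name; `interface`, `object` and `object-group` operands are out of scope.

```python
"""First-match evaluation of ASA extended access lists, including the implicit deny.

Added example, not from the thread. Supports 'any', 'host A' and 'A MASK'
address operands, optional 'eq PORT' for tcp/udp and an optional ICMP type.
"""
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "ssh": 22, "h323": 1720}            # ASA port keywords used on this page
ICMP_TYPES = {"echo-reply": 0, "echo": 8, "time-exceeded": 11}

# Constructed copy of the ACL lines quoted in the ACL-Inside and GNS3 posts.
CONFIG = [
    "access-list ACL-Inside extended permit ip host 192.168.100.101 any",
    "access-list ACL-Inside extended permit ip host 192.168.100.108 any",
    "access-list ACL-Inside extended permit ip host 192.168.100.109 any",
    "access-list ACL-Inside extended permit ip host 192.168.100.243 any",
    "access-list ACL-Inside extended permit ip host 192.168.100.241 any",
    "access-list ICMP extended permit icmp any any echo-reply",
    "access-list ICMP extended permit icmp any any time-exceeded",
]


def _addr_spec(tok, i):
    """Consume one address operand starting at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(lines, name):
    """Return the ACEs of access-list NAME in configuration order (the order is what matters)."""
    aces = []
    for raw in lines:
        tok = raw.split()
        if tok[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = tok[3], tok[4]
        src, i = _addr_spec(tok, 5)
        dst, i = _addr_spec(tok, i)
        rest = tok[i:]
        dport = icmp_type = None
        if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        elif proto == "icmp" and rest:
            icmp_type = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
        aces.append({"line": len(aces) + 1, "action": action, "proto": proto,
                     "src": src, "dst": dst, "dport": dport, "icmp_type": icmp_type})
    return aces


def evaluate(aces, proto, src, dst, dport=None, icmp_type=None):
    """Walk the ACL top to bottom; the first matching ACE decides and returns (action, line).

    With no match the ASA applies its implicit deny, which packet-tracer shows
    as an acl-drop under 'Implicit Rule'.
    """
    s, d = ip_address(src), ip_address(dst)
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != proto:   # 'ip' entries match every protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit"
```

Against ACL-Inside, a listed host is permitted by the line that names it and any other inside host hits the implicit deny; against the ICMP list from the GNS3 post, echo-reply and time-exceeded are permitted while an echo request (type 8) is not, which is the intended shape of a return-traffic ACL on the outside interface.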
WCCP does not work between WSA and ASA
I have configured WCCPv2 between WSA S160 ( 6.3.1-025) and ASA5540 (8.2(1)109).
Everything seems to be OK by "show wccp *" on the ASA and showing WCCP debugging messages (level 4) on the S160. Despite this, WCCP redirection does not work.
If I use packet-capture I can see that the S160 receives GRE packets with TCP SYN from a particular LAN host to WWW sites, but the S160 does not handle them and does not send anything back to the ASA.
There is an exemption from authentication for this LAN host, and in Forward proxy mode everything works well.
I have attached an example of a packet-capture (S160.txt - renamed from .cap) and debugging messages from S160 & "show" from ASA.
Does anybody have any idea what the problem is and how I can resolve it?
The IronPort Support team helped me to find the trouble:
If I wish to handle specific ports' (80, 8080, etc.) traffic with the transparent proxy, I need to configure this port as a listener for the FORWARD proxy
("Security Services" -> "Proxy Settings" -> "HTTP Ports to Proxy")
The WSA guide doesn't clearly say this.
So the Discussion can be closed ...
Radio not working behind proxy on iTunes 11 on windows 7
Radio works just fine over the internet on the same PC; however, behind the proxy it will not work. iTunes sees the proxy and asks for credentials, but after entering them it gives an error message...
any ideas would be appreciated
david
Hi,
iTunes Radio is only available in the USA.
Jim
Hi Everyone,
I am setting up new ASA for testing purposes.
So far it has single interface Active which is management.
I can ssh to ASA fine but ASDM is not working.
sh run http shows
sh run http
http server enable
http 172.31.20.0 255.255.255.0 management
sh run ssh
ssh 172.31.20.0 255.255.255.0 management
Regards
Mahesh
Hi Julio,
sh run ssl does not show any output
show flash | include asdm
111 16280544 Jun 29 2011 12:10:58 asdm-645.bin
sh run asdm
no asdm history enable
sh ver shows
up 2 days 2 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: GigabitEthernet0/0 : address is e8b7.483d.0d68, irq 9
1: Ext: GigabitEthernet0/1 : address is e8b7.483d.0d69, irq 9
2: Ext: GigabitEthernet0/2 : address is e8b7.483d.0d6a, irq 9
3: Ext: GigabitEthernet0/3 : address is e8b7.483d.0d6b, irq 9
4: Ext: Management0/0 : address is e8b7.483d.0d6c, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Regards
Mahesh