Preventing MITM via arp spoofing in ASA and IOS environment

Similar Messages

• VPN between ASA and IOS router

  We have established a VPN tunnel between IOS router and ASA, however it i working only from the latter. What are the common dissimilarities whcih occur between these two devices when setting up VPN?

  Do a search for the following on cisco.com- "Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions"
  It should help fix any problems.
  HTH and please rate.

• My mac and iPhone 6  has been hacked! foresure! Antivirus sentinel pro from apple store detected apr or arp spoofing, thereafter Antivirus protection also got hacked, I turn network monitoring on they turn off like 3 times then they close Antivirus

  my mac and iPhone 6  has been hacked! foresure! Antivirus sentinel pro from apple store detected apr or arp spoofing, thereafter Antivirus protection also got hacked, I turn network monitoring on they turn off everytime then they close Antivirus for good, also Google.com is being imitated and not showing a true certificate (apr spoofing)?.these guys r good! I erased and reinstall Yosemite changed all passwords even on the wifi...could be wifi sniffing? I got Kaspersky hoping to use virtual keyboard for passwords and Kaspersky is comprised too..the virtual keyboard doesn't work it freezes up not allowing me to enter password. So I Uninstall and reinstall Kaspersky, so now I have problem with reinstall that doesn't work, then way later that day it is reinstalled..not over yet..that virtual keyboard now pops up randomly wanting me to use password? seems like they can copy anything real fast for i have to enter info like 2 or 3 times, never had that problem before. I'm thinking about going old school with paper docs and checks..yes technology ***...too vulnerable. .on the news they said 97% of businesses are hacked! can someone help me to counter this attack? thx
  Message was edited by: technologysux

  You have not been hacked. Get rid of all that antivirus. It is just making your life harder.

• Routing issue with ASA and UC540 phone system - at ASA???

  Having an issue with routing from the PC at .242 to the CUE server at 10.1.10.1. The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has it's own WAN connection as does the ASA.
  Here are some facts:
  1. Can ping the UC540's internal CUE server from the PC ( ping to 10.1.10.1 )
  2. Can ping the UC540's VLAN 1 address from the PC ( ping to 10.1.10.1 )
  3. The ASA is the default gateway for the PC.
  4. I have a route inserted at the asa that is:
                 route 10.1.10.1 255.255.255.0 10.19.250.254 1
  5. I have a nat statement that prevents NAT from occuring but I don't think this is necessary as the 10.1.10.0/24 network isn't otherwise defined on the      ASA.
  6. I cannot pull up a web page when I point the browser on the PC to the 10.1.10.1 address
  7. I CAN pull up a web page on the PC when I create a static route on the PC iteslf :
                 route add 10.1.10.1 mask 255.255.255.0 10.19.250.254
       Is is only with this route that I am able to get to the web GUI on the phone system.
  8. The phone system has a loopback interface at 10.1.10.2 that serves as the gateway for the internal CUE server, the internal CUE server is at      10.1.10.1
  9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice vlan which is at 10.1.1.0/24, no issues with this vlan and phones      are connecting to the system fine.
  Since I can get the GUI to come up when I set a static route on the PC, then I would assume that the routing in the phone system with it's internal server is fine as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is setup correctly..... TCP traffic doesn't seem to get to/from the CUE server.
  Here are the routing tables:
  ASA:
  Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0
  C    xxx.xxx.xxx.xxx 255.255.255.252 is directly connected, outside
  S    172.16.100.100 255.255.255.255 [1/0] via 38.97.193.65, outside
  S    10.1.10.0 255.255.255.252 [1/0] via 10.19.250.254, inside
  C    10.19.250.0 255.255.254.0 is directly connected, inside
  S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.xx, outside
  The UC540 phone system's router side:
  Gateway of last resort is xx.xx.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via xx.xx.xx.xx
        10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
  C        10.1.1.0/24 is directly connected, BVI100
  L        10.1.1.1/32 is directly connected, BVI100
  C        10.1.10.0/30 is directly connected, Loopback0
  S        10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0
  L        10.1.10.2/32 is directly connected, Loopback0
  C        10.19.250.0/23 is directly connected, BVI1
  L        10.19.250.254/32 is directly connected, BVI1
        XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0
  L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0
        172.16.0.0/24 is subnetted, 1 subnets
  S        172.16.100.0 [1/0] via 10.19.250.1
  The UC540's internal CUE server:
  Main Routing Table:
             DEST            GATE            MASK                     IFACE
        10.1.10.0            0.0.0.0           255.255.255.252       eth0
          0.0.0.0             10.1.10.2         0.0.0.0                    eth0
  Any help appreciated!!!
  Thanks!

  Hello,
  Where you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The Firewall needs to see both sides of the traffic but the return traffic is going from your UC540 direct to the PC. The firewall essentially kills the traffic.
  I would recommend disabling TCP state checking on the ASA and see if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA which needs to route through the ASA to reach the PC.
  Here is a info page on the TCP State Bypass:
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
  Please let me know how it works out.

• What does the 'rtcli async executor process' process do on a Cisco ASA and why would it cause high CPU load?

  I noticed that the CPU on our ASA had jumped from around %4 to 30% consistently a few weeks back.  The process below seems to be causing the load, but I can't find any information on what it does and how to resolve the issue.
  ASA# sh proc cpu-usage sorted non-zero
  PC         Thread       5Sec     1Min     5Min   Process
  0x08a24505   0x1bdb0124    25.4%    25.6%    25.6%   rtcli async executor process
  0x081ecc51   0x1bdc0f3c     4.7%     4.3%     4.1%   Dispatch Unit
  0x08e4687c   0x1bdc0528     0.3%     0.3%     0.3%   ssm4ge_cfg_poll_thread
  0x08a496d0   0x1bdbecf8     0.1%     0.1%     0.1%   Unicorn Admin Handler
  0x0866d56e   0x1bdafd1c     0.1%     0.1%     0.1%   ARP Thread
  A little more background that has me concerned is that I have the exact time when the jump occurred.  Since that time, I've lost ssh access to the ASA and can only access it via Telnet internally or the ASDM.  I checked the certificates and a new one was generated exactly when the spike occurred.  I am unsure wether or not that was a system triggered certificate generation, or if I have a security issue I need to address.  Heartbleed maybe??  
  Any insight would be greatly appreciated.

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  Sorry I wasn't clear, but when I was asking about "not a lot of traffic", I was wondering about actual  volume passing through the 2811.
  When I asked about "kind of tunnels", I was wondering about how they are configured.  E.g. GRE or IPSec/GRE or VTI, encryption options, other tunnel interface options.
  Perhaps the easiest way to check for fragmentation, is packet analyze the traffic passing through the 2811.

• Site-to-site vpn with 2 asa and home router

  I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
  Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
  192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
  10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
  192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
  Below are the configs of the local and remote asa. any help would be greatly appreaciated.
  local-asa
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.6 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Switch
  host 192.168.1.5
  description 2960-24 Switch
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network Mark_Public
  host 76.98.2.63
  description Mark Public
  object network Mark
  subnet 10.10.10.0 255.255.255.0
  description Marks Network
  object network Mark_routed_subnet
  subnet 192.168.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
  access-list Home standard permit 192.168.1.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
  route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
  aaa-server Radius protocol radius
  aaa-server Radius (inside) host 192.168.1.101
  key *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Radius LOCAL
  aaa authentication telnet console Radius LOCAL
  aaa authentication enable console Radius LOCAL
  aaa authentication http console Radius LOCAL
  aaa authentication serial console Radius LOCAL
  aaa accounting enable console Radius
  aaa accounting serial console Radius
  aaa accounting ssh console Radius
  aaa accounting telnet console Radius
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 66.162.9.0 255.255.255.0 outside
  http 76.98.2.63 255.255.255.255 outside
  http 10.10.10.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.101 community *****
  snmp-server location 149 Cinder Cross
  snmp-server contact Ted Stout
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps cpu threshold rising
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map0 1 match address outside_cryptomap
  crypto map outside_map0 1 set peer 76.98.2.63
  crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map0 interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=stout-fw
  keypair vpn.stoutte.homeip.net
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpoint Home--Server-CA
  enrollment terminal
  subject-name CN=stout-fw,O=home
  keypair HOME-SERVER-CA
  crl configure
  crypto ca trustpoint HOME-SSL
  enrollment terminal
  fqdn stoutfw.homeip.net
  subject-name CN=stoutfw,O=Home
  keypair HOME-SSL
  no validation-usage
  crl configure
  crypto ca trustpoint SelfSigned
  enrollment self
  fqdn stoutfw.homeip.net
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpoint ASDM_TrustPoint2
  enrollment self
  fqdn 192.168.1.6
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpool policy
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 20
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.1.5 source inside prefer
  ssl trust-point SelfSigned outside
  ssl trust-point ASDM_TrustPoint2 inside
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
  username stoutte attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect profiles value VPN_client_profile type user
  tunnel-group 76.98.2.63 type ipsec-l2l
  tunnel-group 76.98.2.63 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 76.98.2.63 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  authentication-server-group Radius LOCAL
  default-group-policy GroupPolicy_VPN
  dhcp-server link-selection 192.168.1.101
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  class-map inspection_default
  match default-inspection-traffic
  remote-asa
  : Saved
  ASA Version 9.1(1)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.0.10 255.255.255.0
  ftp mode passive
  clock timezone EDT -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name netlab.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Ted
  subnet 192.168.1.0 255.255.255.0
  description Teds Network
  object network Ted_Public
  host 24.163.116.187
  object network outside_private
  subnet 192.168.0.0 255.255.255.0
  object network NETWORK_OBJ_10.10.10.0_24
  subnet 10.10.10.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
  access-list outside_access_in extended permit ip object Ted_Public any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  logging debug-trace
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
  route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 24.163.116.187 255.255.255.255 outside
  http 192.168.0.0 255.255.255.0 outside
  http 10.10.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto map outside_map2 1 match address outside_cryptomap
  crypto map outside_map2 1 set peer 24.163.116.187
  crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map2 interface outside
  crypto ikev2 enable outside
  crypto ikev2 enable inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  ssh 10.10.10.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  dhcpd address 10.10.10.1-10.10.10.20 inside
  dhcpd enable inside
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
  tunnel-group 24.163.116.187 type ipsec-l2l
  tunnel-group 24.163.116.187 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 24.163.116.187 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
  : end
  no asdm history enable

  I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
  Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
  192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
  10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
  192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
  Below are the configs of the local and remote asa. any help would be greatly appreaciated.
  local-asa
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.6 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Switch
  host 192.168.1.5
  description 2960-24 Switch
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network Mark_Public
  host 76.98.2.63
  description Mark Public
  object network Mark
  subnet 10.10.10.0 255.255.255.0
  description Marks Network
  object network Mark_routed_subnet
  subnet 192.168.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
  access-list Home standard permit 192.168.1.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
  route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
  aaa-server Radius protocol radius
  aaa-server Radius (inside) host 192.168.1.101
  key *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Radius LOCAL
  aaa authentication telnet console Radius LOCAL
  aaa authentication enable console Radius LOCAL
  aaa authentication http console Radius LOCAL
  aaa authentication serial console Radius LOCAL
  aaa accounting enable console Radius
  aaa accounting serial console Radius
  aaa accounting ssh console Radius
  aaa accounting telnet console Radius
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 66.162.9.0 255.255.255.0 outside
  http 76.98.2.63 255.255.255.255 outside
  http 10.10.10.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.101 community *****
  snmp-server location 149 Cinder Cross
  snmp-server contact Ted Stout
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps cpu threshold rising
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map0 1 match address outside_cryptomap
  crypto map outside_map0 1 set peer 76.98.2.63
  crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map0 interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=stout-fw
  keypair vpn.stoutte.homeip.net
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpoint Home--Server-CA
  enrollment terminal
  subject-name CN=stout-fw,O=home
  keypair HOME-SERVER-CA
  crl configure
  crypto ca trustpoint HOME-SSL
  enrollment terminal
  fqdn stoutfw.homeip.net
  subject-name CN=stoutfw,O=Home
  keypair HOME-SSL
  no validation-usage
  crl configure
  crypto ca trustpoint SelfSigned
  enrollment self
  fqdn stoutfw.homeip.net
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpoint ASDM_TrustPoint2
  enrollment self
  fqdn 192.168.1.6
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpool policy
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 20
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.1.5 source inside prefer
  ssl trust-point SelfSigned outside
  ssl trust-point ASDM_TrustPoint2 inside
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
  username stoutte attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect profiles value VPN_client_profile type user
  tunnel-group 76.98.2.63 type ipsec-l2l
  tunnel-group 76.98.2.63 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 76.98.2.63 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  authentication-server-group Radius LOCAL
  default-group-policy GroupPolicy_VPN
  dhcp-server link-selection 192.168.1.101
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  class-map inspection_default
  match default-inspection-traffic
  remote-asa
  : Saved
  ASA Version 9.1(1)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.0.10 255.255.255.0
  ftp mode passive
  clock timezone EDT -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name netlab.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Ted
  subnet 192.168.1.0 255.255.255.0
  description Teds Network
  object network Ted_Public
  host 24.163.116.187
  object network outside_private
  subnet 192.168.0.0 255.255.255.0
  object network NETWORK_OBJ_10.10.10.0_24
  subnet 10.10.10.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
  access-list outside_access_in extended permit ip object Ted_Public any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  logging debug-trace
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
  route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 24.163.116.187 255.255.255.255 outside
  http 192.168.0.0 255.255.255.0 outside
  http 10.10.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto map outside_map2 1 match address outside_cryptomap
  crypto map outside_map2 1 set peer 24.163.116.187
  crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map2 interface outside
  crypto ikev2 enable outside
  crypto ikev2 enable inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  ssh 10.10.10.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  dhcpd address 10.10.10.1-10.10.10.20 inside
  dhcpd enable inside
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
  tunnel-group 24.163.116.187 type ipsec-l2l
  tunnel-group 24.163.116.187 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 24.163.116.187 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
  : end
  no asdm history enable

• ISAKMP Phase 1 dying for Site to Site tunnel between ASA and Fortigate

        I am facing strange issue on my asa and client Fortigate fw.
  We have site to site tunnel with 3des and sha and DH-5 on asa
  3des  sha1 and dh-5 on Fortigate.
  Tunnel came up when configured after some time it went down and it is throwing below errors. Please
  some one help me here.
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
  Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
  Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ISA_KE payload
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing nonce payload
  Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!<<<<---------Please suggest if DH group 5 does not work with PSK.
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf9255d8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GEN_DH_KEY-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating:  flags 0x01000002, refcnt 0, tuncnt 0
  Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
  Mum-PRI-ASA#

  Hey All,
  I experienced same issue with my another tunnel. Lately I came to know it was higher level of DH computation which my ASA was not able to perform and ASA reboot worked here. See the logs for tunnel which came up after reboot.
  Eror Before Reload
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
  Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 416
  Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
  Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
  Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA MM:64cf4b96 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
  Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, sending delete/delete with reason message
  Isakmp phase completion After reload
  Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
  Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
  Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
  Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
  SENDING PACKET to xx.xx.xx.xx

• MS NLB with ASA and Static NAT from PUP to NLB IP

  Hi all,
  I am trying to get MS NLB up and running.  It is almost all working.  Below is my physical setup.
  ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
  I have two VMs runing on two different ESXi hosts.  They have two vNICs.  One for managment and one for inside puplic subnet.  The inside puplic subnet NICs are in the NLB cluster.  The inside public subnet is NATed on the ASA to a outide public IP.
  192.168.0.50 is the 1st VM
  192.168.0.51 is the 2nd VM
  192.168.0.52 is the cluster IP for heartbeat
  192.168.0.53 is the cluster IP for NLB traffic.
  0100.5e7f.0035 is the cluster MAC.
  The NLB cluster is using MULTICAST
  I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC. 
  For the ASA I found
  http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
  ASDM
  Configuration > Device Management > Advanced > ARP > ARP Static Table
  I was able to add my stic ARP just fine.
  However, the next step was to enable ARP inspection.
  Configuration > Device Management > Advanced > ARP > ARP Inspection
  My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
  For the CAT Switch I found
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
  I added the both the ARP and Static MAC.  For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
  On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa.  I then added a DNS entry for our domain to point to the outside public IP.  I also added it to the public servers section allowing all IP traffic testing puproses.
  At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets)  The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae.  Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine. 
  So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine.  Below is my ASA Config. I have bolded the parts of Interest.
  Result of the command: "show run"
  : Saved
  ASA Version 8.4(4)9
  hostname MP-ASA-1
  enable password ac3wyUYtitklff6l encrypted
  passwd ac3wyUYtitklff6l encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 198.XX.XX.82 255.255.255.240
  interface Ethernet0/1
  description Root Inside Interface No Vlan
  speed 1000
  duplex full
  nameif Port-1-GI-Inside-Native
  security-level 100
  ip address 10.1.1.1 255.255.255.0
  interface Ethernet0/1.2
  description Managment LAN 1 for Inside Networks
  vlan 2
  nameif MGMT-1
  security-level 100
  ip address 192.168.180.1 255.255.255.0
  interface Ethernet0/1.3
  description Managment LAN 2 for Inside Networks
  vlan 3
  nameif MGMT-2
  security-level 100
  ip address 192.168.181.1 255.255.255.0
  interface Ethernet0/1.100
  description Development Pubilc Network 1
  vlan 100
  nameif DEV-PUB-1
  security-level 50
  ip address 192.168.0.1 255.255.255.0
  interface Ethernet0/1.101
  description Development Pubilc Network 2
  vlan 101
  nameif DEV-PUB-2
  security-level 50
  ip address 192.168.2.1 255.255.255.0
  interface Ethernet0/1.102
  description Suncor Pubilc Network 1
  vlan 102
  nameif SUNCOR-PUB-1
  security-level 49
  ip address 192.168.3.1 255.255.255.0
  interface Ethernet0/1.103
  description Suncor Pubilc Network 2
  vlan 103
  nameif SUNCOR-PUB-2
  security-level 49
  ip address 192.168.4.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  boot system disk0:/asa844-9-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network Inside-Native-Network-PNAT
  subnet 10.1.1.0 255.255.255.0
  description Root Inisde Native Interface Network with PNAT
  object network ASA-Outside-IP
  host 198.XX.XX.82
  description The primary IP of the ASA
  object network Inside-Native-Network
  subnet 10.1.1.0 255.255.255.0
  description Root Inisde Native Interface Network
  object network VPN-POOL-PNAT
  subnet 192.168.100.0 255.255.255.0
  description VPN Pool NAT for Inside
  object network DEV-PUP-1-Network
  subnet 192.168.0.0 255.255.255.0
  description DEV-PUP-1 Network
  object network DEV-PUP-2-Network
  subnet 192.168.2.0 255.255.255.0
  description DEV-PUP-2 Network
  object network MGMT-1-Network
  subnet 192.168.180.0 255.255.255.0
  description MGMT-1 Network
  object network MGMT-2-Network
  subnet 192.168.181.0 255.255.255.0
  description MGMT-2 Network
  object network SUNCOR-PUP-1-Network
  subnet 192.168.3.0 255.255.255.0
  description SUNCOR-PUP-1 Network
  object network SUNCOR-PUP-2-Network
  subnet 192.168.4.0 255.255.255.0
  description SUNCOR-PUP-2 Network
  object network DEV-PUB-1-Network-PNAT
  subnet 192.168.0.0 255.255.255.0
  description DEV-PUB-1-Network with PNAT
  object network DEV-PUB-2-Network-PNAT
  subnet 192.168.2.0 255.255.255.0
  description DEV-PUB-2-Network with PNAT
  object network MGMT-1-Network-PNAT
  subnet 192.168.180.0 255.255.255.0
  description MGMT-1-Network with PNAT
  object network MGMT-2-Network-PNAT
  subnet 192.168.181.0 255.255.255.0
  description MGMT-2-Network with PNAT
  object network SUNCOR-PUB-1-Network-PNAT
  subnet 192.168.3.0 255.255.255.0
  description SUNCOR-PUB-1-Network with PNAT
  object network SUNCOR-PUB-2-Network-PNAT
  subnet 192.168.4.0 255.255.255.0
  description SUNCOR-PUB-2-Network with PNAT
  object network DEV-APP-1-PUB
  host 198.XX.XX.XX
  description DEV-APP-2 Public Server IP
  object network DEV-APP-2-SNAT
  host 192.168.2.120
  description DEV-APP-2 Server with SNAT
  object network DEV-APP-2-PUB
  host 198.XX.XX.XX
  description DEV-APP-2 Public Server IP
  object network DEV-SQL-1
  host 192.168.0.110
  description DEV-SQL-1 Inside Server IP
  object network DEV-SQL-2
  host 192.168.2.110
  description DEV-SQL-2 Inside Server IP
  object network SUCNOR-APP-1-PUB
  host 198.XX.XX.XX
  description SUNCOR-APP-1 Public Server IP
  object network SUNCOR-APP-2-SNAT
  host 192.168.4.120
  description SUNCOR-APP-2 Server with SNAT
  object network SUNCOR-APP-2-PUB
  host 198.XX.XX.XX
  description DEV-APP-2 Public Server IP
  object network SUNCOR-SQL-1
  host 192.168.3.110
  description SUNCOR-SQL-1 Inside Server IP
  object network SUNCOR-SQL-2
  host 192.168.4.110
  description SUNCOR-SQL-2 Inside Server IP
  object network DEV-APP-1-SNAT
  host 192.168.0.120
  description DEV-APP-1 Network with SNAT
  object network SUNCOR-APP-1-SNAT
  host 192.168.3.120
  description SUNCOR-APP-1 Network with SNAT
  object network PDX-LAN
  subnet 192.168.1.0 255.255.255.0
  description PDX-LAN for S2S VPN
  object network PDX-Sonicwall
  host XX.XX.XX.XX
  object network LOGI-NLB--SNAT
  host 192.168.0.53
  description Logi NLB with SNAT
  object network LOGI-PUP-IP
  host 198.XX.XX.87
  description Public IP of LOGI server for NLB
  object network LOGI-NLB-IP
  host 192.168.0.53
  description LOGI NLB IP
  object network LOGI-PUP-SNAT-NLB
  host 198.XX.XX.87
  description LOGI Pup with SNAT to NLB
  object-group network vpn-inside
  description All inside accessible networks
  object-group network VPN-Inside-Networks
  description All Inside Nets for Remote VPN Access
  network-object object Inside-Native-Network
  network-object object DEV-PUP-1-Network
  network-object object DEV-PUP-2-Network
  network-object object MGMT-1-Network
  network-object object MGMT-2-Network
  network-object object SUNCOR-PUP-1-Network
  network-object object SUNCOR-PUP-2-Network
  access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
  access-list outside_access_out remark Block ping to out networks
  access-list outside_access_out extended deny icmp any any inactive
  access-list outside_access_out remark Allow all traffic from inside to outside networks
  access-list outside_access_out extended permit ip any any
  access-list outside_access extended permit ip any object LOGI-NLB--SNAT
  access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
  access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
  access-list outside_access extended permit ip any object DEV-APP-2-SNAT
  access-list outside_access extended permit ip any object DEV-APP-1-SNAT
  access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
  pager lines 24
  logging asdm informational
  mtu outside 1500
  mtu Port-1-GI-Inside-Native 1500
  mtu MGMT-1 1500
  mtu MGMT-2 1500
  mtu DEV-PUB-1 1500
  mtu DEV-PUB-2 1500
  mtu SUNCOR-PUB-1 1500
  mtu SUNCOR-PUB-2 1500
  mtu management 1500
  ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any Port-1-GI-Inside-Native
  icmp permit any MGMT-1
  icmp permit any MGMT-2
  icmp permit any DEV-PUB-1
  icmp permit any DEV-PUB-2
  icmp permit any SUNCOR-PUB-1
  icmp permit any SUNCOR-PUB-2
  asdm image disk0:/asdm-649-103.bin
  no asdm history enable
  arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
  arp timeout 14400
  no arp permit-nonconnected
  nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
  nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
  object network Inside-Native-Network-PNAT
  nat (Port-1-GI-Inside-Native,outside) dynamic interface
  object network VPN-POOL-PNAT
  nat (Port-1-GI-Inside-Native,outside) dynamic interface
  object network DEV-PUB-1-Network-PNAT
  nat (DEV-PUB-1,outside) dynamic interface
  object network DEV-PUB-2-Network-PNAT
  nat (DEV-PUB-2,outside) dynamic interface
  object network MGMT-1-Network-PNAT
  nat (MGMT-1,outside) dynamic interface
  object network MGMT-2-Network-PNAT
  nat (MGMT-2,outside) dynamic interface
  object network SUNCOR-PUB-1-Network-PNAT
  nat (SUNCOR-PUB-1,outside) dynamic interface
  object network SUNCOR-PUB-2-Network-PNAT
  nat (SUNCOR-PUB-2,outside) dynamic interface
  object network DEV-APP-2-SNAT
  nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
  object network SUNCOR-APP-2-SNAT
  nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
  object network DEV-APP-1-SNAT
  nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
  object network SUNCOR-APP-1-SNAT
  nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
  object network LOGI-NLB--SNAT
  nat (DEV-PUB-1,outside) static LOGI-PUP-IP
  object network LOGI-PUP-SNAT-NLB
  nat (outside,DEV-PUB-1) static LOGI-NLB-IP
  access-group outside_access in interface outside
  access-group outside_access_out out interface outside
  route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 outside
  http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
  http 192.168.180.0 255.255.255.0 MGMT-1
  http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect icmp error
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
  : end
  Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff. 
  Thanks,
  Chris

  Also If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP.  So it's definatly an issue when NATing the VIP of NLB cluster.
  Chris

• Security Against ARP Spoofing

  Hi,
  I  am planning to create two DHCP servers for DHCP load balancing. Since  ARP Spoofing is one of major threats while configuring DHCP, I want to  know what are the ways to prevent ARP spoofing.
  Regards,
  Prasad Bait

  The best is to go with DHCP snooping + Dynamic ARP inspection. This would help against ARP spoofing:
  http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html
  Regards,
  Deepak

• Connecting routers. ASA and 2921

  Here is a link to the previous post to explain where we were. https://supportforums.cisco.com/message/4133793#4133793
  OK..
  I have an ASA 5510 and a 2921.
  The ASA is used and vpn/firewall and and internet,
  The 2921 is used for inter-vlan routing..
  My  primary scenario, take a look at the image . https://supportforums.cisco.com/servlet/JiveServlet/download/4096848-15371310/router_net.gif
  My data network  is 10.20.60.0
  My Voice network is 192.168.2.0
  The problem; with this setup, I cannot get the 192.168.2.0 network to browse the web. And I cannot get to access my VOICE mail server unless I use a 192 address.
  The solution:
  Roger
  so remember the plan was to remove the 2921 interface and use 10.10.10.2 on the inter with 10.20.60.2...
  1) shutdown the 2921 interface on the ASA and remove the address from the config.
  2) remove the cable from the inside interface of the ASA that i think still connects to a switch.
  3) take the cable that is in the 2921 interface on the ASA and connect it to the inside interface of the ASA.
  Now the 2921 router physical connection runs from gi0/2 on the router to the inside interface of the ASA.
  4) remove the 10.20.60.2 address from the inside interface on the ASA and add the 10.10.10.2 address that was previously on the 2921 ASA interface.
  5) these routes on the ASA need changing  -
  a) remove these -
  no route 2921 10.20.30.0 255.255.254.0 10.10.10.1 1
  no route 2921 192.168.2.0 255.255.255.0 10.10.10.1 1
  b) add these
  route inside 10.20.30.0 255.255.254.0 10.10.10.1 1
  route inside 192.168.2.0 255.255.255.0 10.10.10.1 1
  6) add this route to the 2921
  ip route 0.0.0.0 0.0.0.0 10.10.10.2
  That should do it. As i say you will need downtime but once done all internal vlans should route via the 2921 and the ASA should only be used for internet. The ASA NAT statements reference the inside interface so it should just work.
  And Still no connection.. If you follow the thread post on top you will get a better Idea..
  Basically I want to be able to get the 10.20.60.0 network  and use the asa for vpn and internet while use the 2921 for routing.

  Roger
  Okay, i though it might be an issue with the cable ie. straight thru vs cross over.
  When you tried to browse the web did you check that the interfaces on the 2921 and the ASA were both up ?
  As long as the routes were adding ie, the default route on the 2921 to the ASA inside interface and routes on the ASA pointing back to the 2921 then it should have worked.
  If it is not the cable then the only other things i can think of are -
  1) the default gateway on the PCs is not set correctly but then the PC in different vlans would not be able to talk to each other.
  In your diagram you say the gateway for the internet is now 10.10.10.2. But that is only on the router ie. the default route. The PCs should have their default gateways set to the respective subinterface IP on the 2921 - is this how you did it ?
  2) some misconfiguration on your ASA.
  In addition you say you cannot get to the voice server unless you use a 192.168.x.x address. What subnet is the voice server on ?
  Did you manage to save the configs when you did the upgrade or are you back to where you were before without the configs ?
  Jon

• Xlate count via SNMP on a ASA

  Hi
  Does anyone know of af OID to get the count of active xlate´s per PAT IP address?
  I have a firewall that is performing PAT on several IPs that is defined via object. I need to find a way to get the ammount of xlates on a "per public IP" level.
  I know that i can get the "show conn" via SNMP but this is all the connections globally to the ASA and not on a per-PAT bases. 
  So far the only way i have managed to get something out of the ASA is to do a "show xlate | inc [PUBLIC-IP]" and then count the lines.

  Those don't seem to be supported in ASA 9.x... not in "show snmp-server oidlist".
  natAddrMapAddrUsed might be what you're looking for... but, if you have multiple sources NATed to the same destination, finding the appropriate entry in that table will take some doing.

• Transfer files between ASA and a host across a VPN

  Hello Guys,
  I have a Remote Access VPN between an ASA and a Windows PC, the issue that I'm seeing is that I can't transfer files between the ASA and my PC across the VPN.
  The first time I thought that because the size of the file and some issue with my ADSL service bandwidth could be the problem. However, I tried to copy the running config of the ASA to my PC and is also impossible. I received this error:
  ASA# copy running-config tftp:
  Source filename [running-config]?
  Address or name of remote host []? 10.10.10.2   ----> This is the address of my PC over the VPN tunnel
  Destination filename [running-config]? ASA-Config04032014
  Cryptochecksum: f5a9f8cb 9f63b2e5 e8c99e36 9498cb50
  %Error writing tftp://10.10.10.2/ASA-Config04032014 (Timed out attempting to connect)
  Does anybody had this kind of problem before?
  Thanks in advance,

  I was wondering if I transfer files between a PC and Mac via Ethernet cable can I reverse the transfer from a Mac to a Pc?
  Yes. Start Windows File Sharing on the Mac and then access it on the PC.
  (47464)

• How to use the private subnet between ASA and Router

  Guys,
  Here is the context:
  I am connecting to 2 ISPs for load sharing traffic coming from my private network.
  The 2 links from the ISPs terminate in the router which connects to an ASA via a private subnet, back to my private network.
  I have configured PBR in the router, to prefer ISP1 for trafic coming from my internal servers X, Y, Z  (public addresses, no need for the ASA to translate).  The router  should send any other traffic coming from the rest of my private address space, servers W, V, U  (after translation by ASA) to ISP2.
  So far so good.  The default route defined on ASA points to the internal LAN interface of the Router (private ip address). How can I route this subnet used between the ASA and Router? Being a private address I have to translate it to something (public) before the router can send it out. But translate to what?
  Alternatively I could use a public subnet. But I do not have any.How do I get aroung this?
  Regards
  Ndaungwe

  You have IP addresses on the direct interface links to the ISP's?? You ccould use those IP addresses with NAT overload.

• Connection dropped between ASA and router

  Hi,
  Last night Internet traffic was going from my 2811 router to the Internet via my ASA 5510 (as it should do and in accordance with my route-map policy) but, when I came in this morning, traffic wasn't going via my ASA as my route-map policy specified, it was going straight to the Internet via my Gateway of Last Resort (an SDSL router). When I did a ping between the ASA and the 2811 router, traffic started to be routed via the ASA again, as specified by the Route-Map policy. Does anyone know what caused this to happen?
  Thanks,
  Jaime

  Ensure your ACL configured properly in your device or may be you did any changes recently.

• Asa and scp

  hi experts,
  can I copy the running-config from asa with scp to a linux server ?
  I was reading the cli-command guide, but the suggested commandline does not work.
  scp -v -pw password filename username@fwsm_address
  Does anyone know how scp works with the asa ?

  Hi All,
  This is a similar thread to: https://supportforums.cisco.com/message/936663#936663
  I do not feel this question has been answered in all honesty.
  I am working on an ASA 5550 running asa831-k8.bin and can scp files to and from disk0: without any problems.
  When I attempt to scp the system:running-config file I get the file succesfully but it contains nothing. On the ASA a "dir system:" shows the running-config file with a file size of 0 bytes but a "more system:running-config" dumps the real contents of the file to the terminal session.
  Is there a command to remove the "lock" on this file?
  Is there a way to use the archive command to at least archive it to disk0: or some other file system to be pulled via scp? Establishing an IPSEC tunnel from our backup box to every single ASA in our environment for secure tftp would be impossible!
  Chris