Replacing ASA 5510 and ARP

Hello Support,
Probably an easy question and may be buried within these forums (but I can't find it).
I'm attempting to replace a 5510 with another 5510 and having all sorts of difficulty. Devices that PAT against the outside interface have no problems getting out, but anything with a 1:1 NAT cannot. Screams of an ARP issue; however, rebooting the switch and the firewall has no effect. Is there something else I could potentially be missing? Configurations are completely mirrored. And the firewall that I'm trying to replace has no issues getting out with 1:1 (static) NATs. Any ideas?

Hi,
If you are talking about normal L2 switches with no routing capabilities, then rebooting them might not do anything. I guess usually if you replace a device that is connected directly to some routers, then the simple fact that the interface will go down is enough to "flush" the ARP table on the connected devices, and the replacement of the device goes smoothly.
If your ASA is connected to the ISP through an L2 switch, there is always a chance that rebooting the switch won't bring down any link on the ISP side and remove the old ARP table information.
I am also not quite sure if and when the ASA uses Gratuitous ARP, which is meant to update the ARP table of the connected devices.
But I would have to say that it's not that uncommon that some people face problems with replacing devices and the ISP still having the old ARP information on their end. As I personally work for the ISP and usually am the person who handles the firewall replacement, it's pretty easy to handle both the ISP side and the customer side.
Usually the firewall that I replace is also connected directly to some LAN router, so the router's interfaces naturally go down during the device switch and I won't have to resort to any ARP clearing on the LAN side.
Even though it might be basic information, I am actually not sure how long a basic PC keeps the ARP table information. Though I would imagine Google might tell me pretty quickly.
- Jouni
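On the mechanism behind "PAT works, statics don't" in the original question, as an added note and example (mine, not part of Jouni's reply): when the replacement ASA resolves the ISP gateway it sends ARP requests with its own interface address as the sender, so the gateway refreshes its cache entry for that one address with the new MAC, and PAT traffic flows. The 1:1 static addresses are only ever answered by proxy ARP, and the gateway never asks for them again while it still holds the old chassis MAC in its cache, so those entries stay stale until they time out. The commands below are ASA CLI; the interface name and the MAC address are placeholders.

```cisco
! 1. Confirm the new unit is willing to answer for the static addresses at all
show running-config sysopt
!    a "sysopt noproxyarp outside" line here would stop proxy ARP for the statics entirely
show arp
!    the ISP gateway must be listed with a MAC; no entry means the new unit cannot even reach it

! 2. Watch whether the upstream ever asks for the static addresses. If the gateway holds a
!    cached (stale) entry it will not send who-has for them, and this capture stays empty
capture arpcap ethernet-type arp interface outside
show capture arpcap
no capture arpcap

! 3. Fastest fix without involving the ISP: give the replacement the old unit's outside MAC,
!    so every cached entry upstream (interface IP and static NAT IPs) stays valid.
!    Read it from the old unit first: "show interface Ethernet0/0" -> "MAC address 0013.c4xx.xxxx"
!    (only do this once the old unit is off the segment, or the two units will collide)
interface Ethernet0/0
 mac-address 0013.c412.3456        ! placeholder: the OLD unit's burned-in address

! 4. Otherwise the upstream has to drop the stale entries: on an IOS router that is
!    "clear arp-cache", or waiting out its ARP timeout (the ASA's own default, for
!    comparison, is "arp timeout 14400", i.e. four hours). "clear arp" on the new ASA
!    itself does nothing for this problem, because the stale entry is not on the ASA.
```

The capture in step 2 is the quickest way to tell "stale ARP upstream" apart from a real proxy-ARP or NAT problem: if the gateway is asking for the static addresses and the ASA is replying, the cache upstream is fine and the fault is elsewhere.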

Similar Messages

  • Using ASA 5510 and router for dual WAN Connections.

    Guys, need some help here:
    Context:
    1- My company has one ASA 5510 configured with Site-to-site VPN, IPsec Cisco VPN and AnyConnect VPN.
    2- We use ASA to connect to the single ISP (ISP 1) for internet access. ASA does all the NATing for internal users to go out.
    3- A second link is coming in and we will be using ISP 2 to load-balance traffic to internet (i.e. business traffic will go via ISP1 and “other” traffic will go via ISP2).
    4- A router will be deployed in front of the ASA to terminate internet links.
    5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2).
    Questions:
    How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?
    Since I will be having 2 public IP addresses from the 2 ISPs, how do I NAT internal users to the 2 public IP addresses?
    Finally, which device should be doing the NATing? The ASA just like now or move NATing to the Router?
    Thanks
    Ndaungwe

    Hi,
    Check the below link, it gives information on transparent firewall config and limitations. Based on the doc, you may need to move the VPN/AnyConnect to the router as well. From the router end you may be able to set up static routes pointing to different ISPs based on traffic needs, but this will be a complicated setup and can break things. Wait for other suggestions or, if possible, stick to the ASA to terminate both links and still route the traffic to different ISPs (saves the router cost as well).
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
    Thx
    MS

  • Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops

    Having a problem with communication between an ASA 5510 and a Cisco Catalyst 3750.
    Here is the Cisco switch port facing the ASA 5510 configuration:
    interface FastEthernet2/0/6
    description Trunk to ASA 5510
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 50
    switchport trunk allowed vlan 131,500
    switchport mode trunk
    switchport nonegotiate
    And here is the ASA 5510 port configuration:
    interface Ethernet0/3
    speed 100
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3.500
    vlan 500
    nameif outside
    security-level 0
    ip address X.X.X.69 255.255.255.0
    There is a default route on ASA to X.X.X.1.
    When I try to ping from ASA X.X.X.1 i get:
    Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
    Also in the output of show interface eth 0/3 on the ASA i can see that the L2 Decode drop counter increases.
    I have also changed the ports on the Switch and ASA but the same error stays.
    Any thoughts?

    I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
    Maybe you should adjust the "speed 100"?  In my experience, partial autoconfiguration results in duplex mis-matches, which results in dropped packets.
    I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch.  Alternatively, have both sides set
       speed 100
       duplex full
    and see if things improve.
    -- Jim Leinweber, WI State Lab of Hygiene

  • ASA 5510 and VPN access to remote site over Ext WAN

    ASA 5510
    int client IP 172.0.1.XXX /24
    VPN Client IP 172.0.1.248 /29
    Static routes in the ASA
    1) 0.0.0.0 --- points to router1
    2) 172.29.1.1 --- Points to router2
    3) 172.29.1.2 --- Points to router2
    Router1 Internet connection // VPN access in path
    Router2 Dedicated line to offsite hosting // Dedicated routes in ASA
    ................../---- ROUTER 1
    ..Inside -- ASA --- outside (switch 2 rtrs)
    ..................\---- ROUTER 2
    If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2
    At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface then i tried same-security-traffic permit intra-interface.
    Both commands failed. Looking at the diagram, I think it's something with the fact I VPN into this ASA. Now router2 sees our ASA as its external. So it sees our 208.12.*.* as the outgoing address and dest is 172.29.1.1 or .2
    I did a capture on the outside interface and I see the following. Now these caps are from the inside PC's accessing the website.
    3000 packets captured
    1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
    2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
    3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360
    4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456
    5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482
    Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?

    Hi,
    Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0?
    Something like this:-
    access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0
    nat (Inside) 0 access-list NONAT
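The topology in the question has the VPN client arriving on outside and the destination 172.29.1.x also reached via outside (router2), so the decrypted client traffic has to leave the interface it came in on. As an added example in 8.2 syntax (mine, not from the thread), these are the pieces that make that U-turn work with translation, mirroring what the capture shows inside hosts already doing (sourced from 208.12.*.*). The interface name "outside", the pool address 172.0.1.249 used in the trace, and the assumption that the existing PAT uses the interface address are mine.

```cisco
! Let a flow enter and leave the same interface. The "intra-interface" form is the one that
! matters here; "inter-interface" only covers two different interfaces of equal level.
same-security-traffic permit intra-interface

! Translate the VPN pool the same way inside hosts are translated toward router2;
! otherwise router2 receives packets from 172.0.1.248/29 and needs a route back for them.
nat (outside) 1 172.0.1.248 255.255.255.248
global (outside) 1 interface     ! assumption: this global already exists for the inside PAT

! With a client connected, trace a pool address toward the hosted site: the NAT phase should
! show an (outside,outside) translation and the final result should be ALLOW
packet-tracer input outside tcp 172.0.1.249 40000 172.29.1.2 443
show xlate | include 172.0.1.2
```

If the inside hosts are instead meant to reach 172.29.1.0/24 untranslated (the NAT-exempt approach in the reply), then router2 must carry a return route for 172.0.1.0/24 and for the VPN pool, and the pool still needs the intra-interface permission above.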

  • ASA 5510 and Certificates

    Hi,
    Which certificates do I install on the ASA 5510?
    I have a TrustExternalCARoot, TrustServerCA, ExtendedValidationSecureServerCA and the name of the domain, all ending in .crt. Yet the instructions only refer to two certificates?
    Thanks
    Ed

    Any ideas?
    Sent from Cisco Technical Support iPhone App
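There is no answer in the thread above, so as an added note (mine, not from the original poster or a Cisco guide): of the four .crt files, the ASA needs the one issued for the domain name as its identity certificate, plus the intermediate CA certificate(s) that issued it. The self-signed root is what the client already trusts and does not have to be installed on the ASA. Each CA certificate goes into its own trustpoint, because a trustpoint holds exactly one CA certificate. The names below (VPN-CERT, VPN-KEY, vpn.example.com, INTERMEDIATE-1) are placeholders, and which of the three CA files is the direct issuer has to be read from the identity certificate's Issuer field (for example with openssl x509 -noout -issuer -in domain.crt) rather than guessed from the file names.

```cisco
! Trustpoint that owns the key pair and the identity certificate for the domain.
! This assumes the CSR was generated on this ASA with "crypto ca enroll VPN-CERT";
! if the private key was made elsewhere, build a PKCS#12 with key + cert + chain and use
! "crypto ca import VPN-CERT pkcs12 <passphrase>" instead of the two paste steps below.
crypto ca trustpoint VPN-CERT
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair VPN-KEY
! The CA that signed the identity certificate (typically the ...SecureServerCA file):
! paste the PEM, end with "quit"
crypto ca authenticate VPN-CERT
! Then the identity certificate itself (the "domain name" .crt): paste the PEM, end with "quit"
crypto ca import VPN-CERT certificate

! Any further intermediate between that CA and the root gets its own trustpoint
crypto ca trustpoint INTERMEDIATE-1
 enrollment terminal
crypto ca authenticate INTERMEDIATE-1         ! e.g. the TrustServerCA file

! Bind the identity certificate to the VPN interface and check that the chain is complete
ssl trust-point VPN-CERT outside
show crypto ca certificates
show crypto ca trustpoints
```

The "two certificates" the instructions mention are the CA certificate for the trustpoint and the identity certificate; the extra files in the bundle are the rest of the chain, and only the ones between the identity certificate and the root need their own trustpoints.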

  • Cisco ASA 5510 and Spiceworks port forward

    I know this topic has been beaten to death, but I'm rather green with firewalls and would like some guidance on why my config is not working. I'm using ASDM 6.4.
    My public address is 207.123.123.123 (simplified for this example)
    My Spiceworks server is 192.168.0.11 (SpiceServer)
    My SpiceServer SSL port for SW is 9876
    I've created a NAT for SpiceServer to Any Outside connection. I've created an access rule for Outside where Any is destined for SpiceServer, and I created a Service Group for TCP-UDP for Port 9876.
    Where am I going wrong (besides everywhere)??
    This topic first appeared in the Spiceworks Community

    So you want to set up a static NAT from 207.123.123.123:9876 to 192.168.0.11:9876. (I assume you're keeping the same port on the public interface.)
    Here's a link to a how-to for setting it up. (I'm headed out the door for the weekend. Sorry!) Hope this helps.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/na..
    Skip down to the section "Configuring Static NAT or Static NAT-with-Port-Translation"
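Worked CLI version of the port forward discussed in this thread, written for this page rather than taken from the linked guide (ASDM 6.4 pairs with ASA 8.4, so this is 8.3+ syntax). The object name is mine, and 207.123.123.123 is assumed to be a spare address rather than the outside interface's own; if it is the interface address, replace it with the keyword "interface". The detail that trips most people on 8.3+ is that the access rule must name the real (inside) address, not the public one. And since only TCP 9876 is translated, the rule should permit only TCP 9876: a tcp-udp service group opens a UDP hole that the NAT does nothing with.

```cisco
object network SpiceServer
 host 192.168.0.11
 ! one host, one port: public 207.123.123.123:9876 -> 192.168.0.11:9876
 nat (inside,outside) static 207.123.123.123 service tcp 9876 9876

! 8.3+ rule: the destination is the REAL address (the object), not 207.123.123.123
access-list outside_access_in extended permit tcp any object SpiceServer eq 9876
access-group outside_access_in in interface outside

! Checks (198.51.100.25 is a placeholder outside client)
show nat detail                                  ! untranslate_hits should increase on tests
packet-tracer input outside tcp 198.51.100.25 51000 207.123.123.123 9876
!   expect an UN-NAT phase mapping to 192.168.0.11, ACCESS-LIST ALLOW, final result ALLOW
packet-tracer input outside udp 198.51.100.25 51000 207.123.123.123 9876
!   expect DROP: nothing translates UDP 9876 and the rule does not permit it
```

For comparison, on 8.2 and earlier the same forward is "static (inside,outside) tcp 207.123.123.123 9876 192.168.0.11 9876 netmask 255.255.255.255" and the access rule names the public address; a rule written the 8.2 way on an 8.4 box is the classic reason a forward "silently" fails.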

  • ASA 5510 and Windows Vista/7 VPN problems

    Hi, I'm a programmer that's had to take over the sysadmin position (thank you economy) and our boss can't get access to the VPN with his new Windows 7 laptop. I've been banging my head trying to figure this out but I can't.
    I think it gets past the phase 1 stuff, because windows stops the connection process when it hits "Authenticating username/password."
    It works on our old XP systems and on OSX. It just doesn't seem to work on Windows 7.
    Can anybody help? What do I have to add or change to get it to work?
    Thanks so much in advance!
    ciscoasa# sh run crypto
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_AES128_SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_AES128_SHA mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_AES256_SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_AES256_SHA mode transport
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set TRANS_ESP_AES128_SHA TRANS_ESP_AES256_SHA TRANS_ESP_3DES_SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_MD5 TRANS_ESP_AES128_SHA TRANS_ESP_AES256_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 11.22.33.44
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-192-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    ciscoasa# sh run tunnel-group
    tunnel-group DefaultRAGroup general-attributes
    address-pool l2tp_iprange
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 11.22.33.44 type ipsec-l2l
    tunnel-group 11.22.33.44 ipsec-attributes
    ikev1 pre-shared-key *****

    > What can we do?
    Let your Cisco rep know that this is an important feature. The word I have is that stateful firewall is not in the Vista feature set for Cisco.
    The readme for the Cisco VPN client 5.0 bears this out:
    Known Issues:
    CSCsh02887 Vista: Stateful firewall does not start.
    CSCse44616 Vista: VPN Client should not install Zone Lab Firewall on Vista platform
    CSCsf07334 Vista: Stateful Firewall Not Supported on Vista VPN Client

  • NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

    Hi everyone,
    Hoping someone can help please.
    We're trying to go for a single VPN solution at our company, as we currently have a few from buying other companies.
    We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
    What we would like to achieve is certificate-based authentication. So, the user laptop has a certificate applied via group policy based on domain membership and group settings, then the user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510, and then that talks to MS 2008 R2 NPS and authenticates for VPN access and, following that, network connectivity.
    Has anyone implemented this before and if so, are there any guides available please?
    Many Thanks,
    Dean.

    Hi Dean,
    Thanks for posting here.
    Yes, this is possible. But we have a guide about a sample that uses a Windows-based server (RRAS) to act as the VPN server, working with a Windows RADIUS/NPS server and using a certificate-based authentication method (Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or PEAP-TLS without smart cards), for reference:
    Checklist: Configure NPS for Dial-Up and VPN Access
    http://technet.microsoft.com/en-us/library/cc754114.aspx
    Thanks.
    Tiger Li
    TechNet Community Support

  • RAS and ASA 5510

    I have an ASA 5510 and need to restrict internet access to a defined group in the AD. I was told that you can use a RAS server to accomplish this. Has anybody done this before? Any pointers?

    Hi
    this is a 'classic' error and has nothing to do with double authentication, but rather with the fact that you do both radius authentication and radius authorization.
    If you remove this line:
       authorization-server-group RADIUS01
    you'll see it starts to work fine
    In short: when ASA does radius authorization, it sends a radius access-request with the username as the password, which is why you see the second request fail all the time.
    This is because radius authorization is intended to be used when authentication happens using certificates (only) so there is no password.
    Also note that in the Radius protocol, authentication and authorization are not separate things, they both happen in one step. So if the ASA does radius authentication, it already gets the user attributes in the authentication step and it does not make sense to also do a separate authorization step (unless in some very rare scenario where you have 2 radius servers, one for authentication and another one for authorization).
    hth
    Herbert

  • ASA 5510 ignoring configured acl entry?

    Greetings,
      I'm configuring an ASA-5510, and I have several interfaces, some of which include:
    interface Ethernet0/0.200
    vlan 200
    nameif SITECORP
    security-level 90
    ip address 10.1.4.1 255.255.254.0
    interface Ethernet0/0.207
    vlan 207
    nameif SITESERVER
    security-level 90
    ip address 10.1.7.1 255.255.255.128
    interface Ethernet0/1.311
    vlan 311
    nameif MOD1BMS
    security-level 100
    ip address 10.1.144.1 255.255.252.0
    I have the following access-lists configured and applied:
    access-list SITECORP_access_in extended permit ip any any
    access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
    access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
    fw# show run object-group
    object-group network SITECORP
    network-object 10.1.4.0 255.255.254.0
    object-group network MOD1BMS
    network-object 10.1.144.0 255.255.252.0
    object-group network SITESERVER
    network-object 10.1.7.0 255.255.255.128
    fw# show run nat-control
    no nat-control
    packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group SITECORP_access_in in interface SITECORP
    access-list SITECORP_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd5641ec8, priority=12, domain=permit, deny=false
            hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd544e8c8, priority=110, domain=permit, deny=true
    hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0
    This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
    Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
    Regards,
      Phil

    Hello Phil,
    That is correct: no matter what ACEs (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection would not be allowed (ASA/PIX speaking).
    But you do not have to change the security level; of course that is one work-around, but again the solution is:
    -     same-security-traffic permit inter-interface
    Please mark the question as answered for future queries regarding the same issue unless you have any other question, I would be more than glad to help.
    Regards,
    Julio
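Added example (mine, not Julio's) showing the fix together with the check a least-privilege reviewer would insist on. The inter-interface keyword applies to every pair of interfaces that share a level, and SITECORP_access_in is permit ip any any, so the per-destination lists in the post only restrict anything if they sit outbound on the destination interfaces. The access-group lines for them are an assumption: the post shows the ACLs but not where they are applied.

```cisco
same-security-traffic permit inter-interface

! From this point SITECORP_access_in (permit ip any any) admits everything from SITECORP
! into SITESERVER and any other level-90 interface, so restrict on the egress side.
access-group SITESERVER_access_out out interface SITESERVER
access-group MOD1BMS_out out interface MOD1BMS

! Re-run the failing trace: the ACCESS-LIST phase should now cite the explicit
! SITESERVER_access_out entry instead of "Implicit Rule", with result ALLOW
packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80

! And confirm a port the outbound list does not mention is still denied
packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 22
```

Note that the earlier trace toward MOD1BMS (level 100) succeeded only because of the inbound permit ip any any on SITECORP; with MOD1BMS_out applied outbound, that traffic is likewise cut down to TCP/80 from the SITECORP object group.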

  • ASA 5510 & Object-groups

    I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
    access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
    The ASA throws up an error between 192.168.1.1 and any. When I put a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.
    Going off these posts:
    - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
    - http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/nwaccess.html
    Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.
    What am I doing wrong?
    Thanks in advance for any help.

    Hi Adam!
    You are doing it right, you are just missing one little keyword.
    The line should be as this:
    access-list dmz_access_in extended permit object-group Sample_Port_Group host 192.168.1.1 any
    or you could specify the subnetmask as:
    access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 255.255.255.255 any
    Regards

  • ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working

    I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
    Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either.  Any ideas what I could be missing in my configuration?  I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
    ASA Version 8.2(1)
    hostname fw
    domain-name net.com
    enable password eYKAfQL1.ZSbcTXZ encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    interface Ethernet0/0
    description Primary Outside (Internet)
    speed 10
    duplex full
    nameif outside
    security-level 0
    ip address 1.1.1.5 255.255.255.240
    ospf cost 10
    interface Ethernet0/1
    description inside
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    ospf cost 10
    interface Ethernet0/2
    description WLAN
    nameif WLAN
    security-level 100
    ip address 192.168.108.240 255.255.255.0
    ospf cost 10
    interface Ethernet0/3
    description Secondary Outside (Internet)
    speed 100
    duplex full
    nameif WAN2
    security-level 0
    ip address 2.2.2.133 255.255.255.192
    interface Management0/0
    description LAN/STATE Failover Interface
    time-range after_hours
    periodic weekdays 7:00 to 23:00
    boot system disk0:/asa821-k8.bin
    no ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup WLAN
    dns server-group DefaultDNS
    retries 3
    timeout 5
    name-server 8.8.8.8
    name-server 206.191.0.210
    name-server 4.2.2.1
    name-server 4.2.2.2
    domain-name net.com
    access-list WAN2_access_in extended permit icmp any any echo-reply
    access-list WAN2_access_in extended permit icmp any any time-exceeded
    access-list WAN2_access_in extended permit icmp any any source-quench
    access-list WAN2_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit icmp any any echo-reply
    access-list WLAN_access_in extended permit icmp any any time-exceeded
    access-list WLAN_access_in extended permit icmp any any source-quench
    access-list WLAN_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
    access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    access-list WLAN_access_in extended permit ip any any
    access-list time_based extended permit ip any any time-range after_hours
    access-list split_tunnel standard permit host 206.191.0.210
    access-list split_tunnel standard permit host 206.191.0.140
    access-list split_tunnel standard permit host 207.181.101.4
    access-list split_tunnel standard permit host 207.181.101.5
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    pager lines 20
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu WLAN 1500
    mtu WAN2 1500
    ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface WAN2
    failover
    failover lan unit secondary
    failover lan interface FO Management0/0
    failover key *****
    failover link FO Management0/0
    failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    icmp permit any WLAN
    icmp permit any WAN2
    asdm image disk0:/asdm-621.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (WAN2) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (WLAN) 1 192.168.108.0 255.255.255.0
    static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group WLAN_access_in in interface WLAN
    access-group WAN2_access_in in interface WAN2
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
    route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.108.0 255.255.255.0 WLAN
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.1.101 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
    type echo protocol ipIcmpEcho 4.2.2.2 interface outside
    num-packets 3
    timeout 1000
    frequency 3
    service resetoutside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    track 1 rtr 123 reachability
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet timeout 5
    ssh scopy enable
    ssh 2.2.2.132 255.255.255.255 outside
    ssh 69.17.141.134 255.255.255.255 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.108.0 255.255.255.0 WLAN
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.108.11-192.168.108.239 WLAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp authenticate
    ntp server 128.100.100.128
    ntp server 132.246.168.148
    ntp server 128.100.56.135
    tftp-server inside 192.168.1.100 /
    webvpn
    group-policy Wifi internal
    group-policy Wifi attributes
    wins-server none
    dns-server value 206.191.0.210 206.191.0.140
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel
    tunnel-group Wifi type remote-access
    tunnel-group Wifi general-attributes
    address-pool DHCP
    default-group-policy Wifi
    tunnel-group Wifi ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect icmp error
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
    : end
    asdm image disk0:/asdm-621.bin
    asdm location 192.168.1.245 255.255.255.255 inside
    asdm location 192.168.1.252 255.255.255.255 inside
    asdm history enable

    Hi,
    I can't see any problems right away in the configuration.
    I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
    packet-tracer input outside tcp 1.1.1.1 12345 22
    packet-tracer input outside icmp 1.1.1.1 8 0
    Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As in the configuration, 1.1.1.0/28 is not actually configured on the ASA.)
    Share the exact "packet-tracer" command used (without the public IP; notice that the output contains the public IP also) and the output of the command with us here.
    Also, have you made sure that there are no old translations active on the ASA?
    You can use this command to view those
    show xlate local 192.168.1.100
    You can clear the xlates with
    clear xlate local 192.168.1.100
    - Jouni
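Added follow-up to the troubleshooting above (my suggestions, not Jouni's), with the destination filled in from the posted config: 1.1.1.7 is the mapped address of 192.168.1.100. Two things in the pasted configuration are worth checking before anything else. First, the host route "route inside 192.168.1.100 255.255.255.255 192.168.1.0 1" is more specific than the connected inside route and names 192.168.1.0, the subnet's network address, as next hop; for packets to that host the ASA would then ARP for a gateway that does not exist instead of for the host itself, and drop them when nothing answers. Second, "aaa authentication ssh console LOCAL" is present but no "username" line appears in the paste; if it really is absent, every SSH login to the ASA itself fails regardless of the "ssh" access lines. As in Jouni's commands, 1.1.1.1 (the ISP gateway from the default route) is only a placeholder source.

```cisco
! Full-syntax traces toward the exposed host; read the ROUTE-LOOKUP phase first
packet-tracer input outside tcp 1.1.1.1 12345 1.1.1.7 22
packet-tracer input outside icmp 1.1.1.1 8 0 1.1.1.7

! The suspect route: a /32 to the host whose next hop is the inside subnet's network address
show route | include 192.168.1.100
no route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
show arp | include 192.168.1.

! Stale translation for the host left over from before the static was added
show xlate local 192.168.1.100
clear xlate local 192.168.1.100

! SSH to the ASA itself: LOCAL authentication needs a local account to exist
show running-config username
! if that prints nothing, create one (name and password are placeholders, pick your own)
username admin password <strong-password> privilege 15

! Live confirmation while testing from one of the two outside sources the "ssh" lines allow
capture cap interface outside match tcp any host 1.1.1.7 eq 22
show capture cap
show conn | include 1.1.1.7
no capture cap
```

If the trace still ends in DROP after the route is removed, the phase name it stops at (NAT, ACCESS-LIST, RPF-CHECK) narrows it down; "ip verify reverse-path interface outside" in the posted config is worth keeping in mind for the RPF case if the test source is reached through WAN2 rather than outside.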

  • Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

    I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
    WLC 2504
    1142 LAPs
    4510R+E
    ASA 5510
    Existing configuration as follows:
    WLC management interface and APs addressed on the 192.168.126.0 /25 network
    Internal WLAN mapped to the management interface
    Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
    WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
    4510 connected to ASA inside interface (security level 100)
    Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
    ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
    What is the best way to add guest wireless to our existing configuration?
    Note: I need the guest wireless to be filtered by Websense as our internal wireless is
    Any advice would be greatly appreciated!

    Thanks for the reply, Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a DHCP scope on the WLC. The client gets DHCP but cannot even ping the WLC, much less anything else. Yahya stated above to configure port 2 on the WLC to an access port on my 4510. Aren't all connections from the WLC supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the WLC untagged and add a dynamic interface for each WLAN and tag it with the appropriate VLAN ID? And then leave the (one) physical connection on the WLC (port 1) connected to a trunk link on the 4510 that allows the required VLANs?
    Any input would be greatly appreciated...
    JW

  • CNA and ASA 5510

    Hi.
    Can I add an ASA 5510 to my network diagram on the CNA?
    If I can, what monitoring and control can be done on the ASA?
    The ASA is being managed using SDM.
    Thanks,
    Danny.

    aborole:
       Do you know what technology/MIBs or other means are used to discover the ASA and other information, like the interfaces on which this ASA is connected to other devices in the network?
    Thanks,
    Chandra.

  • 10Mb Metro link between ASA 5505 and ASA 5510

    Dear all,
    I have encountered one difficult problem; I wish all the experts could give me, a newbie, some tips.
    Environment
    One ASA 5505 - ASA 7.2(1) and ASDM 5.2(1)
    One ASA 5510 - ASA 7.2 (1) and ASDM 5.2(1)
    These two firewall make site-to-site VPN connection
    Both ASAs have three interfaces: one is inside (security level 100), another is outside (security level 0), and the last interface is metro (security level also 100).
    ***** I don't know why, after around 3 days to one week, these two ASAs hang and all internal PCs cannot access the internet; I need to unplug and replug the power, and then the ASA resumes. I don't know how to troubleshoot this problem: is the ASA version too old (7.2(1)), or is it some other problem?
    ***** I don't know how to see the log. As a matter of fact, I have already set up syslog on one Windows server, but when I look at the log I find no error log for an ASA error or hang message. Please help, everyone.

    To see the error logs on the ASA, telnet to the device and, after authentication, enter the command "show log". This will display a long list of log messages. Look for the log messages that were logged at the time when the connection went down. Without the error message or syslog message it would not be possible to figure out the problem. The following link may help you to configure the ASA for syslog:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml
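The advice above comes down to "find what was logged right before the ASA stopped passing traffic", which is tedious against a syslog file that is mostly connection build/teardown noise. The Python below is an added example, not code from this thread or from Cisco: it parses ASA syslog lines, pulls the timestamp, severity and message ID out of the %ASA-<severity>-<id> tag, returns the messages in a window before a given outage time with severity 0-3 (emergencies through errors) listed first, and counts messages per ID. The sample lines are constructed, not from the poster's server; they assume the "Mon DD YYYY HH:MM:SS: %ASA-x-nnnnnn: text" form the ASA emits when "logging timestamp" is enabled, so adjust the regex if your syslog server prefixes its own timestamp. One caveat worth knowing: "show log" reads the on-box logging buffer, which is volatile and is cleared by a power cycle, so after the unplug-and-replug recovery described above the syslog server's copy is the only record of the hang.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines (NOT from the poster's syslog server), in the
# "Mon DD YYYY HH:MM:SS: %ASA-<severity>-<id>: text" form the ASA emits with
# "logging timestamp" enabled. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 12 2014 03:10:01: %ASA-6-302013: Built inbound TCP connection 4412 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.168.1.100/22 (203.0.113.10/22)
Jan 12 2014 03:11:40: %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.168.1.100/23 by access-group "outside_access_in"
Jan 12 2014 03:13:02: %ASA-4-411002: Line protocol on Interface metro, changed state to down
Jan 12 2014 03:13:05: %ASA-3-201008: Disallowing new connections.
Jan 12 2014 03:13:59: %ASA-6-302014: Teardown TCP connection 4412 for outside:203.0.113.5/51234 to inside:192.168.1.100/22 duration 0:03:58 bytes 9120 TCP FINs
Jan 12 2014 06:30:00: %ASA-6-302013: Built inbound TCP connection 4413 for outside:203.0.113.5/51300 (203.0.113.5/51300) to inside:192.168.1.100/22 (203.0.113.10/22)
"""

TS_FORMAT = "%b %d %Y %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

@dataclass
class AsaMessage:
    when: datetime
    severity: int   # 0 emergencies ... 3 errors ... 7 debugging
    msg_id: str     # six-digit ASA message ID, e.g. 302013
    text: str

def parse_asa_syslog(text: str) -> List[AsaMessage]:
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # non-ASA lines, or lines the server wrapped
        msgs.append(AsaMessage(datetime.strptime(m["ts"], TS_FORMAT),
                               int(m["sev"]), m["id"], m["text"]))
    return msgs

def messages_before_outage(msgs: List[AsaMessage], outage: str, minutes: int) -> List[AsaMessage]:
    """Messages in the `minutes` before `outage` (same timestamp format as the log),
    severity 0-3 first and then chronological, so a real error surfaces above the
    routine 302013/302014 connection build/teardown noise."""
    end = datetime.strptime(outage, TS_FORMAT)
    start = end - timedelta(minutes=minutes)
    hits = [m for m in msgs if start <= m.when <= end]
    return sorted(hits, key=lambda m: (m.severity > 3, m.when))

def count_by_id(msgs: List[AsaMessage]) -> Dict[str, int]:
    """Histogram by message ID: a sudden burst of one ID is often the clue."""
    counts: Dict[str, int] = {}
    for m in msgs:
        counts[m.msg_id] = counts.get(m.msg_id, 0) + 1
    return counts
```

Run `messages_before_outage(parse_asa_syslog(open("asa.log").read()), "Jan 12 2014 03:14:00", 30)` with the time the users first reported the outage; if the window is empty even though the ASA was up, check that the syslog server was actually receiving (the ASA default logging level for the trap destination may be filtering out what you need) before concluding the box logged nothing.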
