Researching CISCO ASA5505-BUN-K9

Hello all,
I am researching CISCO ASA5505-BUN-K9 for a small office environment.
Will this device allow any wireless router behind it or only Cisco wireless routers?
Thanks

Hi,
Yes, it should, and this does work.
Thanks and Regards,
Vibhor Amrodia

Similar Messages

  • How many users does a ASA5505-BUN-K9 support

    I know it is a stupid question.
    I say the answer is ten. That means ten hosts can be behind the firewall and hit the internet. The eleventh doesn't get to go out.
    I'm being told by a coworker that the "10" in the part number refers to the number of IPsec VPN peers.
    Who's right?
    I say if you want an unlimited number of users on the inside to be able to get to the internet, you need the ASA5505-SEC-BUN-K9.
    Thanks in advance!
    Mfg. Part: ASA5505-SEC-BUN-K9
    Mfg. Part: ASA5505-50-BUN-K9
    Mfg. Part: ASA5505-BUN-K9
    Cisco ASA 5505 10-User Bundle includes 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 Premium VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license
    ASA5505-BUN-K9

    Hi,
    Below is a table of the licenses of the ASA 5505 from Cisco's site.
    It would seem the part you are referring to is the one with 10 users.
    The unlimited one seems to be the ASA5505-UL-BUN-K9, but without the extra features of the ASA5505-SEC-BUN-K9.

    Table 1. Recommended Cisco ASA 5500 Series Business Edition Solutions

    Cisco ASA 5505 Solution | Description | Firewall/VPN Performance | Part Number
    Cisco ASA 5505 10-user bundle | Includes 10-user license, 8-port Fast Ethernet switch, stateful firewall, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license, and 1 expansion slot | 150 Mbps/100 Mbps | ASA5505-BUN-K9
    Cisco ASA 5505 50-user bundle | Includes 50-user license, 8-port Fast Ethernet switch, stateful firewall, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license, and 1 expansion slot | 150 Mbps/100 Mbps | ASA5505-50-BUN-K9
    Cisco ASA 5505 unlimited user bundle | Includes unlimited user license, 8-port Fast Ethernet switch, stateful firewall, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license, and 1 expansion slot | 150 Mbps/100 Mbps | ASA5505-UL-BUN-K9
    Cisco ASA 5505 Security Plus bundle | Includes Cisco ASA 5505, unlimited users, 8-port Fast Ethernet switch, stateful firewall, 25 IPsec VPN peers, 2 SSL VPN peers, stateless Active/Standby high availability, dual ISP support, DMZ support, 3DES/AES license, and 1 expansion slot | 150 Mbps/100 Mbps | ASA5505-SEC-BUN-K9
    Source:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html
    - Jouni

  • Problem with traffic over Remote Access VPN (Cisco ASA5505)

    Hi
    I've changed the VPN IP pool on a previously functioning VPN setup on a Cisco ASA5505 and updated IP addresses everywhere it seemed appropriate, but now the VPN is no longer working. I am testing with a Cisco IPSec client, but the same happens with the AnyConnect client. Clients connect, but cannot access resources on the LAN. Split tunneling also doesn't work; the internet is not accessible once the VPN is connected.
    I found that a NAT exempt rule was not correctly specified, but after fixing it the problem still persists.
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa
    domain-name our-domain.com
    enable password xxxxxxxx encrypted
    passwd xxxxxxxx encrypted
    names
    name 172.17.1.0 remote-vpn
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.1.1.2 255.0.0.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group adslrealm
     ip address pppoe setroute
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone SAST 2
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 10.1.1.138
     name-server 10.1.1.54
     domain-name our-domain.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network ut
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list no_nat extended permit ip 10.0.0.0 255.0.0.0 remote-vpn 255.255.255.0
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    access-list outside_access_in extended permit tcp any interface outside eq https
    access-list outside_access_in extended permit tcp any interface outside eq 5061
    access-list outside_access_in extended permit tcp any interface outside eq 51413
    access-list outside_access_in extended permit udp any interface outside eq 51413
    access-list outside_access_in extended permit tcp any interface outside eq 2121
    access-list outside_access_in extended permit udp any interface outside eq 2121
    access-list inside_access_out extended deny ip any 64.34.106.0 255.255.255.0
    access-list inside_access_out extended deny ip any 69.25.20.0 255.255.255.0
    access-list inside_access_out extended deny ip any 69.25.21.0 255.255.255.0
    access-list inside_access_out extended deny ip any 72.5.76.0 255.255.255.0
    access-list inside_access_out extended deny ip any 72.5.77.0 255.255.255.0
    access-list inside_access_out extended deny ip any 216.52.0.0 255.255.0.0
    access-list inside_access_out extended deny ip any 74.201.0.0 255.255.0.0
    access-list inside_access_out extended deny ip any 64.94.0.0 255.255.0.0
    access-list inside_access_out extended deny ip any 69.25.0.0 255.255.0.0
    access-list inside_access_out extended deny tcp any any eq 12975
    access-list inside_access_out extended deny tcp any any eq 32976
    access-list inside_access_out extended deny tcp any any eq 17771
    access-list inside_access_out extended deny udp any any eq 17771
    access-list inside_access_out extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNPool 172.17.1.1-172.17.1.254
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 10.0.0.0 255.0.0.0
    static (inside,outside) tcp interface 5061 10.1.1.157 5061 netmask 255.255.255.255
    static (inside,outside) tcp interface https 10.1.1.157 4443 netmask 255.255.255.255
    static (inside,outside) tcp interface 51413 10.1.1.25 51413 netmask 255.255.255.255
    static (inside,outside) udp interface 51413 10.1.1.25 51413 netmask 255.255.255.255
    static (inside,outside) tcp interface 2121 10.1.1.25 2121 netmask 255.255.255.255
    static (inside,outside) udp interface 2121 10.1.1.25 2121 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server AD protocol ldap
    aaa-server AD (inside) host 10.1.1.138
     ldap-base-dn dc=our-domain,dc=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=ciscoasa,cn=Users,dc=ourdomain,dc=com
     server-type auto-detect
    aaa authentication ssh console AD LOCAL
    aaa authentication telnet console LOCAL
    http server enable 4343
    http 0.0.0.0 0.0.0.0 outside
    http 10.0.0.0 255.0.0.0 inside
    http remote-vpn 255.255.255.0 inside
    snmp-server host inside 10.1.1.190 community oursnmp
    snmp-server host inside 10.1.1.44 community oursnmp
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ciscoasa
     crl configure
    crypto ca trustpoint CA1
     revocation-check crl none
     enrollment retry period 5
     enrollment terminal
     fqdn ciscoasa.our-domain.com
     subject-name CN=ciscoasa.our-domain.com, OU=Department, O=Company, C=US, St=New York, L=New York
     keypair ciscoasa.key
     crl configure
    crypto ca certificate chain ASDM_TrustPoint0
     certificate xxxxxxx
        ...
      quit
    crypto ca certificate chain CA1
     certificate xxxxxxxxxxxxxx
        ...
      quit
     certificate ca xxxxxxxxxxxxx
        ...
      quit
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication rsa-sig
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    ssh 10.0.0.0 255.0.0.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group adslrealm request dialout pppoe
    vpdn group adslrealm localname username6@adslrealm
    vpdn group adslrealm ppp authentication pap
    vpdn username username6@adslrealm password ********* store-local
    vpdn username username@adsl-u password ********* store-local
    vpdn username username2@adslrealm password *********
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection scanning-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server x.x.x.x source outside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     port 4343
     enable outside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
     svc enable
    group-policy defaultgroup internal
    group-policy defaultgroup attributes
     dns-server value 10.1.1.138 10.1.1.54
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value our-domain.com
    group-policy DfltGrpPolicy attributes
     dns-server value 10.1.1.138 10.1.1.54
     vpn-tunnel-protocol IPSec l2tp-ipsec svc
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     address-pools value VPNPool
     webvpn
      svc ask none default svc
    username person1 password xxxxxxx encrypted
    username admin password xxxxxxxx encrypted privilege 15
    username person2 password xxxxxxxxx encrypted
    username person3 password xxxxxxxxxx encrypted
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNPool
     default-group-policy defaultgroup
    tunnel-group DefaultRAGroup ipsec-attributes
     trust-point CA1
    tunnel-group OurCompany type remote-access
    tunnel-group OurCompany general-attributes
     address-pool VPNPool
    tunnel-group OurCompany webvpn-attributes
     group-alias OurCompany enable
     group-url https://x.x.x.x/OurCompany enable
    tunnel-group OurIPSEC type remote-access
    tunnel-group OurIPSEC general-attributes
     address-pool VPNPool
     default-group-policy defaultgroup
    tunnel-group OurIPSEC ipsec-attributes
     pre-shared-key *
     trust-point CA1
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map type inspect sip sip-map
     parameters
      max-forwards-validation action drop log
      state-checking action drop log
      rtp-conformance
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect icmp
      inspect pptp
      inspect sip sip-map
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:xxxxxxxxxxxxxxxxx
    : end
    I've checked all the debug logs I could think of and tried various troubleshooting steps. Any ideas?
    Regards
    Lionel
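    The post above turns on one consistency point: after the VPN pool was changed, does the NAT-exemption ACL still cover the new pool? The following checker is an added example, not code from the thread or from Cisco. It parses the `name`, `ip local pool`, `nat (inside) 0 access-list` and matching `access-list ... extended permit ip` lines of an ASA 8.2-style config (network/mask form only; the `any` and `host` keyword forms are not handled) and reports any pool address that LAN hosts would reach through NAT instead of NAT exemption. The sample config is a constructed excerpt of the directives posted above, and the function names and the `lan` parameter are my own.

```python
import ipaddress
import re

# Constructed excerpt: the directives from the posted ASA 8.2(1) config that
# decide whether traffic from the LAN to VPN clients bypasses NAT.
SAMPLE_CONFIG = """\
name 172.17.1.0 remote-vpn
access-list no_nat extended permit ip 10.0.0.0 255.0.0.0 remote-vpn 255.255.255.0
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
ip local pool VPNPool 172.17.1.1-172.17.1.254
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 10.0.0.0 255.0.0.0
"""


def parse_names(cfg):
    """Resolve 'name <ip> <alias>' lines to {alias: ip}."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}


def parse_pools(cfg):
    """Return {pool_name: (first_address, last_address)} from 'ip local pool' lines."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}


def nat_exempt_acl(cfg, iface="inside"):
    """Name of the ACL bound by 'nat (<iface>) 0 access-list <acl>' (NAT exemption), or None."""
    m = re.search(rf"^nat \({iface}\) 0 access-list (\S+)", cfg, re.M)
    return m.group(1) if m else None


def acl_ip_pairs(cfg, acl, names):
    """(source, destination) networks of the 'permit ip' entries of an extended ACL.

    Only the '<net> <mask> <net> <mask>' form is parsed; object names are resolved."""
    pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    pairs = []
    for m in re.finditer(pat, cfg, re.M):
        src_host, src_mask, dst_host, dst_mask = m.groups()
        src = ipaddress.ip_network(f"{names.get(src_host, src_host)}/{src_mask}", strict=False)
        dst = ipaddress.ip_network(f"{names.get(dst_host, dst_host)}/{dst_mask}", strict=False)
        pairs.append((src, dst))
    return pairs


def uncovered_pool_addresses(cfg, lan="10.0.0.0/8"):
    """For each VPN pool, list the client addresses that LAN hosts would reach
    through NAT rather than NAT exemption (empty list = pool fully exempted).
    `lan` (assumed) is the inside network whose return traffic must be exempted."""
    lan_net = ipaddress.ip_network(lan)
    names = parse_names(cfg)
    acl = nat_exempt_acl(cfg)
    pairs = acl_ip_pairs(cfg, acl, names) if acl else []
    report = {}
    for pool, (first, last) in parse_pools(cfg).items():
        missing = []
        addr = first
        while addr <= last:
            # Covered when some exemption entry goes from the LAN to this address.
            if not any(src.overlaps(lan_net) and addr in dst for src, dst in pairs):
                missing.append(str(addr))
            addr += 1
        report[pool] = missing
    return report


if __name__ == "__main__":
    for pool, missing in uncovered_pool_addresses(SAMPLE_CONFIG).items():
        state = "fully NAT-exempted" if not missing else f"{len(missing)} addresses NOT exempted"
        print(f"{pool}: {state}")
```

    With the posted directives the pool is fully covered, because `remote-vpn` resolves to 172.17.1.0/24 and the pool is 172.17.1.1-172.17.1.254. The interesting run is the stale case: a `name` still pointing at the old pool network, or a missing `nat (inside) 0` binding, leaves every pool address uncovered, which is exactly the symptom of a client that authenticates but cannot reach the LAN.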

    Hi
    The bulk of the devices are not even routing through the ASA: internal devices such as IP phones, printers, etc. There is also a large wastage of IP addresses, which needs to be sorted out at some stage.
    The outside IP address is 196.215.40.160. The DSL modem is configured as an LLC bridge.
    Here are the debug logs when connecting, if this helps at all. Nothing is logged when a connection is attempted, though.
    Regards
    Lionel
    Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 765Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ISA_KE payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Fragmentation VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  FalseOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal RFC VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 03 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 02 
VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received xauth V6 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Cisco Unity client VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received DPD VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, Connection landed on tunnel_group OurIPSECOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing IKE SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 2Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ISAKMP SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Generating keys for Responder...Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Cisco Unity VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing xauth V6 VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing dpd vid payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Traversal VID ver 02 payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 
197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Fragmentation VID + extended capabilities payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Send Altiga/Cisco VPN3000/Cisco ASA GW VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing notify payloadOct 15 17:08:51 [IKEv1]: Group = OurIPSEC, IP = 197.79.9.227, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT deviceOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing blank hash payloadOct 
15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Processing MODE_CFG Reply attributes.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary DNS = 10.1.1.138Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary DNS = 10.1.1.54Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: split tunneling list = split-tunnelOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: IP Compression = disabledOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Split Tunneling Policy = Split NetworkOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Setting = no-modifyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Bypass Local = 
disableOct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, User (person2) authenticated.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg ACK attributesOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 164Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg Request attributesOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 net mask!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for DNS server address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for WINS server address!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received unsupported transaction mode attribute: 5Oct 15 17:09:02 [IKEv1 DEBUG]: 
Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Application Version!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Client Type: iPhone OS  Client Application Version: 7.0.2Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Banner!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Default Domain Name!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split DNS!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split Tunnel List!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Local LAN Include!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for PFS setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Save PW setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for FWTYPE!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for backup ip-sec peer list!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Client Browser Proxy Setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Obtained IP addr (172.17.1.1) prior to initiating Mode Cfg (XAuth enabled)Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Assigned private IP address 172.17.1.1 to remote userOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing 
blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, construct_cfg_set: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Send Client Browser Proxy Attributes!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg replyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 210Oct 15 17:09:03 [IKEv1 DECODE]: IP = 197.79.9.227, IKE Responder starting QM: msg id = c9359d2eOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progressOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completedOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 1 COMPLETEDOct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, Keep-alive type for this connection: DPDOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P1 rekey timer: 3420 seconds.Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 284Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing nonce payloadOct 15 17:09:03 [IKEv1 DEBUG]: 
Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR ID received172.17.1.1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received remote Proxy Host data in ID Payload:  Address 172.17.1.1, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.0.0.0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received local IP Proxy Subnet data in ID Payload:   Address 10.0.0.0, Mask 255.0.0.0, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, QM IsRekeyed old sa not found by addrOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-TraversalOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Remote Peer configured for crypto map: dyn1Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing IPSec SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IPSec SA Proposal # 1, Transform # 6 acceptable  Matches global IPSec SA entry # 1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE: requesting SPI!IPSEC: New embryonic SA created @ 0xCB809F40,     SCB: 0xC9613DB0,     Direction: inbound    SPI      : 0x96A6C295    Session ID: 0x0001D000    VPIF num  : 0x00000002    Tunnel type: ra    Protocol   : esp    Lifetime   : 240 secondsOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got SPI from key engine: SPI = 0x96a6c295Oct 
15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, oakley constucting quick mode
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec SA payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec nonce payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing proxy ID
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Transmitting Proxy Id:  Remote host: 172.17.1.1  Protocol 0  Port 0  Local subnet:  10.0.0.0  mask 255.0.0.0 Protocol 0  Port 0
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payload
Oct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Responder sending 2nd QM pkt: msg id = c9359d2e
Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 152
Oct 15 17:09:06 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payload
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, loading all IPSEC SAs
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000
Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Security negotiation complete for User (person2)  Responder, Inbound SPI = 0x96a6c295, Outbound SPI = 0x09e97594
IPSEC: New embryonic SA created @ 0xCB8F7418,
    SCB: 0xC9F6DD30,
    Direction: outbound
    SPI      : 0x09E97594
    Session ID: 0x0001D000
    VPIF num  : 0x00000002
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x09E97594
IPSEC: Creating outbound VPN context, SPI 0x09E97594
    Flags: 0x00000025
    SA   : 0xCB8F7418
    SPI  : 0x09E97594
    MTU  : 1492 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x99890723
    Channel: 0xC6691360
IPSEC: Completed outbound VPN context, SPI 0x09E97594
    VPN handle: 0x001E7FCC
IPSEC: New outbound encrypt rule, SPI 0x09E97594
    Src addr: 10.0.0.0
    Src mask: 255.0.0.0
    Dst addr: 172.17.1.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x09E97594
    Rule ID: 0xCB5483E8
IPSEC: New outbound permit rule, SPI 0x09E97594
    Src addr: 196.215.40.160
    Src mask: 255.255.255.255
    Dst addr: 197.79.9.227
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 41593
      Lower: 41593
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound permit rule, SPI 0x09E97594
    Rule ID: 0xC9242228
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got a KEY_ADD msg for SA: SPI = 0x09e97594
IPSEC: Completed host IBSA update, SPI 0x96A6C295
IPSEC: Creating inbound VPN context, SPI 0x96A6C295
    Flags: 0x00000026
    SA   : 0xCB809F40
    SPI  : 0x96A6C295
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x001E7FCC
    SCB  : 0x985C5DA5
    Channel: 0xC6691360
IPSEC: Completed inbound VPN context, SPI 0x96A6C295
    VPN handle: 0x0020190C
IPSEC: Updating outbound VPN context 0x001E7FCC, SPI 0x09E97594
    Flags: 0x00000025
    SA   : 0xCB8F7418
    SPI  : 0x09E97594
    MTU  : 1492 bytes
    VCID : 0x00000000
    Peer : 0x0020190C
    SCB  : 0x99890723
    Channel: 0xC6691360
IPSEC: Completed outbound VPN context, SPI 0x09E97594
    VPN handle: 0x001E7FCC
IPSEC: Completed outbound inner rule, SPI 0x09E97594
    Rule ID: 0xCB5483E8
IPSEC: Completed outbound outer SPD rule, SPI 0x09E97594
    Rule ID: 0xC9242228
IPSEC: New inbound tunnel flow rule, SPI 0x96A6C295
    Src addr: 172.17.1.1
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.0
    Dst mask: 255.0.0.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x96A6C295
    Rule ID: 0xCB7CFCC8
IPSEC: New inbound decrypt rule, SPI 0x96A6C295
    Src addr: 197.79.9.227
    Src mask: 255.255.255.255
    Dst addr: 196.215.40.160
    Dst mask: 255.255.255.255
    Src ports
      Upper: 41593
      Lower: 41593
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound decrypt rule, SPI 0x96A6C295
    Rule ID: 0xCB9BF828
IPSEC: New inbound permit rule, SPI 0x96A6C295
    Src addr: 197.79.9.227
    Src mask: 255.255.255.255
    Dst addr: 196.215.40.160
    Dst mask: 255.255.255.255
    Src ports
      Upper: 41593
      Lower: 41593
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound permit rule, SPI 0x96A6C295
    Rule ID: 0xCBA7C740
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Pitcher: received KEY_UPDATE, spi 0x96a6c295
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P2 rekey timer: 3417 seconds.
Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Adding static route for client address: 172.17.1.1
Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 2 COMPLETED (msgid=c9359d2e)
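Reading a Quick Mode trace like the one above by hand is error-prone, so here is a small parser, added here as an example and not part of the original post, that pulls the security-relevant facts out of `debug crypto isakmp` / `debug crypto ipsec` output: the proxy IDs (what traffic the SA protects), the negotiated SPI pair, whether NAT-T (ESP in UDP 4500) is in use and on which peer port, the Phase 2 rekey timer, and whether Phase 2 actually completed. The sample lines are copied from the trace above, with the long rule dump reduced to the single `New outbound permit rule` line. The overlap check between the assigned client address and the local proxy network is an added sanity check of mine, not something the ASA reports: a client pool that overlaps the protected LAN is a classic cause of a tunnel that comes up but passes nothing.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the ASA debug trace quoted above in this
# thread. The multi-line IPSEC rule dump is reduced to the one permit-rule line
# that carries the outer (NAT-T) 5-tuple.
SAMPLE_LOG = """\
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Transmitting Proxy Id:  Remote host: 172.17.1.1  Protocol 0  Port 0  Local subnet:  10.0.0.0  mask 255.0.0.0 Protocol 0  Port 0
Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 152
Oct 15 17:09:06 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Security negotiation complete for User (person2)  Responder, Inbound SPI = 0x96a6c295, Outbound SPI = 0x09e97594
IPSEC: New outbound permit rule, SPI 0x09E97594    Src addr: 196.215.40.160    Src mask: 255.255.255.255    Dst addr: 197.79.9.227    Dst mask: 255.255.255.255    Src ports      Upper: 4500      Lower: 4500      Op   : equal    Dst ports      Upper: 41593      Lower: 41593      Op   : equal    Protocol: 17    Use protocol: true
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P2 rekey timer: 3417 seconds.
Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Adding static route for client address: 172.17.1.1
Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 2 COMPLETED (msgid=c9359d2e)
"""

# "<mon> <day> <hh:mm:ss> [IKEv1 ...]: <body>"
HDR = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \[IKEv1[^\]]*\]: (?P<body>.*)$")
# Body prefix: optional "Group = X, Username = Y, " then "IP = Z, <message>"
CTX = re.compile(r"^(?:Group = (?P<group>\S+), Username = (?P<user>\S+), )?IP = (?P<ip>[\d.]+), (?P<msg>.*)$")
PROXY = re.compile(r"Remote host: (?P<rhost>[\d.]+).*Local subnet:\s+(?P<lnet>[\d.]+)\s+mask (?P<lmask>[\d.]+)")
SPIS = re.compile(r"Inbound SPI = (?P<inb>0x[0-9a-fA-F]+), Outbound SPI = (?P<outb>0x[0-9a-fA-F]+)")
REKEY = re.compile(r"Starting P2 rekey timer: (?P<secs>\d+) seconds")
PHASE2 = re.compile(r"PHASE 2 COMPLETED \(msgid=(?P<msgid>[0-9a-fA-F]+)\)")
# Outer-header rule: "Dst addr" is the peer; source port 4500 over proto 17 means NAT-T.
PERMIT = re.compile(
    r"^IPSEC: New outbound permit rule, SPI 0x[0-9A-Fa-f]+"
    r".*?Dst addr: (?P<dst>[\d.]+)"
    r".*?Src ports\s+Upper: (?P<sport>\d+)"
    r".*?Dst ports\s+Upper: (?P<dport>\d+)"
    r".*?Protocol: (?P<proto>\d+)"
)


@dataclass
class Phase2Session:
    peer: str
    group: str = ""
    user: str = ""
    client_addr: str = ""      # remote proxy ID: the address assigned to the client
    local_net: str = ""        # local proxy ID: what the tunnel protects, "net/mask"
    inbound_spi: str = ""
    outbound_spi: str = ""
    nat_t: bool = False        # ESP-in-UDP (port 4500) seen in the outer permit rule
    peer_udp_port: int = 0
    rekey_seconds: int = 0
    completed_msgid: str = ""
    warnings: list = field(default_factory=list)


def audit(s: Phase2Session) -> list:
    """Sanity checks on one session; the overlap test is an added check, not ASA output."""
    w = []
    if not s.completed_msgid:
        w.append("PHASE 2 never completed")
    if not (s.inbound_spi and s.outbound_spi):
        w.append("no SPI pair negotiated")
    if s.client_addr and s.local_net:
        net = ipaddress.ip_network(s.local_net, strict=False)
        if ipaddress.ip_address(s.client_addr) in net:
            w.append(f"client address {s.client_addr} overlaps protected network {net}")
    return w


def parse_ikev1_debug(text: str) -> dict:
    """Return {peer_ip: Phase2Session} built from IKEv1/IPSEC debug lines."""
    sessions = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PERMIT.match(line)
        if m:
            s = sessions.setdefault(m["dst"], Phase2Session(peer=m["dst"]))
            if m["proto"] == "17" and m["sport"] == "4500":
                s.nat_t = True
                s.peer_udp_port = int(m["dport"])
            continue
        h = HDR.match(line)
        c = CTX.match(h["body"]) if h else None
        if not c:
            continue
        s = sessions.setdefault(c["ip"], Phase2Session(peer=c["ip"]))
        if c["group"]:
            s.group, s.user = c["group"], c["user"]
        msg = c["msg"]
        if (p := PROXY.search(msg)):
            s.client_addr = p["rhost"]
            s.local_net = f"{p['lnet']}/{p['lmask']}"
        elif (p := SPIS.search(msg)):
            s.inbound_spi, s.outbound_spi = p["inb"].lower(), p["outb"].lower()
        elif (p := REKEY.search(msg)):
            s.rekey_seconds = int(p["secs"])
        elif (p := PHASE2.search(msg)):
            s.completed_msgid = p["msgid"]
    for s in sessions.values():
        s.warnings = audit(s)
    return sessions


if __name__ == "__main__":
    for peer, s in parse_ikev1_debug(SAMPLE_LOG).items():
        print(f"{peer} {s.group}/{s.user}: client {s.client_addr} <-> {s.local_net}, "
              f"SPIs in={s.inbound_spi} out={s.outbound_spi}, NAT-T={s.nat_t} "
              f"(peer udp/{s.peer_udp_port}), rekey in {s.rekey_seconds}s, "
              f"warnings={s.warnings or 'none'}")
```

Feed it the full `debug` output of a session that "connects but passes nothing": a session with no `PHASE 2 COMPLETED`, a missing SPI pair, or a client address that lands inside the local proxy network tells you where to look before touching any ACL or NAT rule.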

  • Problem with VPN timeout on Cisco ASA5505

    Hi, I'm sorry if it's vague, but I'm coming here without any config simply because I don't have access.
    At work we have 1 Cisco ASA5505 which is used for IPsec VPN only.
    We have 4-5 users that work 100% from the VPN (8h per day, 40h per week).
    The problem we have is the disconnection.
    We have 1 user that will never, never, never have the problem (he can stay logged in all 8h if he wants to).
    The 2nd user can get disconnected, but mostly if the VPN stays on for too long without any action.
    Me and the other user can get frequent disconnections in a day, but it's all random (one day I can get disconnected 0 times and the next day 3 times).
    I am using Mac OS 10.7 (just like the one that never gets disconnected and the one that gets disconnected randomly).
    The other person who gets disconnected a lot is on Windows 7 32-bit with the Cisco client.
    On my side when I get disconnected there are 2 problems I see (it will happen to the Windows person too):
    1) When I'm working on servers sometimes I won't be able to click anywhere and I see that my connection is still on, so I need to close it manually, wait 2 minutes, then reconnect.
    2) When I check my VPN connection it has simply disconnected on its own.
    Thanks for possible solutions. (Also the Windows client had another PC before and she said it never disconnected, but it started on the new PC.) (Before she was on WinXP.)
    Thanks


  • Cisco ASA5505 Logging

    This is likely a very basic question....
    I've got a new Cisco ASA5505 and I'm trying to see some logs at console level. Currently when I do a sh logging I simply get the below. I was expecting or I have seen on other PIX/ASA's system messages.
    Any ideas on what command I need to run in order to enable these messages?
    mipsasa01# sh logging
    Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 7108 messages logged

    "show log" displays what is known as the buffer log. Your buffer logging is disabled. Use the config command "logging buffered <level>" to enable it. You can adjust the size of the buffer with "logging buffer-size <bytes>". I think the buffer space is allocated in memory, so don't go overboard.
    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/l2.html#wp1729451
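Beyond the buffer, a practitioner would check the rest of that `show logging` output: nothing is timestamped, no device ID is stamped on messages, and no trap (syslog) destination is configured, so if the box reboots or is compromised there is no off-box record. The following is an added example, not from the answer above, that parses the `show logging` output copied from the question and lists the destinations that are still off together with the ASA configuration command that turns each on. The interface name and syslog server address in the trap line are placeholders to replace.

```python
import re

# Sample input: the `show logging` output copied from the question above.
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 7108 messages logged
"""

# Settings an incident responder wants on, and the ASA command that enables each.
# The interface name and syslog server address in the trap line are placeholders.
REQUIRED = [
    ("syslog",    "logging enable"),
    ("buffer",    "logging buffered informational"),
    ("trap",      "logging trap informational  +  logging host <inside-if> <syslog-server-ip>"),
    ("timestamp", "logging timestamp"),
    ("device id", "logging device-id hostname"),
]

# "<Name>[ logging]: <value>"  e.g. "Buffer logging: disabled", "Device ID: disabled"
LINE = re.compile(r"^(?P<key>[^:]+?)(?: logging)?: (?P<value>.+)$")


def parse_show_logging(text: str) -> dict:
    """Map each `show logging` row to its value, keyed by the lowercase name
    without the trailing ' logging' (e.g. 'Buffer logging: disabled' -> 'buffer')."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            settings[m["key"].lower()] = m["value"].strip()
    return settings


def audit_logging(settings: dict) -> list:
    """Return (setting, fix-command) pairs for every required destination that is
    missing or disabled. An enabled destination reports 'level <sev>, N messages logged'
    rather than 'disabled', so a prefix test is enough."""
    findings = []
    for key, fix in REQUIRED:
        value = settings.get(key, "disabled")
        if value.startswith("disabled"):
            findings.append((key, fix))
    return findings


if __name__ == "__main__":
    for key, fix in audit_logging(parse_show_logging(SAMPLE_SHOW_LOGGING)):
        print(f"{key:10s} off  ->  {fix}")
```

Run it over `show logging` captured from each ASA you manage; the trap finding is the one that matters most, because buffered and ASDM logs live on the box and are lost with it.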

  • VLAN on SRW2024 and Cisco ASA5505

    Hello All,
    Here is my current situation:
    3 SRW2024s in one building and a Cisco ASA5505 to the Internet
    SRW2024 #1 and #2 are in the same room with one port each connected directly to the ASA. No VLANs setup at all.
    SRW2024 #3 is in another room with a direct connection to SRW2024 #1. Again no VLANs at all.
    So at this time all internal equipment has Internet access through the ASA. Nothing fancy there except NATing from external IPs to the internal IPs.
    This is what I am looking for:
    SRW2024 #3 is in a different room and will be what all the server equipment is connected to, so I would like a VLAN solely for that, so that the computer VLAN can talk back and forth to it. And also allow Internet access through the Internet VLAN
    SRW2024 #1 is almost completely full with Computers and VoIP phones
    SRW2024 #2 has plenty of free space, so what I wanted to create was a VLAN containing the first 4 ports that will be my Internet VLAN (this will be my connection to the Internet (port1), my VoIP PBX that needs direct Internet access (since I have failed multiple times to get it to work behind the ASA) (port2), and the outside interface of the ASA (port3). Then have the inside interface of the  ASA connected directly to the Computer VLAN so that all my computers (on the Computer VLAN)will be able to get Internet access and the ASA will do proper NATing to my e-mail server and a couple of other internal servers (on the Server VLAN).
    So how do I set this up properly in the SRW2024 and do I have to get the ASA involved in any capacity beyond the firewall/gateway functionality I am currently using now?

    1. Create your desired VLANs on the SRW2024. The default VLAN on the SRW2024 is VLAN 1, meaning this is the untagged VLAN. Configure a trunk port that connects SRW2024 #1 and SRW2024 #3, another trunk port that connects the ASA to SRW2024 #1, and one that connects the ASA to SRW2024 #2. Make sure that all the trunk ports are members of all the VLANs that you have created on all the switches.
    2. Create VLANs on the Cisco ASA and create a trunk port that connects it to both SRW2024 #1 and SRW2024 #2. You will also have to create a sub-interface on the ASA that will route internet traffic between VLANs.
    Note: if the ASA has a different default VLAN or native VLAN than the SRW2024 (which is VLAN 1), you will have to set all the trunk ports on all the SRW2024s to general and indicate the VLAN ID that the ASA is using.

  • What version of Cisco software and firmware is supposed to be packaged with a new CISCO ASA5505-SEC-BUN-K9?

    What version of ASA should be expected (8.2)?
    What version of ASDM (6.3)?
    Will registration of this product give me rights to download the latest version of these software package directly from Cisco?
    The box has an NB date: 11-MAR-14.  What does NB date mean?
    I just bought this product and all the printed material and the CD are full of apparently dated material. I tried to use the "Cisco ASM-IDM launcher Installer Information" from the CD and it is asking for the JRE to be downloaded from http://java.sun.com/javase/downloads while I have the latest version already installed. What in the world? This is a security product and it is demanding that an inherently insecure product be installed?
    I also got a three pronged power cable that seems to be a standard for latin America or Europe. Can someone give me a heads up on this?

    What version of ASA should be expected (8.2)?
    On my last order, which was about 6 months ago, I got an ASA with version 9.1. So I would assume that you would get at least that version now, if not a newer version.
    What version of ASDM (6.3)?
    Again, I got ASDM version 7.1 with my last purchase, so a new order should receive the same if not newer.
    Will registration of this product give me rights to download the latest version of these software package directly from Cisco?
    No, you will need to have a support contract with Cisco in order to download newer versions of software. Product registration only gives you rights to download software that was shipped with the device.
    The box has an NB date: 11-MAR-14.  What does NB date mean?
    Not sure what that is.
    I just bought this product and all the printed material and the CD are full of apparently dated material. I tried to use the "Cisco ASM-IDM launcher Installer Information" from the CD and it is asking for the JRE to be downloaded from http://java.sun.com/javase/downloads while I have the latest version already installed. What in the world? This is a security product and it is demanding that an inherently insecure product be installed?
    I think Richard is right.  Sounds like the box has been sitting on the shelf a while.  Perhaps ask the reseller to provide you with a new image release?
    I also got a three pronged power cable that seems to be a standard for latin America or Europe. Can someone give me a heads up on this?
    In all the Cisco purchases I have made I have always received a 3 prong cable along with 2 others (a 2 prong and another...different...3 prong cable).  I believe the devices are shipped in such a way that they do not need to be "customized" for each country. That way they can be shipped to whichever country and be good to go once they arrive.
    Please remember to select a correct answer and rate

  • Upgrading Cisco ASA5505 IOS to Security Plus license

    Hi Team,
    I have the Base license IOS (asa805-k8.bin) on my ASA5505 and I want to upgrade it to the Security Plus IOS.
    Can you please guide me about the same?
    Can you tell me the procedure for the same?
    Thanks & Regards
    Manish Sarolkar

    You should purchase the Security Plus license through a Cisco partner, and once you purchase it, you will need to obtain the activation key from [email protected]. The activation key can then be entered on the ASA via the "activation-key" command as follows:
    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a2.html#wp1623546
    Hope that helps.

  • Only 1 PC unknowingly blocked from access to Cisco ASA5505 (SSH, Telnet, ASDM)

    Hi,
    I have set up a new ASA5505; most of our PCs get DHCP from the ASA5505, and all my PCs/laptops can SSH and ASDM into the Cisco ASA for administration.
    However there is 1 Lenovo laptop (Windows XP) unable to ping, unable to ASDM into the Cisco ASA5505; this PC is getting DHCP from the ASA5505 as well and is able to surf the net as the other PCs do.
    From the ASA I can ping this Lenovo laptop's IP address; however only this Lenovo laptop is unable to access the Cisco ASA management portal.
    Would you advise what is the likely cause and what could be checked?
    Thank you

    Try to check the firewall settings on that laptop; perhaps it's not allowing some services, e.g. SSL/TLS. Try to check the access-list rule and the pool addresses for DHCP on the ASA; make sure the access-list is not allowing only some parts of the IP addresses in that pool.

  • New to Cisco, ASA5505 Help

    Afternoon guys,
    I have decided I want to learn Cisco, so I made the decision to pick up a used ASA 5505 from eBay and use it as my main firewall/router. I have it installed and working but have a few questions about configuration, as some of what I have done seems like a very inefficient way of setting things up.
    My Basic config is this
    O2 ADSL Modem in bridge only mode  192.168.1.254 > ASA 5505 Public Static IP >ASA Inside 192.168.1.1 > Rest of internal LAN.
    I have spotted this blog post that details how to get to the modem's WebUI through a Cisco router, but I am not sure how I would implement it in my network setup, so I would like advice on this.
    http://en.tiagomarques.info/2011/05/access-your-modem-webui-behind-a-cisco-router-bridged-configuration/
    O2 Modem IP: 192.168.1.254
    ASA inside IP: 192.168.1.1
    Apple Airport: 192.168.1.2 (Wireless Bridge)
    LAN: 192.168.1.0/24 (VLAN 1)
    The other thing I would like to ask is about PAT. I have configured it to allow ports 3074 TCP/UDP and 88 TCP inbound to my Xbox to allow Xbox Live to work. But I would like to know if there is a better way to do this using object groups.
    This is currently how I set it up:
    object network xbox_udp_3074
     host 192.168.1.5
     nat (inside,outside) static interface service udp 3074 3074
    exit
    access-list acl_outside extended permit udp any object xbox_udp_3074 eq 3074
    object network xbox_tcp_3074
     host 192.168.1.5
     nat (inside,outside) static interface service tcp 3074 3074
    exit
    access-list acl_outside extended permit tcp any object xbox_tcp_3074 eq 3074
    object network xbox_udp_88
     host 192.168.1.5
     nat (inside,outside) static interface service udp 88 88
    exit
    access-list acl_outside extended permit udp any object xbox_udp_88 eq 88
    What I would like to know is whether there is a better, more efficient way of setting this up, as I have 3 network objects with 3 NAT statements and 1 ACL.
    Finally I have attempted to configure a client VPN on the ASA, and it works and connects, but the problem is it only appears to let web traffic through. If I connect using the VPN built into my iPhone and try a ping using the Ping Lite app I don't get any responses, but if I open Safari and put in 192.168.1.4 I get the WebUI of my NAS device; if I try to RDP to my home server the connection times out. If I drop the VPN and connect to Wi-Fi I can ping and RDP from my phone OK, so it must be a config problem.
    Below is my full config I have masked the password and cryptochecksum
    : Saved
    : Written by enable_15 at 02:08:45.939 GMT Sat Apr 21 2012
    !
    ASA Version 8.4(3)
    !
    hostname warrillow-asa1
    domain-name warrillow.local
    enable password (Masked) encrypted
    passwd (Masked) encrypted
    names
    !
    interface Ethernet0/0
     description physical connection to O2 Box IV
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     description to inside VLAN
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     description to outside interface (O2 Modem)
     nameif outside
     security-level 0
     ip address (Public Static IP) 255.255.254.0
    !
    ftp mode passive
    clock timezone gmt 0
    clock summer-time GMT recurring
    dns server-group DefaultDNS
     domain-name warrillow.local
    object network obj_any
     subnet 192.168.1.0 255.255.255.0
    object service playOn
     service tcp destination eq 57331
    object service service_xbox_udp_88
     service tcp destination eq 88
    object network HomeServer_tcp_57331
     host 192.168.1.250
    object network xbox_udp_3074
     host 192.168.1.5
    object network xbox_tcp_3074
     host 192.168.1.5
    object network xbox_udp_88
     host 192.168.1.5
    object-group icmp-type DefaultICMP
     description Default ICMP Types permitted
     icmp-object echo-reply
     icmp-object unreachable
     icmp-object time-exceeded
    object-group service xbox_live tcp-udp
     port-object eq 3074
     port-object eq 88
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list acl_outside extended permit icmp any any object-group DefaultICMP
    access-list acl_outside extended permit tcp any object HomeServer_tcp_57331 eq 57331
    access-list acl_outside extended permit udp any object xbox_udp_3074 eq 3074
    access-list acl_outside extended permit tcp any object xbox_tcp_3074 eq 3074
    access-list acl_outside extended permit udp any object xbox_udp_88 eq 88
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 10.0.0.2-10.0.0.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo-reply outside
    no asdm history enable
    arp timeout 14400
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network HomeServer_tcp_57331
     nat (inside,outside) static interface service tcp 57331 57331
    object network xbox_udp_3074
     nat (inside,outside) static interface service udp 3074 3074
    object network xbox_tcp_3074
     nat (inside,outside) static interface service tcp 3074 3074
    object network xbox_udp_88
     nat (inside,outside) static interface service udp 88 88
    access-group acl_outside in interface outside
    route outside 0.0.0.0 0.0.0.0 (Public Static IP) 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 30 set ikev1 transform-set strong-des
    crypto map warrillow 65535 ipsec-isakmp dynamic dynmap
    crypto map warrillow interface outside
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 11
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 30
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 30
    threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
    threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
    threat-detection basic-threat
    threat-detection scanning-threat shun duration 3600
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy Warrillow internal
    group-policy Warrillow attributes
     wins-server none
     dns-server value 192.168.1.250
     vpn-idle-timeout 120
     vpn-tunnel-protocol ikev1
     default-domain value warrillow.local
    username mattw password (Masked) encrypted privilege 15
    tunnel-group Warrillow-VPN type remote-access
    tunnel-group Warrillow-VPN general-attributes
     address-pool vpnpool
     default-group-policy Warrillow
    tunnel-group Warrillow-VPN ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
     class class-default
      user-statistics accounting
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    EDIT: to remove public IP from config posted

    Hi,
    Adding the following configurations should allow ICMP through the ASA (for the echo-reply to come through also without using ACL)
    policy-map global_policy class inspection_default
        inspect icmp
    Unless you had already added this.
    You might also find the following document/video helpful. It shows some of the common NAT configurations. This was mostly to help the people that were moving from the old to the new format, but it should be helpful to you also. I know I sometimes double check there.
    Document: https://supportforums.cisco.com/docs/DOC-9129
    Video: https://supportforums.cisco.com/docs/DOC-12324 (also has a link to the above document)
    Regarding the NAT configuration for modem management, I can't guarantee this will work, but the first configuration that came to mind is the following (it kind of resembles the NONAT configuration).
    Though I'm not really sure if this would work, as the LAN network and the outside management IP are from the same network. But you can always try.
    object network LAN
     subnet 192.168.1.0 255.255.255.0
    object network MODEM-MANAGEMENT
     host 192.168.1.254
    nat (inside,outside) source static LAN LAN destination static MODEM-MANAGEMENT MODEM-MANAGEMENT
    - Jouni

  • Cisco ASA5505 multiple public ip nat problem

    Hello,
    I've been having a weird problem with static NAT.
    First I have to say that I've been searching for an answer to this and not yet found one...
    I have three public IPs from a /24 network, like 83.x.x.10, 83.x.x.25 and 83.x.x.41, all using netmask 255.255.255.0.
    I'm using 83.x.x.10 on the ASA outside interface and trying to do static NAT for inside servers with those other IPs, but have not yet solved it.
    Using Cisco ASA 5505 software v9.02
    Config:
    object network obj_guest
    nat (guest,outside) dynamic interface
    object network obj_any
    nat (inside,outside) dynamic interface
    object network w2008
    host 192.168.1.10
    object network w2008
    nat (inside,outside) static 83.x.x.27
    object service RDP
    service tcp destination eq 3389
    access-list outside_access_in extended permit object RDP any object w2008
    access-group outside_access_in in interface outside
    This works on other networks that have, like, a whole network with a /29 mask and a router in front of the ASA using bridge mode. But in my case I just have a DSL modem bridged in front of the ASA. This static NAT works like it should if I use, say, a Zywall USG series firewall, and this same configuration works at my customers', but they have those scenarios I mentioned, with a /29 mask and a router in front...
    It seems that the problem is in the ASA, like it won't show those public IPs to the public router of my operator. Because if I roll those other public IPs onto my ASA's outside interface (I use 83.x.x.25 and 83.x.x.41 on the outside interface and after that put back my original 83.x.x.10), then my static NAT is working just fine, at least for a few hours, but not the next morning, because the ISP router flushes its ARP cache.
    What trick do I need to do with the ASA to get this working?

    Here is the command reference for that:
    http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/a3.html#wp1824414
    Apologies, I didn't know that you are running a version that supports this new command.
    The reason why you need that is because the next hop device is not in the same subnet as your ASA as you have DSL modem bridge in front of the ASA, hence you would need that command enabled.

  • Help, How to configure cisco ASA5505 to permit access to internal LAN

    Hi everyone,
    Once more I am stuck in another dilemma. I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using the Cisco VPN Client software. The connection is establishing properly with an IP address from my VPN pool.
    From outside (on the VPN connection) I can ping the interface e0/0 (outside) and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected (int gi1/0/22, ip address 192.168.1.2/30) and I cannot ping any VLAN interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN.
    I hope my explanation makes sense; I am available at any time if further information is needed. Please find attached my ASA config.
    Best regards,
    BEN

    Many thanks Marvin,
    I have configured the router OSPF the way you instructed me, I have changed the VPN pool to a completely different class, 10.0.1.0/24, and I have also configured: access-list OUTSIDE_IN_ACL permit icmp any any echo-reply and access-group OUTSIDE_IN_ACL in interface outside. But from my VPN connection I can only ping both interfaces of the ASA and nothing else.
    Please find attached my ASA and the layer 3 switch configs. And also ASA and L3 Switch ip route output.
    Note this: when connected to my VPN, cmd> ipconfig /all shows the following:
    IP address 10.0.1.100
    Subnet mask 255.0.0.0
    Default gateway 10.0.0.1
    DNS server 192.168.30.3
    Best regards,
    BEN.
    Message was edited by: Bienvenu Ngala

  • Cisco ASA5505 sla monitoring

    Hello,
    I'm not sure how does the SLA monitoring works...
    Example:
    sla monitor 123
     type echo protocol ipIcmpEcho 10.0.0.1 interface outside
     num-packets 3
     frequency 10
    !--- Configure a new monitoring process with the ID 123. Specify the
    !--- monitoring protocol and the target network object whose availability the tracking
    !--- process monitors. Specify the number of packets to be sent with each poll.
    !--- Specify the rate at which the monitor process repeats (in seconds).
    When does the routing table change the default route?
    Is it when all 3 sent packets time out, or is it enough that just one of those 3 packets doesn't respond?
    I would like to set it up so that the routing table (default route) is rebuilt after 30 seconds of timeout on the primary default gateway.
    Many thanks
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

    Hi Martin,
    You are missing the track configuration: track 1 rtr 123 reachability
    And then:
    sla monitor schedule 123 life forever start-time now
    The track is attached to the SLA, so when you pick one default route to monitor (The one with the lower administrative distance) you add the track command, for example:
    route outside 0.0.0.0 0.0.0.0 200.20.20.1 1 track 1
    route outside2 0.0.0.0 0.0.0.0 200.30.30.1 254
    The firewall will be monitoring the first route and when it fails, it will remove it from the routing table.
    Is it when all 3 sent packets time out, or is it enough that just one of those 3 packets doesn't respond?
    There is a threshold that can be configured to say how many packets you will expect.
    Mike

  • Out of band access of Cisco ASA5505

    Hi Team, can I access a Cisco ASA 5505 remotely via modem? I mean out-of-band management of the Cisco ASA 5505; is that possible?

    Hi,
    Do you mean connecting a dial up modem directly to the ASA? If so this is not possible.
    If you had a spare router however you could set up a terminal server for out of band management.
    If say for example you lost IP connectivity to the ASA you could telnet to the terminal server. From this device you can then access the ASA via the console cable connected to this router.
    http://www.cisco.com/en/US/tech/tk801/tk36/technologies_configuration_example09186a008014f8e7.shtml

  • ASA5505-UL-BUN-K9

    Is this the correct model of ASA to be able to get DHCP for at least 100 addresses?

    Hi,
    Here is a listing of the ASA5505 licenses (also containing the one you mention).
    As you can see, it will give you an unlimited user license, and therefore you won't be limited to a specific number of users anymore.
    Table 1. Recommended Cisco ASA 5500 Series Business Edition Solutions (columns: solution, description, firewall/VPN performance, part number)
    Cisco ASA 5505 10-user bundle
      Description: Includes 10-user license, 8-port Fast Ethernet switch, stateful firewall, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license, and 1 expansion slot
      Firewall/VPN performance: 150 Mbps/100 Mbps
      Part number: ASA5505-BUN-K9
    Cisco ASA 5505 50-user bundle
      Description: Includes 50-user license, 8-port Fast Ethernet switch, stateful firewall, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license, and 1 expansion slot
      Firewall/VPN performance: 150 Mbps/100 Mbps
      Part number: ASA5505-50-BUN-K9
    Cisco ASA 5505 unlimited user bundle
      Description: Includes unlimited user license, 8-port Fast Ethernet switch, stateful firewall, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license, and 1 expansion slot
      Firewall/VPN performance: 150 Mbps/100 Mbps
      Part number: ASA5505-UL-BUN-K9
    Cisco ASA 5505 Security Plus bundle
      Description: Includes Cisco ASA 5505, unlimited users, 8-port Fast Ethernet switch, stateful firewall, 25 IPsec VPN peers, 2 SSL VPN peers, stateless Active/Standby high availability, dual ISP support, DMZ support, 3DES/AES license, and 1 expansion slot
      Firewall/VPN performance: 150 Mbps/100 Mbps
      Part number: ASA5505-SEC-BUN
    Actual document link:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html
    Also note regarding DHCP: the DHCP pool's maximum size is a /24 network, and you can't configure more than one pool per interface of the ASA.
    - Jouni
