SA 540 Router - Filtering
Hello All,
I'm having trouble with the filtering feature on the SA540 router (firmware ver 2.1.71). When I turn filtering on I am not able to access a sharepoint site. There doesn't have to be any restrictions enabled (allowed/blocked sites), I just turn on the feature and I get a user id/password authentication errors at the sharepoint site. I've been looking for an answer but no luck so far. It was mentioned to obtain protectlink for the router but it is discontinued. Any help would be appreciated.
Thanks
Pete
Hi pete,
You could create an ACL allowing the IP address from the sharepoint to the LAN and vice versa. That should give you access to the web page. However if you need a faster answer to resolve your problem, can you please reach out to our Small Business Support Center and open a Service Request to address this issue? One of our Engineers may be able to work with you and diagnose the root cause. You can find the appropriate contact information for SBSC in the below link.
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
I hope you find this answer useful,
*Please mark the question as Answered or rate it so other users can benefit from it"
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
Similar Messages
-
BGP Conditional Route Filtering
Hi All,
I have router with 2 Connection.
1) IP Transit from Tier 2 Provider
2) IX - Local Internet Exchange for local peering
I'm receiving full internet route nearly 500k+ entries. I also have few local peering through IX connection to local telco. Now that , Im receiving more specific route from IP Transit link compared to local peering . Eg
Local Peer A( ASN YYYY) send route : a.a.0.0/16
IP Transit send route : a.a.1.0/24
With this , My traffic to a.a.1.0/24 end up routed over IP transit link. But we need the traffic routed via IX Peering, since its direct peering and have low latency and high bandwidth capacity.
Im thinking, to filter AS-PATH YYYY from IP Transit link, so that anyy traffic to ASN YYYY will now routed over local IX Peering. But, this will cause traffic get dropped if My Port to IX or Peering Partner Port to IX is went down. The traffic then should routed over IP transit link if local peering is down. Meaning to say , AS-Path filtering should be removed if local peering to that ASN is down.
Any Idea how to accomplish this ?Hello
You dont say if this is just one router with two perrings or two routers with ibgp between them each with a isp peering?
However i for outbound traffic you can use either Weight or local Prefeance path selection for your local traffic to be go over your selected link.
For inbound As-Path prepending would be apllcable I think
Outbound:
Weight (Is locally significant - Just one router)
access-list 10 permit x.x.x.x y.y.y.y
route-map Weight permit 10
match ip address 1
set weight 400000
route-map Weight permit 99
router bgp xx
neigbour x.x.x.x route-map Weight out (to ebgp perring for your prefered choice path)
or
route-map Local-Pref permit 10 ( for IBGP routers)
match ip address 1
set local-preferance 200
route-map Local-Pref permit 99
router bgp xx
neigbour x.x.x.x route-map Local-Pref in (to ebgp perring for your prefered choice path)
Inbound
AS=PAth prepend
route-map AS-Path permit 10
match ip address 10
set as-path prepend ASN ASN ASN
route-map AS-Path permit 99
router bgp xx
neigbour x.x.x.x route-map AS-Path out ( to the least preffered ISP)
res
Paul -
Hello Everyone,
I am just Confused about Filtering methods like - Route Maps, Distribute List, Prefix-List
where to use above these methods?
Aas i came to know that all these methods are for filtering purpose with the help of ACL but where to use these filtering methods in network scenario.
Please give some example for these above commands.
Thanks to everyone in advance for giving me support on this topic....Hi Ambarish,
You are asking to explain different pretty vast topics. Route-maps,distribute-list and prefix-lists can be used with any routing protocol. Each will have different types of implementation also.
Please consider breaking this into different topics and try to practice it.
CF -
How to stop isp1 routes advertisement via isp2 on Bgp...
The problem is when my spoke isp1 mpls down...
Still it is getting routes via isp2I do not have an understanding of your topology or of the relationship between ISP 1 and ISP 2 and therefore can not be sure how well my suggestion will work. But here is what I frequently use when I want to be sure that routes learned from ISP 1 do not get advertised to ISP 2.
ip as-path access-list 10 permit ^$
router bgp 123
neighbor 1.2.3.4 filter-list 10 out
HTH
Rick -
ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traffic
Hi all,
Some might know that I have been dealing with an issue where I cannot seem to get forwarded packets to reach their destinations behind an ASA 5510 that has a Cisco 2811 connected directly behind it.
Some examples that work.
I can SSH into the ASA.
I can SSH to the Cisco Routers behind the ASA.
I cannot reach items beind the Cisco Routers.
My Configuration is this (I am sure I included a bunch of info I didn't need to, but I am hoping it'll help!):
I have a static Ip assigned to my Ouside Interface Ethernet 0/1
It has an IP address of 199.195.xxx.xxx
I am trying to learn how to shape network traffic (this is all new to me) via the ASA and the Routers to specific devices.
The Inside Interface on the ASA is 10.10.1.1 255.255.255.252
The Outside Interface on the 2811 is 10.10.1.2 255.255.255.252
I can ping the router from the ASA. I can SSH through the ASA to the router.
BUT I CANNOT ACCESS DEVICES BEHIND THE ROUTER.
So, I wanted to BAM that statement above because I just don't kjnow where the issue is. Is the issue on the router or the ASA, my guess is, the router, but I just don't know.
Here are my configs, helpfully someone can help.
ASA errors on the ASDM when I try and hit resources; specifically a web device behind the ASA and the 2811. It's Ip address 192.168.1.5 it's listening on port 80.Static IP, not assigned via DHCP.
6
Feb 14 2014
19:38:56
98.22.121.x
41164
192.168.1.5
80
Built inbound TCP connection 1922859 for Outside:98.22.121.x/41164 (98.22.121.x/41164) to Inside:192.168.1.5/80 (199.195.168.x/8080)
6
Feb 14 2014
19:38:56
10.10.1.2
80
98.22.121.x
41164
Deny TCP (no connection) from 10.10.1.2/80 to 98.22.121.x/41164 flags SYN ACK on interface Inside
ASA5510# sh nat
Auto NAT Policies (Section 2)
1 (DMZ) to (Outside) source static ROUTER-2821 interface service tcp ssh 2222
translate_hits = 1, untranslate_hits = 18
2 (Inside) to (Outside) source static ROUTER-2811 interface service tcp ssh 222
translate_hits = 0, untranslate_hits = 13
3 (VOIP) to (Outside) source static ROUTER-3745 interface service tcp ssh 2223
translate_hits = 0, untranslate_hits = 3
4 (Inside) to (Outside) source static RDP-DC1 interface service tcp 3389 3389
translate_hits = 0, untranslate_hits = 236
5 (Inside) to (Outside) source static WEBCAM-01 interface service tcp www 8080
translate_hits = 0, untranslate_hits = 162
Manual NAT Policies (Section 3)
1 (any) to (Outside) source dynamic PAT-SOURCE interface
translate_hits = 1056862, untranslate_hits = 83506
ASA5510# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list USERS; 1 elements; name hash: 0x50681c1e
access-list USERS line 1 standard permit 10.10.1.0 255.255.255.0 (hitcnt=0) 0xdd6ba495
access-list Outside_access_in; 5 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh (hitcnt=37) 0x5a53778d
access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x host 10.10.1.2 eq ssh (hitcnt=37) 0x5a53778d
access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh (hitcnt=8) 0x9f32bc21
access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x host 10.10.0.2 eq ssh (hitcnt=8) 0x9f32bc21
access-list Outside_access_in line 3 extended permit tcp host 98.22.121.x interface Outside eq https (hitcnt=0) 0x385488b2
access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x object WEBCAM-01 eq www (hitcnt=60) 0xe66674ec
access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x host 192.168.1.5 eq www (hitcnt=60) 0xe66674ec
access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389 (hitcnt=3) 0x02f13f4e
access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x host 192.168.1.2 eq 3389 (hitcnt=3) 0x02f13f4e
access-list dmz-access-vlan1; 1 elements; name hash: 0xc3450860
access-list dmz-access-vlan1 line 1 extended permit ip 128.162.1.0 255.255.255.0 any (hitcnt=0) 0x429fedf1
access-list dmz-access; 3 elements; name hash: 0xf53f5801
access-list dmz-access line 1 remark Permit all traffic to DC1
access-list dmz-access line 2 extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2 (hitcnt=0) 0xd2dced0a
access-list dmz-access line 3 remark Permit only DNS traffic to DNS server
access-list dmz-access line 4 extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain (hitcnt=0) 0xbb21093e
access-list dmz-access line 5 remark Permit ICMP to all devices in DC
access-list dmz-access line 6 extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x71269ef7
CISCO-2811#show access-lists
Standard IP access list 1
10 permit any (1581021 matches)
CISCO-2811#show translate
CISCO-2811#show route
CISCO-2811#show route-map
CISCO-2811#show host
CISCO-2811#show hosts
Default domain is maladomini.int
Name/address lookup uses domain service
Name servers are 192.168.1.2, 199.195.168.4, 205.171.2.65, 205.171.3.65, 8.8.8.8
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
api.mixpanel.com None (temp, OK) 2 IP 198.23.64.21
198.23.64.22
198.23.64.18
198.23.64.19
198.23.64.20
ASA5510:
ASA5510# sh run all
: Saved
ASA Version 9.1(4)
command-alias exec h help
command-alias exec lo logout
command-alias exec p ping
command-alias exec s show
terminal width 80
hostname ASA5510
domain-name maladomini.int
enable password x encrypted
no fips enable
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
passwd x encrypted
names
dns-guard
lacp system-priority 32768
interface Ethernet0/0
description LAN Interface
speed auto
duplex auto
no flowcontrol send on
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
delay 10
interface Ethernet0/1
description WAN Interface
speed auto
duplex auto
no flowcontrol send on
nameif Outside
security-level 0
ip address 199.195.168.xxx 255.255.255.240
delay 10
interface Ethernet0/2
description DMZ
speed auto
duplex auto
no flowcontrol send on
nameif DMZ
security-level 100
ip address 10.10.0.1 255.255.255.252
delay 10
interface Ethernet0/3
description VOIP
speed auto
duplex auto
no flowcontrol send on
nameif VOIP
security-level 100
ip address 10.10.2.1 255.255.255.252
delay 10
interface Management0/0
speed auto
duplex auto
management-only
shutdown
nameif management
security-level 0
no ip address
delay 10
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[\r\n\t ]+[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[\r\n\t ]+[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"
checkheaps check-interval 60
checkheaps validate-checksum 60
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone UTC 0
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name maladomini.int
same-security-traffic permit inter-interface
object service ah pre-defined
service ah
description This is a pre-defined object
object service eigrp pre-defined
service eigrp
description This is a pre-defined object
object service esp pre-defined
service esp
description This is a pre-defined object
object service gre pre-defined
service gre
description This is a pre-defined object
object service icmp pre-defined
service icmp
description This is a pre-defined object
object service icmp6 pre-defined
service icmp6
description This is a pre-defined object
object service igmp pre-defined
service igmp
description This is a pre-defined object
object service igrp pre-defined
service igrp
description This is a pre-defined object
object service ip pre-defined
service ip
description This is a pre-defined object
object service ipinip pre-defined
service ipinip
description This is a pre-defined object
object service ipsec pre-defined
service esp
description This is a pre-defined object
object service nos pre-defined
service nos
description This is a pre-defined object
object service ospf pre-defined
service ospf
description This is a pre-defined object
object service pcp pre-defined
service pcp
description This is a pre-defined object
object service pim pre-defined
service pim
description This is a pre-defined object
object service pptp pre-defined
service gre
description This is a pre-defined object
object service snp pre-defined
service snp
description This is a pre-defined object
object service tcp pre-defined
service tcp
description This is a pre-defined object
object service udp pre-defined
service udp
description This is a pre-defined object
object service tcp-aol pre-defined
service tcp destination eq aol
description This is a pre-defined object
object service tcp-bgp pre-defined
service tcp destination eq bgp
description This is a pre-defined object
object service tcp-chargen pre-defined
service tcp destination eq chargen
description This is a pre-defined object
object service tcp-cifs pre-defined
service tcp destination eq cifs
description This is a pre-defined object
object service tcp-citrix-ica pre-defined
service tcp destination eq citrix-ica
description This is a pre-defined object
object service tcp-ctiqbe pre-defined
service tcp destination eq ctiqbe
description This is a pre-defined object
object service tcp-daytime pre-defined
service tcp destination eq daytime
description This is a pre-defined object
object service tcp-discard pre-defined
service tcp destination eq discard
description This is a pre-defined object
object service tcp-domain pre-defined
service tcp destination eq domain
description This is a pre-defined object
object service tcp-echo pre-defined
service tcp destination eq echo
description This is a pre-defined object
object service tcp-exec pre-defined
service tcp destination eq exec
description This is a pre-defined object
object service tcp-finger pre-defined
service tcp destination eq finger
description This is a pre-defined object
object service tcp-ftp pre-defined
service tcp destination eq ftp
description This is a pre-defined object
object service tcp-ftp-data pre-defined
service tcp destination eq ftp-data
description This is a pre-defined object
object service tcp-gopher pre-defined
service tcp destination eq gopher
description This is a pre-defined object
object service tcp-ident pre-defined
service tcp destination eq ident
description This is a pre-defined object
object service tcp-imap4 pre-defined
service tcp destination eq imap4
description This is a pre-defined object
object service tcp-irc pre-defined
service tcp destination eq irc
description This is a pre-defined object
object service tcp-hostname pre-defined
service tcp destination eq hostname
description This is a pre-defined object
object service tcp-kerberos pre-defined
service tcp destination eq kerberos
description This is a pre-defined object
object service tcp-klogin pre-defined
service tcp destination eq klogin
description This is a pre-defined object
object service tcp-kshell pre-defined
service tcp destination eq kshell
description This is a pre-defined object
object service tcp-ldap pre-defined
service tcp destination eq ldap
description This is a pre-defined object
object service tcp-ldaps pre-defined
service tcp destination eq ldaps
description This is a pre-defined object
object service tcp-login pre-defined
service tcp destination eq login
description This is a pre-defined object
object service tcp-lotusnotes pre-defined
service tcp destination eq lotusnotes
description This is a pre-defined object
object service tcp-nfs pre-defined
service tcp destination eq nfs
description This is a pre-defined object
object service tcp-netbios-ssn pre-defined
service tcp destination eq netbios-ssn
description This is a pre-defined object
object service tcp-whois pre-defined
service tcp destination eq whois
description This is a pre-defined object
object service tcp-nntp pre-defined
service tcp destination eq nntp
description This is a pre-defined object
object service tcp-pcanywhere-data pre-defined
service tcp destination eq pcanywhere-data
description This is a pre-defined object
object service tcp-pim-auto-rp pre-defined
service tcp destination eq pim-auto-rp
description This is a pre-defined object
object service tcp-pop2 pre-defined
service tcp destination eq pop2
description This is a pre-defined object
object service tcp-pop3 pre-defined
service tcp destination eq pop3
description This is a pre-defined object
object service tcp-pptp pre-defined
service tcp destination eq pptp
description This is a pre-defined object
object service tcp-lpd pre-defined
service tcp destination eq lpd
description This is a pre-defined object
object service tcp-rsh pre-defined
service tcp destination eq rsh
description This is a pre-defined object
object service tcp-rtsp pre-defined
service tcp destination eq rtsp
description This is a pre-defined object
object service tcp-sip pre-defined
service tcp destination eq sip
description This is a pre-defined object
object service tcp-smtp pre-defined
service tcp destination eq smtp
description This is a pre-defined object
object service tcp-ssh pre-defined
service tcp destination eq ssh
description This is a pre-defined object
object service tcp-sunrpc pre-defined
service tcp destination eq sunrpc
description This is a pre-defined object
object service tcp-tacacs pre-defined
service tcp destination eq tacacs
description This is a pre-defined object
object service tcp-talk pre-defined
service tcp destination eq talk
description This is a pre-defined object
object service tcp-telnet pre-defined
service tcp destination eq telnet
description This is a pre-defined object
object service tcp-uucp pre-defined
service tcp destination eq uucp
description This is a pre-defined object
object service tcp-www pre-defined
service tcp destination eq www
description This is a pre-defined object
object service tcp-http pre-defined
service tcp destination eq www
description This is a pre-defined object
object service tcp-https pre-defined
service tcp destination eq https
description This is a pre-defined object
object service tcp-cmd pre-defined
service tcp destination eq rsh
description This is a pre-defined object
object service tcp-sqlnet pre-defined
service tcp destination eq sqlnet
description This is a pre-defined object
object service tcp-h323 pre-defined
service tcp destination eq h323
description This is a pre-defined object
object service tcp-udp-cifs pre-defined
service tcp-udp destination eq cifs
description This is a pre-defined object
object service tcp-udp-discard pre-defined
service tcp-udp destination eq discard
description This is a pre-defined object
object service tcp-udp-domain pre-defined
service tcp-udp destination eq domain
description This is a pre-defined object
object service tcp-udp-echo pre-defined
service tcp-udp destination eq echo
description This is a pre-defined object
object service tcp-udp-kerberos pre-defined
service tcp-udp destination eq kerberos
description This is a pre-defined object
object service tcp-udp-nfs pre-defined
service tcp-udp destination eq nfs
description This is a pre-defined object
object service tcp-udp-pim-auto-rp pre-defined
service tcp-udp destination eq pim-auto-rp
description This is a pre-defined object
object service tcp-udp-sip pre-defined
service tcp-udp destination eq sip
description This is a pre-defined object
object service tcp-udp-sunrpc pre-defined
service tcp-udp destination eq sunrpc
description This is a pre-defined object
object service tcp-udp-tacacs pre-defined
service tcp-udp destination eq tacacs
description This is a pre-defined object
object service tcp-udp-www pre-defined
service tcp-udp destination eq www
description This is a pre-defined object
object service tcp-udp-http pre-defined
service tcp-udp destination eq www
description This is a pre-defined object
object service tcp-udp-talk pre-defined
service tcp-udp destination eq talk
description This is a pre-defined object
object service udp-biff pre-defined
service udp destination eq biff
description This is a pre-defined object
object service udp-bootpc pre-defined
service udp destination eq bootpc
description This is a pre-defined object
object service udp-bootps pre-defined
service udp destination eq bootps
description This is a pre-defined object
object service udp-cifs pre-defined
service udp destination eq cifs
description This is a pre-defined object
object service udp-discard pre-defined
service udp destination eq discard
description This is a pre-defined object
object service udp-domain pre-defined
service udp destination eq domain
description This is a pre-defined object
object service udp-dnsix pre-defined
service udp destination eq dnsix
description This is a pre-defined object
object service udp-echo pre-defined
service udp destination eq echo
description This is a pre-defined object
object service udp-www pre-defined
service udp destination eq www
description This is a pre-defined object
object service udp-http pre-defined
service udp destination eq www
description This is a pre-defined object
object service udp-nameserver pre-defined
service udp destination eq nameserver
description This is a pre-defined object
object service udp-kerberos pre-defined
service udp destination eq kerberos
description This is a pre-defined object
object service udp-mobile-ip pre-defined
service udp destination eq mobile-ip
description This is a pre-defined object
object service udp-nfs pre-defined
service udp destination eq nfs
description This is a pre-defined object
object service udp-netbios-ns pre-defined
service udp destination eq netbios-ns
description This is a pre-defined object
object service udp-netbios-dgm pre-defined
service udp destination eq netbios-dgm
description This is a pre-defined object
object service udp-ntp pre-defined
service udp destination eq ntp
description This is a pre-defined object
object service udp-pcanywhere-status pre-defined
service udp destination eq pcanywhere-status
description This is a pre-defined object
object service udp-pim-auto-rp pre-defined
service udp destination eq pim-auto-rp
description This is a pre-defined object
object service udp-radius pre-defined
service udp destination eq radius
description This is a pre-defined object
object service udp-radius-acct pre-defined
service udp destination eq radius-acct
description This is a pre-defined object
object service udp-rip pre-defined
service udp destination eq rip
description This is a pre-defined object
object service udp-secureid-udp pre-defined
service udp destination eq secureid-udp
description This is a pre-defined object
object service udp-sip pre-defined
service udp destination eq sip
description This is a pre-defined object
object service udp-snmp pre-defined
service udp destination eq snmp
description This is a pre-defined object
object service udp-snmptrap pre-defined
service udp destination eq snmptrap
description This is a pre-defined object
object service udp-sunrpc pre-defined
service udp destination eq sunrpc
description This is a pre-defined object
object service udp-syslog pre-defined
service udp destination eq syslog
description This is a pre-defined object
object service udp-tacacs pre-defined
service udp destination eq tacacs
description This is a pre-defined object
object service udp-talk pre-defined
service udp destination eq talk
description This is a pre-defined object
object service udp-tftp pre-defined
service udp destination eq tftp
description This is a pre-defined object
object service udp-time pre-defined
service udp destination eq time
description This is a pre-defined object
object service udp-who pre-defined
service udp destination eq who
description This is a pre-defined object
object service udp-xdmcp pre-defined
service udp destination eq xdmcp
description This is a pre-defined object
object service udp-isakmp pre-defined
service udp destination eq isakmp
description This is a pre-defined object
object service icmp6-unreachable pre-defined
service icmp6 unreachable
description This is a pre-defined object
object service icmp6-packet-too-big pre-defined
service icmp6 packet-too-big
description This is a pre-defined object
object service icmp6-time-exceeded pre-defined
service icmp6 time-exceeded
description This is a pre-defined object
object service icmp6-parameter-problem pre-defined
service icmp6 parameter-problem
description This is a pre-defined object
object service icmp6-echo pre-defined
service icmp6 echo
description This is a pre-defined object
object service icmp6-echo-reply pre-defined
service icmp6 echo-reply
description This is a pre-defined object
object service icmp6-membership-query pre-defined
service icmp6 membership-query
description This is a pre-defined object
object service icmp6-membership-report pre-defined
service icmp6 membership-report
description This is a pre-defined object
object service icmp6-membership-reduction pre-defined
service icmp6 membership-reduction
description This is a pre-defined object
object service icmp6-router-renumbering pre-defined
service icmp6 router-renumbering
description This is a pre-defined object
object service icmp6-router-solicitation pre-defined
service icmp6 router-solicitation
description This is a pre-defined object
object service icmp6-router-advertisement pre-defined
service icmp6 router-advertisement
description This is a pre-defined object
object service icmp6-neighbor-solicitation pre-defined
service icmp6 neighbor-solicitation
description This is a pre-defined object
object service icmp6-neighbor-advertisement pre-defined
service icmp6 neighbor-advertisement
description This is a pre-defined object
object service icmp6-neighbor-redirect pre-defined
service icmp6 neighbor-redirect
description This is a pre-defined object
object service icmp-echo pre-defined
service icmp echo
description This is a pre-defined object
object service icmp-echo-reply pre-defined
service icmp echo-reply
description This is a pre-defined object
object service icmp-unreachable pre-defined
service icmp unreachable
description This is a pre-defined object
object service icmp-source-quench pre-defined
service icmp source-quench
description This is a pre-defined object
object service icmp-redirect pre-defined
service icmp redirect
description This is a pre-defined object
object service icmp-alternate-address pre-defined
service icmp alternate-address
description This is a pre-defined object
object service icmp-router-advertisement pre-defined
service icmp router-advertisement
description This is a pre-defined object
object service icmp-router-solicitation pre-defined
service icmp router-solicitation
description This is a pre-defined object
object service icmp-time-exceeded pre-defined
service icmp time-exceeded
description This is a pre-defined object
object service icmp-parameter-problem pre-defined
service icmp parameter-problem
description This is a pre-defined object
object service icmp-timestamp-request pre-defined
service icmp timestamp-request
description This is a pre-defined object
object service icmp-timestamp-reply pre-defined
service icmp timestamp-reply
description This is a pre-defined object
object service icmp-information-request pre-defined
service icmp information-request
description This is a pre-defined object
object service icmp-information-reply pre-defined
service icmp information-reply
description This is a pre-defined object
object service icmp-mask-request pre-defined
service icmp mask-request
description This is a pre-defined object
object service icmp-mask-reply pre-defined
service icmp mask-reply
description This is a pre-defined object
object service icmp-traceroute pre-defined
service icmp traceroute
description This is a pre-defined object
object service icmp-conversion-error pre-defined
service icmp conversion-error
description This is a pre-defined object
object service icmp-mobile-redirect pre-defined
service icmp mobile-redirect
description This is a pre-defined object
object network ROUTER-2811
host 10.10.1.2
object network ROUTER-2821
host 10.10.0.2
object network WEBCAM-01
host 192.168.1.5
object network DNS-SERVER
host 192.168.1.2
object network ROUTER-3745
host 10.10.2.2
object network RDP-DC1
host 192.168.1.2
object-group network PAT-SOURCE
network-object 10.10.1.0 255.255.255.252
network-object 10.10.0.0 255.255.255.252
network-object 10.10.2.0 255.255.255.252
network-object 192.168.0.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 128.162.1.0 255.255.255.0
network-object 128.162.10.0 255.255.255.0
network-object 128.162.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 98.22.121.x
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object gre
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.121.x interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.121.x object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 4096
logging asdm-buffer-size 100
logging asdm informational
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 747001
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 1 message 313009
logging rate-limit 100 1 message 750003
logging rate-limit 100 1 message 750002
logging rate-limit 100 1 message 750004
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405003
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 60 message 199020
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 429007
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
flow-export template timeout-rate 30
flow-export active refresh-interval 1
mtu Inside 1500
mtu Outside 1500
mtu management 1500
mtu DMZ 1500
mtu VOIP 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
object network RDP-DC1
nat (Inside,Outside) static interface service tcp 3389 3389
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
access-group Outside_access_in in interface Outside
ipv6 dhcprelay timeout 60
router rip
network 10.0.0.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action continue
no cts server-group
no cts sxp enable
no cts sxp default
no cts sxp default source-ip
cts sxp reconciliation period 120
cts sxp retry period 120
user-identity enable
user-identity domain LOCAL
user-identity default-domain LOCAL
user-identity action mac-address-mismatch remove-user-ip
user-identity inactive-user-timer minutes 60
user-identity poll-import-user-group-timer hours 8
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 30 retry-times 5
no user-identity user-not-found enable
aaa authentication ssh console LOCAL
http server enable 443
http 0.0.0.0 0.0.0.0 Inside
http 98.22.121.x 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
no snmp-server enable traps memory-threshold
no snmp-server enable traps interface-threshold
no snmp-server enable traps remote-access session-threshold-exceeded
no snmp-server enable traps connection-limit-reached
no snmp-server enable traps cpu threshold rising
no snmp-server enable traps ikev2 start stop
no snmp-server enable traps nat packet-discard
snmp-server enable
snmp-server listen-port 161
fragment size 200 Inside
fragment chain 24 Inside
fragment timeout 5 Inside
no fragment reassembly full Inside
fragment size 200 Outside
fragment chain 24 Outside
fragment timeout 5 Outside
no fragment reassembly full Outside
fragment size 200 management
fragment chain 24 management
fragment timeout 5 management
no fragment reassembly full management
fragment size 200 DMZ
fragment chain 24 DMZ
fragment timeout 5 DMZ
no fragment reassembly full DMZ
fragment size 200 VOIP
fragment chain 24 VOIP
fragment timeout 5 VOIP
no fragment reassembly full VOIP
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp Inside
no sysopt noproxyarp Outside
no sysopt noproxyarp management
no sysopt noproxyarp DMZ
no sysopt noproxyarp VOIP
service password-recovery
no crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 64
crypto ipsec security-association pmtu-aging infinite
crypto ipsec fragmentation before-encryption Inside
crypto ipsec fragmentation before-encryption Outside
crypto ipsec fragmentation before-encryption management
crypto ipsec fragmentation before-encryption DMZ
crypto ipsec fragmentation before-encryption VOIP
crypto ipsec df-bit copy-df Inside
crypto ipsec df-bit copy-df Outside
crypto ipsec df-bit copy-df management
crypto ipsec df-bit copy-df DMZ
crypto ipsec df-bit copy-df VOIP
crypto ca trustpool policy
revocation-check none
crl cache-time 60
crl enforcenextupdate
crypto isakmp identity auto
crypto isakmp nat-traversal 20
crypto ikev2 cookie-challenge 50
crypto ikev2 limit max-in-negotiation-sa 100
no crypto ikev2 limit max-sa
crypto ikev2 redirect during-auth
crypto ikev1 limit max-in-negotiation-sa 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.121.x 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
ipv6-vpn-addr-assign aaa
ipv6-vpn-addr-assign local reuse-delay 0
no vpn-sessiondb max-other-vpn-limit
no vpn-sessiondb max-anyconnect-premium-or-essentials-limit
no remote-access threshold
l2tp tunnel hello 60
tls-proxy maximum-session 100
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 24.56.178.140 source Outside prefer
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl certificate-authentication fca-timeout 2
webvpn
memory-size percent 50
port 443
dtls port 443
character-encoding none
no http-proxy
no https-proxy
default-idle-timeout 1800
portal-access-rule none
no csd enable
no anyconnect enable
no tunnel-group-list enable
no tunnel-group-preference group-url
rewrite order 65535 enable resource-mask *
no internal-password
no onscreen-keyboard
no default-language
no smart-tunnel notification-icon
no keepout
cache
no disable
max-object-size 1000
min-object-size 0
no cache-static-content enable
lmfactor 20
expiry-time 1
no auto-signon
no error-recovery disable
no ssl-server-check
no mus password
mus host mus.cisco.com
no hostscan data-limit
: # show import webvpn customization
: Template
: DfltCustomization
: # show import webvpn url-list
: Template
: # show import webvpn translation-table
: Translation Tables' Templates:
: PortForwarder
: banners
: customization
: url-list
: webvpn
: Translation Tables:
: fr PortForwarder
: fr customization
: fr webvpn
: ja PortForwarder
: ja customization
: ja webvpn
: ru PortForwarder
: ru customization
: ru webvpn
: # show import webvpn mst-translation
: No MS translation tables defined
: # show import webvpn webcontent
: No custom webcontent is loaded
: # show import webvpn AnyConnect-customization
: No OEM resources defined
: # show import webvpn plug-in
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn none
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
msie-proxy lockdown enable
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
scep-forwarding-url none
client-firewall none
client-access-rule none
webvpn
url-list none
filter none
homepage none
html-content-filter none
port-forward name Application Access
port-forward disable
http-proxy disable
sso-server none
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface private none
anyconnect firewall-rule client-interface public none
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles none
anyconnect ask none
customization none
keep-alive-ignore 4
http-comp gzip
download-max-size 2147483647
upload-max-size 2147483647
post-max-size 2147483647
user-storage none
storage-objects value cookies,credentials
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
unix-auth-uid 65534
unix-auth-gid 65534
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
smart-tunnel auto-signon disable
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
smart-tunnel tunnel-policy tunnelall
always-on-vpn profile-setting
password-policy minimum-length 3
password-policy minimum-changes 0
password-policy minimum-lowercase 0
password-policy minimum-uppercase 0
password-policy minimum-numeric 0
password-policy minimum-special 0
password-policy lifetime 0
no password-policy authenticate-enable
quota management-session 0
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultRAGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultRAGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
class-map type inspect http match-all _default_gator
match request header user-agent regex _default_gator
class-map type inspect http match-all _default_msn-messenger
match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
match request args regex _default_gnu-http-tunnel_arg
match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
match request header host regex _default_firethru-tunnel_1
match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map class-default
match any
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all _default_GoToMyPC-tunnel
match request args regex _default_GoToMyPC-tunnel
match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
match request header host regex _default_httport-tunnel
policy-map type inspect rtsp _default_rtsp_map
description Default RTSP policymap
parameters
policy-map type inspect ipv6 _default_ipv6_map
description Default IPV6 policy-map
parameters
verify-header type
verify-header order
match header routing-type range 0 255
drop log
policy-map type inspect h323 _default_h323_map
description Default H.323 policymap
parameters
no rtp-conformance
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no message-length maximum server
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
policy-map type inspect esmtp _default_esmtp_map
description Default ESMTP policy-map
parameters
mask-banner
no mail-relay
no special-character
no allow-tls
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
log
match header line length gt 998
drop-connection log
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match ehlo-reply-parameter others
mask
policy-map type inspect ip-options _default_ip_options_map
description Default IP-OPTIONS policy-map
parameters
router-alert action allow
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225 _default_h323_map
inspect h323 ras _default_h323_map
inspect rsh
inspect rtsp
inspect esmtp _default_esmtp_map
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options _default_ip_options_map
inspect icmp
inspect icmp error
inspect pptp
class class-default
policy-map type inspect sip _default_sip_map
description Default SIP policymap
parameters
im
no ip-address-privacy
traffic-non-sip
no rtp-conformance
policy-map type inspect dns _default_dns_map
description Default DNS policy-map
parameters
no message-length maximum client
no message-leI ran those commands while I had the nat off on the router and here are the results. note, i didn't make any changes to the ASA as you only said to remove the router RIP which I did and reloaded and no change.
As long as the statements ip nat outside on the Fastethernet 0/0 is off and the ip nat inside is off on the vlan and the overload statement is taken out, I cannot hit the internet.
CISCO-2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-2811(config)#int
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/1.3
CISCO-2811(config-subif)#no ip nat inside
CISCO-2811(config-subif)#exit
CISCO-2811(config)#inter
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/0
CISCO-2811(config-if)#no ip nat outside
CISCO-2811(config-if)#exit
CISCO-2811(config)#$nside source list 1 interface FastEthernet0/0 overload
Dynamic mapping in use, do you want to delete all entries? [no]: y
CISCO-2811(config)#exit
CISCO-2811#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.1.1 202 c47d.4f3b.8ea6 ARPA FastEthernet0/0
Internet 10.10.1.2 - 0019.55a7.2ae8 ARPA FastEthernet0/0
Internet 172.16.10.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.1
Internet 172.16.10.3 238 0011.5c73.28c1 ARPA FastEthernet0/1.1
Internet 172.16.10.50 72 cc2d.8c78.065a ARPA FastEthernet0/1.1
Internet 172.16.20.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.2
Internet 172.16.20.3 196 0011.5c73.28c2 ARPA FastEthernet0/1.2
Internet 192.168.1.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.3
Internet 192.168.1.2 0 0024.e864.01a8 ARPA FastEthernet0/1.3
Internet 192.168.1.3 155 0011.5c73.28c0 ARPA FastEthernet0/1.3
Internet 192.168.1.5 61 4802.2a4c.1c74 ARPA FastEthernet0/1.3
Internet 192.168.1.20 0 5cf9.dd52.5fa9 ARPA FastEthernet0/1.3
Internet 192.168.1.50 0 308c.fb47.f2d9 ARPA FastEthernet0/1.3
Internet 192.168.1.51 1 ec35.8677.4057 ARPA FastEthernet0/1.3
Internet 192.168.1.52 1 b418.d136.ef72 ARPA FastEthernet0/1.3
Internet 192.168.1.53 1 8853.9572.e113 ARPA FastEthernet0/1.3
Internet 192.168.1.54 12 0009.b044.9f23 ARPA FastEthernet0/1.3
Internet 192.168.1.55 0 f47b.5e9a.7ae5 ARPA FastEthernet0/1.3
Internet 192.168.1.149 0 001e.4fc5.a199 ARPA FastEthernet0/1.3
Internet 192.168.1.174 0 b8ac.6fff.af83 ARPA FastEthernet0/1.3
CISCO-2811#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.1.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.1.0/30 is directly connected, FastEthernet0/0
L 10.10.1.2/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.10.0/24 is directly connected, FastEthernet0/1.1
L 172.16.10.1/32 is directly connected, FastEthernet0/1.1
C 172.16.20.0/24 is directly connected, FastEthernet0/1.2
L 172.16.20.1/32 is directly connected, FastEthernet0/1.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/1.3
L 192.168.1.1/32 is directly connected, FastEthernet0/1.3
ASA
ASA5510# sh arp
Inside 10.10.1.2 0019.55a7.2ae8 12342
Outside 199.195.168.113 000c.4243.581a 2
Outside 199.195.168.116 e05f.b947.116b 2436
Outside 199.195.168.120 0017.c58a.1123 9192
DMZ 10.10.0.2 0025.849f.63e0 3192
VOIP 10.10.2.2 000d.bcdc.fc40 7754
ASA5510# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 199.195.168.113 to network 0.0.0.0
S 172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S 172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S 128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
S 128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
S 128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
C 199.195.168.112 255.255.255.240 is directly connected, Outside
C 10.10.0.0 255.255.255.252 is directly connected, DMZ
C 10.10.1.0 255.255.255.252 is directly connected, Inside
S 192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 199.195.168.113, Outside
ASA5510# show xlate
35 in use, 784 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ:10.10.0.2 22-22 to Outside:199.195.168.x 2222-2222
flags sr idle 481:54:14 timeout 0:00:00
TCP PAT from Inside:10.10.1.2 22-22 to Outside:199.195.168.x 222-222
flags sr idle 51:06:46 timeout 0:00:00
TCP PAT from VOIP:10.10.2.2 22-22 to Outside:199.195.168.x 2223-2223
flags sr idle 687:32:27 timeout 0:00:00
TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.168.x 3389-3389
flags sr idle 457:17:01 timeout 0:00:00
TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.168.x 8080-8080
flags sr idle 52:18:58 timeout 0:00:00
NAT from Outside:0.0.0.0/0 to any:0.0.0.0/0
flags sIT idle 353:10:21 timeout 0:00:00
UDP PAT from any:10.10.1.2/52581 to Outside:199.195.168.x/52581 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from any:10.10.1.2/55389 to Outside:199.195.168.x/55389 flags ri idle 0:00:03 timeout 0:00:30
UDP PAT from any:10.10.1.2/51936 to Outside:199.195.168.x/51936 flags ri idle 0:00:04 timeout 0:00:30
UDP PAT from any:10.10.1.2/51345 to Outside:199.195.168.x/51345 flags ri idle 0:00:09 timeout 0:00:30
UDP PAT from any:10.10.1.2/55985 to Outside:199.195.168.x/55985 flags ri idle 0:00:18 timeout 0:00:30
UDP PAT from any:10.10.1.2/49368 to Outside:199.195.168.x/49368 flags ri idle 0:00:22 timeout 0:00:30
UDP PAT from any:10.10.1.2/52441 to Outside:199.195.168.x/52441 flags ri idle 0:00:23 timeout 0:00:30
TCP PAT from any:10.10.1.2/57908 to Outside:199.195.168.x/57908 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57907 to Outside:199.195.168.x/57907 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57906 to Outside:199.195.168.x/57906 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57896 to Outside:199.195.168.x/57896 flags ri idle 0:09:09 timeout 0:00:30
TCP PAT from any:10.10.1.2/57879 to Outside:199.195.168.x/57879 flags ri idle 0:10:23 timeout 0:00:30
TCP PAT from any:10.10.1.2/49441 to Outside:199.195.168.x/49441 flags ri idle 0:20:52 timeout 0:00:30
TCP PAT from any:10.10.1.2/57868 to Outside:199.195.168.x/57868 flags ri idle 0:25:28 timeout 0:00:30
TCP PAT from any:10.10.1.2/60519 to Outside:199.195.168.x/60519 flags ri idle 0:44:11 timeout 0:00:30
TCP PAT from any:10.10.1.2/60491 to Outside:199.195.168.x/60491 flags ri idle 0:44:20 timeout 0:00:30
TCP PAT from any:10.10.1.2/60484 to Outside:199.195.168.x/60484 flags ri idle 0:44:35 timeout 0:00:30
TCP PAT from any:10.10.1.2/60480 to Outside:199.195.168.x/60480 flags ri idle 0:44:51 timeout 0:00:30
TCP PAT from any:10.10.1.2/53851 to Outside:199.195.168.x/53851 flags ri idle 0:54:14 timeout 0:00:30
TCP PAT from any:10.10.1.2/57812 to Outside:199.195.168.x/57812 flags ri idle 0:58:30 timeout 0:00:30
TCP PAT from any:10.10.1.2/57810 to Outside:199.195.168.x/57810 flags ri idle 0:58:32 timeout 0:00:30
TCP PAT from any:10.10.1.2/53847 to Outside:199.195.168.x/53847 flags ri idle 1:00:18 timeout 0:00:30
TCP PAT from any:10.10.1.2/57808 to Outside:199.195.168.x/57808 flags ri idle 1:07:58 timeout 0:00:30
TCP PAT from any:10.10.1.2/60406 to Outside:199.195.168.x/60406 flags ri idle 1:42:13 timeout 0:00:30
TCP PAT from any:10.10.1.2/49259 to Outside:199.195.168.x/49259 flags ri idle 7:39:44 timeout 0:00:30
TCP PAT from any:10.10.1.2/49191 to Outside:199.195.168.x/49191 flags ri idle 7:42:39 timeout 0:00:30
TCP PAT from any:10.10.1.2/55951 to Outside:199.195.168.x/55951 flags ri idle 23:11:40 timeout 0:00:30
TCP PAT from any:10.10.1.2/55944 to Outside:199.195.168.x/55944 flags ri idle 23:15:19 timeout 0:00:30
TCP PAT from any:10.10.1.2/55942 to Outside:199.195.168.x/55942 flags ri idle 23:15:24 timeout 0:00:30
ASA5510# sh conn all
149 in use, 815 most used
TCP Outside 74.125.193.108:993 Inside 10.10.1.2:57879, idle 0:12:37, bytes 6398, flags UIO
TCP Outside 174.35.24.74:80 Inside 192.168.1.20:53879, idle 0:00:01, bytes 0, flags saA
TCP Outside 174.35.24.74:80 Inside 192.168.1.20:53878, idle 0:00:01, bytes 0, flags saA
TCP Outside 17.149.36.177:5223 Inside 10.10.1.2:60480, idle 0:16:53, bytes 4539, flags UIO
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53877, idle 0:00:02, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53876, idle 0:00:02, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53875, idle 0:00:05, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53874, idle 0:00:05, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53872, idle 0:00:11, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53871, idle 0:00:11, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53868, idle 0:00:08, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53867, idle 0:00:08, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53860, idle 0:00:17, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53859, idle 0:00:17, bytes 0, flags saA
TCP Outside 17.172.233.95:5223 Inside 10.10.1.2:49191, idle 0:18:48, bytes 7384, flags UIO
TCP Outside 17.178.100.43:443 Inside 10.10.1.2:57810, idle 0:56:21, bytes 5797, flags UFIO
TCP Outside 23.206.216.93:80 Inside 10.10.1.2:53847, idle 0:54:15, bytes 2683, flags UFIO
TCP Outside 143.127.93.90:80 Inside 10.10.1.2:49259, idle 0:12:20, bytes 13315, flags UIO
TCP Outside 74.125.225.53:443 Inside 192.168.1.20:53864, idle 0:00:11, bytes 0, flags saA
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49204, idle 0:00:04, bytes 67, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:50122, idle 0:00:07, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63275, idle 0:00:08, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63306, idle 0:00:18, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65059, idle 0:00:22, bytes 46, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64681, idle 0:00:30, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64661, idle 0:00:30, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.20:55618, idle 0:00:32, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65056, idle 0:00:33, bytes 48, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:59433, idle 0:00:41, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.20:52178, idle 0:00:42, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:61414, idle 0:00:43, bytes 34, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65438, idle 0:00:44, bytes 44, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63686, idle 0:00:44, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65416, idle 0:00:45, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:53047, idle 0:00:47, bytes 32, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:62213, idle 0:00:46, bytes 74, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:52347, idle 0:00:46, bytes 92, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:58069, idle 0:00:46, bytes 64, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:50753, idle 0:00:46, bytes 74, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65381, idle 0:00:50, bytes 50, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65082, idle 0:00:50, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64038, idle 0:00:50, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49309, idle 0:00:51, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64034, idle 0:00:51, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49197, idle 0:00:51, bytes 50, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64728, idle 0:00:51, bytes 49, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64309, idle 0:00:51, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63289, idle 0:00:51, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64174, idle 0:00:52, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:39286, idle 0:01:09, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63726, idle 0:01:09, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65482, idle 0:01:12, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65091, idle 0:01:13, bytes 61, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64976, idle 0:01:13, bytes 57, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63749, idle 0:00:51, bytes 103, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64043, idle 0:01:14, bytes 52, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64267, idle 0:01:24, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64467, idle 0:01:26, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65504, idle 0:01:26, bytes 46, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:38946, idle 0:01:35, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63701, idle 0:01:38, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63879, idle 0:01:46, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:58516, idle 0:01:49, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63227, idle 0:01:51, bytes 62, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:65446, idle 0:01:53, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49166, idle 0:01:55, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:56680, idle 0:02:01, bytes 33, flags -
UDP Outside 192.55.83.30:53 Inside 192.168.1.2:65073, idle 0:00:44, bytes 50, flags -
TCP Outside 74.125.193.109:993 Inside 10.10.1.2:57808, idle 0:39:33, bytes 6392, flags UFIO
TCP Outside 74.125.225.54:443 Inside 192.168.1.20:53863, idle 0:00:13, bytes 0, flags saA
TCP Outside 143.127.93.89:80 Inside 10.10.1.2:60519, idle 0:46:30, bytes 346, flags UO
TCP Outside 74.125.225.32:443 Inside 192.168.1.20:53881, idle 0:00:01, bytes 0, flags saA
TCP Outside 74.125.225.32:443 Inside 192.168.1.20:53880, idle 0:00:01, bytes 0, flags saA
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:60627, idle 0:00:39, bytes 78, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:52088, idle 0:00:39, bytes 86, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:50533, idle 0:00:39, bytes 76, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:63347, idle 0:00:39, bytes 80, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:62213, idle 0:00:40, bytes 37, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:52347, idle 0:00:40, bytes 46, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:58069, idle 0:00:40, bytes 32, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:50753, idle 0:00:40, bytes 37, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.174:50791, idle 0:01:25, bytes 35, flags -
TCP Outside 74.125.225.46:443 Inside 192.168.1.20:53870, idle 0:00:08, bytes 0, flags saA
TCP Outside 17.173.255.101:443 Inside 10.10.1.2:53851, idle 0:56:33, bytes 58, flags UfIO
TCP Outside 64.4.23.147:33033 Inside 10.10.1.2:55944, idle 0:44:45, bytes 558164, flags UFIO
TCP Outside 74.125.225.35:443 Inside 192.168.1.20:53869, idle 0:00:09, bytes 0, flags saA
UDP Outside 64.4.23.175:33033 Inside 192.168.1.174:26511, idle 0:01:17, bytes 28, flags -
UDP Outside 192.54.112.30:53 Inside 192.168.1.2:65380, idle 0:00:44, bytes 49, flags -
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57908, idle 0:10:47, bytes 7895, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57907, idle 0:10:49, bytes 20323, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57906, idle 0:10:47, bytes 6539, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57868, idle 0:27:44, bytes 6395, flags UIO
TCP Outside 91.190.218.59:443 Inside 10.10.1.2:55942, idle 0:41:39, bytes 2727, flags UFIO
TCP Outside 17.172.233.123:5223 Inside 10.10.1.2:49441, idle 0:23:10, bytes 4409, flags UIO
TCP Outside 74.125.225.41:443 Inside 192.168.1.20:53862, idle 0:00:16, bytes 0, flags saA
TCP Outside 74.125.225.41:443 Inside 192.168.1.20:53861, idle 0:00:16, bytes 0, flags saA
TCP Outside 143.127.93.115:80 Inside 10.10.1.2:60406, idle 0:42:59, bytes 970, flags UFIO
TCP Outside 143.127.93.118:80 Inside 10.10.1.2:60484, idle 0:46:54, bytes 328, flags UO
TCP Outside 17.172.233.98:5223 Inside 10.10.1.2:57896, idle 0:11:28, bytes 5081, flags UIO
UDP Outside 111.221.74.16:33033 Inside 192.168.1.174:26511, idle 0:01:18, bytes 31, flags -
TCP Outside 17.149.36.103:5223 Inside 192.168.1.174:60729, idle 0:00:04, bytes 0, flags saA
UDP Outside 192.5.6.30:53 Inside 192.168.1.2:65317, idle 0:00:44, bytes 51, flags -
UDP Outside 192.12.94.30:53 Inside 192.168.1.2:65356, idle 0:00:44, bytes 54, flags -
TCP Outside 17.149.36.180:5223 Inside 10.10.1.2:55951, idle 0:46:08, bytes 14059, flags UFIO
UDP Outside 111.221.74.28:33033 Inside 192.168.1.174:26511, idle 0:01:20, bytes 33, flags -
TCP Outside 63.235.20.160:80 Inside 192.168.1.20:53873, idle 0:00:08, bytes 0, flags saA
TCP Outside 50.19.127.112:443 Inside 192.168.1.50:60678, idle 0:00:00, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60728, idle 0:00:14, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60727, idle 0:00:15, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60726, idle 0:00:15, bytes 0, flags saA
TCP Outside 65.55.122.234:443 Inside 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA
TCP Outside 65.55.122.234:2492 Inside 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA
UDP Outside 157.55.56.170:33033 Inside 192.168.1.174:26511, idle 0:01:21, bytes 37, flags -
TCP Outside 74.125.230.207:443 Inside 192.168.1.20:53866, idle 0:00:11, bytes 0, flags saA
TCP Outside 74.125.230.207:443 Inside 192.168.1.20:53865, idle 0:00:11, bytes 0, flags saA
UDP Outside 111.221.74.18:33033 Inside 192.168.1.174:26511, idle 0:01:17, bytes 29, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:55546, idle 0:00:06, bytes 46, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:60277, idle 0:00:06, bytes 46, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:55618, idle 0:00:34, bytes 43, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:60627, idle 0:00:36, bytes 78, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:52088, idle 0:00:36, bytes 86, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:50533, idle 0:00:36, bytes 76, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:63347, idle 0:00:36, bytes 80, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:56958, idle 0:01:24, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:51360, idle 0:01:26, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.174:50791, idle 0:01:27, bytes 35, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:54134, idle 0:01:46, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.174:58516, idle 0:01:50, bytes 51, flags -
TCP Outside 23.207.7.46:80 Inside 192.168.1.55:59350, idle 0:00:02, bytes 0, flags saA
TCP Outside 23.207.7.46:80 Inside 192.168.1.55:59349, idle 0:00:16, bytes 0, flags saA
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:50122, idle 0:00:09, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:48088, idle 0:00:42, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:62213, idle 0:00:45, bytes 74, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:52347, idle 0:00:45, bytes 92, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:58069, idle 0:00:45, bytes 64, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:50753, idle 0:00:45, bytes 74, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:61414, idle 0:00:47, bytes 34, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:54481, idle 0:01:08, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:40285, idle 0:01:34, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:65446, idle 0:01:55, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:46155, idle 0:02:00, bytes 33, flags -
UDP Outside 66.104.81.70:5070 Inside 192.168.1.174:57609, idle 0:00:11, bytes 46, flags -
UDP Outside 64.4.23.156:33033 Inside 192.168.1.174:26511, idle 0:01:14, bytes 38, flags -
TCP Outside 65.54.167.15:12350 Inside 10.10.1.2:60491, idle 0:11:02, bytes 1405, flags UIO
TCP Outside 17.172.192.35:443 Inside 10.10.1.2:57812, idle 0:56:11, bytes 6116, flags UFIO
UDP Outside 157.55.56.176:33033 Inside 192.168.1.174:26511, idle 0:01:16, bytes 32, flags -
TCP Inside 192.168.1.20:53667 NP Identity Ifc 10.10.1.1:22, idle 0:00:00, bytes 37555, flags UOB
TCP Inside 10.10.1.2:53431 NP Identity Ifc 10.10.1.1:22, idle 0:09:03, bytes 20739, flags UOB
Ran on the ASA while overload statements were down on the router:
ASA5510# packet-tracer input Inside tcp 192.168.1.100 12345 8.8.8.8 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1988699, packet dispatched to next module
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
Had to put these back in to get to the internet:
CISCO-2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-2811(config)#inter
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/0
CISCO-2811(config-if)#ip nat
CISCO-2811(config-if)#ip nat Outside
CISCO-2811(config-if)#exit
CISCO-2811(config)#in
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/1.3
CISCO-2811(config-subif)#ip nat inside
CISCO-2811(config-subif)#exit
CISCO-2811(config)#$de source list 1 interface FastEthernet0/0 overload
CISCO-2811(config)#
Screenshot of ASDM: -
Route Pattern/Filter Issues
Hello - I had a question that I was hoping someone could help me with. I recently had an issue on CallManager 4.1.3sr6a. I have 10 sites, each using their own set of 6 9.@ route patterns for outgoing calls. Although the patterns are distinct, they all use the same route filters. Today, all of the sites began matching on the route pattern with the seven digit filter rather than matching on the long distance filter when a 91XXXXXXXXXX number was dialed (we tested with a number of numbers in different area codes). I wasn't able to input more digits after the 7th and DNA confirmed that it matched on the seven digit filter. The filters are as follows:
Long Distance =(AREA-CODE EXISTS AND LONG-DISTANCE-DIRECT-DIAL EXISTS)
SevenDigit = (LOCAL-AREA-CODE DOES-NOT-EXIST AND INTERNATIONAL-DIRECT-DIAL DOES-NOT-EXIST AND AREA-CODE DOES-NOT-EXIST AND SERVICE DOES-NOT-EXIST).
I was able to resolve the issue by going to each site, removing the long distance 9.@ pattern and simply readding it (no changes were made to configuration).
It was like it just stopped seeing all patterns using the long distance filter.
I'm wondering if anyone is aware of a bug that may have caused this.
Thanks very much!For detailed descriptions and examples, refer to the Understanding Route Pattern Wildcards and Special Characters section of Understanding Route Plans.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/3_0_9/p1rtundr.html -
ASA5525-X and Cisco 3850 Traffiic routing
Hi,
I apologise if this question has been answered already, I tried searching but found nothing.
I have a Cisco 3850X and an ASA5525 firewall, and I want to create a specific route from a particular VLAN in order to filter the traffic.
I am using VLAN 15, which is intended for wireless access only.
I want to;
Route all wireless hosts traffic on VLAN 15 to the firewall for filtering through two physical interfaces grouped together in a channel-group
Route filtered traffic back from the firewall into the same switch via the same channel-group (same physical interfaces.)
Allow filtered traffic to communicate with other VLANs via their gateways
If somebody could point me in the right direction with this I would appreciate it. I have attached a drawing of the physical cabling to give you a better idea of how the equipment is connected.
Thank you.Hi Collin,
Thanks, I've now managed to create the trunk following your instructions.
I have set the switch up so that the trunks native vlan is 15, but vlans 10-15 are allowed. As follows:
Switch:
interface GigabitEthernet1/0/1
switchport access vlan 15
switchport trunk native vlan 10
switchport trunk allowed vlan 10-15
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
channel-group 2 mode active
interface GigabitEthernet1/0/2
switchport access vlan 15
switchport trunk native vlan 10
switchport trunk allowed vlan 10-15
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
channel-group 2 mode active
Firewall
interface Port-channel10.10
vlan 10
nameif inside
security-level 100
ip address 10.196.10.1 255.255.255.0
interface Port-channel10.15
vlan 15
nameif dmz
security-level 50
ip address 10.196.15.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
I am able to ping the .15 gateway from a host sitting on VLAN15 on the switch, however, even with the 'same-security' configuration I am still unable to ping across to the .10 gateway.
I tried creating a route, 'route inside 10.196.15.0 255.255.255.0 10.196.10.0' however was returned an error message 'Cannot add route connected route exists'. However when I looked at sh route, no such route exists:
C 10.196.15.0 255.255.255.0 is directly connected, dmz
C 10.196.10.0 255.255.255.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, management
I should not that I have only used the gateway addresses 10.196.10.1 and 10.196.15.1 in the firewalls configuration, I have removed these gateway addresses from the switch, as I assumed the firewall should be used as the gateway, and didn't want the switch to route between the vlans internally bypassing the firewall.
I'm obviously still missing something, might I have to setup NAT to translate the two addresses?
Thanks again for your help -
WRT54G filtering email with WEP
I enabled WEP with 128 bit encryption on my router.
I just discovered that it had been filtering emails, blocking some, allowing others and not allowing messages to be sent.
When I removed the Security, I was able to get all my messages. this is on a State Farm computer with it's own security that can't be changed.
Does anyone know why the router filtered the email, and how to disable it if I add the Security back on?
Thank youThank you for your time if I can figure out how to put WPA on the PC and Mac will do so.
Depending on the brand of wireless router, it would be similiar to how you set up WEP currently...instead you would choose the WPA/WPA Personal/WPA Preshared Key option. From either the Mac or PC, you would select your wireless network name or SSID and enter the same password. -
Weired RR issue for vpnv4 routes
We are having 2*RR for MPLs vpn routes. Any PE is having two neighborships one with each RR. But I am facing a one weird issue that update of routes of some vrfs are only forwarding to one RR not to another RR. Can anyone tell me why it is happening?
regards
shivlu jainHello Shivlu,
I've understood you have two RR Servers in your network for address-family vpnv4 that are serving a population of PE nodes.
If I understand correctly one of your RRS is missing some vpnv4 routes associated to some VRFs.
Verify if there are any form of route filtering based on route target value inbound on that RRS or outbound on PE nodes.
There is any route-map applied in AF vpnv4 in RRS or in PE nodes ?
Or are you complaining that for some VRFs some PE nodes receive only routes reflected by a single RRS ?
If the RRS are placed in different points of your topology, there is a chance that one has a better IGP metric to some PE nodes.
May you provide more details with an example of show ip bgp vpnv4 all on source PE, the two RRS, a remote PE ?
What is the memory usage on the second RRS the one with missing routes ?
Hope to help
Giuseppe -
Restrict wireless internet access on certain periods of time
Hello,
We need help on setting up a network with some restrictions for the attached clients.
We're quite new at setting up a network at this size.
Used devices:
1x SRP 540 router
1x SG 300-10P managed switch
4x AP 541N accesspoint
What we want to do:
1. Around 100 laptops and desktop computers need wireless internet access, but some of them on limited times during the day.
2. Not all wireless devices are allowed on using the wireless network.
3. There are also wired desktops that don't need restrictions.
4. We need the possibility to restrict most of the wireless devices to access certain websites or use certain applications on those computers to use internet access during the times that the computers are allowed to access the internet.
5. We want to restrict the clients for using torrents or other possibilities of downloading illegal content.
What we were able to do:
1. The accesspoints (AP 541N) are clustered to achieve 1 large wireless network.
2. Only mac-adresses that are listed in the accesspoints are capable of using the wireless network. Other mac-adresses are not allowed to use the accesspoints.
What we tried already:
1. adding the mac-adresses for the accesspoints to the list of "internet access policy" in the router. Internet access seemed still possible during periods the access wasn't supposed to be possible.
2. adding the mac-adresses from all clients in this internet access policy seemed useless. Only 10 Internet Access Policies seem to be possible to program. 8 mac-adresses per policy. Knowing there are (at least) two policies needed to restrict a group of 8 macs to access the internet in 24 hours (because blocking the internet from f.e. 22u in the evening to 6 in the morning is not possible because 6 is smaller than 22 - or 10PM).
Besides, after blocking internet access, we need also to write policies in blocking some websites or keywords.
Thanks already for your guidelines.
Wimwhat about the thoughts of radius for authentication which is connected to active directory for your wireless users. Then have those people you must limit access too during the day in their own security group that's only allowed to login to the domain during certain times of the day.
To limit sites or what they can do on the Internet will require a separate solution for content/URL filtering. Then you can make policies and apply to your security groups in active directory block by category, keyword, and so on.
This is all great assuming you can get these clients into AD.
Just a quick thought, hope it helps.
_dschlicht
Sent from Cisco Technical Support iPad App -
I think i am going nuts, cos my new BTVerve 450 is a great phone, but it will not display Caller ID. I am with Virgin for my phone line etc, with a wireless router for my laptop. Can anyone help? I really dont want to return the phones, i am really pleased with the unit, but i really need caller ID, especially as i am paying extra for it! Any suggestions would be welcome, Bernie
Try just plugging the phone in without anything else connected (BB Router, Filters, Sky box) and see if that works, if it does plug each item back in on at a time, trying an incoming call each time.
You may find problems with either a duff filter or even the router can sometimes mask the display
(If I have helped you in any way to say "Thank You" please click on the star next to the message. Thank You)
If I have solved your Issue please click the "Mark as accepted solution" button. -
Hi,
I am trying to lock groups to a specific tunnel group but unfortunitly no matter what I do the group-lock feature doesnt seem to work. Basically here is what I want to do:
1-Users detail is pulled from AD through LDAP
2-AD group is mapped to the appropriate group on the ASA using attribute mapping
3-user should only use the tunnel that he/she is locked to
4-this all should be done without the user needing to select a group the vpn portal
5-we will be using Any connect and VPN portal for communication
All works fine except the group-lock feature. If enabled and set to "group-lock value NET_ADMIN_G" I get the following error on debug webvpn and the user is not allowed in.
webvpn_auth.c:http_webvpn_post_authentication[1503]
WebVPN: user: (test) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2905]
User came in on group he wasn't supposed to come in on!
when removed no matter what I do the user is mapped to DefaultWEBVPNGroup tunnel group,
SSLVPN(config-group-policy)# sho vpn-sessiondb webvpn
Session Type: WebVPN
Username : test Index : 132
Public IP : 10.1.1.1
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)AES256 Hashing : Clientless: (1)SHA1
Bytes Tx : 252897 Bytes Rx : 48894
Group Policy : NET_ADMIN Tunnel Group : DefaultWEBVPNGroup
Login Time : 11:18:13 EDT Fri Mar 22 2013
Duration : 0h:01m:12s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Asa is on 9.11.4.
group policy:
group-policy NET_ADMIN internal
group-policy NET_ADMIN attributes
wins-server none
dns-server value 2.2.2.2
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-session-timeout alert-interval 25
vpn-filter value VPN_SPLIT_TUNNEL
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
password-storage disable
ip-comp enable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT_TUNNEL
default-domain value brightstarcorp.com
split-dns value brightstarcorp.com
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn value svgmelb.au.brightstarcorp.com
leap-bypass disable
nem disable
backup-servers clear-client-config
msie-proxy method no-modify
vlan none
nac-settings none
address-pools value SSL_POOL
ipv6-address-pools none
scep-forwarding-url none
client-firewall none
client-access-rule none
webvpn
url-list value NETADMIN_BOOKMARK
filter value INTERNAL_WEBACL
homepage use-smart-tunnel
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value posture
anyconnect profiles value net_admin_p type user
anyconnect ask none default webvpn
customization value NETADMIN_PORTAL
hidden-shares visible
activex-relay enable
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
anyconnect ssl df-bit-ignore disable
always-on-vpn profile-setting
auto-signon allow uri * auth-type all
Tunnel Group:
tunnel-group NET_ADMIN_G type remote-access
tunnel-group NET_ADMIN_G general-attributes
address-pool SSL_POOL
authentication-server-group LDAP
authorization-server-group LDAP
accounting-server-group RGROUPADMIN
default-group-policy NET_ADMIN
authorization-required
tunnel-group NET_ADMIN_G webvpn-attributes
customization NETADMIN_PORTAL
group-alias infra_network enable
group-url https://x.x.x.x/network enable
dns-group DNSGROUP
Any ideas?
Thanks in advanceHi Portu,
Heres debug Ldap:
SLVPN#
[553] Session Start
[553] New request Session, context 0x00007fff33beb228, reqType = Authentication
[553] Fiber started
[553] Creating LDAP context with uri=ldap://1.1.1.13:389
[553] Connect to LDAP server: ldap://1.1.1.13:389, status = Successful
[553] supportedLDAPVersion: value = 3
[553] supportedLDAPVersion: value = 2
[553] Binding as bind
[553] Performing Simple authentication for test to 1.1.1.13
[553] LDAP Search:
Base DN = [OU=xx ENTERPRISE,DC=xxx,DC=com]
Filter = [sAMAccountName=test]
Scope = [SUBTREE]
[553] User DN = [CN=test,OU=Users,OU=xx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com]
[553] Talking to Active Directory server 1.1.1.13
[553] Reading password policy for test, dn:CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com
[553] Read bad password count 0
[553] Binding as test
[553] Performing Simple authentication for test to 1.1.1.13
[553] Processing LDAP response for user test
[553] Message (test):
[553] Authentication successful for test to 1.1.1.13
[553] Retrieved User Attributes:
[553] objectClass: value = top
[553] objectClass: value = person
[553] objectClass: value = organizationalPerson
[553] objectClass: value = user
[553] cn: value = test
[553] sn: value =
[553] c: value = AU
[553] l: value = xxx
[553] st: value = xxx
[553] title: value = test user / IT
[553] description: value = Network
[553] postalCode: value = xxx
[553] physicalDeliveryOfficeName: value = xxx
[553] telephoneNumber: value = xxx
[553] givenName: value = test
[553] distinguishedName: value = CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=br
[553] instanceType: value = 4
[553] whenCreated: value = 20110327224420.0Z
[553] whenChanged: value = 20130319223953.0Z
[553] displayName: value = test
[553] uSNCreated: value = 84454809
[553] memberOf: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=
[553] mapped to IETF-Radius-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] mapped to LDAP-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] memberOf: value = CN=Networks,OU=Distribution Groups,OU=xxx,OU=Australia,OU=APAC,OU=
[553] mapped to IETF-Radius-Class: value = NET_ADMIN
[553] mapped to LDAP-Class: value = NET_ADMIN
[553] memberOf: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate
[553] mapped to IETF-Radius-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] mapped to LDAP-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com
aaa common debug:
AAA API: In aaa_open
AAA session opened: handle = 3
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
Initiating authentication to primary server (Svr Grp: LDAP)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 1.1.1.13
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authentication Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = ACCEPT
AAA_NextFunction: authen svr = BSTAR_LDAP, author svr = LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_USER_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(NET_ADMIN)
Got server ID 0 for group policy DB
Initiating user group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: NET_ADMIN
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up NET_ADMIN
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
User Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_USER_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_AUTHORIZE,
AAA FSM: In AAA_InitTransaction
Initiating authorization query (Svr Grp: LDAP)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 1.1.1.13
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authorization Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_AUTHORIZE, auth_status = ACCEPT
AAA_NextFunction: author svr = BSTAR_LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_AUTH_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(NET_ADMIN)
Got server ID 0 for group policy DB
Initiating authorization group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: NET_ADMIN
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up NET_ADMIN
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authorization Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_AUTH_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_TUNN_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(DfltGrpPolicy)
Got server ID 0 for group policy DB
Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: DfltGrpPolicy
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up DfltGrpPolicy
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Tunnel Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
Class attribute created from LDAP-Class attribute
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
Checking simultaneous login restriction (max allowance=3) for user test
AAA FSM: In AAA_Callback
user attributes:
1 User-Name(1) 6 "test"
2 User-Password(2) 10 (hidden)
3 Group-Policy(4121) 9 "NET_ADMIN"
4 AAA-AVP-Table(4243) 11268 "[04],[00][00]t[00][00][00][F8][03][00][00][0F][04][00]"
5 LDAP-Class(20520) 10 "NET_ADMIN[00]"
6 LDAP-Class(20520) 11 "USERS[00]"
user policy attributes:
1 Filter-Id(11) 8 "VPN_SPLIT_TUNNEL"
2 Session-Timeout(27) 4 0
3 Idle-Timeout(28) 4 30
4 Access-Hours(4097) 0 0x00007fff35d685e0 ** Unresolved Attribute **
5 Simultaneous-Logins(4098) 4 3
6 Primary-DNS(4101) 4 IP: 1.1.1.13
7 Secondary-DNS(4102) 4 IP: 1.1.1.30
8 Primary-WINS(4103) 4 IP: 0.0.0.0
9 Secondary-WINS(4104) 4 IP: 0.0.0.0
10 Tunnelling-Protocol(4107) 4 52
11 Banner(4111) 446 "This is a PRIVATE computer system, which may be acces"
12 Store-PW(4112) 4 0
13 Split-Tunnel-Inclusion-List(4123) 8 "VPN_SPLIT_TUNNEL"
14 Default-Domain-Name(4124) 18 "xxxxcorp.com"
15 Secondary-Domain-Name-List(4125) 18 "xxxxcorp.com"
16 Nat-Enabled-IPSec(4130) 4 0
17 IPSec-UDP-Port(4131) 4 10000
18 IPComp(4135) 4 1
19 Authentication-On-Rekey(4138) 4 0
20 Required-Firewall-Vendor-Code(4141) 0 0x0000000002e006b0 ** Unresolved Attribute **
21 Required-Firewall-Product-Code(4142) 0 0x0000000002e006b0 ** Unresolved Attribute **
22 Required-Firewall-Description(4143) 0 0x00007fff35d687fa ** Unresolved Attribute **
23 Secure-unit-config(4144) 4 0
24 Individual-user-auth-config(4145) 4 0
25 User-auth-idle-timeout(4146) 4 0
26 Cisco-IP-telephony-config(4147) 4 0
27 Split-Tunneling-Policy(4151) 4 1
28 Required-Firewall-Capability(4152) 0 0x0000000002e006b0 ** Unresolved Attribute **
29 Client Firewall Optional(4154) 0 0x0000000002e006b0 ** Unresolved Attribute **
30 Backup-Ip-Sec-Peers-Enabled(4155) 4 2
31 Network-Extension-Mode-Allowed(4160) 4 0
32 URL list name(4167) 17 "NETADMIN_BOOKMARK"
33 ACL-like filters(4169) 8 "INTERNAL_WEBACL"
34 Cisco-LEAP-Passthrough-config(4171) 4 0
35 IKE Client Type and Version Limiting policy rules(4173) 0 0x00007fff35d68835 ** Unresolved Attribute **
36 IE-Proxy-Server-Method(4177) 4 1
37 The tunnel group that tunnel must be associated with(4181) 11 "NET_ADMIN_G"
38 User ACL for inbound traffic(4182) 8 ""
39 User ACL for outbound traffic(4183) 8 ""
40 Indicates whether or not PFS is required for IPSec(4184) 4 0
41 WebVPN URL Entry enable(4189) 4 1
42 WebVPN File Server Entry enable(4191) 4 1
43 WebVPN File Server Browsing enable(4192) 4 1
44 WebVPN SVC Keep enable(4201) 4 1
45 WebVPN SVC Keepalive interval(4203) 4 20
46 WebVPN SVC Client DPD period(4204) 4 30
47 WebVPN SVC Gateway DPD period(4205) 4 30
48 WebVPN SVC Rekey period(4206) 4 0
49 WebVPN SVC Rekey method(4207) 4 0
50 WebVPN SVC Compression(4208) 4 2
51 WebVPN Customization(4209) 15 "NETADMIN_PORTAL"
52 WebVPN Deny message(4212) 180 "Login was successful, but because certain criteria ha"
53 WebVPN SVC DTLS Compression(4213) 4 2
54 Extended Authentication-On-Rekey(4218) 4 0
55 WebVPN SVC DTLS enable(4219) 4 1
56 WebVPN SVC MTU(4221) 4 1406
57 CIFS hidden shares(4222) 4 1
58 CVC-Modules(4223) 7 "posture"
59 CVC-Profile(4224) 17 "net_admin_p#user,"
60 CVC-Ask(4227) 4 4
61 CVC-Ask-Timeout(4228) 4 0
62 WebVPN ActiveX Relay(4233) 4 1
63 VLAN ID(4236) 4 0
64 NAC Settings(4237) 0 0x00007fff35d68985 ** Unresolved Attribute **
65 WebVPN Session timeout alert interval(4245) 4 25
66 List of address pools to assign addresses from(4313) 13 "SSL_POOL"
67 List of IPv6 address pools to assign addresses from(4314) 0 0x00007fff35d68998 ** Unresolved Attribute **
68 Smart tunnel on home page enable(4324) 4 1
69 Disable Always-On VPN(4325) 4 0
70 SVC ignore DF bit(4326) 4 0
71 Client Bypass Protocol(4331) 4 0
72 Gateway FQDN(4333) 29 "xxx.xxxxcorp.com"
73 CA URL for SCEP enrollment(20530) 0 0x00007fff35d689c7 ** Unresolved Attribute **
tunnel policy attributes:
1 Filter-Id(11) 8 "VPN_SPLIT_TUNNEL"
2 Session-Timeout(27) 4 0
3 Idle-Timeout(28) 4 30
4 Access-Hours(4097) 0 0x00007fff351cddd0 ** Unresolved Attribute **
5 Simultaneous-Logins(4098) 4 0
6 Primary-DNS(4101) 4 IP: 10.125.3.7
7 Secondary-DNS(4102) 4 IP: 10.125.3.5
8 Primary-WINS(4103) 4 IP: 0.0.0.0
9 Secondary-WINS(4104) 4 IP: 0.0.0.0
10 Tunnelling-Protocol(4107) 4 124
11 Banner(4111) 446 "This is a PRIVATE computer system, which may be acces"
12 Store-PW(4112) 4 0
13 Group-Policy(4121) 13 "DfltGrpPolicy"
14 Split-Tunnel-Inclusion-List(4123) 8 "VPN_SPLIT_TUNNEL"
15 Default-Domain-Name(4124) 18 "xxxxcorp.com"
16 Secondary-Domain-Name-List(4125) 0 0x00007fff351cdfc7 ** Unresolved Attribute **
17 Nat-Enabled-IPSec(4130) 4 0
18 IPSec-UDP-Port(4131) 4 10000
19 IPComp(4135) 4 0
20 Authentication-On-Rekey(4138) 4 0
21 Secure-unit-config(4144) 4 0
22 Individual-user-auth-config(4145) 4 0
23 User-auth-idle-timeout(4146) 4 30
24 Cisco-IP-telephony-config(4147) 4 0
25 Split-Tunneling-Policy(4151) 4 1
26 Client Firewall Optional(4154) 0 0x00007fff351cdfec ** Unresolved Attribute **
27 Backup-Ip-Sec-Peers-Enabled(4155) 4 1
28 Group-giaddr(4157) 4 IP: 0.0.0.0
29 Intercept-DHCP-Configure-Msg(4158) 4 0
30 Client-Subnet-Mask(4159) 4 IP: 255.255.255.255
31 Network-Extension-Mode-Allowed(4160) 4 0
32 WebVPN Content Filter Parameters(4165) 4 0
33 WebVPN Parameters configuration(4166) 4 1
34 URL list name(4167) 0 0x00007fff351ce008 ** Unresolved Attribute **
35 Forwarded ports(4168) 0 0x00007fff351ce009 ** Unresolved Attribute **
36 ACL-like filters(4169) 8 "INTERNAL_WEBACL"
37 Cisco-LEAP-Passthrough-config(4171) 4 0
38 Default WebVPN homepage(4172) 0 0x00007fff351ce016 ** Unresolved Attribute **
39 IKE Client Type and Version Limiting policy rules(4173) 0 0x00007fff351ce017 ** Unresolved Attribute **
40 Application Access Name(4175) 18 "Application Access"
41 IE-Proxy-Server(4176) 0 0x00007fff351ce02b ** Unresolved Attribute **
42 IE-Proxy-Server-Method(4177) 4 1
43 IE-Proxy-Server-Exceptions(4178) 0 0x00007fff351ce030 ** Unresolved Attribute **
44 IE-Proxy-Server-Bypass-Local(4179) 4 0
45 The tunnel group that tunnel must be associated with(4181) 0 0x00007fff351ce035 ** Unresolved Attribute **
46 Indicates whether or not PFS is required for IPSec(4184) 4 0
47 NAC Enable/Disable(4185) 4 0
48 NAC Status Query Timer(4186) 4 300
49 NAC Revalidation Timer(4187) 4 36000
50 NAC Default ACL(4188) 8 ""
51 WebVPN URL Entry enable(4189) 4 0
52 WebVPN File Server Entry enable(4191) 4 0
53 WebVPN File Server Browsing enable(4192) 4 0
54 WebVPN Port Forwarding enable(4193) 4 0
55 WebVPN Port Forwarding Exchange Proxy enable(4194) 4 0
56 WebVPN Port Forwarding HTTP Proxy enable(4195) 4 0
57 WebVPN SVC enable(4199) 4 0
58 WebVPN SVC Required enable(4200) 4 0
59 WebVPN SVC Keep enable(4201) 4 0
60 WebVPN SVC Keepalive interval(4203) 4 20
61 WebVPN SVC Client DPD period(4204) 4 30
62 WebVPN SVC Gateway DPD period(4205) 4 30
63 WebVPN SVC Rekey period(4206) 4 0
64 WebVPN SVC Rekey method(4207) 4 0
65 WebVPN SVC Compression(4208) 4 2
66 WebVPN Customization(4209) 0 0x00007fff351ce08a ** Unresolved Attribute **
67 Single Sign On Server Name(4210) 0 0x00007fff351ce08b ** Unresolved Attribute **
68 WebVPN SVC Firewall Rule(4211) 17 "private#,public#,"
69 WebVPN Deny message(4212) 180 "Login was successful, but because certain criteria ha"
70 WebVPN SVC DTLS Compression(4213) 4 2
71 HTTP compression method(4216) 4 0
72 Maximum object size to ignore for updating the session timer(4217) 4 4
73 Extended Authentication-On-Rekey(4218) 4 0
74 WebVPN SVC DTLS enable(4219) 4 1
75 WebVPN SVC MTU(4221) 4 1406
76 CIFS hidden shares(4222) 4 0
77 CVC-Modules(4223) 20 "dart,vpngina,posture"
78 CVC-Profile(4224) 15 "IPSEC_VPN#user,"
79 CVC-IKE-Retry-Timeout(4225) 4 10
80 CVC-IKE-Retry-Count(4226) 4 3
81 CVC-Ask(4227) 4 2
82 CVC-Ask-Timeout(4228) 4 0
83 IE-Proxy-Pac-URL(4229) 0 0x00007fff351ce1a4 ** Unresolved Attribute **
84 IE-Proxy-Lockdown(4230) 4 1
85 WebVPN Smart Tunnel(4232) 0 0x00007fff351ce1a9 ** Unresolved Attribute **
86 WebVPN ActiveX Relay(4233) 4 1
87 WebVPN Smart Tunnel Auto Download enable(4234) 4 0
88 WebVPN Smart Tunnel Auto Sign On enable(4235) 0 0x00007fff351ce1b2 ** Unresolved Attribute **
89 VLAN ID(4236) 4 0
90 NAC Settings(4237) 0 0x00007fff351ce1b7 ** Unresolved Attribute **
91 MemberOf(4241) 0 0x00007fff351ce1b8 ** Unresolved Attribute **
92 WebVPN Idle timeout alert interval(4244) 4 1
93 WebVPN Session timeout alert interval(4245) 4 1
94 Maximum object size for download(4253) 4 2147483647
95 Maximum object size for upload(4254) 4 2147483647
96 Maximum object size for post(4255) 4 2147483647
97 User storage(4256) 0 0x00007fff351ce1cd ** Unresolved Attribute **
98 User storage objects(4257) 19 "cookies,credentials"
99 User storage shared key(4258) 0 0x00007fff351ce1e2 ** Unresolved Attribute **
100 VDI configuration(4259) 0 0x00007fff351ce1e3 ** Unresolved Attribute **
101 NAC Exception List(4312) 4 0
102 List of address pools to assign addresses from(4313) 0 0x00007fff351ce1e8 ** Unresolved Attribute **
103 List of IPv6 address pools to assign addresses from(4314) 0 0x00007fff351ce1e9 ** Unresolved Attribute **
104 IPv6 filter-id(4315) 8 ""
105 WebVPN Unix user ID(4317) 4 65534
106 WebVPN Unix group ID(4318) 4 65534
107 Disconnect VPN tunnel when a Smartcard is removed(4321) 4 1
108 WebVPN Smart Tunnel Tunnel Policy(4323) 0 0x00007fff351ce1fe ** Unresolved Attribute **
109 Disable Always-On VPN(4325) 4 1
110 SVC ignore DF bit(4326) 4 0
111 SVC client routing/filtering ignore(4327) 4 0
112 Configure the behaviour of DNS queries by the client when Split tunneling is enabled(4328) 4 0
113 Client Bypass Protocol(4331) 4 0
114 IPv6-Split-Tunneling-Policy(4332) 4 0
115 Gateway FQDN(4333) 0 0x00007fff351ce217 ** Unresolved Attribute **
116 CA URL for SCEP enrollment(20530) 0 0x00007fff351ce218 ** Unresolved Attribute **
Auth Status = ACCEPT
AAA API: In aaa_close
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 3
In aaai_close_session (3)
Thanks, -
AnyConnect client reconnects after 1 minute
AnyConnect client reconnects after 1 minute; WHY
version 3.1.02026
ASA:asa911-k8.bin
[25-4-2013 8:16:11] Establishing VPN session...
[25-4-2013 8:16:11] Checking for profile updates...
[25-4-2013 8:16:11] Checking for product updates...
[25-4-2013 8:16:11] Checking for customization updates...
[25-4-2013 8:16:11] Performing any required updates...
[25-4-2013 8:16:12] Establishing VPN session...
[25-4-2013 8:16:12] Establishing VPN - Initiating connection...
[25-4-2013 8:16:12] Establishing VPN - Examining system...
[25-4-2013 8:16:12] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:16:15] Establishing VPN - Configuring system...
[25-4-2013 8:16:16] Establishing VPN...
[25-4-2013 8:16:16] Connected to my.vpn.com.
[25-4-2013 8:16:16] Connected to my.vpn.com.
[25-4-2013 8:17:19] Reconnecting to my.vpn.com...
[25-4-2013 8:17:19] Establishing VPN - Examining system...
[25-4-2013 8:17:24] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:17:25] Establishing VPN - Configuring system...
[25-4-2013 8:17:25] Establishing VPN...
[25-4-2013 8:17:25] Connected to my.vpn.com.
[25-4-2013 8:17:25] Reconnecting to my.vpn.com...
[25-4-2013 8:17:25] Establishing VPN - Examining system...
[25-4-2013 8:17:25] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:17:25] Establishing VPN - Configuring system...
[25-4-2013 8:17:25] Establishing VPN...
[25-4-2013 8:17:25] Connected to my.vpn.com.
[25-4-2013 8:16:11] Establishing VPN session...
[25-4-2013 8:16:11] Checking for profile updates...
[25-4-2013 8:16:11] Checking for product updates...
[25-4-2013 8:16:11] Checking for customization updates...
[25-4-2013 8:16:11] Performing any required updates...
[25-4-2013 8:16:12] Establishing VPN session...
[25-4-2013 8:16:12] Establishing VPN - Initiating connection...
[25-4-2013 8:16:12] Establishing VPN - Examining system...
[25-4-2013 8:16:12] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:16:15] Establishing VPN - Configuring system...
[25-4-2013 8:16:16] Establishing VPN...
[25-4-2013 8:16:16] Connected to my.vpn.com.
[25-4-2013 8:16:16] Connected to my.vpn.com.
[25-4-2013 8:17:19] Reconnecting to my.vpn.com...
[25-4-2013 8:17:19] Establishing VPN - Examining system...
[25-4-2013 8:17:24] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:17:25] Establishing VPN - Configuring system...
[25-4-2013 8:17:25] Establishing VPN...
[25-4-2013 8:17:25] Connected to my.vpn.com.
[25-4-2013 8:17:25] Reconnecting to my.vpn.com...
[25-4-2013 8:17:25] Establishing VPN - Examining system...
[25-4-2013 8:17:25] Establishing VPN - Activating VPN adapter...
[25-4-2013 8:17:25] Establishing VPN - Configuring system...
[25-4-2013 8:17:25] Establishing VPN...
[25-4-2013 8:17:25] Connected to my.vpn.com.Hello Michael,
The problem here is because we cannot succesfully establish a DTLS tunnel. This could happen because:
- DTLS is blocked somewhere in the path
- A non-default DTLS port is being used
If DTLS is blocked in the middle the issue is because as of ASA Release 9.x and AnyConnect Release 3.x, an optimization has been introduced in the form of distinct Maximum Transition Units (MTUs) that are negotiated for TLS/DTLS between the client/ASA. Previously, the client derived a rough estimate MTU which covered both TLS/DTLS and was obviously less than optimal. Now, the ASA computes the encapsulation overhead for both TLS/DTLS and derives the MTU values accordingly.
As long as DTLS is enabled, the client applies the DTLS MTU (in this case 1418) on the VPN adapter (which is enabled before the DTLS tunnel is established and is needed for routes/filters enforcement), to ensure optimum performance. If the DTLS tunnel cannot be established or it is dropped at some point, the client fails over to TLS and adjusts the MTU on the virtual adapter (VA) to the TLS MTU value (this requires a session level reconnect).
In order to eliminate this visible transition of DTLS > TLS, you can configure a separate tunnel group for TLS only access for users that have trouble with the establishment of the DTLS tunnel (such as due to firewall restrictions).
1. The best option is to set the AnyConnect MTU value to be lower than the TLS MTU, which is then negotiated.
group-policy ac_users_group attributes
webvpn
anyconnect mtu 1300
This makes TLS and DTLS MTU values equal. Reconnections are not seen in this case.
2. The second option is to allow fragmentation.
group-policy ac_users_group attributes
webvpn
anyconnect ssl df-bit-ignore enable
With fragmentation, large packets (whose size exceeds the MTU value) can be fragmented and sent through the TLS tunnel.
3. The third option is to set the Maximum Segment Size (MSS) to 1460 as follows:
sysopt conn tcpmss 1460
In this case, the TLS MTU will be 1427 (RC4/SHA1) which is larger than the DTLS MTU 1418 (AES/SHA1/LZS). This should resolve the issue with TCP from the ASA to the AnyConnect client (thanks to MSS), but large UDP traffic from the ASA to the AnyConnect client might suffer from this as it will be dropped by the AnyConnect client due to the lower AnyConnect client MTU 1418. If sysopt conn tcpmss is modified, it might affect other features such as LAN-to-LAN (L2L) IPSec VPN tunnels.
If DTLS is not blocked in the middle another potential cause for the DTLS failure that DTLS is configured on a non-default port after the WebVPN is enabled (for example, when the webvpn enable outside command is entered). This is due to Cisco bug ID CSCuh61321 and has been seen in Release 9.x where the ASA pushes the non-default port to the client, but continues to listen to the default port. Consequently, the DTLS is not built and AnyConnect reconnects.
The workaround for this problem is:
Disable the WebVPN.
Enter the DTLS port.
Enable the WebVPN.
Regards,
-Gustavo Medina -
Hi
Where do I start?
I had BT BB (unlimited ) for ages now and until recently (January) never had a problem with speed, I normally could get around 5mb, I noticed back in January it started to slow down - reported it did various tests prior to calling the help desk including replacing the router, filters, using the engineers plug, removing everything and trying again although I could not use the BT speedtest site as it said they could not verify that the number was BB activated, then and was told there was an issue with the line and it will be resolved, a month went by and still no improvement - again spoke to India -told that the 10 stabilisation period would be a factor, (then told him it had been a month).. doh! and was assured the issue would be resolved, again no improvement - the third time was told there was some maintenance at my exchange due to the number of faults reported, but I would see a drastic improvement with in 10 days stabilisation period (MY A**E)
Again a further 10 days down the line - its bottomed out at 1.5 mb at 1:30 am so shouldn't have been shaped / throttled either.
In June I spoke with the Help (ha) desk again and went through tests again!, and was told we will send an engineer out. The engineer could not find anything wrong although he changed the master socket as there was slight corrosion on the interior of the socket, he did a few tests with his box of tricks and said that I should be getting at least 5mb, did a test there and then.. on the BT site and it showed 3mb - he did mention that perhaps I was being throttled and should speak to the helpdesk but there was no fault with line, we even changed the router for a version 3 to see if there was an improvement ( also had an issue with port forwarding) - again no improvement
I spoke with the desk - was told there was an issue with my profile and it would take 10 days to stabilise again, a further 10 days down the line it slowed even more - 2.5Mb (any time of day) and had to reboot the box every other day as it kicked all the wireless connections off? - and my profile was still stuck at 3000kb .
again I spoke with the desk, and was told ahh yes well it will either improve or get worse?? (told them that's rubbish) but was told not to switch the box off (which I didn't) as they would send another profile and this would sort the issue once and for all..
10 days later.. We still had the same issue although I didn't have to reset half as much (but did some investigation and the router still shows the attached devices as present (wifi) when it bombs the wifi connection, (set to auto) changed it since and had no issues.
Anyway back to the issue - I called back to the helpdesk and again explained all the issues - after further line tests - was told it was an issue with my profile - (must be a standard card they read from) - I explained that they had changed it several times, and it had NOT resolved it.. IN FACT MADE IT WORSE!..
I was then passed to a supervisor who promised (yes Promised) that this issue would be resolved by 5:30pm of that day. I was rung back within 5 minutes of ending that call but the advisor I previously called just confirming that I was happy with the result and that her or someone from her team would contact me at 6pm to confirm it was all running as it should.
WHHOOHOO! Finally some light at the end of the tunnel.. (although it may have been throttled!..lol)
We received a call at 6 PM where the advisor on the end told my wife (NOT the account holder) that it would take a further 48 hrs - and promptly hung up.
Very 'MIFFED' I called cancellations - who apologised and offed me half price broadband - if I signed up for a further 12 months.. ( I currently pay £47 for a unlimited package) ... ALL I WANT IS MY BANDWIDTH BACK! and im not going to pay half - for what I consider 1/4 of the bandwidth I should be getting.
We have just had a bank holiday in the UK so I have give them the benefit of the doubt and gave them till today (from Friday- Friday) - guess what NO CHANGE!
In the meantime a friend has just had his BT BB installed (200 YDS) down the street - so I poped round with my laptop and did a test...
8/30/2011 9:28 AM GMT
86.153.210.***
6.31 Mb/s
0.37 Mb/s
45 ms
Coventry
< 50 mi
Makes you think (his profile is set @ 8 Mb)
Again I spoke with the desk - again after further line tests was told that the problem is with my profile - I asked again to speak to a supervisor- who then told me that it would be sorted by end of play today (here we go again!)
sorry for the long winded waffle - but my question is .... is there anyone who can fix this??
cheers
ps below are the tests / router stats
Download speedachieved during the test was - 2730 Kbps
For your connection, the acceptable range of speeds is 600-7150 Kbps.
Additional Information:
Your DSL Connection Rate :3872 Kbps(DOWN-STREAM), 448 Kbps(UP-STREAM)
IP Profile for your line is - 3000 Kbpsed
Line state:
Connected
Connection time:
3 days, 02:09:23
Downstream:
3.781 Mbps
Upstream:
448 Kbps
ADSL Settings
VPI/VCI:
0/38
Type:
PPPoA
Modulation:
G.992.1 Annex A
Latency type:
Interleaved
Noise margin (Down/Up):
14.0 dB / 21.0 dB
Line attenuation (Down/Up):
44.1 dB / 27.0 dB
Output power (Down/Up):
19.1 dBm / 11.9 dBm
FEC Events (Down/Up):
78993 / 278
CRC Events (Down/Up):
2279 / 44
Loss of Framing (Local/Remote):
0 / 0
Loss of Signal (Local/Remote):
0 / 0
Loss of Power (Local/Remote):
0 / 0
HEC Events (Down/Up):
5063 / 21
Error Seconds (Local/Remote):
1710 / 42Hi
thanks John46 for your reply, It seems like an awful lot of people are having the same issue right across he UK.. Just cant help thinking is this a sales ploy for all of us to transfer to Infinity... or even this is because of infiniy.. and BT have to throttle to ensure they get their stated bandwidth.
just had enough of paying out hard earned money(£47 per month) for less than sub- standard service.
I feel a cancelation coming on....
cheers anyway
'awaiting to be dispaointed at yet again'
Spoiler (Highlight to read)
Just cant help thinking is this a sales ploy for all of us to transfer to Infinity...
Just cant help thinking is this a sales ploy for all of us to transfer to Infinity... -
Hello All,
I've run into a compiling error that has me stumped. I'm using labview 8.5.1, NRIO 2.4.0, and FPGA 8.5.1 on a CRIO-9014 & 9104. When compiling the code attached I get the following error:
Analyzing generic Entity <bushold> in library <work> (Architecture <rtl>).
ERROR:Xst:807 - "C:/NIFPGA85/srvrTmp/LOCALH~1/PLANEV~1/bushold.vhd" line 1541: arguments of 'or' operator must have same lengths.
-->
Total memory usage is 546644 kilobytes
Number of errors : 1 ( 0 filtered)
Number of warnings : 540 ( 0 filtered)
Number of infos : 2 ( 0 filtered)
ERROR:Xflow - Program xst returned error code 6. Aborting flow execution...
My best guess is this error has something to do with the metafiles generated by labview before final compilation into the FPGA bitstream. I've tried tweaking the code here and there and haven't found the source of the error yet. I'm going to go through with disable blocks and see where the error lies.
Anyone else run into something like this? I could use some help.
Attachments:
FPGA Code.zip 1354 KBHi mmalluck,
Clusters of 1D arrays are supported in LabVIEW FPGA. I was able to compile a small VI with code similar to yours - a for loop with four autoindexed tunnels bundled into a cluster.
I am not entirely sure why separating the arrays eliminated that error, but I am glad to hear that your program compiles now.
Jennifer R.
National Instruments
Applications Engineer
Maybe you are looking for
-
Captivate 4 - after patch, published projects won't pause but skip ahead
Last week, I installed the patch to bring my version up to Version 4.0.1 Build 1658. After the patch was installed, if I publish a file with a Table of Contents, it runs fine the first time. However, the second time I launch the published file, the
-
EJB Service , 11g, Error on deployment.
I am trying to use EJB adapter in my SOA Composite. I used Eclipselink's sdo-compiler to generate the SDO from a schema definition, and then imported them to the project. The approach to be followed is given in this link [http://download.oracle.com/d
-
i have the following data uri for an image (see http://jsfiddle.net/VnnhS/). it works on every other brower except safari? is it siae limit issue?
-
Batch Number Transactions Report - TURN OFF
We are managing our batches in B1 2007A; however, our customers do not care what batches they're receiving, per se. That being said, we do not want batch reports to be created each time an invoice is readied to be printed, as we simply X each report
-
Basic questions about permanent Collections
I am just learning about Collections, discovering that a Collection preserves all of the work I done in the collection. I am assuming then, that the images in a collection are virtual copies that can be adjusted in the Develop Module to be different