TACACS+ fallback problem ASA 5520

Hi,
I have configured tacacs in ASA 5520, it is working fine, I can login into ASA with tacacs credentials..authentication is successfull when tacacs server is unreachable Local authentication is also successfull.....But after that when Tacacs server is reachable again...I am not able to login with tacacs credentials.
Is the the bug of Cisco ASA 5520 software image?
Below are the configurations:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 1.1.1.1
key tacacs_key
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+

Hello Arun,
Can you share the following command with us when the AAA authentication against the tacacs+ database is not working
show aaa-server TACACS+ host 1.1.1.1
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at [email protected]
Cheers,
Julio Carvajal Segura

Similar Messages

Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

Hi,
i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
I have installed 50 Site-to-Site VPN tunnels, and they work fine.
but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
it happens when there is no TRAFIC on, i suspect.
in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
Any idea?
Thanks,
Daniel

What is the lifetime value configured for in your crypto policies?
For example:
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

ASA 5520 Upgrade From 8.2 to 9.1

To All Pro's Out There,
I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
I appreciate all the help in advance.

Hi,
My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
What you can basically do is
Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
https://supportforums.cisco.com/docs/DOC-31116
My personal approach when starting to convert NAT configurations for the upgrade is
Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
Divide NAT configurations based on type
Dynamic NAT/PAT
Static NAT
Static PAT
NAT0
All Policy Dynamic/Static NAT/PAT
Learn the basic configuration format for each type of NAT configuration
Start by converting the easiest NAT configurations
Dynamic NAT/PAT
Static NAT/PAT
Next convert the NAT0 configurations
And finally go through the Policy NAT/PAT configurations
Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
For example
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
So to summarize
Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
Learn the new NAT configuration format
Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
Convert the configurations manually
Lab/test the configurations on an test ASA
During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
Will add more later if anything comes to mind as its getting quite late here
Hope this helps
- Jouni

Multiple Public IP's on ASA 5520

Hi,
I have ASA 5520 with Ver 8.2.
Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP:198.24.210.226.
There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.
I did Static NAT 198.24.210.226 to 192.168.1.20 and 198.24.210.227 to 192.168.1.91.
When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.
I checked the inside traffic, it even did not get into the firewall.
Is this the problem with ISP's router? How can we route all of our public IP's to the outside interface(198.24.210.226)?
interface GigabitEthernet0/1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
interface GigabitEthernet0/0
nameif outside
ip address 198.24.210.226 255.255.255.248
security-level 0
no shutdown
route outside 0.0.0.0 0.0.0.0 198.24.210.225
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 198.24.210.226 255.255.255.255
static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 3389 192.168.1.20 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 80 192.168.1.20 80 netmask 255.255.255.255 dns
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
access-group OUTSIDE-IN in interface outside

Also,
You seen to have an /29 public subnet. You should be able to use IP addresses from this subnet to configure NAT on your firewall. I dont think you need any specific configurations to allow the usage of the whole subnet as NAT IP addresses.
You can naturally check the following
show run sysopt
Check that you DONT have the following
sysopt noproxyarp outside
At the moment you are not actually configuring Static NAT but rather Static PAT.
You are only forwarding some ports from certain public IP addresses to the local IP address. If you were doing Static NAT, then you would actually be staticly binding the public IP addresses to the local IP address. So it would apply to any TCP/UDP port and you would only need to use the ACL to allow traffic.
Though in that case you would have to replace the .226 IP address with something else as its the firewall interface IP address and it should not be assigned to be used by a single host on the LAN usually.
If you wanted to staticly assing public IPs to both of these servers you could do
static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
- Jouni

ASA 5520 intervlan routing at low speed

I have ASA 5520 and SSM-10 module. During copy between vlans, connected to gigabit port of asa the speed is up to 6,5 Mbyte/sec. Network cards and trunked switch are gigabit. I've temporarily disabled SSM but it didn't help. Here is my config. Also I found out, that putting SSM into bypass mode solves the problem. But I don't send any traffic to IPS...
ASA Version 8.4(2)
hostname ***
domain-name ***
enable password *** encrypted
passwd *** encrypted
multicast-routing
names
dns-guard
interface GigabitEthernet0/0
nameif DMZ
security-level 50
ip address 10.2.5.1 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
interface GigabitEthernet0/1.100
vlan 100
nameif Devices
security-level 100
ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet0/1.101
vlan 101
nameif Common
security-level 100
ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet0/1.102
vlan 102
nameif Design
security-level 100
ip address 10.2.2.1 255.255.255.0
interface GigabitEthernet0/1.103
vlan 103
nameif Ruhlamat
security-level 90
ip address 10.2.3.1 255.255.255.0
interface GigabitEthernet0/2
no nameif
security-level 100
no ip address
interface GigabitEthernet0/2.10
vlan 10
nameif HOLOGR
security-level 40
ip address 10.1.2.4 255.255.0.0
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address ***
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
management-only
boot system disk0:/asa842-k8.bin
no ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WWW
host 10.2.1.6
object network MAIL
host 10.2.5.5
object network TEST
host 10.2.1.85
object-group network DM_INLINE_NETWORK_1
network-object host 10.1.0.88
network-object host 10.1.6.1
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object 10.2.0.0 255.255.255.0
network-object host 10.1.6.4
network-object host 10.1.1.57
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2080
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_6
network-object host 10.1.4.42
network-object host 10.1.4.234
network-object host 10.1.4.175
network-object host 10.1.4.217
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.14
network-object host 10.2.1.91
object-group network DM_INLINE_NETWORK_4
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
object-group service DM_INLINE_TCP_2 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_5
network-object host 10.2.1.14
network-object host 10.2.1.39
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.85
network-object host 10.2.1.31
network-object host 10.2.1.32
network-object host 10.2.1.40
network-object host 10.2.1.55
network-object host 10.2.1.35
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_3 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_7
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_9
network-object host 10.2.1.4
network-object host 10.2.1.3
object-group network DM_INLINE_NETWORK_2
network-object host 10.1.1.101
network-object host 10.1.6.1
network-object host 10.1.6.4
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object host 10.1.1.57
object-group network DM_INLINE_NETWORK_10
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_4 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_12
network-object host 10.2.0.11
network-object host 10.2.0.14
object-group service DM_INLINE_TCP_5 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_13
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_14
network-object host 8.8.4.4
network-object host 8.8.8.8
network-object host 10.1.1.1
object-group network DM_INLINE_NETWORK_15
network-object host 10.2.1.39
network-object host 10.2.1.57
object-group network DM_INLINE_NETWORK_16
network-object host 10.2.1.14
network-object host 10.2.1.6
access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
access-list outside_access_in extended permit tcp host *** host 10.2.1.85 eq ***
access-list outside_access_in extended permit tcp host *** host 10.2.1.6 eq ***
access-list Common_access_in extended permit icmp any any
access-list Common_access_in extended permit ip host 10.2.1.76 host ***
access-list Common_access_in extended permit ip host 10.2.1.6 any log disable inactive
access-list Common_access_in extended permit tcp host 10.2.1.6 host *** eq ***
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_1 6 host 10.2.5.5
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
access-list Common_access_in extended permit udp object-group DM_INLINE_NETWORK_7 any eq ntp log disable
access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
access-list Common_access_in extended permit tcp object-group DM_INLINE_NETWORK_15 host 10.1.1.1 object-group DM_INLINE_TCP_3
access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 log disable
access-list HOLOGR_access_in extended permit icmp any any log disable
access-list HOLOGR_access_in extended permit tcp host 10.1.1.1 host 10.2.5.5 object-group DM_INLINE_TCP_4
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
access-list HOLOGR_access_in extended permit ip host 10.1.4.214 object-group DM_INLINE_NETWORK_12
access-list Ruhlamat_access_in extended permit ip host 10.2.3.3 object-group DM_INLINE_NETWORK_10
access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
access-list test extended permit tcp any host 10.2.5.1 eq telnet
access-list test extended permit tcp any host 10.2.5.1 eq https
access-list test extended permit tcp host 10.2.5.1 any eq https
access-list test extended permit tcp host 10.2.5.1 any eq telnet
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered critical
logging trap warnings
logging asdm informational
logging from-address ***
logging recipient-address *** level critical
logging host Common 10.2.1.2
logging flash-bufferwrap
logging flash-maximum-allocation 8192
logging permit-hostdown
no logging message 106014
no logging message 313005
no logging message 313001
no logging message 106023
no logging message 305006
no logging message 733101
no logging message 733100
no logging message 304001
logging message 313001 level critical
logging message 106023 level errors
mtu DMZ 1500
mtu inside 1500
mtu Devices 1500
mtu Common 1500
mtu Design 1500
mtu Ruhlamat 1500
mtu HOLOGR 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DMZ
icmp permit any Common
icmp permit any HOLOGR
icmp permit any outside
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
object network WWW
nat (Common,outside) static interface service tcp *** ***
object network MAIL
nat (DMZ,outside) static interface service tcp smtp smtp
nat (DMZ,outside) after-auto source dynamic any interface
nat (Common,outside) after-auto source dynamic any interface
nat (Devices,outside) after-auto source dynamic any interface
access-group Common_access_in in interface Common
access-group Design_access_in in interface Design
access-group Ruhlamat_access_in in interface Ruhlamat
access-group HOLOGR_access_in in interface HOLOGR
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 10.2.1.6 255.255.255.255 Common
snmp-server host Common 10.2.1.6 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp DMZ
sysopt noproxyarp inside
sysopt noproxyarp Devices
sysopt noproxyarp Common
sysopt noproxyarp Design
sysopt noproxyarp Ruhlamat
sysopt noproxyarp HOLOGR
sysopt noproxyarp outside
sysopt noproxyarp management
service resetoutside
telnet 10.2.1.0 255.255.255.0 Common
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Common
dhcprelay setroute Common
threat-detection basic-threat
threat-detection scanning-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.1.4 source Common prefer
webvpn
smtp-server 10.2.5.5
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ad02ecbd84a727e4a26699915feca3a5
: end

Hi Philip,
I don't see any features configured that would affect the throughput of the data transfer. Do you see any CRC errors or overruns increasing on the interfaces during the transfer? If not, I would suggest setting up captures on the ingress and egress interfaces of the ASA so you can understand exactly why the connection is slowing down and see if the ASA is inducing the delay:
https://supportforums.cisco.com/docs/DOC-1222
-Mike

Asa 5520 "loosing" code after code has been put in and operating

Sorry to ask this if it has all ready been covered. We have an asa 5520 running 8.3.2(1) code. Three times now I have entered code and rules in our asa and had things working, only to have the code "dissapear" and thus things stop working. We upgraded to 8.3.2(1) back in January of 2011, and have not had this problem until the last month. I was wondering if there is a bug with 8.3.2(1) code that has decided to show itself for whatever reason now. We have also had some other things relating to the VPN that were "working" and at some point just stopped working. We do have a second asa 5520 that is the failover/standby. We also have two 6509 with firewall services modules, one primary and the other standby. Just wondering how to troubleshoot something like this. I have putty logs of me putting the code in and doing a write mem saving the changes, yet on three occations those things stopped working, and I had to put the code in again.
**update** as I was typing this, we realised there was a problem with the two ASA's. For some reason, failover had stopped working, and both ASA's were trying to be the primary and causing issues. After several reboots, we wound up turning failover back on on the second ASA, and things seem to be normal now. No idea what would have caused the failover to break. Not sure how long this had been going on, it may have had to do with my code seeming to dissapear?

Here is the output of the show ver. I removed the serial number.
ACH-2nd-EXT-ASA01#sh ver
Cisco Adaptive Security Appliance Software Version 8.3(2)1
Device Manager Version 6.4(7)
Compiled on Wed 04-Aug-10 21:41 by builders
System image file is "disk0:/asa832-1-k8.bin"
Config file at boot was "startup-config"
ACH-2nd-EXT-ASA01 up 4 days 22 hours
failover cluster up 4 days 22 hours
Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
0: Ext: GigabitEthernet0/0 : address is 001d.a298.c41c, irq 9
1: Ext: GigabitEthernet0/1 : address is 001d.a298.c41d, irq 9
2: Ext: GigabitEthernet0/2 : address is 001d.a298.c41e, irq 9
3: Ext: GigabitEthernet0/3 : address is 001d.a298.c41f, irq 9
4: Ext: Management0/0       : address is 001d.a298.c420, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited      perpetual
Maximum VLANs                  : 150            perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Active/Active perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
Security Contexts              : 2              perpetual
GTP/GPRS                       : Disabled       perpetual
SSL VPN Peers                  : 10             perpetual
Total VPN Peers                : 750            perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Enabled        perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Enabled        perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual
This platform has an ASA 5520 VPN Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces    : Unlimited      perpetual
Maximum VLANs                  : 150            perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Active/Active perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
Security Contexts              : 4              perpetual
GTP/GPRS                       : Disabled       perpetual
SSL VPN Peers                  : 20             perpetual
Total VPN Peers                : 750            perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Enabled        perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Enabled        perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 4              perpetual
Total UC Proxy Sessions        : 4              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: xxxxxxxxxxx
Running Permanent Activation Key: 0xf730cf7a 0x0449cabf 0xc922e5d4 0xc7bc5cb0 0x851ed6bb
Configuration register is 0x1
Configuration has not been modified since last system restart.
ACH-2nd-EXT-ASA01#

ASA 5520 - LU allocate xlate failed - Failover unit reloads

We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007: LU allocate xlate failed, errors prior to the reload. These units had just had their OS upgraded to fix a DOS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS.Two units in failover.
Cisco Adaptive Security Appliance Software Version 8.0(5)9
Device Manager Version 6.0(2)
Compiled on Mon 01-Feb-10 10:36 by builders
System image file is "disk0:/asa805-9-k8.bin"
Config file at boot was "startup-config"
CP-ASA up 17 days 21 hours
failover cluster up 17 days 22 hours
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0025.45d7.6e62, irq 9
1: Ext: GigabitEthernet0/1 : address is 0025.45d7.6e63, irq 9
2: Ext: GigabitEthernet0/2 : address is 0025.45d7.6e64, irq 9
3: Ext: GigabitEthernet0/3 : address is 0025.45d7.6e65, irq 9
4: Ext: Management0/0       : address is 0025.45d7.6e66, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2
This platform has an ASA 5520 VPN Plus license.
I noted a report on errors with verison 7 and a conflict between nat(0) and static commands. I don't show nat(0) being used on these units.
nat (public) 0 access-list NO_NAT
nat (public) 1 10.190.16.64 255.255.255.192
nat (public) 1 172.16.22.0 255.255.255.0
nat (dmz) 0 access-list NO_NAT
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (csacelb) 0 access-list NO_NAT
nat (csacelb) 1 0.0.0.0 0.0.0.0
nat (app) 0 access-list NO_NAT
nat (app) 1 0.0.0.0 0.0.0.0
nat (db) 0 access-list NO_NAT
nat (db) 1 0.0.0.0 0.0.0.0
nat (internal) 0 access-list NO_NAT
nat (internal) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list NO_NAT
nat (management) 1 0.0.0.0 0.0.0.0
no crypto isakmp nat-traversal
static (app,dmz) 10.190.15.0 10.190.15.0 netmask 255.255.255.192
static (csacelb,public) 999.999.999.999 10.190.14.70 netmask 255.255.255.255 (The external address was replaced with 999.999.999.999 intentionally for this forum)
static (db,app) 10.190.16.0 10.190.16.0 netmask 255.255.255.192

Do you have any solution ? we have the same problem.
Thanks .

ASA 5520 with multiple contexts becomes unresponsive

Hi all. We have encountered a perculiar problem with a pair of our ASA 5520 firewalls with 2 contexts(each context being active on different ASA). What we are seeing is that sometimes when we have a sudden increase of inbound traffic(mostly HTTP) towards servers behind the firewalls they seem to go bananas for the lack of a better expression.
They become unaccessible via ssh and the traffic drops significantly. The problem is mitigated by disabling one of the monitored interfaces for failover(on one of the switches the firewall is connected to) so that both contexts become active on one firewall. After that the firewalls seem to come to their senses and we can enable the switch interface again but sometimes one of the pair needs to be rebooted to restore full funcionality.
To us it seems like there is a problem with failover and contexts but we haven't been able to pin it down. The failover link isn't stateful and when we tested the failover it works fine both ways with each ASA taking up the full load when the other ASA of the pair is not available.
Did anyone come across a similar situation with their firewalls?

We are using ASA version 8.2(5).
The configuration of the failover is:
failover
failover lan unit primary
failover lan interface fail_int GigabitEthernet0/3
failover interface ip fail_int x.x.x.x 255.255.255.252 standby x.x.x.x
failover group 1
preempt
failover group 2
secondary
preempt
Output of the "show failover":
This host:    Primary
Group 1       State:          Active
                Active time:    399409 (sec)
Group 2       State:          Standby Ready
                Active time:    111 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  admin Interface out (x.x.x.x): Normal (Waiting)
                  admin Interface inside (x.x.x.x): Normal (Waiting)
                  admin Interface dmz4 (x.x.x.x): Normal
                  admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                  C1 Interface out (x.x.x.x): Normal (Waiting)
                  C1 Interface inside (x.x.x.x): Normal (Waiting)
                  C1 Interface dmz5 (x.x.x.x): Normal
                  C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                slot 1: empty
Other host:   Secondary
Group 1       State:          Standby Ready
                Active time:    0 (sec)
Group 2       State:          Active
                Active time:    398992 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  admin Interface out (x.x.x.x): Normal (Waiting)
                  admin Interface inside (x.x.x.x): Normal (Waiting)
                  admin Interface dmz4 (x.x.x.x): Normal
                  admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                  C1 Interface out (x.x.x.x): Normal (Waiting)
                  C1 Interface inside (x.x.x.x): Normal (Waiting)
                  C1 Interface dmz5 (x.x.x.x): Normal
                  C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
When I disabled the monitored interface it was always the same interface altough I believe the same effect could be achieved with disabling any of the monitored interfaces.
As for memory and CPU when it happens I cannot access the units to get a reading but I asume it's through the roof.
The thing that troubles me more is that the situation persists when the load drops and I have to perform the solution from the first post. One would assume that with the drop of the load that both firewalls would start to behave normally.
And I see that I haven't mentioned it before but when the load drops both units continue to handle traffic normally but I sometimes see as a side effect that I cannot SSH to one of the units. That unit usually has to be restarted.

ASA 5520: Configuring Active/Standby High Availability

Hi,
I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.
I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).
I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
I tried this using a crossover cable to connect the interfaces directly with the same result.
Any ideas?
Thanks.
Dan

The command Varun is right.
Since you want to know a little bit more about this stuff, here goes a bit. Every interface will have a secondary IP and a Primary IP where the Active/Standby pair will exchange hello packes. If the hellos are not heard from mate, the the unit is delcare failed.
In case the primary is the one that gets an interface down, it will failover to the other unit, if it is the standby that has the problem, the active unit will declare the other Unit "standby failed). You will know that everything is alright when you do a show failover and the standby pair shows "Standby Ready".
For configuring it, just put a secondary IP on every interface to be monitored (If by any chance you dont have an available secondary IP for one of the interfaces you can avoid monitoring the given interface using the command no "monitor-interface nameif" where the nameif is the name of the interface without the secondary IP.
Then put the commands for failover and stateful link, the stateful link will copy the connections table (among other things) to avoid downtime while passing from One unit to another, This link should have at least the same speed as the regular data interfaces.
You can configure the failover link and the stateful link in just one interface, by just using the same name for the link, remember that this link will have a totally sepparate subnet from the ones already used in firewall.
This is the configuration
failover lan unit primary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover lan unit secondary
failover lan interface failover gig0/3
failover link failover gig0/3
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
Make sure that you can ping each other secondary/primary IP and then put the command
failover first on the primary and then on the secondary.
That would fine.
Let me know if you have further doubts.
Link for reference
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
Mike

Older version of openssl in cisco asa 5520

Hi,
Recently my security has scanned all the network devices for vulnerabilities and found that cisco asa 5520 , which we use for RAS VPN has older version of openssl. Have to check that and fix this problem? FYI, recently we have installed a SSL cert for webmail users.
Thanks,
Sridhar

Sridhar,
W update OpenSSL libraries on our side quite often, especially if new vulnarabilities are found.
You can check recently published vulnarabilities in www.cisco.com/go/psirt (not only specific to ASA)
In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
Marcin

Performance Issue behind ASA 5520

Hi Community!
I've got an ASA 5520 (8.4.3) Failover Cluster.
Behind this ASA i have a couple of DMZ Networks. In one of these Networks (lets call it DMZ-A) i have an performance issue.
So, in DMZ-A i have 2 Windows2012R2 servers.
IP Server1: 10.0.233.10/24
IP Server2: 10.0.233.12/24
If i do an RDP session to Server1 from my Client Computer (at the inside Network - IP: 10.0.20.199) it is really slow. Also File Transfer is very slow. Ping gives me a "normal" replay.
If i do an RDP session to Server2 from my Client Computer everything works normal.
If i do an RDP session from Server2 to Server1 everything works normal.
I did a apcket capture to both servers, and when i analyse them with wireshark there is (at a sertain packet) a big difference. -> see attached files
ASA_10 -> 10.0.233.10
ASA_12 -> 10.0.233.12
Can anybody help me finding out whats going wong there?
Thanks a lot!!

Hi ... thanks for the answer.
Here is the Config. Hope i got all the relevant things in it.
Somehow the NAT statement causes the trouble:
object network 10.0.233.10
nat (dmz233,outside) static XXX.XXX.XXX.133
Because if i delete this statement, the RDP connection to the server works normal.
I delete all the network objects and object groups.
Also all the VPN configs are missing.
DELETED THE ASA CONFIG BECAUSE I SOLVED THE PROBLEM!!!! -> misconfiguration
Thanks !!

Different between ASA-5520-K9 & ASA-5520-K8

Hello Dear ...
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8. can any one please advise me what features we will miss or get.
thanks in advanced.
regards/
Mannan

They are exactly the same hardware. It's the license that makes it K9 which you can request from the licensing team at Cisco.

Tacacs authentication problem.

Hy,
I have a network with several layer 2 (c2960) attached to a layer 3 switch (c3750).
All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.
I have an ACS v.4.x to use as a Tacacs server.
In all the equipments I have aaa authentication with tacacs and vlans.
To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.
With this scenario the tacacs authentication works.
If I disconnect the bypass, all the traffic cross over the firewall. But I will not have the tacacs working anymore with the switch.
I do not understand why!!?
I have another problem, this time with the firewall.
I configured the tacacs and the aaa in the firewall, as advised by Cisco.
But it seems that it doesn’t work!
In this two cases only the local authentication works.
Can you help me, please?
Thanks in advance,
Rui Oliveira

Hy,
I am doing tests in a Lab.
So, the addresses presented here are not Internet routable.
The configuration for the tacacs at the ASA is:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
key mykey
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command LOCAL
aaa accounting enable console TACACS
aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa local authentication attempts max-fail 5
aaa authorization exec LOCAL
I´m doing the tests with an ASA with a the IP address 10.183.0.61.
And this address is seen from the outside, but I do a NAT between the 10.183.0.61 and the IP address 192.168.100.2 in the TCP/23.
Besides that I have an interface called OUT_MANGMT, with IP address 192.168.100.2 .
I have another interface that a called GESTAO, with IP address 10.183.0.61.
This interface GESTAO is connected to a management vlan.
My ACS has IP 172.16.20.10 and the standard port for tacacs is tcp/49.
I send the logging file that I take from my firewall.
Thanks,
Rui

Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

Recently i have installed ASA 5520 firewall, Below is the detail for my network
ASA 5520 inside ip: 10.12.10.2/24
Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
Cisco Call Manager 3825 IP: 10.12.110.2/24
The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
the Default Gateway for Data user is 10.12.10.2/24 and
for the voice users is 10.12.110.2/24
now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.

Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
ASA Version 8.2(1)
name x.x.x.x Mobily
interface GigabitEthernet0/0
nameif inside
security-level 99
ip address 10.12.10.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp
service-object ip
service-object icmp
service-object udp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq telnet
access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 Inside-Network 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Mobily 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Mgmt-Network 255.255.255.0 mgmt
http Inside-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh Inside-Network 255.255.255.255 inside
<--- More ---> ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 86.51.34.17 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_splitTunnelAcl
username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN-Users
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
: end

VPN clients not able to ping Remote PCs & Servers : ASA 5520

VPN is connected successfully. But not able to ping any remote ip or fqdn from client pc. But able to ping ASA 5520 firewalls inside interface. Also some clients able to access, some clients not able to access. I new to these firewalls. I tried most of ways from internet, please any one can help asap.
Remote ip section : 192.168.1.0/24
VPN IP Pool : 192.168.5.0/24
Running Config :
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
passwd z40TgSyhcLKQc3n1 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone GST 4
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 213.42.20.20
domain-name default.domain.invalid
access-list outtoin extended permit tcp any host 83.111.113.114 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.113 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq smtp
access-list outtoin extended permit tcp any host 83.111.113.114 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq www
access-list outtoin extended permit tcp any host 83.111.113.115 eq https
access-list outtoin extended permit tcp any host 94.56.148.98 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.117 eq ssh
access-list fualavpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0
92.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 1
2.168.5.0 255.255.255.0
access-list inet_in extended permit icmp any any time-exceeded
access-list inet_in extended permit icmp any any unreachable
access-list inet_in extended permit icmp any any echo-reply
access-list inet_in extended permit icmp any any echo
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging recipient-address [email protected] level emergencies
logging recipient-address [email protected] level errors
mtu outside 1500
mtu inside 1500
ip local pool fualapool 192.168.5.10-192.168.5.50 mask 255.255.255.0
ip local pool VPNPool 192.168.5.51-192.168.5.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 94.56.148.98 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 83.111.113.114 192.168.1.111 netmask 255.255.255.255
access-group inet_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.111.113.116 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have no
been met or due to some specific group policy, you do not have permission to u
e any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy fualavpn internal
group-policy fualavpn attributes
dns-server value 192.168.1.111 192.168.1.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value fualavpn_splitTunnelAcl
username test password I7ZgrgChfw4FV2AW encrypted privilege 0
username Mohamed password Vqmmt8cR/.Qu7LhU encrypted privilege 0
username Moghazi password GMr7xgdqmGEQ2SVR encrypted privilege 0
username Moghazi attributes
password-storage enable
username fualauaq password E6CgvoOpTKphiM2U encrypted privilege 0
username fualauaq attributes
password-storage enable
username fuala password IFtijSYb7LAOV/IW encrypted privilege 15
username Basher password Djf15nXIJXmayfjY encrypted privilege 0
username Basher attributes
password-storage enable
username fualafac password VGC/7cKXW1A6eyXS encrypted privilege 0
username fualafac attributes
password-storage enable
username fualaab password ONTH8opuP4RKgRXD encrypted privilege 0
username fualaab attributes
password-storage enable
username fualaadh2 password mNEgLxzPBeF4SyDb encrypted privilege 0
username fualaadh2 attributes
password-storage enable
username fualaain2 password LSKk6slwsVn4pxqr encrypted privilege 0
username fualaain2 attributes
password-storage enable
username fualafj2 password lE4Wu7.5s7VXwCqv encrypted privilege 0
username fualafj2 attributes
password-storage enable
username fualakf2 password 38oMUuwKyShs4Iid encrypted privilege 0
username fualakf2 attributes
password-storage enable
username fualaklb password .3AMGUZ1NWU1zzIp encrypted privilege 0
username fualaklb attributes
password-storage enable
username fualastr password RDXSdBgMaJxNLnaH encrypted privilege 0
username fualastr attributes
password-storage enable
username fualauaq2 password HnjodvZocYhDKrED encrypted privilege 0
username fualauaq2 attributes
password-storage enable
username fualastore password wWDVHfUu9pdM9jGj encrypted privilege 0
username fualastore attributes
password-storage enable
username fualadhd password GK8k1MkMlIDluqF4 encrypted privilege 0
username fualadhd attributes
password-storage enable
username fualaabi password eYL0j16kscNhhci4 encrypted privilege 0
username fualaabi attributes
password-storage enable
username fualaadh password GTs/9BVCAU0TRUQE encrypted privilege 0
username fualaadh attributes
password-storage enable
username fualajuh password b9QGJ1GHhR88reM1 encrypted privilege 0
username fualajuh attributes
password-storage enable
username fualadah password JwVlqQNIellNgxnZ encrypted privilege 0
username fualadah attributes
password-storage enable
username fualarak password UE41e9hpvcMeChqx encrypted privilege 0
username fualarak attributes
password-storage enable
username fualasnk password ZwZ7fVglexrCWFUH encrypted privilege 0
username fualasnk attributes
password-storage enable
username rais password HrvvrIw5tEuam/M8 encrypted privilege 0
username rais attributes
password-storage enable
username fualafuj password yY2jRMPqmNGS.3zb encrypted privilege 0
username fualafuj attributes
password-storage enable
username fualamaz password U1YUfQzFYrsatEzC encrypted privilege 0
username fualamaz attributes
password-storage enable
username fualashj password gN4AXk/oGBTEkelQ encrypted privilege 0
username fualashj attributes
password-storage enable
username fualabdz password tg.pB7RXJx2CWKWi encrypted privilege 0
username fualabdz attributes
password-storage enable
username fualamam password uwLjc0cV7LENI17Y encrypted privilege 0
username fualamam attributes
password-storage enable
username fualaajm password u3yLk0Pz0U1n.Q0c encrypted privilege 0
username fualaajm attributes
password-storage enable
username fualagrm password mUt3A60gLJ8N5HVr encrypted privilege 0
username fualagrm attributes
password-storage enable
username fualakfn password ceTa6jmvnzOFNSgF encrypted privilege 0
username fualakfn attributes
password-storage enable
username Fualaain password Yyhr.dlc6/J7WvF0 encrypted privilege 0
username Fualaain attributes
password-storage enable
username fualaban password RCJKLGTrh7VM2EBW encrypted privilege 0
username John password D9xGV1o/ONPM9YNW encrypted privilege 15
username John attributes
password-storage disable
username wrkshopuaq password cFKpS5e6Whp0A7TZ encrypted privilege 0
username wrkshopuaq attributes
password-storage enable
username Talha password 3VoAABwXxVonLmWi encrypted privilege 0
username Houssam password Cj/uHUqsj36xUv/R encrypted privilege 0
username Faraj password w2qYfE3DkYvS/oPq encrypted privilege 0
username Faraj attributes
password-storage enable
username gowth password HQhALLeiQXuIzptCnTv1rA== nt-encrypted privilege 15
username Hameed password 0Kr0N1VRmLuWdoDE encrypted privilege 0
username Hameed attributes
password-storage enable
username Hassan password Uy4ASuiNyEd70LCw encrypted privilege 0
username cisco password IPVBkPI1GLlHurPD encrypted privilege 15
username Karim password 5iOtm58EKMyvruZA encrypted privilege 0
username Shakir password BESX2bAvlbqbDha/ encrypted privilege 0
username Riad password iB.miiOF7qMESlCL encrypted privilege 0
username Azeem password 0zAqiCG8dmLyRQ8f encrypted privilege 15
username Azeem attributes
password-storage disable
username Osama password xu66er.7duIVaP79 encrypted privilege 0
username Osama attributes
password-storage enable
username Mahmoud password bonjr0B19aOQSpud encrypted privilege 0
username alpha password x8WO0aiHL3pVFy2E encrypted privilege 15
username Wissam password SctmeK/qKVNLh/Vv encrypted privilege 0
username Wissam attributes
password-storage enable
username Nabil password m4fMvkTgVwK/O3Ms encrypted privilege 0
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.4 255.255.255.255 inside
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.111 255.255.255.255 inside
http 192.168.1.200 255.255.255.255 inside
http 83.111.113.117 255.255.255.255 outside
http 192.168.1.17 255.255.255.255 inside
http 192.168.1.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn general-attributes
address-pool fualapool
address-pool VPNPool
default-group-policy fualavpn
tunnel-group fualavpn ipsec-attributes
pre-shared-key *
tunnel-group fualavpn ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:38e41e83465d37f69542355df734db35
: end

Hi,
What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP
Regards,

TACACS+ fallback problem ASA 5520

Similar Messages

Maybe you are looking for