TLSv1 through asa 5520
Hi,
There is a site that we are trying to connect to that appears to only accept TLSv1. When we try to connect from broadband, it is fine, but behind the firewall it does not load. It looks like TLS is not being permitted. Based on a packet capture, it looks like the client is only trying SSL, which is then denied at the server because it's disabled.
When I try from outside the firewall, it works fine.
What on the ASA could prevent a web client from trying to negotiate TLS?
Hi,
I think there is a bit of progress in that; when I removed the "Inspect SIP" the traffic is successfully passed through the VPN tunnel (# of bytes increased in the tunnel) where this was a problem before this change. But the call is still not successful and the below output is received (different from the first output in my first post):
6|Nov 24 2008|08:11:34|305011|10.43.11.86|5060|62.Y.98.30|31875|Built dynamic UDP translation from Voice:10.43.11.86/5060 to outside(Voice_nat_outbound):62.Y.98.30/31875
6|Nov 24 2008|08:11:36|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 511462 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/22931)
6|Nov 24 2008|08:11:38|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511702 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
6|Nov 24 2008|08:11:42|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511703 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
6|Nov 24 2008|08:11:46|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511705 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
6|Nov 24 2008|08:11:50|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511709 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
The difference is that I send only one (Built outbound UDP connection) and then multiple (Teardown) while before it was one (Build) then one (Teardown).
I still don't get it!!...
Similar Messages
-
ASA 5520 Upgrade From 8.2 to 9.1
To All Pro's Out There,
I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together a smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
I appreciate all the help in advance.
Hi,
My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they aren't really optimal.
In your case it seems that you have a pretty much better situation than most people that don't have the chance to use a test device to test out the setup before actually putting it in production.
What you can basically do is
* Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
* You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has gone really well and there have been only 1-2 mistakes in NAT configurations because of mistyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to an ASA Security Context)
If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
https://supportforums.cisco.com/docs/DOC-31116
My personal approach when starting to convert NAT configurations for the upgrade is
* Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
* Divide NAT configurations based on type
  * Dynamic NAT/PAT
  * Static NAT
  * Static PAT
  * NAT0
  * All Policy Dynamic/Static NAT/PAT
* Learn the basic configuration format for each type of NAT configuration
* Start by converting the easiest NAT configurations
  * Dynamic NAT/PAT
  * Static NAT/PAT
* Next convert the NAT0 configurations
* And finally go through the Policy NAT/PAT configurations
* Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common scenarios this basically usually only involves modifying the "outside" interface's ACL but depending if the customer has some other links to external resources then it's highly likely that the same type of ACL changes are required on those interfaces also.
The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
For example
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
In the new software you can pretty much leave all of these out. If you don't need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
Naturally you can also use these forums to ask help with NAT configuration conversions. Even though it's a very common topic, I don't personally mind helping out with those.
So to summarize
* Try out the ASA's automatic configuration conversion when simply booting to new software levels on the test ASA you have
* Learn the new NAT configuration format
* Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
Personally if I was looking at the same kind of upgrade (which I will probably be looking at again soon) I would personally do the following
* Convert the configurations manually
* Lab/test the configurations on a test ASA
* During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
* Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
* Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
* Test connectivity and monitor the ASA's connection and xlate tables to confirm everything is working
Will add more later if anything comes to mind as it's getting quite late here
Hope this helps
- Jouni -
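An added example, not part of the reply above and not a Cisco tool: the first steps of the conversion approach (collect the 8.2 NAT statements with their ACLs, divide them by type, spot identity statics that can be left out, and find interface ACL entries that must switch to the real IP) as a Python script. The sample configuration is constructed with documentation addresses, and all function and variable names are assumptions.

```python
import re

# Categories and conversion order as listed in the reply (easiest first).
CONVERSION_ORDER = ["Dynamic NAT/PAT", "Static NAT", "Static PAT", "NAT0",
                    "Policy NAT/PAT"]

NAT_RE = re.compile(r"^(nat|global) \(([^)]+)\) (\d+) (.+)$")
STATIC_RE = re.compile(r"^static \(([^,]+),([^)]+)\) (.+)$")
ACL_REF_RE = re.compile(r"\baccess-list (\S+)")

# Constructed 8.2-style sample (not taken from any real device).
SAMPLE_8_2 = """\
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 2 access-list DMZ-POLICY-PAT
static (inside,outside) 203.0.113.10 192.168.1.11 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.20 80 netmask 255.255.255.255
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ-POLICY-PAT extended permit ip 10.10.10.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list outtoin extended permit tcp any host 203.0.113.10 eq 3389
"""


def classify(line):
    """Return (category, is_identity) for one 8.2-style NAT line, else None."""
    line = line.strip()
    m = NAT_RE.match(line)
    if m:
        keyword, _ifc, nat_id, rest = m.groups()
        if keyword == "global":
            return "Dynamic NAT/PAT", False
        if nat_id == "0":
            return "NAT0", False
        if rest.startswith("access-list "):
            return "Policy NAT/PAT", False
        return "Dynamic NAT/PAT", False
    m = STATIC_RE.match(line)
    if m:
        tokens = m.group(3).split()
        if len(tokens) < 2:
            return None
        if "access-list" in tokens:
            return "Policy NAT/PAT", False
        if tokens[0] in ("tcp", "udp"):
            return "Static PAT", False
        # Mapped address equal to real address means identity NAT.
        return "Static NAT", tokens[0] == tokens[1]
    return None


def inventory(config_text):
    """Group NAT lines by type and list the follow-up work for 8.3+."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    groups = {name: [] for name in CONVERSION_ORDER}
    identity, nat_acls, mapped_to_real = [], set(), {}
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        category, is_identity = result
        groups[category].append(line)
        ref = ACL_REF_RE.search(line)
        if ref:
            nat_acls.add(ref.group(1))
        if is_identity:
            identity.append(line)
        elif category == "Static NAT":
            mapped, real = STATIC_RE.match(line).group(3).split()[:2]
            if mapped != "interface":
                mapped_to_real[mapped] = real
    # ACLs referenced by NAT0 / policy NAT travel with those statements.
    acls = [l for l in lines
            if l.startswith("access-list ") and l.split()[1] in nat_acls]
    # Other ACL entries pointing at a mapped host IP need the real IP instead
    # (only "host <ip>" entries are handled here).
    rewrites = []
    for line in lines:
        if not line.startswith("access-list ") or line.split()[1] in nat_acls:
            continue
        new = line
        for mapped, real in mapped_to_real.items():
            new = re.sub(rf"\bhost {re.escape(mapped)}(?!\S)", f"host {real}", new)
        if new != line:
            rewrites.append((line, new))
    return {"groups": groups, "identity_statics": identity,
            "nat_acls": acls, "acl_rewrites": rewrites}


if __name__ == "__main__":
    report = inventory(SAMPLE_8_2)
    for name in CONVERSION_ORDER:
        print(f"{name}: {len(report['groups'][name])} statement(s)")
    for line in report["identity_statics"]:
        print("identity static, candidate to leave out:", line)
    for old, new in report["acl_rewrites"]:
        print("ACL uses mapped IP:", old, "->", new)
```

The script only sorts and flags statements; writing the new-format NAT rules and checking them with "packet-tracer" remains a manual step, as the reply describes.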
ASA 5520: Retrieve user, group -and- lanlist (ACL) from openldap
hi,
while migrating from a VPN Concentrator 3000 to ASA 5520 (IOS 8.0.4), we'd like to put all VPN-related configuration settings in an openldap server (2.3.27).
We have trouble finding ways to put group settings, LanLists (as they were called on the Concentrator, or ACLs) and Lan2Lan configurations in LDAP.
Authenticating users through openldap works, and there seems to be a aaa-server command "ldap-group-dn-base", but it seems this is only used in conjunction with Active Directory, while we only use openldap.
Furthermore, ACLs seem to be indices referring to ACLs locally stored on the ASA: how to put the complete ACL in LDAP?
Preferred LDAP configuration:
VPN-users: ou=users,dc=vpn,dc=COMPANY,dc=com
VPN-groups: ou=groups,dc=vpn,dc=COMPANY,dc=com
VPN-L2L: ou=lantolan,dc=vpn,dc=COMPANY,dc=com
How to refer the ASA to an entry in ou=groups,... from an entry residing in ou=users?
Same question for LanLists. Is this possible?
Thank you. I did find the attribute map option, but the manuals and explanations that describe this feature all refer to group-settings (ACLs etc) that are _already configured_ on the ASA. They refer to a groupname or ACL-name that is "known" in the ASA configuration.
What we'd like to do is put -all- possible group, ACL, lan2lanlists, data in ldap. So when a user authenticates:
1. his user-credentials are checked against LDAP and relevant configurations (using attribute maps) are loaded into the ASA
2. his group-credentials are checked against LDAP and relevant group-configurations (using attribute maps) are loaded into the ASA
3. possible lan/network-lists to which his group-information refers, are loaded from LDAP into the ASA.
Perhaps I'm missing something, but I've found only ways to put the _name_ (/ID) of these settings in LDAP, referring to settings/configurations already existing in the ASA. I'd like to put _all_ the settings/configurations in LDAP as well. -
ASA 5520 with multiple contexts becomes unresponsive
Hi all. We have encountered a peculiar problem with a pair of our ASA 5520 firewalls with 2 contexts (each context being active on a different ASA). What we are seeing is that sometimes when we have a sudden increase of inbound traffic (mostly HTTP) towards servers behind the firewalls they seem to go bananas for the lack of a better expression.
They become inaccessible via ssh and the traffic drops significantly. The problem is mitigated by disabling one of the monitored interfaces for failover (on one of the switches the firewall is connected to) so that both contexts become active on one firewall. After that the firewalls seem to come to their senses and we can enable the switch interface again but sometimes one of the pair needs to be rebooted to restore full functionality.
To us it seems like there is a problem with failover and contexts but we haven't been able to pin it down. The failover link isn't stateful and when we tested the failover it works fine both ways with each ASA taking up the full load when the other ASA of the pair is not available.
Did anyone come across a similar situation with their firewalls?
We are using ASA version 8.2(5).
The configuration of the failover is:
failover
failover lan unit primary
failover lan interface fail_int GigabitEthernet0/3
failover interface ip fail_int x.x.x.x 255.255.255.252 standby x.x.x.x
failover group 1
preempt
failover group 2
secondary
preempt
Output of the "show failover":
This host: Primary
Group 1 State: Active
Active time: 399409 (sec)
Group 2 State: Standby Ready
Active time: 111 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
admin Interface out (x.x.x.x): Normal (Waiting)
admin Interface inside (x.x.x.x): Normal (Waiting)
admin Interface dmz4 (x.x.x.x): Normal
admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
C1 Interface out (x.x.x.x): Normal (Waiting)
C1 Interface inside (x.x.x.x): Normal (Waiting)
C1 Interface dmz5 (x.x.x.x): Normal
C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary
Group 1 State: Standby Ready
Active time: 0 (sec)
Group 2 State: Active
Active time: 398992 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
admin Interface out (x.x.x.x): Normal (Waiting)
admin Interface inside (x.x.x.x): Normal (Waiting)
admin Interface dmz4 (x.x.x.x): Normal
admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
C1 Interface out (x.x.x.x): Normal (Waiting)
C1 Interface inside (x.x.x.x): Normal (Waiting)
C1 Interface dmz5 (x.x.x.x): Normal
C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Unconfigured.
When I disabled the monitored interface it was always the same interface although I believe the same effect could be achieved with disabling any of the monitored interfaces.
As for memory and CPU when it happens I cannot access the units to get a reading but I assume it's through the roof.
The thing that troubles me more is that the situation persists when the load drops and I have to perform the solution from the first post. One would assume that with the drop of the load that both firewalls would start to behave normally.
And I see that I haven't mentioned it before but when the load drops both units continue to handle traffic normally but I sometimes see as a side effect that I cannot SSH to one of the units. That unit usually has to be restarted. -
Asa 5520 | CPU Spikes above 90% for 5 Seconds then it went down to 35 - 40%
Hi Experts
I have an ASA 5520. Sometimes the CPU spikes above 90% for 5 seconds, then it goes down to 35 - 40%, but when it shoots to 90% all connections going through this ASA get dropped, and then I receive complaints since application traffic traverses this FW. How can I see the CPU history for the last 1 week? I need to see the times and the dates when the CPU went above 90% for 4 seconds.
thanks
jamil
Hi Ibrahim,
From the ASA you would not be able to pull data for the last one week; you would need an SNMP server or any other monitoring server for pulling reports.
For high CPU issues, I would suggest opening a TAC case for it, since it requires detailed investigation and access to your box. Just as an initial pointer, these outputs might help you identify the cause:
show proc cpu-usage
show traffic
show conn count
show interface
Remember these outputs are useful only if they are from the time of the issue, check what traffic is hogging the CPU and if the ASA is being overwhelmed or not.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
Trying to establish a connection to a site using SSLv3 through my ASA 5520 Version 7.2. The download of the data starts and just stops after a few seconds. I ran ethereal on my client and it is showing me "TCP segment lost" "TCP Dup ACK" and "TCP Fast Retransmission" errors during the conversation. My ASA is set to "SSL Client version any" which should negotiate any protocol. Any help would be appreciated and rated.
Thanks!
And you already checked if SSH is working on Server1? Can you SSH from Server2 to Server1?
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007
I have enabled and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have a Cisco ASA 5520 firewall at work; is there something I need to set up on the device? We want to allow users from home to connect via their Outlook clients from home. OWA is working from the outside... Help please...
Hi,
Make sure that the required ports are allowed over the device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com
Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected] -
POODLE vulnerability - ASA 5520
Hi
I would like to know if my ASA 5520 firewalls (Cisco Adaptive Security Appliance Version 8.4(6), 8.2(1)) are vulnerable to the POODLE vulnerability.
Which workaround should I do? Would it have any impact on my VPN or DMZ servers?
Thanks...
Hi,
Both these ASA versions are vulnerable
Conditions:
The default configuration of SSL on all versions of the ASA enables SSLv3.
Due to CSCug51375, the ASA is unable to disable SSLv3 on ASA v9.0.x and v9.1.1.x.
To see the SSL configuration:
show run all ssl
Default configuration of the ASA:
ssl client-version any
ssl server-version any
The following non-default configuration values also enable SSLv3:
ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3
The following versions are vulnerable regardless of ssl configuration:
* 9.0.x
* 9.1.1.x
Workaround:
Disable SSLv3, write the changes to the startup-config.
This workaround only applies to the following versions:
* 7.x and later
* 8.2 and later
* 8.3 and later
* 8.4 and later
* 8.5 and later
* 8.6 and later
* 8.7 and later
* 9.1.2 and later (with CSCug51375 fix)
* 9.2.1 and later (with CSCug51375 fix)
* 9.3.1 and later
Use the following config-mode commands:
ssl server-version tlsv1
ssl client-version tlsv1-only
There is no need to reboot. The configuration must be saved via "write memory".
Here are the bug details: CSCur23709
Known fixed ASA versions: 9.0(4.201), 9.2(2.103), 9.3(1.1)
Thanks,
Prashant Joshi -
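An added example, not part of the reply above and not Cisco code: a Python check that applies the conditions listed in the reply to a software version and the output of "show run all ssl", and returns the workaround commands where the reply says they apply. The function names, the version-string parsing and the sample outputs are assumptions constructed for illustration.

```python
import re

# Values the reply lists as enabling SSLv3 ("any" is the default).
SSLV3_VALUES = {"any", "sslv3", "sslv3-only"}
# Workaround commands quoted in the reply.
WORKAROUND = {"server": "ssl server-version tlsv1",
              "client": "ssl client-version tlsv1-only"}
# Releases the reply names as known fixed.
KNOWN_FIXED = {"9.0(4.201)", "9.2(2.103)", "9.3(1.1)"}

SSL_LINE = re.compile(r"^\s*ssl (client|server)-version (\S+)\s*$", re.M)
VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)")

# Constructed samples of "show run all ssl" output (only the two relevant lines).
DEFAULT_SSL = "ssl client-version any\nssl server-version any\n"
HARDENED_SSL = "ssl server-version tlsv1\nssl client-version tlsv1-only\n"


def release_status(version):
    """Map an ASA version string such as '8.4(6)' to the reply's categories."""
    version = version.strip()
    if version in KNOWN_FIXED:
        return "known-fixed"
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {version!r}")
    major, minor, maint = map(int, m.groups())
    # 9.0.x and 9.1.1.x: SSLv3 cannot be disabled (CSCug51375).
    if (major, minor) == (9, 0) or (major, minor, maint) == (9, 1, 1):
        return "vulnerable-regardless"
    return "config-dependent"


def ssl_settings(show_run_all_ssl):
    """Extract the client/server SSL version settings; missing lines = default."""
    settings = {"client": "any", "server": "any"}
    for side, value in SSL_LINE.findall(show_run_all_ssl):
        settings[side] = value.lower()
    return settings


def assess(version, show_run_all_ssl):
    """Report where SSLv3 is enabled and which workaround commands to enter."""
    status = release_status(version)
    settings = ssl_settings(show_run_all_ssl)
    exposed = sorted(s for s, v in settings.items() if v in SSLV3_VALUES)
    commands = []
    if status == "config-dependent":
        commands = [WORKAROUND[s] for s in ("server", "client") if s in exposed]
        if commands:
            commands.append("write memory")  # the reply: save, no reboot needed
    return {"release_status": status,
            "sslv3_enabled_on": exposed,
            "workaround": commands}


if __name__ == "__main__":
    for ver, cfg in (("8.4(6)", DEFAULT_SSL), ("8.2(1)", HARDENED_SSL),
                     ("9.1(1)4", HARDENED_SSL)):
        print(ver, assess(ver, cfg))
```

For a release reported as "vulnerable-regardless" the function returns no commands, because the reply states the configuration workaround does not apply there and a fixed release is needed.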
I need to configure RA VPN in ASA 5520 for about 100 mobile users. The setup is
Mobile users----->internet cloud------->1mbps.router1---->ASA---->inside n/w-----router2.8mbps-------->MPLS cloud---->512 mbps.eight Branches
Router1, ASA and router 2 are in the data centre and branches are connected via MPLS.
Remote users want to access their own application, file share and mail in their respective branch network. No internet connection on branches. So all users have to come to the data centre and through MPLS they reach their branch network. What could be the performance and any issue?
I would pay close attention on bandwidth more than anything else; it would all depend on what type of traffic the 100 RA mobile users will be using at any given time that will be traversing a 1meg pipe. For example, 1 single RA user may copy a 1 gig file from corporate server or vice versa, which can saturate that pipe. You would have to create some sort of baseline on all link points before RA implementation to sort of get you a picture of current link utilization to plan accordingly and worry about bandwidth performance and plan accordingly.
Rgds
Jorge -
Cisco ASA 5520 traffic between interfaces
Hello,
I am new in the Cisco world, learning how everything goes. I have a Cisco ASA 5520 firewall that I am trying to configure, but I am stumped. Traffic does not pass through interfaces (I tried ping), although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The IPs I am using in the tracer are actual hosts.
ciscoasa# ping esx_management 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping home_network 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Thank you in advance.
Hi,
Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying it's an external interface) and not allowing all traffic from there.
I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would at least allow communication between all interfaces with their real IP addresses.
I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
Naturally, if you wanted to try some NAT configurations you could try either of these, for example, just for the sake of testing
Static Identity NAT
static (home_network,esx_management) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (home_network,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (home_network,management) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
OR
NAT0
access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (home_network) 0 access-list HOMENETWORK-NAT0
Hope this helps
- Jouni -
Cisco ASA 5520 Traffic monitoring
Hello ,
We have a Cisco ASA 5520 and I'm looking for a way to monitor the largest outgoing and incoming traffic per IP in real time, so as to know which of my internal computers are using the most of our Internet line. Is there a way to do this through ASDM? We use version 6.3.
Thanks a lot
Hi,
I don't think the ASA alone can give you a really clear picture of the real time situation.
It however should be able to give you some clue and simple statistics on the ASDM Firewall Dashboard
My ASDM version is 7.1 but it should be there in your version also. -
VPN clients not able to ping Remote PCs & Servers : ASA 5520
VPN is connected successfully, but I am not able to ping any remote IP or FQDN from the client PC. I am able to ping the ASA 5520 firewall's inside interface. Also, some clients are able to access and some clients are not. I am new to these firewalls. I tried most of the ways from the internet; please, can anyone help asap?
Remote ip section : 192.168.1.0/24
VPN IP Pool : 192.168.5.0/24
Running Config :
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
passwd z40TgSyhcLKQc3n1 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone GST 4
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 213.42.20.20
domain-name default.domain.invalid
access-list outtoin extended permit tcp any host 83.111.113.114 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.113 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq smtp
access-list outtoin extended permit tcp any host 83.111.113.114 eq https
access-list outtoin extended permit tcp any host 83.111.113.114 eq www
access-list outtoin extended permit tcp any host 83.111.113.115 eq https
access-list outtoin extended permit tcp any host 94.56.148.98 eq 3389
access-list outtoin extended permit tcp any host 83.111.113.117 eq ssh
access-list fualavpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inet_in extended permit icmp any any time-exceeded
access-list inet_in extended permit icmp any any unreachable
access-list inet_in extended permit icmp any any echo-reply
access-list inet_in extended permit icmp any any echo
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging recipient-address [email protected] level emergencies
logging recipient-address [email protected] level errors
mtu outside 1500
mtu inside 1500
ip local pool fualapool 192.168.5.10-192.168.5.50 mask 255.255.255.0
ip local pool VPNPool 192.168.5.51-192.168.5.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 94.56.148.98 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 83.111.113.114 192.168.1.111 netmask 255.255.255.255
access-group inet_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.111.113.116 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy fualavpn internal
group-policy fualavpn attributes
dns-server value 192.168.1.111 192.168.1.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value fualavpn_splitTunnelAcl
username test password I7ZgrgChfw4FV2AW encrypted privilege 0
username Mohamed password Vqmmt8cR/.Qu7LhU encrypted privilege 0
username Moghazi password GMr7xgdqmGEQ2SVR encrypted privilege 0
username Moghazi attributes
password-storage enable
username fualauaq password E6CgvoOpTKphiM2U encrypted privilege 0
username fualauaq attributes
password-storage enable
username fuala password IFtijSYb7LAOV/IW encrypted privilege 15
username Basher password Djf15nXIJXmayfjY encrypted privilege 0
username Basher attributes
password-storage enable
username fualafac password VGC/7cKXW1A6eyXS encrypted privilege 0
username fualafac attributes
password-storage enable
username fualaab password ONTH8opuP4RKgRXD encrypted privilege 0
username fualaab attributes
password-storage enable
username fualaadh2 password mNEgLxzPBeF4SyDb encrypted privilege 0
username fualaadh2 attributes
password-storage enable
username fualaain2 password LSKk6slwsVn4pxqr encrypted privilege 0
username fualaain2 attributes
password-storage enable
username fualafj2 password lE4Wu7.5s7VXwCqv encrypted privilege 0
username fualafj2 attributes
password-storage enable
username fualakf2 password 38oMUuwKyShs4Iid encrypted privilege 0
username fualakf2 attributes
password-storage enable
username fualaklb password .3AMGUZ1NWU1zzIp encrypted privilege 0
username fualaklb attributes
password-storage enable
username fualastr password RDXSdBgMaJxNLnaH encrypted privilege 0
username fualastr attributes
password-storage enable
username fualauaq2 password HnjodvZocYhDKrED encrypted privilege 0
username fualauaq2 attributes
password-storage enable
username fualastore password wWDVHfUu9pdM9jGj encrypted privilege 0
username fualastore attributes
password-storage enable
username fualadhd password GK8k1MkMlIDluqF4 encrypted privilege 0
username fualadhd attributes
password-storage enable
username fualaabi password eYL0j16kscNhhci4 encrypted privilege 0
username fualaabi attributes
password-storage enable
username fualaadh password GTs/9BVCAU0TRUQE encrypted privilege 0
username fualaadh attributes
password-storage enable
username fualajuh password b9QGJ1GHhR88reM1 encrypted privilege 0
username fualajuh attributes
password-storage enable
username fualadah password JwVlqQNIellNgxnZ encrypted privilege 0
username fualadah attributes
password-storage enable
username fualarak password UE41e9hpvcMeChqx encrypted privilege 0
username fualarak attributes
password-storage enable
username fualasnk password ZwZ7fVglexrCWFUH encrypted privilege 0
username fualasnk attributes
password-storage enable
username rais password HrvvrIw5tEuam/M8 encrypted privilege 0
username rais attributes
password-storage enable
username fualafuj password yY2jRMPqmNGS.3zb encrypted privilege 0
username fualafuj attributes
password-storage enable
username fualamaz password U1YUfQzFYrsatEzC encrypted privilege 0
username fualamaz attributes
password-storage enable
username fualashj password gN4AXk/oGBTEkelQ encrypted privilege 0
username fualashj attributes
password-storage enable
username fualabdz password tg.pB7RXJx2CWKWi encrypted privilege 0
username fualabdz attributes
password-storage enable
username fualamam password uwLjc0cV7LENI17Y encrypted privilege 0
username fualamam attributes
password-storage enable
username fualaajm password u3yLk0Pz0U1n.Q0c encrypted privilege 0
username fualaajm attributes
password-storage enable
username fualagrm password mUt3A60gLJ8N5HVr encrypted privilege 0
username fualagrm attributes
password-storage enable
username fualakfn password ceTa6jmvnzOFNSgF encrypted privilege 0
username fualakfn attributes
password-storage enable
username Fualaain password Yyhr.dlc6/J7WvF0 encrypted privilege 0
username Fualaain attributes
password-storage enable
username fualaban password RCJKLGTrh7VM2EBW encrypted privilege 0
username John password D9xGV1o/ONPM9YNW encrypted privilege 15
username John attributes
password-storage disable
username wrkshopuaq password cFKpS5e6Whp0A7TZ encrypted privilege 0
username wrkshopuaq attributes
password-storage enable
username Talha password 3VoAABwXxVonLmWi encrypted privilege 0
username Houssam password Cj/uHUqsj36xUv/R encrypted privilege 0
username Faraj password w2qYfE3DkYvS/oPq encrypted privilege 0
username Faraj attributes
password-storage enable
username gowth password HQhALLeiQXuIzptCnTv1rA== nt-encrypted privilege 15
username Hameed password 0Kr0N1VRmLuWdoDE encrypted privilege 0
username Hameed attributes
password-storage enable
username Hassan password Uy4ASuiNyEd70LCw encrypted privilege 0
username cisco password IPVBkPI1GLlHurPD encrypted privilege 15
username Karim password 5iOtm58EKMyvruZA encrypted privilege 0
username Shakir password BESX2bAvlbqbDha/ encrypted privilege 0
username Riad password iB.miiOF7qMESlCL encrypted privilege 0
username Azeem password 0zAqiCG8dmLyRQ8f encrypted privilege 15
username Azeem attributes
password-storage disable
username Osama password xu66er.7duIVaP79 encrypted privilege 0
username Osama attributes
password-storage enable
username Mahmoud password bonjr0B19aOQSpud encrypted privilege 0
username alpha password x8WO0aiHL3pVFy2E encrypted privilege 15
username Wissam password SctmeK/qKVNLh/Vv encrypted privilege 0
username Wissam attributes
password-storage enable
username Nabil password m4fMvkTgVwK/O3Ms encrypted privilege 0
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.4 255.255.255.255 inside
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.111 255.255.255.255 inside
http 192.168.1.200 255.255.255.255 inside
http 83.111.113.117 255.255.255.255 outside
http 192.168.1.17 255.255.255.255 inside
http 192.168.1.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn type ipsec-ra
tunnel-group fualavpn general-attributes
address-pool fualapool
address-pool VPNPool
default-group-policy fualavpn
tunnel-group fualavpn ipsec-attributes
pre-shared-key *
tunnel-group fualavpn ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
Cryptochecksum:38e41e83465d37f69542355df734db35
: end
Hi,
What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like:
nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP
Regards,
-
DHCP question on VPN to ASA 5520
Our VPN uses the Microsoft VPN client to connect to an ASA 5520 running 8.0(3). Clients get their address from our internal DHCP server. How do I get the ASA to send the client computer name in the DHCP request, rather than the group name and some number it appends to it? This is an issue for us because those entries show up as "rogue" registrations in DNS, because they don't match our naming structure.
Make sure the client is forwarding its name in the DHCP messages. Parameters can't be added at the ASA.
-
Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone
Hi,
I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
The scenario:
Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
Any help or advice is much appreciated.
Thanks.
Hello Bernard,
What you are looking for is a Remote Ipsec VPN mode not a L2L.
Here is the link you should use to make this happen:)
https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
Regards,
Julio
-
Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem
Hi,
I recently purchased a Cisco ASA 5520 running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
I have installed 50 Site-to-Site VPN tunnels, and they work fine.
But randomly the VPN tunnels keep disconnecting, and a few seconds later they reconnect automatically.
It happens when there is no traffic, I suspect.
In ASDM, in Group Policies under DfltGrpPolicy (system default), I have "idle timeout" set to "Unlimited", but they still keep disconnecting and connecting again. I have also verified that all VPN tunnels are using this Group Policy, and all VPN tunnels have "Idle Timeout: 0".
This is very annoying, as in my case I have customers with an RDP (remote desktop client) session open 24/7 and suddenly it gets disconnected due to no traffic?
In ASDM under Monitoring -> VPN, I can see all VPN tunnels recently disconnected in "Login Time Duration": some 30 minutes, 52 minutes, 40 minutes and some 12 minutes ago, and so on. They don't disconnect at the same time; it is all random.
I don't WANT the VPN tunnels to disconnect, I want them to RUN until we manually disconnect them.
Any idea?
Thanks,
Daniel
What is the lifetime value configured for in your crypto policies?
For example:
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
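An added example, not part of the original thread or any Cisco tooling: with 50 tunnels, one way to answer the lifetime question above is to pull every IKE policy out of a saved configuration and group the policies by lifetime. It assumes the flattened `show running-config` text seen on this page; `SAMPLE_CONFIG` and its 3600 value are constructed.

```python
import re

# Constructed sample, in the flattened form the thread shows (sub-commands unindented).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 3600
tunnel-group example ppp-attributes
authentication pap
"""

POLICY_RE = re.compile(r"^crypto (isakmp|ikev1) policy (\d+)$")
FIELDS = {"authentication", "encryption", "hash", "group", "lifetime"}

def parse_ike_policies(config_text):
    """Return {(keyword, priority): {field: value}} for each IKE policy block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = POLICY_RE.match(line)
        if match:
            current = policies.setdefault((match.group(1), int(match.group(2))), {})
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in FIELDS and value:
            current[key] = value
        else:
            current = None  # any other line closes the policy block
    return policies

def lifetimes(policies):
    """Group policy names by lifetime in seconds (None if unset or 'none')."""
    grouped = {}
    for (keyword, priority), fields in sorted(policies.items()):
        value = fields.get("lifetime", "")
        seconds = int(value) if value.isdigit() else None
        grouped.setdefault(seconds, []).append(f"{keyword} {priority}")
    return grouped

if __name__ == "__main__":
    for seconds, names in lifetimes(parse_ike_policies(SAMPLE_CONFIG)).items():
        print(seconds, names)
```

Run the same function over the configuration saved from each peer and compare the groups; the sub-commands of `tunnel-group` blocks (such as `authentication pap`) are deliberately not attributed to a policy.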