UCS "FI" directly connected to ASA

Dear All,
Could you clarify whether it is possible, from a technical perspective, to connect an ASA directly to a FI, and whether there are any restrictions?
Thanks

While it is probably technically doable...
With sufficient thrust, pigs fly just fine. However, this is
not necessarily a good idea.
(RFC1925)
How would you treat traffic between blades pinned to different FIs?
All best-practice docs I work with (flexpod/vblock) require that you use a high-performing L2 hop.

Similar Messages

  • Can the Cisco UCS 6120XP direct attach the EMC CX4-120 by fibre protocol ?

    Hi all
I have two questions about Cisco UCS.
Q1: Can the Cisco UCS 6120XP direct attach the EMC CX4-120 by fibre protocol?
Q2: I know the UCS 61XX Series supports the Cisco SAN switch (MDS). But we only have Brocade SAN switches,
so does the UCS 61XX Series support Brocade SAN switches?
Thanks, I really want to know this information.

Q1: The 6120s run in NPV (N_Port Virtualization) mode, which means it acts as a proxy for the blade vHBAs and doesn't participate in flogi (fabric logins). When a fabric switch runs in this mode it requires an uplink to a fabric switch for flogi and zoning. Due to this you cannot direct attach the 6120 to an array's front-end fiber ports.
    Q2: Yes you can uplink the 6120 to a Brocade fabric as long as the Brocade supports NPIV.

  • Cisco UCS FC Direct Attach Question

    We are looking at the Cisco UCS as a replacement for our existing servers and SAN switches. As I understand the fabric interconnect can replace our existing SAN switches and that we will still be able to zone the ports just like we do on our SAN switches today.
    Can someone confirm how using the fabric interconnects as a replacement for our SAN switches will work? I read that the fabric interconnects have to be in switch mode for this to work. How does this affect the other connections we will have to our Ethernet network?
    Thanks.

  • Internet directly on ASA device?

    Hi all,
    I need a suggestion on something very basic. There is a requirement for having a Site-to-Site tunnel.
Instead of terminating internet connectivity on a Cisco router and connecting the router to an ASA firewall, can we terminate the internet connectivity directly on the firewall and have a site-to-site tunnel? Will there be any disadvantages if we do this? Kindly help me understand.
    Regards,
    Ram

    Hi,
    There should be no problems doing this.
    It depends totally on the media which is used to connect the ISP to your firewall.
If you have some xDSL type connection you would traditionally use a modem/router in bridged mode and have the public IP address directly on the ASA, either statically configured or with DHCP, depending on how your connection with the ISP is set up.
I would see having the public IP address directly on the ASA as the preferred setup. If the public IP address was on the router you would have to do NAT and access control on 2 devices and it would needlessly complicate the setup.
    - Jouni

  • ASA 5510 FireWall Problem

    Hi All
After some advice and direction.
Our ASA firewall, running ASA version 8.4, has recently started presenting us with a problem to one external website
    called http://partners.highnet.com/login/  ip address 62.233.82.181.
    Our firewall is letting everything on our inside Trusted site 192.168.254.0/24 out through our outside interface on x.x.x.x
    to any website and brings back the details
    However when we try to reach http://partners.highnet.com/login/ we recently started receiving (Internet Explorer cannot display the webpage)
On checking the ASA under Home tab > Firewall Dashboard > Top 10 Protected Servers under SYN Attack, we see the entry below.
Rank   Server IP-Port      Interface   Average   Current   Total   Source IP (Last Attack Time)
5      62.233.82.181:80    INSIDE      0         0         8       192.168.254.130 (1 mins ago)
I have tried rebooting the ASA firewall (Still did not resolve).
I have also disabled basic threat detection and threat detection statistics and then re-enabled them after a period of time under Configuration > Firewall > Threat Detection (Still did not resolve).
Have created a number of access lists, both from inside to outside and outside to inside, allowing TCP just to the specific IP address 62.233.82.181 (Still did not resolve).
Tried editing the Global Policy for HTTP under Configuration > Connection Settings for TCP and UDP connections and also embryonic connections (Still did not resolve).
Also tried using the shun command on the ASA to clear connections and statistics (Still did not resolve).
So you see there is nothing else I can think of doing, which is why I have asked you for some pointers; maybe someone has come across this sort of issue before.
    If you can help or advise it is much appreciated.

    Hi,
    Are you sending logs from your ASA to any Syslog server from which you could pull all the connection logs for that destination IP address?
    On the ASA you can naturally use "packet-tracer" also to simulate one such packet coming from your LAN towards this WAN IP address (of the server) and confirm that all rules are correct.
    packet-tracer input INSIDE tcp 192.168.254.130 12345 62.233.82.181 80
    You could maybe also try to generate TCP SYNs directly from the ASA
    ping tcp 62.233.82.181 80
    And see if the server replies
    - Jouni

  • Cisco ASA 5505 Blocking LAN Domain Queries

    Hi guys,
Okay, my scenario: a datacentre-hosted system with 4 servers connected to a Cisco ASA 5505. Everything was working fine with 4x Windows Server 2003 machines, but since pulling 2 out and replacing them with Windows Server 2008 machines I get a flood of the error below, and it blocks communications back to the IP listed, which is the domain controller, so naturally this makes the 2 new servers unusable.
1: They are all connected to the inside VLAN directly via the ASA's switch ports.
2: They are all in the same 255.255.255.0 subnet, including the ASA inside interface.
3: Removing the gateway on the affected machines makes no difference; the ASA continues to block it, which indicates that whether or not the machines use the ASA as a gateway, it is inspecting the traffic and blocking it.
I have posted the error below and my config. It's strange that it's only affecting the new Server 2008 machines, and I'm hoping you can offer suggestions.
    Errors:
    2      Dec 08 2012      12:02:41      106007      10.50.15.117      55068      DNS            Deny inbound UDP from 10.50.15.117/55068 to 10.50.15.5/53 due to DNS Query
    Result of the command: "show run"
    : Saved
    ASA Version 8.2(1)
    hostname xxxxx-ASA5505
    domain-name xxx.local
    enable password
    passwd
    names
    name 10.50.17.0 Hobart description Hobart
    name 10.50.16.0 Launceston description Launceston
    name 10.50.18.0 Burnie description Burnie
    name 10.50.24.0 Devonport description Devonport
    name 10.50.23.0 burniewilmot description burniewilmot
    name 10.50.35.0 Warrnamboolmain description warrnamboolmain
    name 10.50.30.0 hamilton description hamilton
    name 10.50.20.0 Portland description Portland
    name 10.50.31.0 Camperdown description Camperdown
    name 10.50.32.0 wboolsh description wboolsh
    name 10.50.33.0 wblthy description wblthy
    dns-guard
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.50.15.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 111.223.228.154 255.255.255.248
    interface Vlan5
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address dhcp
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns server-group DefaultDNS
    domain-name xxx.local
    object-group service IpPrinting tcp
    port-object eq 9100
    object-group icmp-type icmp
    icmp-object alternate-address
    icmp-object conversion-error
    icmp-object echo
    icmp-object echo-reply
    icmp-object information-reply
    icmp-object information-request
    icmp-object mask-reply
    icmp-object mask-request
    icmp-object mobile-redirect
    icmp-object parameter-problem
    icmp-object redirect
    icmp-object router-advertisement
    icmp-object router-solicitation
    icmp-object source-quench
    icmp-object time-exceeded
    icmp-object timestamp-reply
    icmp-object timestamp-request
    icmp-object traceroute
    icmp-object unreachable
    object-group network dns_servers
    network-object host 10.50.15.5
    object-group service domain udp
    port-object eq domain
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in extended permit udp any any object-group domain
    access-list outside_access_in extended permit ip any any inactive
    access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
    access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq www
    access-list vpnusers_splitTunnelAcl standard permit 111.223.231.120 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 14.0.0.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 111.223.228.152 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 111.223.228.152 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 14.0.0.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Devonport 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
    access-list outside_3_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list outside_4_cryptomap extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
    access-list outside_5_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
    access-list outside_6_cryptomap extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
    access-list outside_7_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
    access-list outside_8_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
    access-list outside_9_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
    access-list outside_10_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
    access-list dmz_access_in extended permit tcp any interface outside eq www inactive
    access-list dmz_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1300
    mtu outside 1300
    mtu dmz 1500
    ip local pool vpnclient 14.0.0.1-14.0.0.15 mask 255.0.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 10.50.15.0 255.255.255.0
    static (outside,inside) tcp 10.50.15.5 www 0.0.0.0 www netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.50.15.5 www netmask 255.255.255.255  dns
    static (inside,outside) tcp interface smtp 10.50.15.5 smtp netmask 255.255.255.255  dns
    static (inside,inside) 10.50.15.0 255.255.255.0 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 111.223.228.153 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 10.50.15.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df outside
    crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 58.96.86.56
    crypto map outside_map 1 set transform-set esp-des-sha
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map0 1 match address outside_1_cryptomap_1
    crypto map outside_map0 1 set peer 59.167.207.106
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 2 match address outside_2_cryptomap
    crypto map outside_map0 2 set peer 59.167.204.53
    crypto map outside_map0 2 set transform-set ESP-3DES-SHA
    crypto map outside_map0 3 match address outside_3_cryptomap
    crypto map outside_map0 3 set pfs
    crypto map outside_map0 3 set peer 203.45.159.34
    crypto map outside_map0 3 set transform-set ESP-3DES-SHA
    crypto map outside_map0 4 match address outside_4_cryptomap
    crypto map outside_map0 4 set peer 203.45.134.39
    crypto map outside_map0 4 set transform-set ESP-3DES-SHA
    crypto map outside_map0 5 match address outside_5_cryptomap
    crypto map outside_map0 5 set peer 58.96.75.47
    crypto map outside_map0 5 set transform-set ESP-3DES-SHA
    crypto map outside_map0 6 match address outside_6_cryptomap
    crypto map outside_map0 6 set peer 58.96.85.151
    crypto map outside_map0 6 set transform-set ESP-3DES-SHA
    crypto map outside_map0 7 match address outside_7_cryptomap
    crypto map outside_map0 7 set peer 58.96.78.238
    crypto map outside_map0 7 set transform-set ESP-3DES-SHA
    crypto map outside_map0 8 match address outside_8_cryptomap
    crypto map outside_map0 8 set peer 58.96.69.82
    crypto map outside_map0 8 set transform-set ESP-3DES-SHA
    crypto map outside_map0 9 match address outside_9_cryptomap
    crypto map outside_map0 9 set peer 58.96.83.244
    crypto map outside_map0 9 set transform-set ESP-3DES-SHA
    crypto map outside_map0 10 match address outside_10_cryptomap
    crypto map outside_map0 10 set peer 58.96.80.122
    crypto map outside_map0 10 set transform-set ESP-3DES-SHA
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 70
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.50.15.50-10.50.15.55 inside
    dhcpd dns 10.50.15.5 interface inside
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 130.194.10.150
    webvpn
    group-policy xxx internal
    group-policy xxx attributes
    dns-server value 10.50.15.5
    vpn-tunnel-protocol IPSec
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    dhcp-network-scope 14.0.0.0
    vpn-tunnel-protocol IPSec webvpn
    ipv6-address-pools none
    group-policy vpnusers internal
    group-policy vpnusers attributes
    dns-server value 10.50.15.5 139.130.4.4
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnusers_splitTunnelAcl
    username aspireremote password
    username aspireremote attributes
    service-type remote-access
    username richard.lawes password
    username netscreen password
    tunnel-group DefaultL2LGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group TunnelGroup1 general-attributes
    address-pool (outside) vpnclient
    address-pool vpnclient
    default-group-policy GroupPolicy1
    dhcp-server 192.168.0.5
    tunnel-group TunnelGroup1 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group vpnusers type remote-access
    tunnel-group vpnusers general-attributes
    address-pool vpnclient
    default-group-policy vpnusers
    tunnel-group vpnusers ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 59.167.207.106 type ipsec-l2l
    tunnel-group 59.167.207.106 ipsec-attributes
    pre-shared-key *
    tunnel-group aspirevpn type remote-access
    tunnel-group aspirevpn general-attributes
    address-pool vpnclient
    default-group-policy xxxvpn
    tunnel-group xxxvpn ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 59.167.204.53 type ipsec-l2l
    tunnel-group 59.167.204.53 ipsec-attributes
    pre-shared-key *
    tunnel-group 203.45.159.34 type ipsec-l2l
    tunnel-group 203.45.159.34 ipsec-attributes
    pre-shared-key *
    tunnel-group 203.45.134.39 type ipsec-l2l
    tunnel-group 203.45.134.39 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.75.47 type ipsec-l2l
    tunnel-group 58.96.75.47 ipsec-attributes
    pre-shared-key *
    tunnel-group 58.96.85.151 type ipsec-l2l
    tunnel-group 58.96.85.151 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.78.238 type ipsec-l2l
    tunnel-group 58.96.78.238 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.69.82 type ipsec-l2l
    tunnel-group 58.96.69.82 ipsec-attributes
    pre-shared-key *
    tunnel-group 58.96.83.244 type ipsec-l2l
    tunnel-group 58.96.83.244 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.80.122 type ipsec-l2l
    tunnel-group 58.96.80.122 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    prompt hostname context

    Hello Richard,
My first thought is: why is the ASA receiving this traffic at all, as this is traffic that should not reach the default gateway?
    Anyway try the following
    same-security-traffic permit intra-interface
    Let me know how it goes
    Julio
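The two replies above suggest the same kind of check: Jouni (in the SYN-attack thread) asks for the connection logs for a particular destination IP, and Julio asks why the ASA is seeing traffic between two hosts on the same inside subnet at all. The following is an added example, not code from either thread, that parses ASA syslog lines in Python and answers both questions. The 106007 line is the one quoted in the post; the 302013, 302014 and 106023 lines are constructed for this example following the ASA message formats, with the server and client addresses from the other thread. The inside subnet 10.50.15.0/24 is taken from the posted config.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Inside interface of the posted ASA 5505 config: 10.50.15.254 255.255.255.0.
INSIDE_NET = ipaddress.ip_network("10.50.15.0/24")

# Constructed sample syslog lines. The 106007 line is from the thread; the others
# are made up for this example (the 203.0.113.10 PAT address is a documentation prefix).
SAMPLE_LOGS = [
    "%ASA-2-106007: Deny inbound UDP from 10.50.15.117/55068 to 10.50.15.5/53 due to DNS Query",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:62.233.82.181/80 "
    "(62.233.82.181/80) to inside:192.168.254.130/51234 (203.0.113.10/51234)",
    "%ASA-6-302014: Teardown TCP connection 4711 for outside:62.233.82.181/80 to "
    "inside:192.168.254.130/51234 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-4-106023: Deny tcp src inside:192.168.254.130/51235 dst outside:62.233.82.181/80 "
    "by access-group \"inside_access_in\"",
]

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
# Deny messages describe the flow as "from A/p to B/p" (106007) or "src if:A/p dst if:B/p" (106023).
DENY_FLOW_RE = re.compile(
    r"(?:from|src) (?:\w[\w-]*:)?(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"(?:to|dst) (?:\w[\w-]*:)?(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)
ENDPOINT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)/(\d+)")


@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    text: str
    endpoints: List[str]          # every IP that appears with a port in the message
    src: Optional[str] = None     # populated for Deny messages only
    dst: Optional[str] = None


def parse_line(line: str) -> Optional[AsaEvent]:
    """Parse one ASA syslog line; returns None for lines that are not ASA messages."""
    m = MSG_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    ev = AsaEvent(int(m.group("sev")), m.group("id"), text,
                  [ip for ip, _ in ENDPOINT_RE.findall(text)])
    flow = DENY_FLOW_RE.search(text)
    if flow and text.startswith("Deny"):
        ev.src, ev.dst = flow.group("src"), flow.group("dst")
    return ev


def events_for_host(lines: Iterable[str], host: str) -> List[AsaEvent]:
    """Jouni's suggestion: pull every connection log that mentions the server's IP."""
    return [ev for ev in map(parse_line, lines) if ev and host in ev.endpoints]


def intra_subnet_denies(lines: Iterable[str], inside_net=INSIDE_NET) -> List[AsaEvent]:
    """Julio's question: Deny events whose source and destination both sit in the inside
    subnet. Such traffic should be switched host-to-host and never reach the firewall."""
    hits = []
    for ev in map(parse_line, lines):
        if ev and ev.src and ev.dst:
            if (ipaddress.ip_address(ev.src) in inside_net
                    and ipaddress.ip_address(ev.dst) in inside_net):
                hits.append(ev)
    return hits


def syn_timeouts(lines: Iterable[str]) -> int:
    """Count teardowns that ended in 'SYN Timeout': half-open connections of the kind that
    feed the 'servers under SYN attack' counter in the threat-detection dashboard."""
    return sum(1 for ev in map(parse_line, lines)
               if ev and ev.msg_id == "302014" and "SYN Timeout" in ev.text)


if __name__ == "__main__":
    for ev in events_for_host(SAMPLE_LOGS, "62.233.82.181"):
        print(f"[{ev.msg_id}] {ev.text}")
    for ev in intra_subnet_denies(SAMPLE_LOGS):
        print(f"intra-subnet deny on the firewall: {ev.src} -> {ev.dst}")
    print("SYN timeouts:", syn_timeouts(SAMPLE_LOGS))
```

Feed it the syslog export for the ASA instead of SAMPLE_LOGS to get the same three views over real data; an intra-subnet Deny reaching the firewall points at a host-side routing or ARP problem (or at traffic hairpinning through the ASA's switch ports) rather than at an access-list, which is the diagnosis Julio's reply leads toward.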

  • ASA 5505 9.1(2) NAT/return traffic problems

    As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NAT'ing through the host workstation, then through the Cisco) but CAN NOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
I've stripped down the ASA config to the basics level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
    Network is extremely basic:
    DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
                                                                      ^
                                                                     |----------------------- guest vlan (10.0.1.X)
    show running-config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 9.1(2)
    hostname border
    domain-name mydomain.com
    enable password aaa encrypted
    passwd bbb encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 1,3
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.50.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif Guest-VLAN
    security-level 10
    ip address 10.0.1.1 255.255.255.0
    boot system disk0:/asa912-k8.bin
    boot system disk0:/asa911-k8.bin
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 208.104.2.36
    domain-name domain
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 255.255.255.0
    object network Guest-WLAN
    subnet 0.0.0.0 255.255.255.0
    description Interent access for guest Wireless
    object network xbox-nat-tcp3074
    host 192.168.50.54
    object network xbox-nat-udp3074
    host 192.168.50.54
    object network xbox-nat-udp88
    host 192.168.50.54
    object service xbox-live-88
    service udp destination eq 88
    object network xbox
    host 192.168.50.54
    object network obj-inside
    subnet 192.168.50.0 255.255.255.0
    object network obj-xbox
    host 192.168.50.54
    object network plex-server
    host 192.168.50.5
    object network ubuntu-server
    host 192.168.50.5
    description Ubuntu Linux Server
    object network ntp
    host 192.168.50.5
    object network plex
    host 192.168.50.5
    object network INTERNET
    subnet 0.0.0.0 0.0.0.0
    object-group service xbox-live-3074 tcp-udp
    port-object eq 3074
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service plex-server-32400 tcp
    description Plex Media Server
    port-object eq 32400
    access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
    access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
    access-list outside_access_in extended permit tcp any any eq echo
    access-list outside_access_in remark Plex Live access
    access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Guest-VLAN 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-713.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network xbox-nat-tcp3074
    nat (inside,outside) static interface service tcp 3074 3074
    object network xbox-nat-udp3074
    nat (inside,outside) static interface service udp 3074 3074
    object network xbox-nat-udp88
    nat (inside,outside) static interface service udp 88 88
    object network plex
    nat (inside,outside) static interface service tcp 32400 32400
    object network INTERNET
    nat (inside,outside) dynamic interface
    nat (Guest-VLAN,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.50.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=border
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xxxx
      quit
    crypto ca certificate chain ASDM_TrustPoint0
    certificate xxxx
      quit
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh 192.168.50.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpn-addr-assign local reuse-delay 60
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    dhcpd address 192.168.50.5-192.168.50.132 inside
    dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
    dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
    dhcpd lease 86400 interface Guest-VLAN
    dhcpd enable Guest-VLAN
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 152.19.240.5 source outside prefer
    ssl trust-point ASDM_TrustPoint0 outside
    username xxx password xxx/ encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    service call-home
    call-home reporting anonymous
    call-home
    contact-email-addr [email protected]
    profile CiscoTAC-1
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:xxx
    : end

    Hi,
    Configuration seems fine.
    With regards to the ICMP, you could also add this
    class inspection_default
      inspect icmp error
    I would probably start by trying out some other software level on the ASA
    Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
    One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA, and go through the information with Wireshark.
    - Jouni

  • ASA 5505 Failure replaced and need to move the license key?

    Can someone point me in the right direction? My ASA 5505 died due to a power surge and I swapped it with a spare. I had Security Plus and a 50 user license and need to move the license keys from the failed ASA 5505 to the new one. I kept both my emails with the activation keys, but not sure how I get this transferred?  Thanks in advance.
    Joe

    I think this is totally unacceptable. For anyone else who uses a 5505 at home and has bought licenses and the hardware out of their own pocket, the idea here should be that you've already bought the hardware and the license. Seems obvious, right?
    Yes I can see the license being device specific if not only because that's the way you've designed your licensing activation schema; but if I've just had your product fail and bought another replacement, there should be an understanding or agreement between Cisco and the user that we can reinstate any licenses we've already bought.
    Do you really believe it's fair to make someone buy something from you twice, something that they've already bought from you? Do you actually believe that? I believe that the people in the Cisco Licensing department would agree with my viewpoint and I have a pending case with them for this issue right now. I will post my result here.
    Make your products last and perhaps I can give credence to your licensing beliefs, until then your products fail and so does your licensing logic.

  • Cisco ASA 5505 - Can't Login from Public & Local IP Anymore!

    Hello,
    We've a Cisco ASA 5505 connected directly to a Verizon FiOS Circuit (ONT) box using an Ethernet cable. As per the existing documentation that I have, the previous configured this as a dedicated router to establish a separate VPN connection to our software provider. They assigned both a Public Static and a Local Static IP address. When I try to ping the public IP address, it says request timed out; so the public IP address is no longer working.
    When I ping the local IP address of 192.168.100.11, it responds. The SolarWinds tool also shows an Always UP signal. How can I log in to this router either remotely or locally to check the configuration, back it up and do the firmware upgrade?
    I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to the Internet without any issues. However, I don't know the IP address to use to log in.
    Any advice would be greatly appreciated. Thank you.
    UPDATE: I'm able to find the way! I need to use https to login! I'm able to download ASDM tool and login! Thanks to these resources:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
    http://cyruslab.wordpress.com/2010/09/09/how-to-download-asdm-from-asa5505-and-install-it/

    Hi Srinath,
    If that ASA5505 has factory-default configuration on it , then it probably has 192.168.1.1 ip address on the LAN side and has got dhcp server turned on to provide you ip address dynamically the moment you hook up a machine to it directly or through a switch.
    If you've access to ASDM:
    You can go to the Configuration Tab>>Device Management>>Device Access and turn on SSH & Telnet from the LAN interface, because by default only HTTPS/ASDM is enabled on the LAN interface.
    You will still need to generate crypto keys and create a username in order to get SSH working.
    For this you can click at the TOP at TOOLS>> Command Line Interface.
    And in the box below type this
    crypto key generate rsa modulus 1024
    add a username
    username <> password <> priv 15
    and enable aaa authentication for ssh like this
    aaa authentication ssh console LOCAL
    Let me know if this helps.
    Puneet

  • ASA 5505 to allow 2nd network segment through mpls

    I have been having a heck of a time trying to configure my 5505 to allow the second segment on my network to use the internet.
    Office 1 has a fiber internet connection, and all traffic flows fine.
    Office 2 had gotten its internet from AT&T, via a network based firewall injecting a default route into the MPLS cloud.
    Both offices communicate with each other through the MPLS.
    When we added the fiber to office 1, we had the MPLS people change the default internet route to the inside address of the 5505 and things worked fine.
    When AT&T attempted to remove the NBF default route, and inject the 5505's address as default, things didn't go so well.
    AT&T claims that it is within my NAT commands on the 5505, but won't tell me anything else.  I assume that they are correct, and I assume that I am not good enough with the 5505 ASDM to tell it what to do.
    Office 1 uses 10.10.30.xx addresses and Office 2 uses 10.10.10.xx - the 5505 inside interface is 10.10.30.2 the internal interfaces of the mpls are 10.10.30.1 and 10.10.10.1
    I don't know what other information you would need, but am stuck here at Office 1 until I can get this working.
    Thanks

    Hi,
    Ok, so IF I have not understood anything wrong (which is still possible), it would seem to me that the network mask of the ASA is at least one reason that will cause problems for the WI LAN if they try to use the Internet through the ASA5505 on the PA site.
    This is what I would presume will happen when a host on the WI LAN initiates a connection to the Internet:
    WI PC 10.10.10.10 sends a TCP SYN to initiate/open a TCP connection with a Web server on the Internet
    The TCP SYN gets forwarded to the default gateway of the PC which is 10.10.10.1
    The TCP SYN packet traverses the ISP MPLS network all the way to the PA Site
    The PA Site 3900 has a default route probably towards PA ASA 10.10.30.2
    TCP SYN gets forwarded from the PA 3900 to the PA ASA according to the above mentioned default route on the PA 3900
    TCP SYN arrives on the ASA and gets forwarded to the Internet
    TCP SYN,ACK from the Web server arrives on the ASA
    ASA will ARP for the MAC address of the WI PC IP address of 10.10.10.10 because it thinks that the host is directly connected to the ASA's "inside" interface because of the "inside" interface's large /16 network mask which contains addresses between 10.10.0.0 - 10.10.255.255
    The ARP request sent from the ASA never receives a reply since the WI PC isn't directly connected
    PA ASA will never be able to forward the traffic to the WI PC which is trying to open the connection to the Internet because of the above mentioned problem. Therefore the TCP connection from the WI PC never succeeds and times out.
    Now you might ask, why do the connections between the PA and WI LAN work? To my understanding it is because the traffic from the PA hosts gets first forwarded to the PA 3900, and then they have a working route to the WI LAN. The same way the WI LAN has a working route towards the PA LAN since the ASA isn't involved in any way.
    The PA Internet connection naturally works as the 10.10.30.0/24 hosts are directly connected to the ASA so the above mentioned ARP will not fail on their part and traffic is forwarded just fine between the PA LAN and the Internet.
    So to my understanding the solution to this problem would be to change the PA ASA "inside" subnet mask from 255.255.0.0 to 255.255.255.0.
    If you are unsure of this change I would suggest you do it when there is low network use (so you can revert the change). Naturally if you are on the PA LAN then you can probably access the Console connection if something were to go wrong. I can't see any configurations on the PA ASA which would imply that you configure the device remotely through the Internet.
    Hope I made sense and hope this helps
    Naturally ask more if needed
    - Jouni

  • ASA 5505 Speed Issue - Help Requested if possible

    Hi All,
    I am wondering if anybody here can shed some light on any potential configuration issues with the configuration below (Sanitized). Current State:
    1.     Site to Site VPN is up and running perfectly.
    2.     Client to Site VPNs work through L2TP/IPSEC and through mobile devices such as iPhone.
    3.     The outside interface is at line speed - approximately 5-6MBits per second.
    4.     When performing a download of a service pack from microsoft - Bit rate on the inside interface is approximately 1/3rd of the outside interface (A lot of loss). Interface shows no CRC errors and no input errors.
    5.     The outside interface shows CRC errors and INPUT errors but due to the line speed being optimal (as the client experienced via their WAN router directly, with the ASA out of the mix), I have not looked into this further. I suspect the device it is directly attached to does not auto negotiate correctly even though the interface is set to 100Mb Full Duplex.
    6.     Outside interface MTU is set to 1492, purposely set this way due to PPPoE overhead (Please correct me if I am wrong). (Approx 8 bytes)
    7.     Inside Interface MTU is set to 1500, no drops or loss detected on that interface so have left it as is.
    8.     All inspection has been disabled on the ASA as I thought that scans on the traffic could have impaired performance.
    Current Environment Traffic Flow:   
    1.     All hosts on the network have their DNS pointed to external IP addresses currently as the DNS server is out of the mix. This usually points to DNS servers in the US. If the hosts use this, the DNS queries are performed over the site-to-site VPN but the internet traffic is routed around the VPN as the traffic is a separate established session. Split tunneling is enabled on the ASA to only trust the internal hosts from accessing the US hosts. Everything else uses the default route.
    2.     The version of software on this ASA is 8.2(1). I have checked and there does not seem to be any underlying issues that would cause this type of behaviour.
    3.     Memory is stable at roughly 190Mb out of 512Mb
    4.     CPU is constant at approximately 12%.
    5.     WAN and INSIDE switch are Fast Ethernet and the ASA interfaces are all Ethernet - Potential compatibility issue between standards? I'm aware they should be compatible - anybody that has experienced any issues regarding this would be greatly appreciated.
    Current Issues:
    1.     Speed on the inside interface is approximately 1/3rd of the WAN/Outside interface - download speeds are sitting at approximately 250 - 300kb (should be sitting at approximately 700-800kb).
    2.     Noticed that when the DC is pointed to the USA Root Domain Controller (Across the tunnel) latency is approximately 400ms average. (Performed using host name).
    3.     I ping the IP address of the exact same server and the latency is still 400ms.
    4.     Changing the DCs DNS address to 8.8.8.8, I perform the same ping to the same servers. Still 400ms.
    5.     I ping google.co.nz and I still get 400ms (You would expect it to route out the default gateway but session is still active for that IP on the ASA).
    6.     I ping 74.x.x.x (The IP from the resolution from step 5) and I get the same result.
    7.     I flush dns, same issue for 5/6.
    8.     I clear xlate on the ASA and the same issue persists.
    9.     I close command line, reopen it, and perform the test again - latency is now back to 40 - 50ms as we would expect for non-VPN traffic.
    I am currently out of ideas and would like some advice on what I have actually missed.
    Things I suspect that I may need to do:
    1.     Upgrade IOS to latest version (Other than that - I'm out of ideas).
    ASA Version 8.2(1)
    hostname BLAH
    enable password x.x.x.x encrypted
    passwd x.x.x.x encrypted
    names
    name x.x.x.x BLAHPC
    name 8.8.8.8 Google-DNS description Google-DNS
    name 202.27.184.3 Telecom-Alien-Pri description Telecom-Alien-Pri
    name 202.27.184.5 Telecom-Terminator-Sec description Telecom-Terminator-Sec
    name 203.96.152.4 TelstraClearPri description TCL-PRI
    name 203.96.152.12 TelstraClearSec description TCL-Sec
    name x.x.x.x BLAH_Network description BLAH-Internal
    name x.x.x.x DC description DC VPN Access
    name x.x.x.x Management-Home description Allow RDP Access from home
    name x.x.x.x SentDC description BLAHDC
    name x.x.x.x Outside-Intf
    dns-guard
    interface Vlan1
    nameif inside
    security-level 100
    ip address x.x.x.x 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group pppoex
    ip address pppoe setroute
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    banner exec [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
    banner login If you are Unauthorized to use this device, leave now. Prosecution will follow if you are found to access this device without being Authorized.
    banner asdm [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
    ftp mode passive
    clock timezone WFT 12
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server Google-DNS
    name-server Telecom-Alien-Pri
    name-server Telecom-Terminator-Sec
    name-server TelstraClearPri
    name-server TelstraClearSec
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group network BLAH-US
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group network x.x.x.x
    network-object x.x.x.x 255.255.255.0
    network-object  x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group service Management_Access_Secure
    description Management Access - SECURE
    service-object tcp eq https
    service-object tcp eq ssh
    service-object tcp eq 4434
    object-group service FileTransfer tcp
    description Allow File Transfer
    port-object eq ftp
    port-object eq ssh
    object-group service WebAccess tcp
    description Allow Web Access
    port-object eq www
    port-object eq https
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service AD_Access udp
    description Allow Active Directory AD ports - UDP Only
    port-object eq 389
    port-object eq 445
    port-object eq netbios-ns
    port-object eq 636
    port-object eq netbios-dgm
    port-object eq domain
    port-object eq kerberos
    object-group network DM_INLINE_NETWORK_2
    group-object x.x.x.x
    group-object x.x.x.x
    object-group network DM_INLINE_NETWORK_3
    group-object x.x.x.x
    group-object x.x.x.x
    object-group network BLAH_DNS
    description External DNS Servers
    network-object host Telecom-Alien-Pri
    network-object host Telecom-Terminator-Sec
    network-object host TelstraClearSec
    network-object host TelstraClearPri
    network-object host Google-DNS
    object-group service AD_Access_TCP tcp
    description Active Directory TCP protocols
    port-object eq 445
    port-object eq ldap
    port-object eq ldaps
    port-object eq netbios-ssn
    port-object eq domain
    port-object eq kerberos
    port-object eq 88
    object-group network DM_INLINE_NETWORK_4
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group network DM_INLINE_NETWORK_5
    network-object x.x.x.x 255.255.255.0
    network-object x.x.x.x 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
    group-object x.x.x.x
    group-object x.x.x.x
    object-group network DM_INLINE_NETWORK_1
    group-object x.x.x.x
    group-object x.x.x.x
    access-list inside_access_in remark Allow Internal ICMP from BLAH
    access-list inside_access_in extended permit icmp Sentinel_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2
    access-list inside_access_in remark Allow Internal ICMP to BLAH
    access-list inside_access_in extended permit icmp object-group DM_INLINE_NETWORK_3 BLAH 255.255.255.0
    access-list inside_access_in remark External DNS
    access-list inside_access_in extended permit object-group TCPUDP BLAH 255.255.255.0 object-group BLAH_DNS eq domain
    access-list inside_access_in remark Allows Web Access
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group WebAccess
    access-list inside_access_in remark Allow Remote Desktop Connections to the Internet
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group RDP
    access-list inside_access_in remark Allow File Transfer Internet
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group FileTransfer
    access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
    access-list inside_access_in extended permit udp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_4 object-group AD_Access
    access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
    access-list inside_access_in extended permit tcp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_5 object-group AD_Access_TCP
    access-list inside_access_in extended permit ip any any
    access-list outside_cryptomap_65535.1 extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_6
    access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-US
    access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
    access-list nonat extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
    access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-US
    access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
    access-list tekvpn extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
    access-list inbound extended permit icmp any any
    access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 10.1.118.192 255.255.255.224
    access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list outside_1_cryptomap extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging monitor informational
    logging buffered notifications
    logging trap informational
    logging asdm informational
    logging class auth monitor informational trap informational asdm informational
    mtu inside 1500
    mtu outside 1492
    ip local pool ipsec_pool x.x.x.x-x.x.x.x mask 255.255.255.0
    ip local pool Remote-Access-DHCP x.x.x.x-x.x.x.x mask 255.255.255.0
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 BLAH 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    nac-policy DfltGrpPolicy-nac-framework-create nac-framework
    reval-period 36000
    sq-period 300
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec authentication-server
    http server enable RANDOM PORT
    http 0.0.0.0 0.0.0.0 outside
    http x.x.x.x x.x.x.x inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection tcpmss 1428
    sysopt connection tcpmss minimum 48
    auth-prompt prompt You are now authenticated. All actions are monitored! if you are Unauthorized, Leave now!!!
    auth-prompt accept Accepted
    auth-prompt reject Denied
    service resetoutside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer x.x.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh x.x.x.x 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    management-access inside
    vpdn group pppoex request dialout pppoe
    vpdn group pppoex localname **************
    vpdn group pppoex ppp authentication pap
    vpdn username ************** password PPPOE PASSPHRASE HERE
    dhcpd auto_config outside
    dhcpd address x.x.x.x/x inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server x.x.x.x source outside prefer
    tftp-server outside x.x.x.x /HOSTNAME
    webvpn
    group-policy DfltGrpPolicy attributes
    banner value Testing ONE TWO THREE
    vpn-idle-timeout 300
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value outside_cryptomap_65535.1
    user-authentication enable
    nem enable
    address-pools value Remote-Access-DHCP
    webvpn
      svc keepalive none
      svc dpd-interval client none
    USER CREDENTIALS HERE
    vpn-tunnel-protocol l2tp-ipsec
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key SITETOSITE PSK
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup general-attributes
    authorization-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key CLIENTTOSITE PSK
    peer-id-validate nocheck
    isakmp keepalive disable
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    authentication eap-proxy
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspect_default
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    Cryptochecksum:894474af5fe446eeff5bd9e7f629fc4f
    : end

    Hi all, this post can be officially closed. The issue had nothing to do with the ASA but required a firmware upgrade on the WAN router which boosted the throughput on the external interface on the ASA to 10Mbps and the inside throughput naturally corrected itself to what was expected.
    Thanks to everybody who looked at this issue.
    Andrew
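Items 6 and 7 of the question above (outside MTU 1492 because of PPPoE, inside MTU 1500) and the `sysopt connection tcpmss 1428` line in the posted configuration are tied together by a byte budget the thread never works out, and the site-to-site tunnel in that configuration tightens it further. The Python below is an added example written for this page, not code from the thread or from Cisco. It uses the standard header sizes (RFC 2516 PPPoE: 6-byte header plus 2-byte PPP protocol field, which is the poster's "approx 8 bytes"; RFC 4303 ESP) and the IV, block and ICV sizes of the 3DES/MD5 and AES/SHA transform families named in the configuration; the 1380-byte figure mentioned in the usage note is the ASA's default MSS clamp.

```python
"""MTU/MSS budget for a PPPoE uplink carrying an IPsec site-to-site tunnel.

Added example for this page, not code from the thread or from Cisco.  Header
sizes are the standard ones (RFC 2516 PPPoE, RFC 4303 ESP); the transform
profiles mirror the transform-set names in the posted configuration.
"""
from dataclasses import dataclass

ETHERNET_MTU = 1500
PPPOE_HEADER = 6        # PPPoE session header (RFC 2516)
PPP_PROTOCOL_ID = 2     # PPP protocol field carried inside the PPPoE payload
IPV4_HEADER = 20        # without options
TCP_HEADER = 20         # without options
ESP_HEADER = 8          # SPI + sequence number
ESP_TRAILER = 2         # pad length + next header
UDP_HEADER = 8          # only when NAT-T (UDP 4500) encapsulation is in use


@dataclass(frozen=True)
class EspProfile:
    """Cipher/MAC parameters that determine ESP overhead."""
    name: str
    iv_len: int      # bytes of IV in front of the ciphertext
    block_len: int   # cipher block size; ESP pads the payload up to a multiple
    icv_len: int     # truncated HMAC length (MD5-96 and SHA1-96 are both 12)


ESP_3DES_MD5 = EspProfile("esp-3des esp-md5-hmac", iv_len=8, block_len=8, icv_len=12)
ESP_AES_SHA = EspProfile("esp-aes esp-sha-hmac", iv_len=16, block_len=16, icv_len=12)


def pppoe_mtu(link_mtu: int = ETHERNET_MTU) -> int:
    """IP MTU left on a PPPoE link: 1500 - 6 - 2 = 1492."""
    return link_mtu - PPPOE_HEADER - PPP_PROTOCOL_ID


def clear_text_mss(mtu: int) -> int:
    """Largest TCP MSS that fits one IP MTU without IPsec: MTU - 40."""
    return mtu - IPV4_HEADER - TCP_HEADER


def esp_tunnel_overhead(profile: EspProfile, inner_len: int, nat_t: bool = False) -> int:
    """Bytes that ESP tunnel mode adds around an inner IP packet of inner_len bytes.

    Padding depends on the inner length: ESP pads (payload + 2-byte trailer)
    up to the cipher block size, so the overhead is not a constant.
    """
    pad = (-(inner_len + ESP_TRAILER)) % profile.block_len
    outer = IPV4_HEADER + (UDP_HEADER if nat_t else 0)
    return outer + ESP_HEADER + profile.iv_len + pad + ESP_TRAILER + profile.icv_len


def max_mss_over_ipsec(mtu: int, profile: EspProfile, nat_t: bool = False) -> int:
    """Largest MSS whose full-size segment still fits in mtu after ESP encapsulation."""
    mss = clear_text_mss(mtu)
    while mss > 0:
        inner = IPV4_HEADER + TCP_HEADER + mss
        if inner + esp_tunnel_overhead(profile, inner, nat_t) <= mtu:
            return mss
        mss -= 1
    raise ValueError("MTU too small for any TCP payload")


def check_clamp(configured_mss: int, mtu: int, profile: EspProfile, nat_t: bool = False):
    """Is a 'sysopt connection tcpmss' value safe for tunnelled traffic on this link?

    Returns (ok, limit).  A clamp above the limit means a full-size tunnelled
    segment no longer fits the link and has to be fragmented somewhere on the path.
    """
    limit = max_mss_over_ipsec(mtu, profile, nat_t)
    return configured_mss <= limit, limit


if __name__ == "__main__":
    mtu = pppoe_mtu()
    print("PPPoE MTU:", mtu, " clear-text MSS limit:", clear_text_mss(mtu))
    for profile in (ESP_3DES_MD5, ESP_AES_SHA):
        ok, limit = check_clamp(1428, mtu, profile)
        print(f"{profile.name}: tunnel MSS limit {limit}, tcpmss 1428 {'fits' if ok else 'too large'}")
```

Run stand-alone it prints the budget for both transform families. Against the 1492-byte PPPoE MTU the model gives a 1452-byte ceiling for clear-text Internet traffic, so the posted 1428 is fine there, but only 1398 bytes for 3DES/MD5 tunnel-mode packets and 1382 for AES/SHA (1390 for 3DES/MD5 with NAT-T), which is why the ASA's default clamp of 1380 is conservative and why a 1428 clamp leaves full-size VPN segments needing fragmentation.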

  • ASA 5510 Guest Internet Access

    I have a subnet for guest network access, both wired and wireless.  We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'.  For most internal traffic, it all stays behind the ASA.  But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA.  The question is, how can I still permit those users to access our internal DNS servers?  Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.?  I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.
    Regards,
    Scott

    Hello Scott,
    Your ASA will need to have a route for both networks
    You also will need the following command:
    same-security-traffic permit intra-interface
    The thing is that the packets from the guest vlan will go directly to the ASA as its default gateway, then packets will be routed to the Router on stick and finally to the DNS server, the reply will go from the DNS to the Router on stick and then directly to the Guest user.
    Nat exemption will look like this:
    access-list nonat permit ip 192.168.14.0 255.255.255.0  host 192.168.11.6
    access-list nonat permit ip 192.168.14.0 255.255.255.0  host 192.168.11.4
    nat (inside) 0 access-list nonat
    Please give it a try, also please provide packet tracer
    packet-tracer input inside udp 192.168.14.10 1025 192.168.11.4 53
    Regards,
    Julio
    Rate helpful posts
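Jouni's walk-through of the /16 mask earlier on this page (the ASA ARPs for 10.10.10.10 itself because its "inside" subnet contains that address) and Julio's guest-DNS reply here (a flow that enters and leaves on the same interface needs `same-security-traffic permit intra-interface` and a NAT exemption) both come down to the same forwarding lookup. The Python below is an added example written for this page, not code from either thread or from Cisco; it is a deliberately small model of a firewall's longest-prefix route lookup, its on-link ARP decision, the hairpin check and the NAT-exemption match. The ASA's real packet path has many more stages (ACLs, connection table, inspection), so read it as an explanation of the two decisions the replies hinge on, not as a packet-tracer replacement. Addresses from the replies are reused; the outside interface, the Internet host, the static route to the WI LAN via 10.10.30.1, and the ASA and router addresses 192.168.1.1 and 192.168.1.2 in the guest case are constructed assumptions.

```python
"""Minimal model of a firewall forwarding decision: longest-prefix lookup,
on-link ARP versus next hop, same-interface (hairpin) check and NAT exemption.

Added example for this page; not ASA code.  Addresses marked 'constructed'
are assumptions, the rest come from the two replies it illustrates.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4Addr = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    address: ipaddress.IPv4Interface          # own address plus mask, e.g. 10.10.30.2/16
    hosts: set = field(default_factory=set)   # neighbours that would answer ARP (constructed)


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: IPv4Addr


@dataclass
class Decision:
    action: str                       # "forward" or "drop"
    reason: str
    egress: Optional[str] = None
    arp_target: Optional[str] = None  # address resolved on the egress segment
    nat_exempt: bool = False


class Firewall:
    def __init__(self, interfaces, routes=(), intra_interface=False, nat_exempt=()):
        self.interfaces = list(interfaces)
        self.routes = list(routes)
        self.intra_interface = intra_interface   # same-security-traffic permit intra-interface
        self.nat_exempt = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in nat_exempt]

    def _connected(self, addr):
        """Interface whose subnet contains addr, or None."""
        return next((i for i in self.interfaces if addr in i.address.network), None)

    def _lookup(self, dst):
        """Longest-prefix match; connected subnets and static routes compete equally."""
        best = None                                   # (prefixlen, egress, next_hop)
        for itf in self.interfaces:
            net = itf.address.network
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, itf, None)     # on-link: ARP for dst itself
        for r in self.routes:
            egress = self._connected(r.next_hop)
            if egress and dst in r.prefix and (best is None or r.prefix.prefixlen > best[0]):
                best = (r.prefix.prefixlen, egress, r.next_hop)
        return best

    def forward(self, ingress, src, dst):
        src, dst = IPv4Addr(src), IPv4Addr(dst)
        best = self._lookup(dst)
        if best is None:
            return Decision("drop", "no route")
        _, egress, next_hop = best
        if egress.name == ingress and not self.intra_interface:
            return Decision("drop", f"hairpin on '{egress.name}' without intra-interface permit", egress.name)
        target = dst if next_hop is None else next_hop
        if target not in egress.hosts:
            return Decision("drop", f"ARP for {target} on '{egress.name}' unanswered", egress.name, str(target))
        exempt = any(src in s and dst in d for s, d in self.nat_exempt)
        return Decision("forward", "ok", egress.name, str(target), exempt)


def wi_lan_case(inside_prefixlen, with_route):
    """Jouni's scenario: PA ASA inside 10.10.30.2 with the given mask, WI LAN
    10.10.10.0/24 behind the MPLS router 10.10.30.1.  The web server's SYN,ACK
    enters on 'outside' (outside addresses and the static route are constructed)."""
    inside = Interface("inside", ipaddress.IPv4Interface(f"10.10.30.2/{inside_prefixlen}"),
                       hosts={IPv4Addr("10.10.30.1")})
    outside = Interface("outside", ipaddress.IPv4Interface("203.0.113.2/30"),
                        hosts={IPv4Addr("203.0.113.1")})
    routes = [StaticRoute(ipaddress.IPv4Network("0.0.0.0/0"), IPv4Addr("203.0.113.1"))]
    if with_route:
        routes.append(StaticRoute(ipaddress.IPv4Network("10.10.10.0/24"), IPv4Addr("10.10.30.1")))
    return Firewall([inside, outside], routes).forward("outside", "198.51.100.10", "10.10.10.10")


def guest_dns_case(intra_interface):
    """Julio's scenario: guest 192.168.14.10 queries internal DNS 192.168.11.4,
    both reached through the router-on-a-stick on 'inside'.  The ASA address
    192.168.1.1 and router address 192.168.1.2 are constructed."""
    router = IPv4Addr("192.168.1.2")
    inside = Interface("inside", ipaddress.IPv4Interface("192.168.1.1/24"), hosts={router})
    routes = [StaticRoute(ipaddress.IPv4Network("192.168.14.0/24"), router),
              StaticRoute(ipaddress.IPv4Network("192.168.11.0/24"), router)]
    nonat = [("192.168.14.0/24", "192.168.11.6/32"), ("192.168.14.0/24", "192.168.11.4/32")]
    fw = Firewall([inside], routes, intra_interface=intra_interface, nat_exempt=nonat)
    return fw.forward("inside", "192.168.14.10", "192.168.11.4")


if __name__ == "__main__":
    print("/16 inside, no route :", wi_lan_case(16, False))
    print("/24 inside + route   :", wi_lan_case(24, True))
    print("guest DNS, no permit :", guest_dns_case(False))
    print("guest DNS, permitted :", guest_dns_case(True))
```

With the /16 mask the lookup picks the connected subnet, so the model ARPs for 10.10.10.10 on "inside" and nothing answers; with the /24 mask and a route to the WI LAN the next hop 10.10.30.1 is resolved instead. In the guest case the lookup returns "inside" for a packet that arrived on "inside", which the model drops until intra-interface traffic is permitted, and the nonat pairs from Julio's reply then mark the flow as exempt from translation. Because both connected subnets and static routes take part in the same longest-prefix match, the model also shows that a more specific static route would win over a broad connected subnet.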

  • Link to configuration convertor tool from PIX to ASA

    Hi,
    I have been looking unsuccessfully for the Cisco tool that takes the PIX config and converts it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and if it's a Yes, where I can find that Tool on the Cisco Site please?
    Regards,
    Masood

    hello again,
    This configuration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX configuration.
    Would you please be able to tell me what I need to type on the ASAs to configure them for this cable based failover?
    Here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface:
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
    no shut
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
    no shut
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
    no shut
    and the STANDBY:
    failover
    failover lan unit secondary
    failover lan interface failover Ethernet0/3
    failover key *****
    failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
    Now, I already have the configs from PIX 525 which I am going to paste directly onto the ASA which has been downgraded to 8.2.3.
    So how does it work with the failover configuration?
    Can you please advise on how I go about the following:
    1- configure failover before I paste the PIX config onto the ASA?
    2- paste the config for PIX 525 onto the ASA which I have already downgraded to the 8.2.3 version.
    Please advise.
    Regards,
    Masood
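Since the confusion is about the `standby` keyword, here is an added example (not a Cisco tool and not from the thread) that lints the interface stanzas of an Active/Standby pair: every interface that carries an IP address needs a standby address in the same subnet that differs from the active one, and the interface named as the failover link must not also be a `nameif` data interface. The first config is the one quoted in the post (trimmed of the `no shut` lines); the second is constructed to show what a PIX config pasted in without standby addresses reports.

```python
"""
Constructed lint for ASA Active/Standby failover interface settings
(added example, not a Cisco tool). It reads 'interface' stanzas and the
'failover' lines and reports what would leave the standby unit without a
usable address, which is what the 'standby' keyword on each interface is for.
"""
from ipaddress import ip_address, ip_network


def parse_failover_config(text):
    """Return (interfaces, failover): nameif/ip/mask/standby per interface, plus the failover link."""
    ifaces, failover, cur = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = t[1]
            ifaces[cur] = {"nameif": None, "ip": None, "mask": None, "standby": None}
        elif t[0] == "failover":
            cur = None                                  # back at global config level
            if t[1:3] == ["lan", "interface"]:
                failover["link_if"] = t[4]              # failover lan interface NAME PHYSICAL
            elif t[1:3] == ["interface", "ip"]:
                failover["ip"], failover["mask"] = t[4], t[5]
                if "standby" in t:
                    failover["standby"] = t[t.index("standby") + 1]
        elif cur is not None:
            if t[0] == "nameif":
                ifaces[cur]["nameif"] = t[1]
            elif t[:2] == ["ip", "address"]:
                ifaces[cur]["ip"], ifaces[cur]["mask"] = t[2], t[3]
                if "standby" in t:
                    ifaces[cur]["standby"] = t[t.index("standby") + 1]
    return ifaces, failover


def _check_pair(label, ip, mask, standby):
    """The standby address is the peer unit's own address on this interface:
    it must be in the same subnet as the active address and differ from it."""
    if standby is None:
        return [f"{label}: no standby address, so the peer unit has no IP on this interface"]
    net = ip_network(f"{ip}/{mask}", strict=False)
    if ip_address(standby) not in net:
        return [f"{label}: standby {standby} is outside {net}"]
    if standby == ip:
        return [f"{label}: standby address equals the active address"]
    return []


def lint_failover(text):
    """Return a list of findings; an empty list means the pair config is consistent."""
    ifaces, failover = parse_failover_config(text)
    findings = []
    for intf, cfg in ifaces.items():
        if cfg["ip"] is not None:
            label = f"{intf} ({cfg['nameif'] or 'no nameif'})"
            findings += _check_pair(label, cfg["ip"], cfg["mask"], cfg["standby"])
    link = failover.get("link_if")
    if link is None:
        findings.append("no 'failover lan interface' configured")
    elif link in ifaces and ifaces[link]["nameif"]:
        findings.append(f"failover link {link} also has nameif {ifaces[link]['nameif']}; "
                        "the failover link must be a dedicated interface")
    if "ip" in failover:
        findings += _check_pair("failover link", failover["ip"], failover["mask"], failover.get("standby"))
    return findings


# The pair configuration quoted in the thread (without the 'no shut' lines).
THREAD_CONFIG = """
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
"""

# Constructed: a PIX-style paste with no standby on inside, a standby in the
# wrong subnet on outside, and a nameif on the interface used as failover link.
PASTED_PIX_CONFIG = """
interface Ethernet0/0
nameif outside
ip address 172.22.1.252 255.255.255.0 standby 172.22.2.253
interface Ethernet0/1
nameif inside
ip address 10.10.10.10 255.255.255.0
interface Ethernet0/3
nameif mgmt
failover lan interface failover Ethernet0/3
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
"""

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("pasted", PASTED_PIX_CONFIG)):
        print(name, lint_failover(cfg) or ["ok"])
```

Run against the pasted config it shows why the active unit's interface lines have to change even when the addresses themselves stay the same: without a `standby` address the secondary unit has nothing to answer on after a failover.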

  • Best Practice for Connecting ASA to Catalyst Switch with Multiple VLANs

    Hi all,
    Have the following network topology that was in place when I started the job (See attached pdf).  Am thinking it might be better if I could eliminate the Cisco 2811 router and connect directly from the ASA to my 12 port fiber switch (192.168.7.1).  In my thinking this would eliminate an unnecessary piece of equipment and also give me a gig link to my ASA as opposed to the 100 meg link I have now with the old router.  The 12 port fiber has links to most of my IDFs and is acting as my VLAN gateway for all inter VLAN routing.
    Is my current topology ideal or would I be better served to remove router and connect directly to the 3750G-12s Fiber switch or my Master Switch (192.168.7.4)?  Only thing I don’t like about direct connect to Master switch is that it takes scheduling a major outage for me to reboot it.  However, if that is best practice in this case, I can live with it.
    It appears the 12 port fiber cannot have IP addresses  assigned directly to Ports, only to VLANs.  So would I have to create a separate vlan for my ASA and assign IPs to the vlan on each end of the connection?
    I have read some suggestions that say it is better to terminate all VLANs on the ASA.  So as I understand that would require creating subinterfaces on my ASA LAN port and assigning each subinterface to its own VLAN.  Inter-VLAN routing would then be controlled by the ASA.
    Does not seem practical to me as I have about 15 VLANs total.  Not showing everything in the drawing.
    Guess my main question is “What is best practice for topology and routing in my scenario?”

    Hi Mcreilly,
    You should be able to assign an IP address on a Cat6k Sup720 if you are running native IOS on the Sup720.
    If you are running CatOS then you will not be able to do that, and you can have it configured as a trunk and connect to the router. Also I do not think that you need subinterfaces on the router and a trunk on the switch, because your Cat6k with Sup720 must be doing inter-VLAN routing between VLANs.
    You can just connect it on some port in any VLAN; assign the router interface an IP address in the same subnet which you have on the MSFC for that VLAN, and anybody who wants to go out via the T3 link will get routes on the Sup720 and move out via the router VLAN.
    Suppose you do not want the router to be part of an existing VLAN: you can create one VLAN on the Cat6k Sup720, assign one port to that new VLAN, connect the router to that new VLAN port, then create a logical interface on the MSFC for that new VLAN and assign an IP address range on that logical VLAN, and the same subnet IP address range you can assign on the router physical interface.
    Anyone from another VLAN gets routed on the Sup720 MSFC and will move out via the VLAN on which you have connected the router.
    Because you have only one router you will not be able to maintain box-level redundancy, by which I mean if the router goes down the T3 will be unreachable.
    HTH
    Ankur

  • Installing ASA FWSM into VSS Switches

    I am getting ready to install a pair of ASA FWSM modules (WS-SVC-ASA-SM1) into a pair of VSS 6509-E switches on our College campus network. The VSS chassis have dual ten GigE connections to our data closets and consist primarily of wired and wireless campus network users. Apparently there are several options for how to install the FWSM modules and several options of active/standby configurations in a VSS environment. I was wondering if anyone has had experience doing this and if they could share with me their experiences? And if there is a best practice for this type of deployment, i.e. transparent mode vs. non-transparent mode (no NAT on these firewalls), load balancing issues, active/standby deployment, etc.? Any information would be greatly appreciated.

    There's not a whole lot of ASA Service Module deployments out there that I've seen. Most customers are opting for the 5585-X in that performance / price range.
    If you haven't already looked at it, there are some general principles outlined in the document "Service Module Design with ACE and FWSM". Much of the FWSM info there can be applied directly to the ASA SM.
    A lot depends on the environment into which they will be integrated so it's hard to answer the question in a general sense. I would say that I have seen transparent mode on perhaps 5% of the ASA implementations of any kind that I have seen.
    The ASA SM does not support clustering, so a pair is limited to HA mode. Whether you use Active/Standby or Active/Active depends partly on whether you have multiple contexts and how much complexity you feel comfortable adding.
    Hope this helps. 
