UDP Broadcast Traffic from Cisco ASA
Hi,
I want to know that, like Cisco IOS Router, Does Cisco ASA pass the UDP Broadcast traffic e.g., TFTP etc...?
Any thoughts ???
BR,
Mubasher Sultan
Hi Mubasher,
Unlike the router the ASA does not forward any kind of broadcast packet (with the exemption of the DHCP broadcasts when DHCP Relay is enabled).
I understand that your DHCP server is providing here the IP address for your TFTP servers. I guess you are using DHCP option 150.
So if the DHCP server is on one interface and the client is on another you can configure DHCP Relay on your ASA.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
In regards of the TFTP requests these will be normal unicast packets as Cadet said so just make sure that you have the proper ACLs and NAT rules for that.
Similar Messages
-
UDP broadcast traffic on port 4554 from Wireless Access Points
Hello,
I am seeing a lot of broadcast traffic coming from my AP541N-A-K9 access points at port 4554/UDP . I have 5 of these in a cluster. I cant seem to find anything in the manual in regards to this port traffic. Any help is apprecietedHi
I found this reference for this. As per this it is used for "internal use"
https://www.cisco.com/assets/sol/sb/WAP561_Emulators/WAP561_Emulator_v1.0.4.4/device_info.html
HTH
Rasika
**** Pls rate all useful responses **** -
Getting Broadcast traffic from one 3745 to another
The topology is simple. Three 3550 switches as the backbone tied together using spanning-tree layer 2 wire speed switching. Very simple stuff there. Introduce 3745 access routers, one attached to each 3550, each loaded with 16port ESW, 1 GigE GBic card, and a 8A/S card.
The problem is we have systems that blow out broadcast traffic that needs to traverse accross all 16-ESWs. We have tried all manor of things but we can not get broadcast traffic to traverse the 1GE port. We can see packets hitting the interface but they are simply getting dropped on the floor.
I can go into more detail if needed but we think we're missing a painfully simple detail. Perhaps something to do with L3 and L2? Perhaps something to do with bridge groups or vlans or helper protocols?
Any wisdom to help us out would be greatly appreciated!Dwayne
As you probably already know, the helper-address is configured on the interface that receives the broadcast to be forwarded. So if the broadcast source is in a 16ESW then I would expect the helper address to be configured on whatever interface (probably virtual) repersents the layer 3 interface for those layer 2 ports.
The function of helper address is that it takes a broadcast packet and forwards to some destination address. The general assumption is that the destination address will be unicast. The destination address can be a subnet broadcast (directed broadcast) and I assume that this is what you are trying to do. Is this correct? If so then be sure that you have ip directed-broadcast enabled on the interface where the destination subnet is located.
Another potential issue is identification of broadcast packets to be forwarded. Helper address is not intended to forward ALL broadcasts. There is a group of protocols that are enabled by default (DHCP, TFTP, etc). If the broadcast packets that you want to forward are not one of these default protocols then you need to use the ip forward-protocol udp command which would be configured on the interface receiving the initial broadcast (the same interface as the helper-address).
You probably have these already. But I can not find a good description of what is configured where and thought that a review of these principles might be helpful.
It probably would be quite helpful to post configs of at least one 3745 and also its associated 3550. If you do not want to post these on the forum please feel free to EMail them to me. My EMail address is available from my forum profile.
HTH
Rick -
Bridged network only gets UDP broadcast traffic?
I've created a bridged network Mac OS X 10.8.5 using ifconfig and TUNTAP for OS X to bridge my wireless connection, en0, with a virtual interface, tap0, which I can use for guest VMs:
$ sudo sysctl -w net.inet.ip.forwarding=1
$ sudo sysctl -w net.link.ether.inet.proxyall=1
$ sudo sysctl -w net.inet.ip.fw.enable=1
$ sudo ifconfig bridge0 create
$ sudo ifconfig bridge0 addm en0 addm tap0
$ sudo ifconfig bridge0 up
$ ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 28:cf:xx:xx:xx:xx
inet6 xxxx::xxxx:xxxx:xxxx:xxxx%en0 prefixlen 64 scopeid 0x4
inet 192.168.100.64 netmask 0xffffff00 broadcast 192.168.100.1
media: autoselect
status: active
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether ac:de:xx:xx:xx:xx
Configuration:
priority 0 hellotime 0 fwddelay 0 maxage 0
ipfilter disabled flags 0x2
member: en0 flags=3<LEARNING,DISCOVER>
port 4 priority 0 path cost 0
member: tap0 flags=3<LEARNING,DISCOVER>
port 8 priority 0 path cost 0
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
ether ca:3d:xx:xx:xx:xx
open (pid 88244)
I'm using this with QEMU and the guest VM never gets a DHCP lease. If I `tcpdump -i tap0`, I only see broadcast traffic. Shouldn't I see a mirror of everything on en0? (192.168.100.33, the host doing the broadcasting, is another unrelate, noisy server on my LAN.)
Any ideas?IGMP snooping may be enabled by default on the 6509. Disabling it may solve your problem.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/snooigmp.htm#wp1020466 -
Cannot ping inside IP behind sonicwall from Cisco ASA 5500
I have a sonicwall at site B and the cisco asa5500 at the main office. (site A)
The site to site VPN is working, but I can not ping the inside ip (10.1.5.2) of the sonic wall from Site A. I need this only to access the computers behind the sonicwall for remote desktop and dameware.
I have another office that also has a sonicwall (same config) and I can ping that inside IP from Site A.
I can not see why I can ping one site and not the other.
What needs to be configured on the ASA 5500 to be able to ping inside the sonicwall at site B?
I prefer the wizard over the CLI.
Thanks,Hi
AFAIK No you can not make vpn, transparent and routing in the same unit.
I would not want the DMZ and the outside interface to have overlapping ip address ranges.
logging and trying to keep track of it all would be way to confusing for me.
so what I would do is to split the external network into two network units (/25) and move all the units that can be moved to a dmz with rfc1918 addresses.
The units that can not be moved from the external network would have to stay put "for now" in another dmz with the 190 addresses /25
This would need the isp to change their routing table in the edge equipment, the lower (or upper) part of 190.X.X.X/25 would be the dmz and needs to be routed to the firewall ip address.
Then as time passes by the DMZ will be depopulated when equipment is moved out and replaced and in the end you will have the isp to merge the two 190.x.x.x/25 address ranges to one /24 and you will be back to todays setup but with all the servers in a rfc1918 network.
Do not use NAT, use PAT instead when it comes to the ip addresses translated from the internet side. it makes for a much more secure network and you do not need as much ip addresses (in a normal case)
With NAT you are translating the whole ip address but with PAT you translate the port so you can have ip X port 25 go to ip Y and port 25 and then you can have ip X port 80 go to ip Z port 80 or maybe 8080 or what ever port you want.
good luck
HTH -
Getting syslog from cisco 5585 how to segerate from traffic logs?
Support ,
I need some help, I want syslog from cisco asa 5585 to come to siem , but the networking guy says he can configure cisco asa 5585 to send both traffic and syslog together; there is no segerration; I don't want this to happen im just interested in getting the syslog events. In almost every firewall e.g juniper to send only traffic logs.
If its true what the networking guy says, its a very poor desgin where there is high coupling between processes;if they are dependent and one is needed to get the other what about if one thing fails?
I'm the sec guy; and I don't have the config guide about how cisco asa works at that level; i will appreciate if someone can verify or better suggest me a workaround if there exists to this issue.
Thanks.Hi,
So you have been told that some other traffic would be also sent through the interface? That should not be the case. I dont know why the ASA would need to send any traffic to your server other than UDP/514 port traffic. If I remember correctly that is the UDP ports used.
If I would have to guess there might be a little missunderstanding between you. They might mean that they are already sending logs to some Syslos Server and the log level has been set so that the logs include all logs of connection forming through the ASA and therefore would send you very specific logs about the ASA.
The logging level set for logs that are sent to Syslog server applies to every target Syslog server. I dont think you can even specify different logging levels to different servers. But I might be mistaken.
But I am not sure what the situation is. Sounds a bit wierd.
We use a dedicated interface on ASAs to send logs to Syslog server. We might also use link for some remote management connections and monitoring.
- Jouni -
Why WRT54G ver 7 blocks all UDP broadcasts?
My WRT54G seems to be blocking all UDP broadcasts in the intranet side. Is there an option somewhere, which controls this behaviour, because I have not found one.
It does not matter, if I connect my laptop with a cable or by WLAN, no UDP broadcast packets from my server to the laptop go through.
If I connect to either one of my regular switches, UDP broadcast works perfectly.
Note that I'm not using the WAN port at all, so I would expect no filtering on the traffic.Interesting!
For sake of argument, can you try using the broadcast address of 255.255.255.255 - this is a limited (local network only) broadcast.
Can you see the MAC (layer 2/ethernet) portion with your tool?
The MAC of the destination needs to be all FFs (all ones) for broadcasts.
I am wondering if something is happening at a lower level - like in how switching is implemented in the linksys. I wonder if a linksys switch (only) also does this.
NOTE - ICMP echo (PINGS) do go through my WRV54G to specific addresses and broacdcast the x.x.x.255 addresses. -
Hello,
I have a couple of questions. I am upgrading from ASA to ASA CX. This is an existing firewall with configurations, policies, nat rules, etc.
1. When you upgrade to CX, does the firewall keep the configuration: ip address of interfaces, security levels, acls, access-groups, nats, anyconnect, etc.?
2. If you don't have the PRSM, can you manage that firewall from the PRSM web interface by https to the ip address?
3. Can you still manage the firewall from CLI and asdm or you can't do that after you upgrade to CX?
Thanks in advance.1. Yes, the base ASA configuration is unchanged.
2. On-box PRSM (aka single device mode) manages the Next Generation Firewall (NGFW - AVC, WSE and IPS) features depending on which are licensed. You do access it via the PRSM web UI (very limited setup steps are done via sessioning into the module from the ASA cli) and you physically use the ASA management interface. (Although the PRSM interface has its own distinct IP address whether or not you have the interface configured / used in the base ASA.)
3. Yes. Think of CX like the older CSC-SSM modules running IPS or Trend Micro AV services. With CX you similarly redirect traffic from the ASA processing path using a service-policy and the CX runs it through its logic (policies, inspections, etc.) and then hands it back to the base ASA for the remaining steps of the packet flow.
Depending on how your ASA was originally purchased, you may need to purchase the SSD hardware (required for CX) in addition to the licensing you need for the NGFW features. -
Hi
Recently we want to replace the CSC for a Fortimail, my quetion is how I redirect the smtp trafic to the Fortimail Appliance from the ASA because the ASA received the traffic SMTP.You don't redirect the traffic from the ASA to the Fortimail. That's (to my knowledge) not a possible design. You have probably two ways to deploy the Fortimail in your environment:
Gateway mode
For that you configure your internal mail-server with the Fortimail as a smarthost. On the ASA you change the port-forwarding which is configured to your internal Mailserver to the Fortigate.
Transparent mode
Here you place the FortiMail inline between your Mail-Server and the ASA.
For the rest it is probably better to ask in a Fortinet-support-forum. -
Help with broadcast traffic on PIX !!!
Hi,
i have an issue with a UPS software to automatically shut down clients in the event of UPS battery draining completely after a power cut....
we have 3 different subnet on our PIX and the software uses broadcast method to discover clients and list them in the control panel...of course the PIX blicks broadcasts and hence my server control panel cannot 'discover' the clients.
What would you reccoment to pass broadcast traffic from a specific IP to other specific IPs (not all subnet) on the PIX E interfaces !!!! ????
Thanks,
GeorgeHi Leo,
I am aware of the ip helper commands on the router... i tried looking up the same command for the PIX (im not very familiar with PIXs) and could not find it, and realized that it should not exist....
is there another way around this though... ??? without using something similat to ip helper-directed broadcasts commands ???
Thanks,
George -
Time Capsule firewall allows broadcast traffic
It appears that Time Capsule will forward broadcast traffic from the LAN side to WAN and allow responses back. I would have thought that when the Router Mode was set to "DHCP and NAT" that this wouldn't happen. It seems like this might be a security flaw.
Here's my setup, and why I believe this is the case:
Comcast Xfinity service -> Motorola SB6121 -> Time Capsule (latest generation 7.6.1 software) -> Netgear GS116 -> home network with airport express and various hard-wired and WiFi devices.
The SB6121 cable modem is wired direclty to the WAN port on the Time Capsule. And then the first LAN port on the Time Capusule is wired direclty the Netgear switch. And then everything else is wired directly to the Netgear switch. The Time Capsule's DHCP server is set to hand out addresses in the 172.16.0.2 to 172.16.0.200 range and so everything in my home network should be getting addresses in that range.
The SB6121 is not a gateway or router - its just a modem, but does still have a weird little DHCP server that is supposedly only active when the cable service is dead, but in practice (at least for me) seems to always be on. And there's no way to turn it off, at least from my end - perhaps Comcast could, but that's a black hole. This weird little DHCP server is hard-wired to hand out addresses between 192.168.100.11 and 192.168.100.42 and there's no way to configure it differently.
What I see though I (which makes me think there is a security flaw in the Time Capsule firewall) is that DHCP requests from my home network are sometimes answered by the SB6121's DHCP server instead of the Time Capsule's. I say "sometimes" because most of my Apple equipment (laptops, iPhones, iPads and a Mac Mini) get configured with 172.16.0.X addresses. But most non-Apple equipment is getting 192.168.100.X addresses - this includes a Denon AV reciever and Comcast cable box. But I also have an Airport Express (latest version, 7.6.2 software) - its Router Mode is set to "Off (Bridge Mode)", but if its Internet -> Connect Using: is set to DHCP it also gets a 192.168 address.
I thought maybe it was just the hard-wired devices getting the 192.168 addresses, but they're not. The Mac Mini is hardwired and gets the right address range. And then I thought that all WiFi devices were getting 172.16 addresses, but they're not. I have a "Nest" thermostat that connects to the WiFi and gets a 192.168 address.
Obviously there are several problems here - having multiple DHCP servers on a network is a recipe for disaster. But it seems to me that the Time Capusule is mis-behaving. The weird little DHCP server on the cable modem on the WAN side of the Time Capsule shouldn't be accessible from my home network. The Time Capsule shouldn't be passing broadcast DHCPDiscover packets from the LAN side through to the WAN side.
I've been all through the Time Capsule settings and don't see a way to further lock down the WAN-LAN connection. I suppose I could get a managed switch or "real" firewall to stick between the cable modem and the Time Capsule and use it to block traffic, but I shouldn't have to. And I suppose I could ask Comcast to disable the DHCP server on the cable modem, but I don't have the fortitue to sit on hold for hours trying to explain it to them. Or I suppose I could get a different cable modem that doesn't have the silly DHCP server, and maybe that's the ultimate answer, but I still think the Time Capsule has a flaw.
I got the SB6121 plus Time Capsule combination specifically because I didn't want fidgety stuff to deal with. I could have gotten a router supporting DD-WRT if I wanted to play network engineer at home, but I do that at work and just wanted something I didn't have to debug or think about.
Anybody in a similar situation or have suggestions?
If you got this far, thanks for listening.
-dave.
(Oh yeah, I swapped the Time Capsule with the Aiport Express -- latest model with WAN and LAN ports -- and got the exact same behavior. I suspect that all Airport models just treat the multple ethernet ports as a dumb layer two switch and blindly forward ethernet broadcast traffic from one port to all the others.)Thanks for reporting this.. I think you should advise Apple of this flaw.. It is a serious flaw.
The cable modems are always made with local IP address so you can check the settings and the DHCP in them is designed for using a block of public IP addresses.. ie.. if you were extremely rich.. you buy a block of IP addresses from the ISP, plug the modem directly to a switch. And every client that joined would get a public IP address. Since the ISP are not that generous as to actually hand out more than one IP, (our local cable ISP in Australia, Telstra actually gives out 3 for free). The modem however will switch from public to private IP address when it does so, once the first address is allocated. There is no security risk as that private IP has no internet connection. (Test it and see, but any device getting 192.168 address should have no internet connection). The Modem has no NAT.. so it is purely for internal purposes.
When you tested the Airport Express, did you set it up to 172.16.x.x range as well?
Could you please test if you haven't already the TC at its native IP address and range?
Domestic routers often fail to work properly if used off their default range.. somewhere in the coding they have fixed some addressing, instead of correctly using settings you put in. This is not at all unusual actually. My advice to people is always stick with default unless you really want some pain.
If you are happy with pain, I would ensure all names are set to SMB standard.. as it sounds like you know networks I presume you would already do this. Apple names are ghastly things.
Stick to short, no spaces, pure alphanumeric names for everything.
Make sure the dhcp range includes enough addresses that it cannot run out..the normal standard is 2-200.
If the lease time is set to 1day default, set it to 20min.
I would also turn off ipv6 (maybe only possible on the client). That does seem to lead to confusion.
If necessary you should be able to use static IP reservation via the dhcp setting in the TC.. that might also help.
Are you running a 5.6 utility to do the setup?? If not you must!!
You can load it even into Mountain Lion with a bit of fiddling.
Check logs and setup the reservation for any devices failing to get IP correctly.
And yes, in the end you may have to simply use a more standard router.. and hive off the TC to bridged role. -
I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is - 99.89.69.333
The internal IP address of my server is - 192.168.6.2
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
Also the bolded lines are the modifications I made but that arent working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#Unclear what did not work. In your original post you include said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you add another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389. -
Cisco ASA 5505 - 1st VPN works, 2nd VPN can't get traffic across
This is my first Cisco configuration ever so go easy on me. A lot of the commands that I used here I don't really understand. I got them from Googling configs. I have the need for more than one VPN on this thing, and I've been fighting with this thing for hours today without any luck.
The first VPN I setup, labeled vpn1 here works perfectly. I connect via the public IP on the DSL and I can get traffic to my 192.168.1.0/24 network without any problems.
I pretty much duplicated the configuration for the 2nd VPN, just replacing my 192.168.1.0/24 subnet w/ the network connected to a third interface on the ASA (10.4.0.0 255.255.240.0). I successfully make connection to this VPN, but I cannot get traffic to traverse the VPN. I'm using the address 10.4.0.1 to test pings. The ASA itself can ping 10.4.0.1 as that interface of the ASA has 10.4.13.10 255.255.240.0, which is the same subnet (range is 10.4.0.0 - 10.4.15.255).
Here is my config (edited for names and passwords)
ciscoasa# show run
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password ********** encrypted
passwd ********** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP_DSL
ip address pppoe setroute
interface Vlan3
no forward interface Vlan1
nameif private
security-level 100
ip address 10.4.13.10 255.255.240.0
ftp mode passive
access-list 100 extended permit icmp any any
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.4.0.0 255.255.240.0 192.168.3.0 255.255.255.0
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.4.0.0 255.255.240.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
mtu private 1500
ip local pool vpn1pool 192.168.2.100-192.168.2.110
ip local pool vpn2pool 192.168.3.100-192.168.3.110
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (private) 0 access-list nonat
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto map vpn1 65535 ipsec-isakmp dynamic dynmap
crypto map vpn1 interface outside
crypto map vpn2 65535 ipsec-isakmp dynamic dynmap
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
vpdn group ISP_DSL request dialout pppoe
vpdn group ISP_DSL localname [email protected]
vpdn group ISP_DSL ppp authentication chap
vpdn username [email protected] password **********
dhcp-client update dns
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn2 internal
group-policy vpn2 attributes
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
group-policy vpn1 internal
group-policy vpn1 attributes
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username cssadmin password ********** encrypted
username vpn2user password ********** encrypted
username vpn1user password ********** encrypted
tunnel-group vpn1-VPN type remote-access
tunnel-group vpn1-VPN general-attributes
address-pool vpn1pool
default-group-policy vpn1
tunnel-group vpn1-VPN ipsec-attributes
pre-shared-key **********
tunnel-group vpn2-VPN type remote-access
tunnel-group vpn2-VPN general-attributes
address-pool vpn2pool
default-group-policy vpn2
tunnel-group vpn2-VPN ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f5137c68c4b4a832c9dff8db808004ae
: end
Theories: after fighting with it for a while and having another guy in my office look at it, we decided that the problem is probably that even though the pings are probably reaching 10.4.0.1, they have no route back to my VPN subnet 192.168.3.0/24. I contacted the admins of the 10.4.0.0 network and asked if they could add a route to 192.168.3.0/24 via 10.4.13.10, but he said there is no router of default gateway on the network to even configure.
So, what do I do? Maybe NAT the VPN traffic? If that is the correct answer, what lines would I put/change in the config to NAT that traffic.
I'm assuming the reason the 1st VPN works is because the ASA is the default gateway for the inside 192.168.1.0/24 network.
Thanks in advance for any insight you can provide.Hello Belnet,
What do the logs show from the ASA.
Can you post them ??
Any other question..Sure..Just remember to rate all of the community answers.
Julio -
Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505
Problem : Unable to access user A to user B
User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} ) --- User B
After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.
Ping is unsuccessful from user A to user B
Ping is successful from user B to user A, data is accessable
After done the packet tracer from user A to user B,
Result :
Flow-lookup
Action : allow
Info: Found no matching flow, creating a new flow
Route-lookup
Action : allow
Info : 192.168.5.203 255.255.255.255 identity
Access-list
Action : drop
Config Implicit Rule
Result - The packet is dropped
Input Interface : inside
Output Interface : NP Identify Ifc
Info: (acl-drop)flow is denied by configured rule
Below is Cisco ASA 5505's show running-config
ASA Version 8.2(1)
hostname Asite
domain-name ssms1.com
enable password ZZZZ encrypted
passwd WWWW encrypted
names
name 82 B-firewall description Singapore office firewall
name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
name 122 A-forti
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.203 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 93 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name ssms1.com
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http B-inside-subnet 255.255.255.0 inside
http fw-inside-subnet 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer A-forti
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer B-firewall
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.5.10-192.168.5.20 inside
dhcpd dns 165 165 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username admin password XXX encrypted privilege 15
tunnel-group 122 type ipsec-l2l
tunnel-group 122 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map outside-policy
description ok
class outside-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum: XXX
: end
Kindly need your expertise&help to solve the problemany1 can help me ?
-
Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out
I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off.
The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
1500Hi Martin,
Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
If it is outside world the you may need to check on the NAT rules which is not correct.
If it is site to site then you may need to check few other things.
Please do rate for the helpful posts.
By
Karthik
Maybe you are looking for
-
When using URLConnection read input stream error
hi, In my applet I build a URLConnection, it connect a jsp file. In my jsp file I refer to a javaBean. I send two objects of request and response in jsp to javaBean. In javabean return output stream to URLConnect. At that time a error happened.WHY???
-
What kind of display can I add to my MacBook Pro 13 mid 2010?
I have a MacBook Pro 13 mid 2010. Please see the specs below. It is still working great, but I would like to add an external display so I have a bigger screen to work from when I remote into my office desktop. What would be an economical way of
-
Problem with BLOB image retrieval
We are on Coldfusion 9,0,1,274733. I checked on "Enable binary large object retrieval (BLOB)" on the database but the image is still cut off (3/4 partly grey). On our dev server it works perfectly, our production server just gives off the partly grey
-
Official receipt for Incoming payments
Hi Gurus, I had reveived a payment from Customer for the sales invoice. N i want to issue a receipt for the amount. But in the corresporndance i cannot see any official receipt. In standard correspondance i see some official receipts for Phil
-
Hi, this is arvind , I have some queries in FDM Q1. What is the difference between FM9i-G4-A.xml and FM2.9i-G4-B.xml adapters? Q2. Whether we have the same .dll file to register both the ICP and Normal adapters, If No, then where we could find the .d