ASA 5505 Flash files

Hi all

I want to make a file any cleaning on my 5505 without affecting any of its services.

could someone throw me a glance and to highlight what should be removed?

Thanks in advance!

ASA5505 # dir

Directory of disk0: /.

152 - rwx 27260928 13:53:20 November 24, 2012 asa901 - k8.bin

153 - rwx 4181246 07:32:20 5 June 2010 securedesktop - asa - 3.2.1.103 - k9.pkg

154 - rwx 398305 sslclient-victory - 1.1.0.154.pkg June 5, 2010 07:32:38

155 - rwx 17449432 13:23:38 November 24, 2012 asdm - 701.bin

156 - rwx 14240396 15:53:48 asdm - 631.bin March 11, 2010

drwx 17 4096 07:36:28 crypto_archive June 5, 2010

10 drwx 4096 Journal 22:12:48 December 4, 2010

158 - rwx 1530 04:31:54 7_2_4_0_startup_cfg.sav May 17, 2013

18 drwx 4096 22:13:20 coredumpinfo December 4, 2010

159 - rwx 4096 03:00:06 14 April 2013 ._asa901 - k8.bin

160 - rwx 4096 03:00:10 14 April 2013 ._asdm - 701.bin

drwx 161 4096 12:01:08 .fseventsd 14 April 2013

162 - rwx 4096 23:38:12 December 4, 2010. _. Trashes

drwx 163 4096 23:38:12 December 4, 2010. Trashes

drwx 164 4096 23:38:14 December 4, 2010. Spotlight-V100

165 - rwx 15943680 15:51:14 March 11, 2010 asa831 - k8.bin

166 - rwx 28119320 13:23:52 24 November 2012 asdm-demo - 701.msi

167 - rwx 4096 03:00:16 14 April 2013 ._asdm-demo - 701.msi

168 - rwx 1189 00:42:28 upgrade_startup_errors_201304140042.log 14 April 2013

169 - rwx 1189 09:36:58 upgrade_startup_errors_201304140936.log 14 April 2013

170 - rwx 1189 22:13:20 upgrade_startup_errors_201012042213.log December 4, 2010

171 - rwx 1189 04:11:30 upgrade_startup_errors_201305060411.log 6 may 2013

172 - rwx 1189 22:52:32 upgrade_startup_errors_201012042252.log December 4, 2010

173 - rwx 1189 06:41:10 upgrade_startup_errors_201305090641.log may 9, 2013

174 - rwx 1189 02:45:26 upgrade_startup_errors_201012050245.log December 5, 2010

175 - rwx 1189 06:34:08 May 10, 2013 upgrade_startup_errors_201305100634.log

176 - rwx 1189 15:19:34 upgrade_startup_errors_201012111519.log December 11, 2010

177 - rwx 1189 03:38:04 16 may 2013 upgrade_startup_errors_201305160338.log

178 - rwx 1189 17:04:14 upgrade_startup_errors_201012121704.log December 12, 2010

179 - rwx 1189 04:31:58 upgrade_startup_errors_201305170431.log may 17, 2013

180 - rwx 1189 21:44:30 upgrade_startup_errors_201101252144.log January 25, 2011

181 - rwx 100 05:50:40 upgrade_startup_errors_201306300550.log 30 June 2013

182 - rwx 200 06:20:12 upgrade_startup_errors_201306300620.log June 30, 2013

183 - rwx 14524416 05:50:46 July 27, 2013 asa802 - k8.bin

184 - rwx 2142 05:23:44 8_0_2_0_startup_cfg.sav 25 October 2013

185 - rwx 1138 03:33:20 upgrade_startup_errors_201308290333.log August 29, 2013

186 - rwx 1138 05:23:48 upgrade_startup_errors_201310250523.log October 25, 2013

total 127111168 bytes (2596864 bytes free)

first check what ASA version you are running (see version). If you run the 9.1 version then you can remove

183 - rwx 14524416 05:50:46 July 27, 2013 asa802 - k8.bin

165 - rwx 15943680 15:51:14 March 11, 2010 asa831 - k8.bin

check what ASDM version you are running (version show and show run asdm). If you are running version 7.1 so you can remove

56 - rwx 14240396 15:53:48 asdm - 631.bin March 11, 2010

You have two 7.1 pictures and a few demo also. Demos, you should be able to withdraw without a problem, but you must identify what VersionYesYou ASDM are running before you remove the extra 7.1

166 - rwx 28119320 13:23:52 24 November 2012 asdm-demo - 701.msi

167 - rwx 4096 03:00:16 14 April 2013 ._asdm-demo - 701.msi

160 - rwx 4096 03:00:10 14 April 2013 ._asdm - 701.bin

155 - rwx 17449432 13:23:38 November 24, 2012 asdm - 701.bin

You should be able to remove any of the upgrade starts the error logs... unless you need it for future documentation.

Tags: Cisco Security

Similar Questions

ASA 5505 TFTP to one subnet to another creates the empty file

Hello world

The Cisco ASA 5505 does not seem to allow the TFTP connection between 192.168.5.103/24 and 192.168.10.202/24. TFTP is normally used in the same subnet, but not in my case. I have a DHCP relay that works, but when I use the free tool from one side to the other tool TFTPD TFTPD, it creates an empty file. Anyone know what config I could be missing in my Cisco ASA?

Thank you in advance.

---

Nathan

Hi Jonathan,.

1. check that tftp server is using the correct interface of the given subnet. (under Server Interfaces on tftpd32)

2. check if the default gateway have a correct route to the TFTP server.

3 make sure that TFTP server can reach the subnet of the client.

HTH

ASA 5505 possibly interfere/blocking calls Incound UC560

ASA 5505 interfering with incoming calls - Cisco - Spiceworks #entry - 5716462 #entry - 5716462

All,

We had this problem the phone when we lose connectivity for some reason any. Here is an example:

We have an ASA 5505 before our UC560. Power lost to ASA (power connector from main Board loose) primary did identical backup with config. The layout-design is the following:

UC560<--->ASA 5505 Cisco IAD24523<--->(provider)<---WAN(3 bonded="">

After the passage of the ASAs, incoming calls have been piecemeal. I can see the traffic on the firewall when the calls log, nothing otherwise. OS on the device are:

UC560 - 15.0 XA (1r).

ASA 5505-4, 0000 38

Contacted the provider and after calls debugging support have been expire with the 408 SIP error.

Release with support from Cisco and after debugging UC is to launch the SIP 487 disconnect error.

So based on the above and the only variable being the ASA, I'm fairly certain that it is indeed the ASA. Here is the config ASA (it's pretty long, sorry):

Output of the command: "show run".

: Saved
:
: Serial number:
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA 4,0000 Version 38
!
XXXXX-CA hostname
activate the encrypted password of WUGxGkjzJJSPhT9N
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
WUGxGkjzJJSPhT9N encrypted passwd
names of
DNS-guard
192.168.254.1 mask - local 192.168.254.25 pool XXXXX-Remote IP 255.255.255.0
!
interface Ethernet0/0
Description-> Internet
switchport access vlan 2
!
interface Ethernet0/1
Description-> inside
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
Shutdown
No nameif
no level of security
no ip address
!
interface Vlan2
Description-> Internet<>
nameif outside
security-level 0
address IP XXX.XXX. XXX.242 255.255.255.240
!
interface Vlan10
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
!
exec banner * W A R N I N G *.
banner exec unauthorised access prohibited. All access is
banner exec monitored and the intruder may be continued
exec banner to the extent of the law.
connection of the banner * W A R N I N G *.
banner connect unauthorized access prohibited. All access is
connection banner monitored, and intruders will be prosecuted
connection banner to the extent of the law.
Banner motd! ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!
Banner motd this is a private computer system.
Banner motd, access is allowed only by authorized employees or agents of the
company banner motd.
Banner motd system can be used only for the authorized company.
Banner motd business management approval is required for all access privileges.
Banner motd, as this system is equipped with a safety system designed to prevent
Banner motd and attempts of unauthorized access record.
Banner motd
Banner motd unauthorized access or use is a crime under the law.
banner asdm XXXXX Enterprises Inc. $(hostname)
boot system Disk0: / asa904-38 - k8.bin
boot system Disk0: / asa904-29 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS domain-lookup outside
permit same-security-traffic intra-interface
object obj voip network
10.1.1.0 subnet 255.255.255.0
network object obj - 192.168.254.0

192.168.254.0 subnet 255.255.255.0
pool of local addresses of description
object obj cue-network
10.1.10.0 subnet 255.255.255.0
object obj priv-network
192.168.10.0 subnet 255.255.255.0
object obj data network
subnet 10.0.1.0 255.255.255.0
network object obj - 192.168.0.0
192.168.0.0 subnet 255.255.255.0
Description not used
network object obj - 192.168.1.0
subnet 192.168.1.0 255.255.255.0
Description not used
object obj nj-asa-private-network
Subnet 192.168.2.0 255.255.255.0
network obj object -? asa-private-network
192.168.5.0 subnet 255.255.255.0
network obj object -? asa-private-network
192.168.6.0 subnet 255.255.255.0
network obj object -? -asa - private-network
subnet 192.168.3.0 255.255.255.0
network obj object -? asa-priv-networl
subnet 192.168.4.0 255.255.255.0
network obj object -? asa-private-network
192.168.7.0 subnet 255.255.255.0
object obj-asa-Interior-voip-nic network
host 10.1.1.1
network obj_any object
subnet 0.0.0.0 0.0.0.0
network obj_any-01 object
subnet 0.0.0.0 0.0.0.0
network object obj - 0.0.0.0
host 0.0.0.0
object obj-vpn-nic network
Home 192.168.10.20
object obj XXXX-asa-private-network
192.168.8.0 subnet 255.255.255.0
House of XXXX description
network obj object -? asa-private-network
192.168.9.0 subnet 255.255.255.0
object asa inside-network data
subnet 10.0.1.0 255.255.255.0
asa data-outside-network object
subnet XXX.XXX. XXX.240 255.255.255.240
network of china-education-and-research-network-center object
Home 202.194.158.191
Acl explicitly blocked description
China unicom shandong network item
60.214.232.0 subnet 255.255.255.0
Acl explicitly blocked description
pbx-cue-Interior-nic network object
Home 10.1.10.2
pbx-cue-outside-nic network object
host 10.1.10.1
telepacific-voip-trunk network object
Home 64.60.66.250
Description is no longer used
us-la-mianbaodianying network object
Home 68.64.168.46
Acl explicitly blocked description
object network cue
10.1.10.0 subnet 255.255.255.0
private-network data object
192.168.10.0 subnet 255.255.255.0
pbx-outside-data-nic network object
host 10.0.1.2
pbx-voip-Interior-nic network object
host 10.1.1.1
voip network object
10.1.1.0 subnet 255.255.255.0
vpn-server-nic network object
Home 192.168.10.20
asa-data-outside-nic network object
host XXX.XXX. XXX.242
asa-voip-ctl-outside-nic network object
host XXX.XXX. XXX.244
the object 192.168.0.0 network
192.168.0.0 subnet 255.255.255.0
Description not used
the object 192.168.1.0 network
subnet 192.168.1.0 255.255.255.0
Description not used
nj-asa-priv-netowrk network object
Subnet 192.168.2.0 255.255.255.0
network of the 192.168.254.0 object
192.168.254.0 subnet 255.255.255.0
pool of local addresses of description
network of the object? -asa - private-network
subnet 192.168.3.0 255.255.255.0
network of the object? asa-private-network
subnet 192.168.4.0 255.255.255.0
network of the object? asa-private-network
192.168.5.0 subnet 255.255.255.0
network of the object? asa-private-network
192.168.6.0 subnet 255.255.255.0
network of the object? asa-private-network
192.168.7.0 subnet 255.255.255.0
network of the object? asa-private-network
192.168.9.0 subnet 255.255.255.0
the XXXX-asa-private-network object network
192.168.8.0 subnet 255.255.255.0
network object XXX.XXX. XXX.242
host XXX.XXX. XXX.242
service object 47
tcp source eq eq 47 47 destination service
object network dvr
Home 192.168.10.16
network dvr-nat-tcp8888 object
Home 192.168.10.16
network dvr-nat-tcp6036 object
Home 192.168.10.16
network dvr-nat-udp6036 object
Home 192.168.10.16
dvr-8888 service object
destination eq 8888 tcp service
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service dvr-6036-tcp - udp
port-object eq 6036
détermine access-list extended allow object to ip pbx-outside-data-nic any4 inactive
détermine access-list extended allow ip pbx-outside-data-nic inactive object any4
access-list extended testout allowed ip object asa-voip-ctl-outside-nic any4 inactive
access-list extended testout allowed ip any4 object asa-voip-ctl-outside-nic inactive
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.0.1.0 255.255.255.0
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.1.0 255.255.255.0
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.10.0 255.255.255.0
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 192.168.10.0 255.255.255.0
inside_nat0_outbound list extended access permitted ip network voip 192.168.254.0 object
inside_nat0_outbound list extended access permitted ip object cue-network 192.168.254.0
inside_nat0_outbound list extended access permits data-private-network ip object 192.168.254.0 object
inside_nat0_outbound list extended access permitted ip object asa-data-inside-network 192.168.254.0
inside_nat0_outbound list extended access permitted ip voip-network 192.168.0.0 idle object
inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.0.0 object
inside_nat0_outbound list extended access allowed object data-private-network 192.168.0.0 inactive ip
inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.0.0 inactive ip
inside_nat0_outbound list extended access permitted ip voip-network 192.168.1.0 idle object
inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.1.0 object
inside_nat0_outbound list extended access allowed object data-private-network 192.168.1.0 inactive ip
inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.1.0 inactive ip
inside_nat0_outbound list extended access allowed object ip voip-network object nj-asa-priv-netowrk
inside_nat0_outbound list extended access permitted ip cue-network object nj-asa-priv-netowrk object
inside_nat0_outbound list extended access permitted ip object data-private-network nj-asa-priv-netowrk
inside_nat0_outbound list extended access permitted ip object asa data-inside-network-nj-asa-priv-netowrk
inside_nat0_outbound list extended access permitted ip cue-XXXX-asa-private-network network object
inside_nat0_outbound extended access list permit ip object asa - Interior-data object XXXX-asa-private-network network
inside_nat0_outbound list extended access permitted ip voip XXXX-asa-private-network network object
inside_nat0_outbound list extended access allowed object of data-private-network ip XXXX-asa-private-network object
ezvpn1 list standard access allowed 192.168.10.0 255.255.255.0
ezvpn1 list standard access allowed 10.1.10.0 255.255.255.0
ezvpn1 list standard access allowed 10.0.1.0 255.255.255.0
ezvpn1 list standard access allowed 10.1.1.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.0.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.1.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.2.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.3.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.4.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.5.0 255.255.255.0
ezvpn1 standard access list allow the 192.168.6.0 255.255.255.0
ezvpn1 standard access list allow 192.168.7.0 255.255.255.0
ezvpn1 standard access list allow 192.168.8.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.9.0 255.255.255.0
access-list capout extended permitted udp object asa-data-outside-nic telepacific-voip-trunk inactive
access-list capout extended permitted udp object telepacific-voip-trunk asa-data-outside-nic inactive
allowed to capture access extended list ip pbx-cue-outside-nic object nj-asa-priv-netowrk
allowed to capture access extended list ip pbx-cue-Interior-nic object nj-asa-priv-netowrk
object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
capture extensive list ip pbx object nj-asa-priv-netowrk-cue-exterieur-nic object access permits
capture extensive list ip pbx object nj-asa-priv-netowrk-cue-interieur-nic object access permits
object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
ciscotest list extended access allowed host ip network voip 192.168.5.41 idle object
access-list extended ciscotest allowed host 192.168.5.41 voip inactive ip network object
ciscotest list extended access allowed host ip network voip 192.168.5.43 idle object
access-list extended ciscotest allowed host 192.168.5.43 voip inactive ip network object
access-list out_in note remote access attempted
out_in list extended access deny ip object China unicom shandong network any4
access-list out_in note remote access attempted
out_in list extended access deny ip object we-the-mianbaodianying any4
out_in list extended access deny SIP pbx-voip-Interior-nic EQ udp object china-education-and-research-network-center object
out_in list extended access allow icmp any4 object vpn-server-nic
out_in list extended access permitted tcp any4 pptp vpn-server-nic eq of object
out_in list extended access permitted tcp any4 object vpn-server-nic eq 47
out_in list extended access allow accord any4 object vpn-server-nic
out_in list extended access allow icmp any4 object pbx-voip-Interior-nic
out_in list extended access permitted udp any4 object pbx-voip-Interior-nic eq tftp
out_in list extended access permitted tcp any4 object pbx-voip-Interior-nic eq h323
out_in list extended access permitted udp any4 sip pbx-voip-Interior-nic eq of object
Comment from out_in-HTTPS access outside the access list
out_in list extended access permitted tcp any4 object data-private-network eq https
outside_access_in list extended access allow icmp host 192.168.10.20 any4
access-list extended outside_access_in permit tcp host 192.168.10.20 any4 eq pptp
outside_access_in list extended access allowed host any4 object 47 192.168.10.20
outside_access_in list extended access allow accord any4 host 192.168.10.20
outside_access_in list extended access permit tcp any object dvr dvr-6036 object-group
outside_access_in list extended access permit udp any object dvr dvr-6036 object-group
outside_access_in list extended access allowed object dvr-8888 any object dvr
outside_access_in list extended access allow icmp any4 host 10.1.1.1
access-list extended outside_access_in permit udp host 10.1.1.1 any4 eq tftp
access-list extended outside_access_in permit tcp host 10.1.1.1 any4 eq h323
access-list allowed outside_access_in extended udp any4 host 10.1.1.1 eq sip
go to list of access outside_access_in note incoming https.
outside_access_in list extended access permitted tcp any4 192.168.10.0 255.255.255.0 eq https
pager lines 24
Enable logging
exploitation forest-size of the buffer 1048576
monitor debug logging
debug logging in buffered memory
asdm of logging of information
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of errors
exploitation forest flash-bufferwrap
No registration message 106015
No message logging 313001
No registration message 313008
no logging message 106023
No message logging 710003
no logging message 106100
No message logging 302015
No message recording 302014
No message logging 302013
No message logging 302018
No message logging 302017
No message logging 302016
No message logging 302021
No message logging 302020
destination of exports flow inside 192.168.10.20 4432
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 3 burst-size 1
ICMP allow any response of echo outdoors
ICMP allow any echo outdoors
ICMP allow any inaccessible outside
ICMP permitted host 75.140.0.86 outside
ICMP allow any inside
ASDM image disk0: / asdm-715 - 100.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static obj-data-network-obj-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static obj-data-network-obj-network source destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static obj-data-network-obj-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
NAT (inside, all) static obj-data-network-obj-network source destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
!
object obj-asa-Interior-voip-nic network
NAT XXX.XXX static (inside, outside). XXX.244
network obj_any object
NAT dynamic interface (indoor, outdoor)
network obj_any-01 object
NAT (inside, outside) dynamic obj - 0.0.0.0
object obj-vpn-nic network
NAT XXX.XXX static (inside, outside). XXX.254
network dvr-nat-tcp8888 object
NAT (inside, outside) interface static 8888 8888 tcp service
network dvr-nat-tcp6036 object
NAT (inside, outside) interface static 6036 6036 tcp service
network dvr-nat-udp6036 object
NAT (inside, outside) interface static service udp 6036 6036
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 XXX.XXX. XXX.241 1
Route inside 10.1.1.0 255.255.255.0 10.0.1.2 1
Route inside 10.1.10.0 255.255.255.252 10.0.1.2 1
Route inside 192.168.10.0 255.255.255.0 10.0.1.2 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
AAA authentication LOCAL telnet console
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 192.168.254.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outdoors
authentication & encryption v3 private Server SNMP group
SNMP server group No_Authentication_No_Encryption v3 /noauth
SNMP-server host inside the 192.168.10.20 community *.
Server SNMP Ontario, CA location
SNMP Server contact [email protected] / * /
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256

-MD5-ESP-3DES-MD5 ESP-3DES-SHA SHA-DES-ESP ESP - THE - MD5
Crypto dynamic-map myDYN-card 5 set transform-set ESP-DES-MD5 ikev1
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
dynamic crypto isakmp 65535 ipsec myDYN-map myMAP map
Crypto ca trustpoint CAP-RTP-001_trustpoint
Terminal registration
Configure CRL
Crypto ca trustpoint CAP-RTP-002_trustpoint
Terminal registration
Configure CRL
Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_0
registration auto
full domain name no
name of the object cn = "_internal_ctl_phoneproxy_file_SAST_0"; UO = "STG"; o = "Cisco Inc."
_internal_ctl_phoneproxy_file_SAST_0 key pair
Configure CRL
Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_1
registration auto
full domain name no
name of the object cn = "_internal_ctl_phoneproxy_file_SAST_1"; UO = "STG"; o = "Cisco Inc."
_internal_ctl_phoneproxy_file_SAST_1 key pair
Configure CRL
Crypto ca trustpoint _internal_PP_ctl_phoneproxy_file
registration auto
full domain name no
name of the object cn = "_internal_PP_ctl_phoneproxy_file"; UO = "STG"; o = "Cisco Inc."
_internal_PP_ctl_phoneproxy_file key pair
Configure CRL
Crypto ca trustpoint Cisco-Mfg-CA
Terminal registration
Configure CRL
Crypto ca trustpoint phoneproxy_trustpoint
registration auto
full domain name XXXXXXXXXX.com
name of the object CN = XXXXXX - ASA
phoneproxy_trustpoint key pair
Configure CRL
trustpool crypto ca policy
string encryption CAP-RTP-001_trustpoint ca certificates
certificate ca 7612f960153d6f9f4e42202032b72356
quit smoking
string encryption CAP-RTP-002_trustpoint ca certificates
certificate ca 353fb24bd70f14a346c1f3a9ac725675
quit smoking
Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_0
certificate e1aee24c
CA
quit smoking
Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_1
certificate e4aee24c
quit smoking
Crypto ca certificate chain _internal_PP_ctl_phoneproxy_file
certificate e8aee24c
quit smoking
a string of ca crypto Cisco-Mfg-CA certificates
certificate ca 6a6967b3000000000003
quit smoking
Crypto ca certificate chain phoneproxy_trustpoint
certificate 83cbe64c
quit smoking
Crypto ikev1 allow outside
IKEv1 crypto policy 5
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 10.0.1.0 255.255.255.0 inside
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 60
Console timeout 0
management-access inside

priority-queue outdoors
TX-ring-limit of 256
!
maximum-session TLS-proxy 24
!
!
TLS-proxy tls_proxy
_internal_PP_ctl_phoneproxy_file point server trust
CTL-file ctl_phoneproxy_file
file-entry cucm-tftp trustpoint phoneproxy_trustpoint address 73.200.75.244
!
Media-termination asdm_media_termination
address XXX.XXX. XXX.245 outside interface
address interface inside 10.0.1.245

!
Phone-proxy asdm_phone_proxy
Media-termination asdm_media_termination
interface address 10.1.1.1 TFTP server on the inside
TLS-proxy tls_proxy
no settings disable service
XXX.XXX proxy server address. Outside the xxx.242 80 interface
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 192.168.10.60 source inside
internal group myGROUP strategy
Group myGROUP policy attributes
VPN-idle-timeout no
VPN-session-timeout no
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list ezvpn1
allow to NEM
XXXXX group policy / internal remote
attributes of group XXXXX policy / remote
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value XXXXX-Remote_splitTunnelAcl
fstorm encrypted EICAA5sjaiU.vh05 privilege 15 password username
username fstorm attributes
type of remote access service
username password encrypted PPfytzRN94JBZlXh privilege 0 ciscotac
username cisco password encrypted privilege 15 omWHH15zt6aLxWSr
attributes username cisco
type of remote access service
username XXXXXu8 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu8 attributes
type of remote access service
username password uniadmin G72KWXo/GsACJLJ7 encrypted privilege 15
username XXXXXU1 encrypted password privilege 0 rmZe1Ee0HeReQn6N
username XXXXXU1 attributes
Strategy Group-VPN-XXXXX / remote
type of remote access service
username XXXXXu3 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu3 attributes
type of remote access service
username XXXXXu2 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu2 attributes
type of remote access service
username XXXXXu5 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu5 attributes
type of remote access service
username XXXXXu4 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu4 attributes
type of remote access service
username XXXXXu7 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu7 attributes
type of remote access service
username XXXXXu6 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu6 attributes
type of remote access service
tunnel-group XXXXX type remote access / remote
attributes global-tunnel-group XXXXX / remote
XXXXX address pool / remote
Group Policy - by default-XXXXX / remote
IPSec-attributes tunnel-group XXXXX / remote
IKEv1 pre-shared-key *.
type tunnel-group mytunnel remote access
tunnel-group mytunnel General-attributes
strategy - by default-group myGROUP
mytunnel group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
!
class-card CM-VOICE-SIGNAL
match dscp af31
class-map-outside-phoneproxy
match eq 2443 tcp port
class-map inspection_default
match default-inspection-traffic
Class-map data
match flow ip destination-address
match tunnel-group mytunnel
class-card CM-VOICE
match dscp ef
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 1024
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the pptp
inspect the icmp
class class by default
Statistical accounting of user
flow-export-type of event all 192.168.10.20 destination
outside-policy policy-map
class outside-phoneproxy
inspect the thin phone-proxy asdm_phone_proxy
CM-VOICE class
priority
CM-VOICE-SIGNAL class
priority
World-Policy policy-map
!
global service-policy global_policy
207.46.163.138 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
HPM topN enable
Cryptochecksum:8bb3014c2a6deba7c80e5f897b3d34cb
: end

If someone could give a clue as to what could be the problem, I would appreciate it.

/ / / / o ? 0:o); ++ rc; c ++) a [c] .apply (i, r); var s = f [g [n]]; {return s & s.push ([m, n, r, i]), I} function p (e, t) {[e] w = l (e) .concat (t)} function l (e) {return [e] w |} []} function d (e) {return s [e] [e] s =: o (n)} function v (e, t) {c (e, function (e, n) {t = t |})} "" featured ", g [n] = t, f t | (f[t]=[])})} var w = {,} g = {}, m = {on: p, emit: n, get: d, listeners: l, context: t, buffer: v}; "return m} function i() {return new r} var a ='[email protected] / * /', u = e ("GDS"), (2) c = e, f is {}, s = {}, p is t.exports = o (); [p.backlog = f}, {}], gos: [function (e, t, n) {function r (e, t, n) {if (o.call (e, t)) e [t] return; var r = n (); if (Object.defineProperty & Object.keys) try {return Object.defineProperty (e t, {value: r, available in writing:! 0, countable:! 1}), r} catch (i) {return [t] = r, r e} var o = Object.prototype.hasOwnProperty; t.exports = r}, {}], handle: [function (e, t, n) {function r (e, t, n [{(, r) {o.buffer([e],r), o.emit(e,t,n)} var o = e("ee").get ("handle"); t.exports = r, r.ee = o}, {}], id: [function (e, t, n) {function r (e) {var t = typeof e; return! e |}}] "(» Object"!==t&&"function"!==t?-1:e===Window?0:a(e,i,Function() {return o ++})} var o = 1, I = "[email protected] / * /', a = e ("gos"); [t.exports = r}, {}], charger: [function (e, t, n) {function r() {if(!w++) {var e = v.info = NREUM.info, t = s.getElementsByTagName ("script") [0]; if(e&&e.licenseKey&&e.applicationID&&t) {c (l, function (t, n) {[t] e |})}}}}] (e [t] = n)}) ; var n = "https" = p.split (":") [0] | e.sslForHttp; v.proto = n? ([' https://":"http://",u("Mark",["OnLoad",a ()], null,"api"); var r = s.createElement ("script");r.src=v.proto+e.agent,t.parentNode.insertBefore(r,t)}}} function o() {"complete" = s.readyState & i ()} function i() {u ("mark", ["domContent", a ()], null, "api")} function a() {return (new Date) .getTime ()} var u = e ('handful'), c = e (2), f = window, s = f.document; NREUM.o = {ST:setTimeout, CT:clearTimeout, XHR:f.XMLHttpRequest, REQ:f.Request, EV:f.Event, PR:f.Promise, MO:f.MutationObserver}, e (1); var p=""+location,l={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net",agent:"js-agent.newrelic.com/nr-918.min.js"},d=window. XMLHttpRequest&&XMLHttpRequest.prototype&&XMLHttpRequest.prototype.addEventListener&&!/CriOS/.test (navigator.userAgent), v = t.exports = {offset: a (), original: p, features: {}, xhrWrappable:d}; s.addEventListener? (s.addEventListener("DOMContentLoaded",i,!1),f.addEventListener("load",r,!1)):(s.attachEvent("onreadystatechange",o),f.attachEvent("onload",r)),u("mark",["firstbyte",a ()], null, "api"); ({[var w = 0}, {}]}, {}, ["loader"]); // ]]> // // //

Glad you were able to solve the problem! Also, thank you for taking the time to come back and post the solution here (+ 5 from me)!

Now, given that your issue is resolved, you must mark the thread as "answered" :)

Thank you for evaluating useful messages!

Key to mounting USB on an ASA 5505?

Hello

I have an ASA 5505 and the built-in flash is small enough and I put 3 .pkg on it for 4 Anyconnect.

I formatted a memory stick (4 GB) to FAT32 and put in the USB Port 2 port on the back and restarted the firewall.

But in file manager, I see disk0 and disk1, disk1 does not work, does not list anything but I can't create folders on this subject.

Can I mount the USB key manually or something?

Kind regards.

The USB port on the 5505 is not a supported file storage location.

In the most recent series 5500-X (including the X 5506), you can do this.

ASA 5505 transparent mode dosnt pass traffic

Hi all

need help

ASA 5505 do not pass traffic as a cordon of brewing, how do you get traffic?

ciscoasa # sh ver

Cisco Adaptive Security Appliance Version 8.2 software (5)

Version 6.4 Device Manager (5)

Updated Saturday, May 20, 11 16:00 by manufacturers

System image file is "disk0: / asa825 - k8.bin.

The configuration file to the startup was "startup-config '.

ciscoasa until 55 minutes 31 seconds

Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

Internal ATA Compact Flash, 128 MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

Start firmware: CN1000-MC-BOOT - 2.00

SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

0: Int: internal-Data0/0: the address is e4d3.f193.9486, irq 11

1: Ext: Ethernet0/0: the address is e4d3.f193.947e, irq 255

2: Ext: Ethernet0/1: the address is e4d3.f193.947f, irq 255

3: Ext: Ethernet0/2: the address is e4d3.f193.9480, irq 255

4: Ext: Ethernet0/3: the address is e4d3.f193.9481, irq 255

5: Ext: Ethernet0/4: the address is e4d3.f193.9482, irq 255

6: Ext: Ethernet0/5: the address is e4d3.f193.9483, irq 255

7: Ext: Ethernet0/6: the address is e4d3.f193.9484, irq 255

8: Ext: Ethernet0/7: the address is e4d3.f193.9485, irq 255

9: Int: internal-Data0/1: the address is 0000.0003.0002, irq 255

10: Int: not used: irq 255

11: Int: not used: irq 255

The devices allowed for this platform:

The maximum physical Interfaces: 8

VLAN: 3, restricted DMZ

Internal guests: 10

Failover: disabled

VPN - A: enabled

VPN-3DES-AES: enabled

SSL VPN peers: 2

The VPN peers total: 10

Double ISP: disabled

Junction ports VLAN: 0

Sharing license: disabled

AnyConnect for Mobile: disabled

AnyConnect Cisco VPN phone: disabled

AnyConnect Essentials: disabled

Assessment of Advanced endpoint: disabled

Proxy sessions for the UC phone: 2

Total number of Sessions of Proxy UC: 2

Botnet traffic filter: disabled

This platform includes a basic license.

Registry configuration is 0x1

Modified configuration of enable_15 to 20:34:47.689 UTC Wednesday 5 December 2012

ciscoasa #.

ciscoasa #.

ciscoasa # sh run

: Saved

:

ASA Version 8.2 (5)

!

transparent firewall

ciscoasa hostname

activate 8eeGnt0NEFObbH6U encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

I haventerface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

Shutdown

!

interface Ethernet0/3

Shutdown

!

interface Ethernet0/4

Shutdown

!

interface Ethernet0/5

Shutdown

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

Shutdown

!

interface Vlan1

nameif inside

security-level 100

!

interface Vlan2

nameif outside

security-level 0

!

passive FTP mode

outs_in of access allowed any ip an extended list

outs_in list extended access permit icmp any one

pager lines 24

Within 1500 MTU

Outside 1500 MTU

no ip address

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

outs_in access to the interface inside group

Access-group outs_in in interface outside

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Telnet timeout 5

SSH timeout 5

Console timeout 0

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e

: end

ciscoasa #.

ciscoasa #.

ciscoasa #.

ciscoasa # sh - access list

access cached list the ACL log stream: total 0, 0 (deny-flow-max 4096) denied

alert interval 300

outs_in list of access; 2 elements; hash name: 0xd6c65ba5

permit for access list 1 outs_in line ip scope any a (hitcnt = 0) 0x7d210842

allowed to Access-list outs_in line 2 extended icmp any a (hitcnt = 0) 0x5532fcc5

ciscoasa #.

Hello

Exactly... Good to know it works now.

Do you know why he needs the IP address (such as a transparent firewall)?

The ASA will act as a transparent layer 2 on the right device to the network, but what happens when the ASA does not have a particular destination mac address... What would be the source ip address of the package? Ip address of the ASA. So that's the main reason why we need that.

We use it also for traffic management and for AAA services (if authentication is used the ASA will send the AAA authentication request to the server) with the IP address of this source.

Please check the question as answered, so future users can pull of this

Julio Carvajal

Costa Rica

Selection of ASA 5505 license and Smartnet

Hello

We bought an ASA 5505 (ASA5505-BUN-K9) and more recently bought the license to upgrade from 10 to 50 users (L-ASA5505-10-50).

I want to provide remote access to users via AnyConnect - specifically, AnyConnnect under Windows as well as iPhone/iPad and Android. My understanding is that I should buy the Anyconnect Essentials (L-ASA-AC-E-5505) and permits Anyconnect Mobile (L-ASA-AC-M-5505). Is this correct? If I do this, simultaneous remote access VPN connections (via the Anyconnect customers) how the ASA will then support?

In addition, we did not purchase initially Smartnet with this device, but I want to do to access the software updates. Y at - it a document or a site where I can locate the SKU # s Smartnet contracts that would be appropriate with our device? Or could someone provide a few example SKU #?

The output of 'see the version' is below:

Cisco Adaptive Security Appliance Software Version 8.3 (1)

Version 6.3 Device Manager (1)

Updated Friday, March 4, 10 16:56 by manufacturers

System image file is "disk0: / asa831 - k8.bin.

The configuration file to the startup was "startup-config '.

asa1 until dry 42

Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

Internal ATA Compact Flash, 128 MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

Start firmware: CN1000-MC-BOOT - 2.00

SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

0: Int: internal-Data0/0: the address is 649e.f3b3.c2bb, irq 11

1: Ext: Ethernet0/0: the address is 649e.f3b3.c2b3, irq 255

2: Ext: Ethernet0/1: the address is 649e.f3b3.c2b4, irq 255

3: Ext: Ethernet0/2: the address is 649e.f3b3.c2b5, irq 255

4: Ext: Ethernet0/3: the address is 649e.f3b3.c2b6, irq 255

5: Ext: Ethernet0/4: the address is 649e.f3b3.c2b7, irq 255

6: Ext: Ethernet0/5: the address is 649e.f3b3.c2b8, irq 255

7: Ext: Ethernet0/6: the address is 649e.f3b3.c2b9, irq 255

8: Ext: Ethernet0/7: the address is 649e.f3b3.c2ba, irq 255

9: Int: internal-Data0/1: the address is 0000.0003.0002, irq 255

10: Int: not used: irq 255

11: Int: not used: irq 255

The devices allowed for this platform:

The maximum physical Interfaces: 8 perpetual

VLAN: 3 restricted DMZ

Double ISP: Disabled perpetual

Junction VIRTUAL LAN ports: perpetual 0

The hosts on the inside: 50 perpetual

Failover: Disabled perpetual

VPN - A: enabled perpetual

VPN-3DES-AES: activated perpetual

SSL VPN peers: 2 perpetual

Counterparts in total VPN: 10 perpetual

Shared license: disabled perpetual

AnyConnect for Mobile: disabled perpetual

AnyConnect Cisco VPN phone: disabled perpetual

AnyConnect Essentials: Disabled perpetual

Assessment of Advanced endpoint: disabled perpetual

Proxy UC phone sessions: 2 perpetual

Proxy total UC sessions: 2 perpetual

Botnet traffic filter: disabled perpetual

Intercompany Media Engine: Disabled perpetual

This platform includes a basic license.

---

Thank you!

Yes you are right, you must purchase the license key AnyConnect and AnyConnect Mobile, and you can run 25 maximum simultaneous AnyConnect

Here are the compatible Android devices for your reference:

http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect25/release/notes/RN-AC2.5-Android.html#wp1159723

For Smartnet, whereby the service level you need, here are a few examples for ASA5505:

-SMARTnet Premium 24 x 7 x 4 (SNTP): SNTP-CON-AS5B50K9

-SMARTnet 8x5xNBD (SWW): CON-SNT-AS5B50K9

Save the configuration to ASA 5505

Hi all, I have this problem, I save the configuration to the ASA 5505 help RAM or using the copy, run start but whe I unplug the power cord and plug it back to the ASA gets its default factory configuration... so what I do is a copy start run to get the active configuration...

Why is it so? even if I saved the config to Flash... greetings!

You have bad start to register:

Please follow the following document:

http://www.Cisco.com/en/us/docs/security/ASA/asa71/configuration/guide/trouble.html#wp1062992

You must set the default value 0 x 1

___

HTH. Please rate this post if this has been helpful. If it solves your problem, please mark this message as "right answer".

ASA 5505 Security Plus license question

Hi all!

I have an ASA 5505 that I test with first entered with the Security Plus license. Recently, I erased flash and loaded the latest version of asa841 - k8.bin of IOS with asdm - 642.bin. Everything starts very well and came as he does so freshly however I noticed that I was now running only a basic license. If I run the sh key activation order, I noticed the following messages (exit complete is downstairs):

The activation key running is not valid, using the default

......

This platform includes a basic license.

......

Unable to retrieve the activation key permanent flash

I somehow kill my Security Plus licenses when I did the flash erase? If yes how do I to get it back?

Thank you!!!

-ken

ciscoasa # sh - activation key

Serial number: JMXXXXXXHU

Activation key permanent running: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

The activation key running is not valid, using the default settings:

The devices allowed for this platform:

The maximum physical Interfaces: 8 perpetual

VLAN: 3 restricted DMZ

Double ISP: Disabled perpetual

Junction VIRTUAL LAN ports: perpetual 0

The hosts on the inside: 10 perpetual

Failover: Disabled perpetual

VPN - A: enabled perpetual

VPN-3DES-AES: disabled perpetual

AnyConnect Premium peers: 2 perpetual

AnyConnect Essentials: Disabled perpetual

Counterparts in other VPNS: 10 perpetual

Total VPN counterparts: 25 perpetual

Shared license: disabled perpetual

AnyConnect for Mobile: disabled perpetual

AnyConnect Cisco VPN phone: disabled perpetual

Assessment of Advanced endpoint: disabled perpetual

Proxy UC phone sessions: 2 perpetual

Proxy total UC sessions: 2 perpetual

Botnet traffic filter: disabled perpetual

Intercompany Media Engine: Disabled perpetual

This platform includes a basic license.

Unable to retrieve the activation key permanent flash.

The permanent activation key flash is the SAME as the key permanent running.

Hi Ken,

If you know what the license and activation for your security key, you can simply re - install it with the command "activation key" from the global configuration mode.

If you have lost the key, you'll want to open a support case to get it retrieved.

Hope that helps.

-Mike

VPN site-to-site between ASA 5505 and 2911

Hi all

I'm trying to setup VPN S2S. A.a.a.a of ip for the router 2911 office, remote office ASA 5505 8.4 (3) with ip b.b.b.b, but no luck.

2911 config:

version 15.2

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

host name 2911

boot-start-marker

Boot system flash c2900-universalk9-mz. Spa. 152 - 2.T.bin

boot-end-marker

Min-length 10 Security passwords

logging buffered 51200 warnings

No aaa new-model

min-threshold queue spd IPv6 62

Max-threshold queue spd IPv6 63

No ipv6 cef

the 5 IP auth-proxy max-login-attempts

max-login-attempts of the IP 5 admission

DHCP excluded-address IP 192.168.10.1 192.168.10.99

DHCP excluded-address IP 192.168.22.1 192.168.22.99

DHCP excluded-address IP 192.168.33.1 192.168.33.99

DHCP excluded-address IP 192.168.44.1 192.168.44.99

DHCP excluded-address IP 192.168.55.1 192.168.55.99

192.168.10.240 IP dhcp excluded-address 192.168.10.254

DHCP excluded-address IP 192.168.22.240 192.168.22.254

DHCP excluded-address IP 192.168.33.240 192.168.33.254

DHCP excluded-address IP 192.168.44.240 192.168.44.254

DHCP excluded-address IP 192.168.55.240 192.168.55.254

desktop IP dhcp pool

import all

network 192.168.33.0 255.255.255.0

router by default - 192.168.33.254

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

wi - fi IP dhcp pool

import all

network 192.168.44.0 255.255.255.0

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

router by default - 192.168.44.254

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

DMZ IP dhcp pool

import all

network 192.168.55.0 255.255.255.0

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

router by default - 192.168.55.254

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

IP dhcp pool voip

import all

network 192.168.22.0 255.255.255.0

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

router by default - 192.168.22.254

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

IP dhcp pool servers

import all

network 192.168.10.0 255.255.255.0

default router 192.168.10.254

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

IP domain name of domain

name-server IP 192.168.10.10

IP cef

connection-for block 180 tent 3-180

Timeout 10

VLAN ifdescr detail

Authenticated MultiLink bundle-name Panel

Crypto pki token removal timeout default 0

Crypto pki trustpoint TP-self-signed-3956567439

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 3956567439

revocation checking no

rsakeypair TP-self-signed-3956567439

TP-self-signed-3956567439 crypto pki certificate chain

certificate self-signed 01 nvram:IOS - Self-Sig #1.cer

license udi pid sn CISCO2911/K9

the FULL_NET object-group network

full range of the network Description

192.168.10.0 255.255.255.0

192.168.11.0 255.255.255.0

192.168.22.0 255.255.255.0

192.168.33.0 255.255.255.0

192.168.44.0 255.255.255.0

object-group network limited

description without servers and router network

192.168.22.0 255.255.255.0

192.168.33.0 255.255.255.0

192.168.44.0 255.255.255.0

VTP version 2

password username admin privilege 0 password 7

redundancy

no passive ftp ip

crypto ISAKMP policy 10

BA aes 256

sha512 hash

preshared authentication

ISAKMP crypto key admin address b.b.b.b

invalid-spi-recovery crypto ISAKMP

Crypto ipsec transform-set esp - aes esp-sha-hmac SET

10 map ipsec-isakmp crypto map

the value of b.b.b.b peer

Set transform-set

match address 160

Interface Port - Channel 1

no ip address

waiting-150 to

Interface Port - channel1.1

encapsulation dot1Q 1 native

IP 192.168.11.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.10

encapsulation dot1Q 10

IP address 192.168.10.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.22

encapsulation dot1Q 22

IP 192.168.22.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.33

encapsulation dot1Q 33

IP 192.168.33.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.44

encapsulation dot1Q 44

IP 192.168.44.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.55

encapsulation dot1Q 55

IP 192.168.55.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

the Embedded-Service-Engine0/0 interface

no ip address

Shutdown

interface GigabitEthernet0/0

Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE $ 0/0

no ip address

Shutdown

automatic duplex

automatic speed

interface GigabitEthernet0/1

no ip address

automatic duplex

automatic speed

channel-group 1

interface GigabitEthernet0/2

Description $ES_LAN$

no ip address

automatic duplex

automatic speed

channel-group 1

interface GigabitEthernet0/0/0

IP address a.a.a.a 255.255.255.224

NAT outside IP

IP virtual-reassembly in

automatic duplex

automatic speed

crypto map

IP forward-Protocol ND

no ip address of the http server

23 class IP http access

local IP http authentication

IP http secure server

IP http timeout policy slowed down 60 life 86400 request 10000

overload of IP nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0

IP nat inside source udp 500 interface GigabitEthernet0/0/0 500 a.a.a.a static

IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

NAT_INTERNET extended IP access list

refuse the object-group ip FULL_NET 192.168.17.0 0.0.0.255

refuse the object-group ip FULL_NET 192.168.1.0 0.0.0.255

permit ip FULL_NET object-group everything

access-list 1 permit 192.168.44.100

access-list 23 allow 192.168.10.7

access-list 23 permit 192.168.44.0 0.0.0.255

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

control plan

Line con 0

password password 7

opening of session

line to 0

line 2

no activation-character

No exec

preferred no transport

transport of entry all

transport output pad rlogin lapb - your MOP v120 udptn ssh telnet

StopBits 1

line vty 0 4

access-class 23 in

privilege level 15

local connection

entry ssh transport

line vty 5 15

access-class 23 in

privilege level 15

local connection

entry ssh transport

Scheduler allocate 20000 1000

end

The ASA config:

: Saved : ASA Version 8.4(3) ! hostname C domain-name domain enable password password encrypted passwd passwd encrypted names ! interface Ethernet0/0 ! interface Ethernet0/1 shutdown ! interface Ethernet0/2 shutdown ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 switchport access vlan 100 ! interface Ethernet0/6 switchport trunk allowed vlan 2,6 switchport mode trunk ! interface Ethernet0/7 shutdown ! interface Vlan1 description INTERNET mac-address 1234.5678.0001 nameif WAN security-level 0 ip address b.b.b.b 255.255.255.248 standby c.c.c.c ospf cost 10 ! interface Vlan2 description OLD-PRIVATE mac-address 1234.5678.0102 nameif OLD-Private security-level 100 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3 ospf cost 10 ! interface Vlan6 description MANAGEMENT mac-address 1234.5678.0106 nameif Management security-level 100 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3 ospf cost 10 ! interface Vlan100 description LAN Failover Interface ! boot system disk0:/asa843-k8.bin ftp mode passive clock timezone NZST 12 clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00 dns domain-lookup WAN dns server-group DefaultDNS name-server 208.67.222.222 domain-name domain same-security-traffic permit intra-interface object network obj-192.168.17.0 subnet 192.168.17.0 255.255.255.0 object network obj-192.168.10.0 subnet 192.168.10.0 255.255.255.0 object network obj-192.168.2.0 subnet 192.168.2.0 255.255.255.0 object network obj-192.168.9.0 subnet 192.168.9.0 255.255.255.0 object network obj-192.168.33.0 subnet 192.168.33.0 255.255.255.0 object network obj-192.168.44.0 subnet 192.168.44.0 255.255.255.0 object network obj_any object network obj_any-01 object network NETWORK_OBJ_192.168.10.0_24 subnet 192.168.10.0 255.255.255.0 object network NETWORK_OBJ_192.168.17.0_24 subnet 192.168.17.0 255.255.255.0 object network subnet-00 subnet 0.0.0.0 0.0.0.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service RDP tcp description RDP port-object eq 3389 object-group network DM_INLINE_NETWORK_1 network-object 192.168.17.0 255.255.255.0 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network DM_INLINE_NETWORK_2 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network subnet-17 network-object 192.168.17.0 255.255.255.0 object-group network subnet-2 network-object 192.168.2.0 255.255.255.0 object-group network subnet-9 network-object 192.168.9.0 255.255.255.0 object-group network subnet-10 network-object 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP standard permit 192.168.17.0 255.255.255.0 access-list WAN_access_in extended permit ip any any log debugging access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0 access-list MANAGEMENT_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1 access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0 access-list LAN_access_in extended permit ip any any log debugging access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 pager lines 24 logging enable logging buffer-size 52000 logging monitor informational logging trap informational logging asdm informational logging from-address syslog logging recipient-address admin level errors logging host OLD-Private 192.168.17.110 format emblem logging debug-trace logging permit-hostdown mtu WAN 1500 mtu OLD-Private 1500 mtu Management 1500 ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0 ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0 failover failover lan unit primary failover lan interface failover Vlan100 failover polltime interface 15 holdtime 75 failover key ***** failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2 icmp unreachable rate-limit 1 burst-size 1 icmp permit 192.168.10.0 255.255.255.0 WAN icmp permit host x.x.x.x WAN icmp permit 192.168.17.0 255.255.255.0 WAN icmp permit host c.c.c.c WAN icmp permit host a.a.a.a WAN icmp deny any WAN icmp permit 192.168.10.0 255.255.255.0 OLD-Private icmp permit 192.168.17.0 255.255.255.0 OLD-Private icmp permit host a.a.a.a OLD-Private icmp permit host 192.168.10.0 Management icmp permit host 192.168.17.138 Management icmp permit 192.168.1.0 255.255.255.0 Management icmp permit host 192.168.1.26 Management icmp permit host a.a.a.a Management asdm image disk0:/asdm-647.bin no asdm history enable arp timeout 14400 nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup ! object network subnet-00 nat (OLD-Private,WAN) dynamic interface access-group WAN_access_in in interface WAN access-group OLD-PRIVATE_access_in in interface OLD-Private access-group MANAGEMENT_access_in in interface Management route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa local authentication attempts max-fail 10 http server enable http b.b.b.b 255.255.255.255 WAN http 0.0.0.0 0.0.0.0 WAN no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart service resetoutside crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac crypto map WAN_map 1 match address WAN_1_cryptomap crypto map WAN_map 1 set pfs crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Office 2 match address WAN_1_cryptomap crypto map Office 2 set peer a.a.a.a crypto map Office interface WAN crypto map MAP 10 set peer a.a.a.a crypto map MAP 10 set ikev1 transform-set OFFICE crypto ikev2 enable WAN crypto ikev1 enable WAN crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption des hash sha group 1 lifetime 86400 telnet timeout 5 ssh a.a.a.a 255.255.255.255 WAN ssh timeout 30 ssh version 2 console timeout 0 dhcpd auto_config OLD-Private ! threat-detection basic-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 129.6.15.28 source WAN prefer webvpn group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 ssl-client ssl-clientless group-policy admin internal group-policy admin attributes dns-server value 208.67.222.222 156.154.70.1 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_a.a.a.a internal group-policy GroupPolicy_a.a.a.a attributes vpn-tunnel-protocol ikev1 ikev2 group-policy CiscoVPNClient internal group-policy CiscoVPNClient attributes vpn-idle-timeout 30 vpn-session-timeout none vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl username admin password password encrypted privilege 15 tunnel-group admin type remote-access tunnel-group admin general-attributes address-pool vpnclient authorization-server-group LOCAL default-group-policy admin tunnel-group a.a.a.a type ipsec-l2l tunnel-group a.a.a.a general-attributes default-group-policy GroupPolicy_a.a.a.a tunnel-group a.a.a.a ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group CiscoVPNClient type remote-access tunnel-group CiscoVPNClient general-attributes address-pool vpnclient default-group-policy CiscoVPNClient tunnel-group CiscoVPNClient ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options   inspect icmp ! service-policy global_policy global smtp-server 192.168.17.10 prompt hostname context no call-home reporting anonymous call-home contact-email-addr admin contact-name admin profile CiscoTAC-1   no active : end asdm image disk0:/asdm-647.bin asdm location c.c.c.c 255.255.255.255 WAN asdm location 192.168.17.2 255.255.255.255 WAN asdm location a.a.a.a 255.255.255.255 OLD-Private no asdm history enable

ASA:

# show crypto ipsec his

There is no ipsec security associations

# show crypto isakmp his

There are no SAs IKEv1

There are no SAs IKEv2

2911:

#show crypto ipsec his

Interface: GigabitEthernet0/0/0

Tag crypto map: map, addr a.a.a.a local

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)

Remote ident (addr, mask, prot, port): (192.168.17.0/255.255.255.0/0/0)

current_peer b.b.b.b port 500

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors of #send 4, #recv errors 0

local crypto endpt. : a.a.a.a, remote Start crypto. : b.b.b.b

Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0/0

current outbound SPI: 0x0 (0)

PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

-Other - arrival ah sas:

-More-

-More - CFP sas on arrival:

-More-

-More - outgoing esp sas:

-More-

-More - out ah sas:

-More-

-More - out CFP sas:

Thanks for your time,

Nick

Please add

map Office 2 set transform-set OFFICE ikev1 crypto

If it is not helpful, please enable debug crypto ipsec 255 and paste here.

HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.

Impossible to establish a VPN to ASA 5505

I'm trying to set up a network VPN from Site to Site. Right now I'm doing this work in the laboratory. I have the Internet port on the Linksys connected directly to port 0 on the cisco that has been set up as the internet port.

My configuration is:

Remote site

Laptop 1 - IP 192.168.2.100 address 255.255.255.0 GW 192.168.2.1

The Router 1 (Linksys BEFSX41) - LAN IP 192.168.2.1 255.255.255.0

209.168.145.49 WAN IP address 255.255.255.0 GW 209.168.145.50

Host site

Laptop 2 - address 192.168.1.100 IP 255.255.255.0 GW 192.168.1.1

Router 2 (Cisco ASA 5505) - LAN IP 0 address 192.168.1.1 255.255.255.0

IP WAN (Port 0) 209.168.145.50 255.255.255.0

My problems:

I use ASDM 5.2 to configure the router of the SAA. With the configuration I currently have my linksys is not able to establish a VPN connection. The journal of ASA reported via the ASDM is as shown in the attachment ciscolog.txt.

My linksys journal is as listed in the attachment linksyslog.txt.

I also tried to create a Cisco VPN client connection using the cisco client software and a laptop connected directly to the internet port of the router cisco (port 0) and was not able to establish a connection with that either. I used the wizard of ASDM VPN to try to implement the Site-site as well as the scenarios of connection remotely. This has been unsuccessful in both cases.

The only one, I am really interested in getting to work is the site to site.

My current configuration of cisco is shown in the attachment cisco.txt.

If anyone has any input I would appreciate it a lot. I have been through the manuals of cisco as to scouring the internet and am unable to find an answer.

I enclose 3 files, cisco log (ciscolog.txt), linksys (linksyslog.txt) log and config cisco (cisco.txt) in the form of text files.

Thank you.

Sean

I hope that path statement solves your problem.

-Gilbert

Good job, Adam!

ASA 5505 SSL VPN license update

Hi all.

Our ASA 5505 with DATABASE default license allowing only 10 simultaneous vpn sessions (including 2 Anyconnect + IPsec). attached a TXT file with the license information. This Firewall is's use only for vpn access, and we less vpn tunnel vpn IPSec-L2L, anyconnect client SSL and IPSec client access configurations vpn to the top and race walk,.

We are in terms of upgrading vpn license to archive IPSec 10 and 10 Anyconnect and 1 anyconect mobile VPN sessions in time. so my questions are;

1. can I buy "ASA5500-SSL-10 =" accounting and to upgrade our ASA 5505 without having to buy "L-ASA5505-SEC-PL =" license of pus of security.

2. asa use to upgrade only Anyconnect SSL vpn license while keeping 10 vpn IPSec comes with the base license.

Thank you & you expects value comment

Thank you

JCK

1. Yes.

2.Yes.

If you want to keep Clientless SSL VPN you do not want to continue with the addition of the ASA5500-SSL-10 = part. If you can do without client (including the conversion the two existing ones), more economically, you can opt for Security Plus and AnyConnect Essentials licenses. (US$ 800 vs price $1250).

In both cases, the Mobile requires the AnyConnect Mobile (ASA-AC-M-5505) license.

Problem with ASA 5505 VPN remote access

After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?

Here is the cfg running of the ASA

----------------------------------------------------------------------------------------

: Saved

:

ASA Version 8.4 (1)

!

hostname NCHCO

enable encrypted password xxxxxxxxxxxxxxx

xxxxxxxxxxx encrypted passwd

names of

description of NCHCO name 192.168.2.0 City offices

name 192.168.2.80 VPN_End

name 192.168.2.70 VPN_Start

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address **. ***. 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system Disk0: / asa841 - k8.bin

passive FTP mode

network of the NCHCO object

Subnet 192.168.2.0 255.255.255.0

network object obj - 192.168.1.0

subnet 192.168.1.0 255.255.255.0

network object obj - 192.168.2.64

subnet 192.168.2.64 255.255.255.224

network object obj - 0.0.0.0

subnet 0.0.0.0 255.255.255.0

network obj_any object

subnet 0.0.0.0 0.0.0.0

the Web server object network

the FINX object network

Home 192.168.2.11

rdp service object

source between 1-65535 destination eq 3389 tcp service

Rdp description

outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0

inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224

permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224

outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

LAN_Access list standard access allowed 192.168.2.0 255.255.255.0

LAN_Access list standard access allowed 0.0.0.0 255.255.255.0

NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0

AnyConnect_Client_Local_Print deny ip extended access list a whole

AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd

Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631

print the access-list AnyConnect_Client_Local_Print Note Windows port

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353

AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355

Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137

AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns

outside_access_in list extended access permit tcp any object FINX eq 3389

outside_access_in_1 list extended access allowed object rdp any object FINX

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 649.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0

NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64

NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64

!

network obj_any object

NAT dynamic interface (indoor, outdoor)

the FINX object network

NAT (inside, outside) interface static service tcp 3389 3389

Access-group outside_access_in_1 in interface outside

Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

network-acl outside_nat0_outbound

WebVPN

SVC request to enable default svc

Enable http server

http 192.168.1.0 255.255.255.0 inside

http *. **. ***. 255.255.255.255 outside

http *. **. ***. 255.255.255.255 outside

http NCHCO 255.255.255.0 inside

http 96.11.251.186 255.255.255.255 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform

IKEv1 crypto ipsec transform-set l2tp-transformation mode transit

Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1

transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1

Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1

transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map dyn-map 10 set pfs Group1

crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1

dynamic-map encryption dyn-map 10 value reverse-road

Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1

Crypto-map dynamic outside_dyn_map 20 the value reverse-road

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs Group1

peer set card crypto outside_map 1 74.219.208.50

card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1

map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

inside crypto map inside_map interface

card crypto vpn-map 1 match address outside_1_cryptomap_1

card crypto vpn-card 1 set pfs Group1

set vpn-card crypto map peer 1 74.219.208.50

card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map

dynamic vpn-map 10 dyn-map ipsec isakmp crypto map

crypto isakmp identity address

Crypto ikev1 allow inside

Crypto ikev1 allow outside

IKEv1 crypto ipsec-over-tcp port 10000

IKEv1 crypto policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

IKEv1 crypto policy 15

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 35

preshared authentication

3des encryption

sha hash

Group 2

life 86400

enable client-implementation to date

Telnet 192.168.1.0 255.255.255.0 inside

Telnet NCHCO 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.1.0 255.255.255.0 inside

SSH NCHCO 255.255.255.0 inside

SSH timeout 5

Console timeout 0

dhcpd address 192.168.2.150 - 192.168.2.225 inside

dhcpd dns 216.68.4.10 216.68.5.10 interface inside

lease interface 64000 dhcpd inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

value of server DNS 192.168.2.1

L2TP ipsec VPN-tunnel-Protocol ikev1

nchco.local value by default-field

attributes of Group Policy DfltGrpPolicy

value of server DNS 192.168.2.1

L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client

allow password-storage

enable IPSec-udp

enable dhcp Intercept 255.255.255.0

the address value VPN_Pool pools

internal NCHCO group policy

NCHCO group policy attributes

value of 192.168.2.1 DNS Server 8.8.8.8

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1

value by default-field NCHCO.local

admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

username NCHvpn99 password dhn. JzttvRmMbHsP encrypted

attributes global-tunnel-group DefaultRAGroup

address (inside) VPN_Pool pool

address pool VPN_Pool

authentication-server-group (inside) LOCAL

authentication-server-group (outside LOCAL)

LOCAL authority-server-group

authorization-server-group (inside) LOCAL

authorization-server-group (outside LOCAL)

Group Policy - by default-DefaultRAGroup

band-Kingdom

band-band

IPSec-attributes tunnel-group DefaultRAGroup

IKEv1 pre-shared-key *.

NOCHECK Peer-id-validate

tunnel-group DefaultRAGroup ppp-attributes

No chap authentication

no authentication ms-chap-v1

ms-chap-v2 authentication

tunnel-group DefaultWEBVPNGroup ppp-attributes

PAP Authentication

ms-chap-v2 authentication

tunnel-group 74.219.208.50 type ipsec-l2l

IPSec-attributes tunnel-group 74.219.208.50

IKEv1 pre-shared-key *.

type tunnel-group NCHCO remote access

attributes global-tunnel-group NCHCO

address pool VPN_Pool

Group Policy - by default-NCHCO

IPSec-attributes tunnel-group NCHCO

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:a2110206e1af06974c858fb40c6de2fc

: end

ASDM image disk0: / asdm - 649.bin

ASDM VPN_Start 255.255.255.255 inside location

ASDM VPN_End 255.255.255.255 inside location

don't allow no asdm history

---------------------------------------------------------------------------------------------------------------

And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:

---------------------------------------------------------------------------------------------------------------

Cisco Systems VPN Client Version 5.0.07.0440

Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

Customer type: Windows, Windows NT

Running: 6.1.7601 Service Pack 1

Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\

1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026

Try to find a certificate using hash Serial.

2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027

Found a certificate using hash Serial.

3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011

RELOADED successfully certificates in all certificate stores.

4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002

Start the login process

5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004

Establish a secure connection

6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024

Attempt to connect with the server "*." **. ***. *** »

7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B

Try to establish a connection with *. **. ***. ***.

8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001

From IKE Phase 1 negotiation

9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001

Peer is a compatible peer Cisco-Unity

13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports XAUTH

14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports the DPD

15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports NAT - T

16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports fragmentation IKE payloads

17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001

IOS Vendor ID successful construction

18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083

IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4

20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072

Automatic NAT detection status:

Remote endpoint is NOT behind a NAT device

This effect is NOT behind a NAT device

21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015

Launch application xAuth

25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012

Attributes of the authentication request is 6: 00.

26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017

xAuth application returned

27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008

IPSec driver started successfully

29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E

Customer address a request from firewall to hub

35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F

SPLIT_NET #1

= 192.168.2.0 subnet

mask = 255.255.255.0

Protocol = 0

SRC port = 0

port dest = 0

45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local

46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710

47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11

49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019

Data in mode Config received

51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056

Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045

Answering MACHINE-LIFE notify has value of 86400 seconds

56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047

This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now

57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">

59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045

Answering MACHINE-LIFE notify is set to 28800 seconds

60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***

61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059

IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)

62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025

OUTGOING ESP SPI support: 0xAAAF4C1C

63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026

Charges INBOUND ESP SPI: 0x3EBEBFC5

64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

Destination mask subnet Gateway Interface metric

0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001

Launch VAInst64 for controlling IPSec virtual card

66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034

The virtual card has been activated:

IP=192.168.2.70/255.255.255.0

DNS = 192.168.2.1, 8.8.8.8

WINS = 0.0.0.0 0.0.0.0

Domain = NCHCO.local

Split = DNS names

67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

Destination mask subnet Gateway Interface metric

0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261

255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261

68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038

Were saved successfully road to file changes.

69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

Destination mask subnet Gateway Interface metric

0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

**. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100

96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261

192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100

192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261

192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261

224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261

255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261

70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036

The routing table has been updated for the virtual card

71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A

A secure connection established

72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

Look at address added to 96.11.251.149. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

Look at address added to 192.168.2.70. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001

Did not find the smart card to watch for removal

75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

Creates a new key structure

77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

Adding key with SPI = 0x1c4cafaa in the list of keys

78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

Creates a new key structure

79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

Adding key with SPI = 0xc5bfbe3e in the list of keys

80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F

Assigned WILL interface private addr 192.168.2.70

81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037

Configure the public interface: 96.11.251.149. SG: **.**.***.***

82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046

Define indicator tunnel set up in the registry to 1.

83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D

Upon request of the DPD to *. **. ***. , our seq # = 107205276

85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040

Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276

88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019

Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e

89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D

Upon request of the DPD to *. **. ***. , our seq # = 107205277

91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040

Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277

94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D

Upon request of the DPD to *. **. ***. , our seq # = 107205278

96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040

Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278

---------------------------------------------------------------------------------------------------------------

Any help would be appreciated, thanks!

try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.

ASA - 5505 / good S2S / RemoteAccess with slow AnyConnect

Hi all

I use two ASA 5505 to sites. VPN between two works fine and fast that allows our ISP (~ 10MBit up/down).

At home, I have normal ADSL (~ 600kbit up / down 6 Mbit)

Downloading files from home on the internal server is fast, but when I connect through AnyConnect it is horrible slow.

Both with the same zipfile on http server:

The download speed with AnyConnect: 90 - 120 KB/s

Download without AnyConnect speed: 660 KB/s

Download the same file on the client to the other site of the Site 2 Site VPN server works quickly with 945 KB/s.

I thought that maybe it's a ServicePolicyRule with QoS, but there are only the default rule where the QoS tab is not available and only ProtocolInspections are selectable.

ASA 9.1.2

ASDM 7.1.3

AnyConnect Client 3.1.04063

Any idea or suggestion?

Well cordially

Chris

Hi Chris,

Try lowering the value of mtu anyconnect 'anyconnect mtu 1300' in the group policy, and then test the question.

You experience slowness for the internet traffic or for accessinng servers behind the ASA?

Using fractionation on SAA tunnel?

Kind regards

NGO

Error of customer Cisco VPN connection ASA 5505

I am unable to connect to the vpn I created on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 is lower. Any help to solve this is appreciated.

CISCO VPN CLIENT LOG

Cisco Systems VPN Client Version 5.0.06.0160

Copyright (C) 1998-2009 Cisco Systems, Inc.. All rights reserved.

Customer type: Windows, Windows NT

Running: 6.1.7600

Config files directory: C:\Program Cisco Systems Client\

1 09:34:23.030 13/04/11 Sev = Info/4 CM / 0 x 63100002

Start the login process

2 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100004

Establish a secure connection

3 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100024

Attempt to connect with the server "71.xx.xx.253".

4 09:34:23.061 13/04/11 Sev = Info/6 IKE/0x6300003B

Attempts to establish a connection with 71.xx.xx.253.

5 09:34:23.061 13/04/11 Sev = Info/4 IKE / 0 x 63000001

From IKE Phase 1 negotiation

6 09:34:23.077 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 71.xx.xx.253

7 09:34:23.170 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

8 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

9 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer is a compatible peer Cisco-Unity

10 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer supports XAUTH

11 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer supports the DPD

12 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer supports NAT - T

13 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer supports fragmentation IKE payloads

14 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000001

IOS Vendor ID successful construction

15 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) at 71.xx.xx.253

16 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000055

Sent a keepalive on the IPSec Security Association

17 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000083

IKE port in use - Local Port = 0xEB07, Remote Port = 0 x 1194

18 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000072

Automatic NAT detection status:

Remote endpoint is NOT behind a NAT device

This effect is behind a NAT device

19 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

20 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

21 09:34:23.186 13/04/11 Sev = Info/5 IKE/0x6300005E

Customer address a request from firewall to hub

22 09:34:23.186 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253

23 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

24 09:34:23.248 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

25 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 172.26.6.1

26 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.0.0

27 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 172.26.0.250

28 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 172.26.0.251

29 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000

30 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = TLCUSA

31 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

32 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (1) built by manufacturers on Wednesday 5 May 09 22:45

33 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

34 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194

35 09:34:23.248 13/04/11 Sev = Info/4 CM / 0 x 63100019

Data in mode Config received

36 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000056

Received a request from key driver: local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0

37 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SEND to > QM ISAKMP OAK * (HASH, SA, NO, ID, ID) to 71.xx.xx.253

38 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

39 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

40 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000045

Answering MACHINE-LIFE notify has value of 86400 seconds

41 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000047

This AA is already living from 0 seconds, setting the expiration to 86400 seconds right now

42 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

43 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

44 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253

45 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000049

IPsec security association negotiation made scrapped, MsgID = 89EE7032

46 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000017

Marking of IKE SA delete (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

47 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

48 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000058

Received an ISAKMP for a SA message no assets, I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8

49 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">

50 09:34:26.696 13/04/11 Sev = Info/4 IKE/0x6300004B

IKE negotiation to throw HIS (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

51 09:34:26.696 13/04/11 Sev = Info/4 CM / 0 x 63100012

ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED". Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system

52 09:34:26.696 13/04/11 Sev = Info/5 CM / 0 x 63100025

Initializing CVPNDrv

53 09:34:26.696 13/04/11 Sev = Info/6 CM / 0 x 63100046

Set indicator established tunnel to register to 0.

54 09:34:26.696 13/04/11 Sev = Info/4 IKE / 0 x 63000001

Signal received IKE to complete the VPN connection

----------------------------------------------------------------------------------------

ASA 5505 CONFIG

: Saved

:

ASA Version 8.2 (1)

!

ciscoasa hostname

domain masociete.com

activate tdkuTUSh53d2MT6B encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Vlan1

nameif inside

security-level 100

IP 172.26.0.252 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

IP address 71.xx.xx.253 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

clock timezone IS - 5

clock to summer time EDT recurring

DNS server-group DefaultDNS

domain masociete.com

access-list LIMU_Split_Tunnel_List note the network of the company behind the ASA

Standard access list LIMU_Split_Tunnel_List allow 172.26.0.0 255.255.0.0

outside_access_in list extended access permit icmp any one

outside_access_in list extended access udp allowed any any eq 4500

outside_access_in list extended access udp allowed any any eq isakmp

outside_access_in list extended access permit tcp any host 71.xx.xxx.251 eq ftp

outside_access_in list extended access permit tcp any host 71.xx.xxx.244 eq 3389

inside_outbound_nat0_acl list of allowed ip extended access all 172.26.5.192 255.255.255.240

inside_outbound_nat0_acl list of allowed ip extended access all 172.26.6.0 255.255.255.128

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

local pool VPN_POOL 172.26.6.1 - 172.26.6.100 255.255.0.0 IP mask

ICMP unreachable rate-limit 1 burst-size 1

enable ASDM history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_outbound_nat0_acl

NAT (inside) 1 0.0.0.0 0.0.0.0

static (inside, outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255

static (inside, outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

Enable http server

http 172.26.0.0 255.255.0.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5

Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5

Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd outside auto_config

!

no basic threat threat detection

no statistical access list - a threat detection

no statistical threat detection tcp-interception

WebVPN

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

value of server WINS 172.26.0.250 172.26.0.251

value of 172.26.0.250 DNS server 172.26.0.251

Protocol-tunnel-VPN IPSec l2tp ipsec svc

value by default-field TLCUSA

internal LIMUVPNPOL1 group policy

LIMUVPNPOL1 group policy attributes

value of 172.26.0.250 DNS server 172.26.0.251

VPN-idle-timeout 30

Protocol-tunnel-VPN IPSec l2tp ipsec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list LIMU_Split_Tunnel_List

the address value VPN_POOL pools

internal TLCVPNGROUP group policy

TLCVPNGROUP group policy attributes

value of 172.26.0.250 DNS server 172.26.0.251

Protocol-tunnel-VPN IPSec l2tp ipsec svc

Re-xauth disable

enable IPSec-udp

value by default-field TLCUSA

barry.julien YCkQv7rLwCSNRqra06 + QXg password user name is nt encrypted privilege 0

username barry.julien attributes

VPN-group-policy TLCVPNGROUP

Protocol-tunnel-VPN IPSec l2tp ipsec

bjulien bhKBinDUWhYqGbP4 encrypted password username

username bjulien attributes

VPN-group-policy TLCVPNGROUP

attributes global-tunnel-group DefaultRAGroup

address VPN_POOL pool

Group Policy - by default-DefaultRAGroup

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared-key *.

tunnel-group DefaultRAGroup ppp-attributes

no authentication ms-chap-v1

ms-chap-v2 authentication

type tunnel-group TLCVPNGROUP remote access

attributes global-tunnel-group TLCVPNGROUP

address VPN_POOL pool

Group Policy - by default-TLCVPNGROUP

IPSec-attributes tunnel-group TLCVPNGROUP

pre-shared-key *.

ISAKMP ikev1-user authentication no

tunnel-group TLCVPNGROUP ppp-attributes

PAP Authentication

ms-chap-v2 authentication

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:b94898c163c59cee6c143943ba87e8a4

: end

enable ASDM history

can you try to change the transformation of dynamic value ESP-3DES-SHA map.

for example

remove the encryption scheme dynamic-map outside_dyn_map 20 transform-set TRANS_ESP_3DES_MD5

and replace with

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

ASA 5505 - remote access VPN to access various internal networks

Hi all

A customer has an ASA 5505 with a remote access vpn. They are moving their internal network to a new regime and that you would be the users who come on the vpn to access the existing and new networks. Currently can only access the existing. When users connect to access remote vpn, the asa gave them the address 192.168.199.x. The current internal network is 200.190.1.x and that they would reach their new network of 10.120.110.x.

Here is the config:

:

ASA Version 8.2 (5)

!

ciscoasa hostname

enable encrypted password xxx

XXX encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 200.190.1.15 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address 255.255.255.0 xxxxxxx

!

exec banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

connection of the banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

banner asdm the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

passive FTP mode

access extensive list ip 200.190.1.0 inside_access_in allow 255.255.255.0 any

outside_access_in list extended access permit icmp any external interface

access extensive list ip 192.168.199.0 outside_access_in allow 255.255.255.192 host 10.120.110.0

Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 200.190.1.0 255.255.255.0

MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0

access extensive list ip 200.190.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192

inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask 192.168.199.10 - 192.168.199.50 255.255.255.0 IP local pool Remote_IPSEC_VPN_Pool

IP verify reverse path to the outside interface

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ICMP allow all outside

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 200.190.1.0 255.255.255.0

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 190.213.43.1 1

Route inside 10.120.110.0 255.255.255.0 200.190.1.50 1

Route inside 192.168.50.0 255.255.255.0 200.190.1.56 1

Route inside 192.168.60.0 255.255.255.0 200.190.1.56 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

http server enable 10443

http server idle-timeout 5

Server of http session-timeout 30

HTTP 200.190.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

Crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

(omitted)

quit smoking

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 3600

Telnet timeout 5

SSH 200.190.1.0 255.255.255.0 inside

SSH timeout 5

SSH version 2

Console timeout 5

dhcpd outside auto_config

!

a basic threat threat detection

scanning-threat shun threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

allow outside

internal MD_SSL_Gp_Pol group strategy

attributes of Group Policy MD_SSL_Gp_Pol

VPN-tunnel-Protocol webvpn

WebVPN

list of URLS no

disable the port forward

hidden actions no

disable file entry

exploration of the disable files

disable the input URL

internal MD_IPSEC_Tun_Gp group strategy

attributes of Group Policy MD_IPSEC_Tun_Gp

value of banner welcome to remote VPN

VPN - connections 1

VPN-idle-timeout 5

Protocol-tunnel-VPN IPSec webvpn

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list MD_IPSEC_Tun_Gp_splitTunnelAcl

the address value Remote_IPSEC_VPN_Pool pools

WebVPN

value of the RDP URL-list

attributes of username (omitted)

VPN-group-policy MD_IPSEC_Tun_Gp

type of remote access service

type tunnel-group MD_SSL_Profile remote access

attributes global-tunnel-group MD_SSL_Profile

Group Policy - by default-MD_SSL_Gp_Pol

type tunnel-group MD_IPSEC_Tun_Gp remote access

attributes global-tunnel-group MD_IPSEC_Tun_Gp

address pool Remote_IPSEC_VPN_Pool

Group Policy - by default-MD_IPSEC_Tun_Gp

IPSec-attributes tunnel-group MD_IPSEC_Tun_Gp

pre-shared key *.

!

!

context of prompt hostname

: end

The following ACL and NAT exemption ACL split tunnel is incorrect:

MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0

inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192

It should have been:

Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 10.120.110.0 255.255.255.0

access extensive list ip 10.120.110.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192

Then 'clear xlate' and reconnect with the VPN Client.

Hope that helps.

ASA 5505 Flash files

Similar Questions

Maybe you are looking for