ASA - 5505 / good S2S / RemoteAccess with slow AnyConnect

Hi all

I use two ASA 5505 to sites. VPN between two works fine and fast that allows our ISP (~ 10MBit up/down).

At home, I have normal ADSL (~ 600kbit up / down 6 Mbit)

Downloading files from home on the internal server is fast, but when I connect through AnyConnect it is horrible slow.

Both with the same zipfile on http server:

The download speed with AnyConnect: 90 - 120 KB/s

Download without AnyConnect speed: 660 KB/s

Download the same file on the client to the other site of the Site 2 Site VPN server works quickly with 945 KB/s.

I thought that maybe it's a ServicePolicyRule with QoS, but there are only the default rule where the QoS tab is not available and only ProtocolInspections are selectable.

ASA 9.1.2

ASDM 7.1.3

AnyConnect Client 3.1.04063

Any idea or suggestion?

Well cordially

Chris

Hi Chris,

Try lowering the value of mtu anyconnect 'anyconnect mtu 1300' in the group policy, and then test the question.

You experience slowness for the internet traffic or for accessinng servers behind the ASA?

Using fractionation on SAA tunnel?

Kind regards

NGO

Tags: Cisco Security

Similar Questions

L2l between an ASA 5505 and WatchGuard XTM330 with dynamic IP

Hi guys,.

I looked for a solution on this one but can't find inappropriate, most of the discussions were old and with dead links to the solution.

We have an ASA 5505 with static IP address on the outside and a customer who have a WatchGuard XTM330 with dynamic IP address to the outside.

Is it possible to have an L2L VPN between our ASA and the WatchGuard when he has a dynamic IP?

I have no experience on the series of WatchGuard,

so, I am very grateful for any answer!

Thanks in advance and have a nice day

BR

Robin

Hi Robin,

Here are the links you can make reference when configuring static to the dynamic VPN tunnel: -.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/112075-dynamic-IPSec-ASA-router-CCP.html

This one is with Pix on the remote side, but the configuration will remain the same on the local side: -.
http://www.WatchGuard.com/docs/4-6-Firebox-CiscoPix.PDF

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Cisco Asa 5505 and level 3 with remote access VPN switch

Today I had a new CISCO LAYER 3 switch... So here's my scenrio

Cisco Asa 5505

I have

Outside of the == 155.155.155.x

Inside = 192.168.7.1

Address POOL VPN = 10.10.10.1 - 10.10.10.20

3 layer switch configuration

VLAN 2

ip address of the interface = 192.168.1.1

VLAN 2

ip address of the interface = 192.168.2.1

VLAN 2

ip address of 192.168.3.1 = interface

VLAN 2

ip address of the interface = 192.168.4.1

VLAN 2

ip address of the interface = 192.168.5.1

IP Routing

So I want the customers of my remote access VPN to access all that these networks. So please can you give me a useful tip or a link to set up the rest of my trip

Thanks to you all

Al ready has responded

Sent by Cisco Support technique iPad App

ASA 5505 Anyconnect traversal nat error

Good afternoon gents,

I installed an ASA 5505 and can connect with anyconnect, but when I do, I can't access my LAN, then my LAN can access my laptop. In the newspapers, I see the following error message:

Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside;10.139.50.1/64506 dst inside 10.201.180.5/53 refused because of the failure of path opposite of that of NAT.

I can't seem to figure this point and nothing I read to try worked. Here's the relevant config, any help would be GREATLY appreciated.

interface Vlan1
nameif inside
security-level 100
IP 10.201.180.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 67.200.133.107 255.255.255.248
!

access extensive list ip 10.139.50.0 inside_nat0_outbound allow 255.255.255.0 10.201.180.0 255.255.255.0
access extensive list ip 10.201.180.0 inside_nat0_outbound allow 255.255.255.0 10.139.50.0 255.255.255.0

mask 10.139.50.1 - 10.139.50.50 255.255.255.0 IP local pool SSLClientPool

Global 1 interface (outside)
NAT (inside) 0 inside_nat0_outbound list of outdoor access
NAT (inside) 1 0.0.0.0 0.0.0.0

Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication

Try the nat statement 0 without the keyword on the outside.

NAT (inside) 0-list of access inside_nat0_outbound

In addition,

sh run sysopt and stick out.

Manish

EzVPN between Cisco ASA 5505 (with NEM mode) and Ciscoo 881 Roure

Hi friends,

I configured the Cisco ASA 5505 and Cisco router with DMVPN 881. 3 offices works very well but one office remains failure. I did the same configuration for all facilities but this router does not work. Any ideas?

Please find below the exit of 881 router Cisco:

YF2_Tbilisi_router #.
* 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:26.793 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:31:26.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:26.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:36.793 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
* 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:31:36.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:36.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 09:31:44.929 4 August: ISAKMP: (0): serving SA., its is 88961 B 34, delme is 88961 B 34
* 4 August 09:31:46.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:46.793 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

* 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:31:46.793 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
* 4 August 09:31:46.793: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
* 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:31:46.793 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
* 09:31:46.793 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
* 09:31:46.793 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 09:31:46.793 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

* 4 August 09:31:47.805: del_node 2.2.2.2 src dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
* 09:31:47.805 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

* 4 August 09:31:47.805: ISAKMP: (0): profile of THE request is (NULL)
* 09:31:47.805 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
* 09:31:47.805 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004819
* 09:31:47.805 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
* 09:31:47.805 4 August: ISAKMP: (0): client configuration parameters 87531228 adjustment
* 09:31:47.805 4 August: ISAKMP: 500 local port, remote port 500
* 09:31:47.805 4 August: ISAKMP: find a dup her to the tree during his B 88961, 34 = isadb_insert call BVA
* 4 August 09:31:47.805: ISAKMP: (0): set up client mode.
* 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 4 August 09:31:47.805: ISAKMP: (0): built the seller-07 ID NAT - t
* 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-03 ID
* 4 August 09:31:47.805: ISAKMP: (0): built the seller-02 ID NAT - t
* 4 August 09:31:47.805: ISKAMP: more send buffer from 1024 to 3072
* 09:31:47.805 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
* 09:31:47.805 4 August: ISAKMP (0): payload ID
next payload: 13
type: 11
Group ID: Youth_Facility_2
Protocol: 17
Port: 0
Length: 24
* 09:31:47.805 4 August: ISAKMP: (0): the total payload length: 24
* 09:31:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
* 09:31:47.809 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

* 4 August 09:31:47.809: ISAKMP: (0): Beginner aggressive Mode Exchange
* 4 August 09:31:47.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:47.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:57.809 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
* 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
* 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
* 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
* 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
* 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

* 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
* 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
* 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
* 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
* 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

* 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
* 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

* 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
* 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
* 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
* 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
* 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
* 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
* 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
* 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
* 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
* 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
* 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
* 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
* 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
* 09:32:48.913 4 August: ISAKMP (0): payload ID
next payload: 13
type: 11
Group ID: Youth_Facility_2
Protocol: 17
Port: 0
Length: 24
* 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
* 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
* 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

* 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange
* 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
* 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
* 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
* 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.

There is no DMVPN on the SAA. All that you have configured, is not compatible with the ASA or something another DMVPN then. At least debugging shows that there are some EzVPN involved.

The debug version, it seems that there is no communication on UDP/500 possible between devices. Maybe something is blocking who?

VPN site-to-site between ASA 5505 and 2911

Hi all

I'm trying to setup VPN S2S. A.a.a.a of ip for the router 2911 office, remote office ASA 5505 8.4 (3) with ip b.b.b.b, but no luck.

2911 config:

version 15.2

horodateurs service debug datetime msec

Log service timestamps datetime msec

encryption password service

host name 2911

boot-start-marker

Boot system flash c2900-universalk9-mz. Spa. 152 - 2.T.bin

boot-end-marker

Min-length 10 Security passwords

logging buffered 51200 warnings

No aaa new-model

min-threshold queue spd IPv6 62

Max-threshold queue spd IPv6 63

No ipv6 cef

the 5 IP auth-proxy max-login-attempts

max-login-attempts of the IP 5 admission

DHCP excluded-address IP 192.168.10.1 192.168.10.99

DHCP excluded-address IP 192.168.22.1 192.168.22.99

DHCP excluded-address IP 192.168.33.1 192.168.33.99

DHCP excluded-address IP 192.168.44.1 192.168.44.99

DHCP excluded-address IP 192.168.55.1 192.168.55.99

192.168.10.240 IP dhcp excluded-address 192.168.10.254

DHCP excluded-address IP 192.168.22.240 192.168.22.254

DHCP excluded-address IP 192.168.33.240 192.168.33.254

DHCP excluded-address IP 192.168.44.240 192.168.44.254

DHCP excluded-address IP 192.168.55.240 192.168.55.254

desktop IP dhcp pool

import all

network 192.168.33.0 255.255.255.0

router by default - 192.168.33.254

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

wi - fi IP dhcp pool

import all

network 192.168.44.0 255.255.255.0

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

router by default - 192.168.44.254

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

DMZ IP dhcp pool

import all

network 192.168.55.0 255.255.255.0

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

router by default - 192.168.55.254

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

IP dhcp pool voip

import all

network 192.168.22.0 255.255.255.0

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

router by default - 192.168.22.254

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

IP dhcp pool servers

import all

network 192.168.10.0 255.255.255.0

default router 192.168.10.254

192.168.10.10 DNS server 202.50.246.41 202.50.246.42

local domain name

-192.168.10.10 NetBIOS name server

h-node NetBIOS node type

IP domain name of domain

name-server IP 192.168.10.10

IP cef

connection-for block 180 tent 3-180

Timeout 10

VLAN ifdescr detail

Authenticated MultiLink bundle-name Panel

Crypto pki token removal timeout default 0

Crypto pki trustpoint TP-self-signed-3956567439

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 3956567439

revocation checking no

rsakeypair TP-self-signed-3956567439

TP-self-signed-3956567439 crypto pki certificate chain

certificate self-signed 01 nvram:IOS - Self-Sig #1.cer

license udi pid sn CISCO2911/K9

the FULL_NET object-group network

full range of the network Description

192.168.10.0 255.255.255.0

192.168.11.0 255.255.255.0

192.168.22.0 255.255.255.0

192.168.33.0 255.255.255.0

192.168.44.0 255.255.255.0

object-group network limited

description without servers and router network

192.168.22.0 255.255.255.0

192.168.33.0 255.255.255.0

192.168.44.0 255.255.255.0

VTP version 2

password username admin privilege 0 password 7

redundancy

no passive ftp ip

crypto ISAKMP policy 10

BA aes 256

sha512 hash

preshared authentication

ISAKMP crypto key admin address b.b.b.b

invalid-spi-recovery crypto ISAKMP

Crypto ipsec transform-set esp - aes esp-sha-hmac SET

10 map ipsec-isakmp crypto map

the value of b.b.b.b peer

Set transform-set

match address 160

Interface Port - Channel 1

no ip address

waiting-150 to

Interface Port - channel1.1

encapsulation dot1Q 1 native

IP 192.168.11.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.10

encapsulation dot1Q 10

IP address 192.168.10.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.22

encapsulation dot1Q 22

IP 192.168.22.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.33

encapsulation dot1Q 33

IP 192.168.33.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.44

encapsulation dot1Q 44

IP 192.168.44.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

Interface Port - channel1.55

encapsulation dot1Q 55

IP 192.168.55.254 255.255.255.0

IP nat inside

IP virtual-reassembly in

the Embedded-Service-Engine0/0 interface

no ip address

Shutdown

interface GigabitEthernet0/0

Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE $ 0/0

no ip address

Shutdown

automatic duplex

automatic speed

interface GigabitEthernet0/1

no ip address

automatic duplex

automatic speed

channel-group 1

interface GigabitEthernet0/2

Description $ES_LAN$

no ip address

automatic duplex

automatic speed

channel-group 1

interface GigabitEthernet0/0/0

IP address a.a.a.a 255.255.255.224

NAT outside IP

IP virtual-reassembly in

automatic duplex

automatic speed

crypto map

IP forward-Protocol ND

no ip address of the http server

23 class IP http access

local IP http authentication

IP http secure server

IP http timeout policy slowed down 60 life 86400 request 10000

overload of IP nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0

IP nat inside source udp 500 interface GigabitEthernet0/0/0 500 a.a.a.a static

IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

NAT_INTERNET extended IP access list

refuse the object-group ip FULL_NET 192.168.17.0 0.0.0.255

refuse the object-group ip FULL_NET 192.168.1.0 0.0.0.255

permit ip FULL_NET object-group everything

access-list 1 permit 192.168.44.100

access-list 23 allow 192.168.10.7

access-list 23 permit 192.168.44.0 0.0.0.255

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

control plan

Line con 0

password password 7

opening of session

line to 0

line 2

no activation-character

No exec

preferred no transport

transport of entry all

transport output pad rlogin lapb - your MOP v120 udptn ssh telnet

StopBits 1

line vty 0 4

access-class 23 in

privilege level 15

local connection

entry ssh transport

line vty 5 15

access-class 23 in

privilege level 15

local connection

entry ssh transport

Scheduler allocate 20000 1000

end

The ASA config:

: Saved : ASA Version 8.4(3) ! hostname C domain-name domain enable password password encrypted passwd passwd encrypted names ! interface Ethernet0/0 ! interface Ethernet0/1 shutdown ! interface Ethernet0/2 shutdown ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 switchport access vlan 100 ! interface Ethernet0/6 switchport trunk allowed vlan 2,6 switchport mode trunk ! interface Ethernet0/7 shutdown ! interface Vlan1 description INTERNET mac-address 1234.5678.0001 nameif WAN security-level 0 ip address b.b.b.b 255.255.255.248 standby c.c.c.c ospf cost 10 ! interface Vlan2 description OLD-PRIVATE mac-address 1234.5678.0102 nameif OLD-Private security-level 100 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3 ospf cost 10 ! interface Vlan6 description MANAGEMENT mac-address 1234.5678.0106 nameif Management security-level 100 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3 ospf cost 10 ! interface Vlan100 description LAN Failover Interface ! boot system disk0:/asa843-k8.bin ftp mode passive clock timezone NZST 12 clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00 dns domain-lookup WAN dns server-group DefaultDNS name-server 208.67.222.222 domain-name domain same-security-traffic permit intra-interface object network obj-192.168.17.0 subnet 192.168.17.0 255.255.255.0 object network obj-192.168.10.0 subnet 192.168.10.0 255.255.255.0 object network obj-192.168.2.0 subnet 192.168.2.0 255.255.255.0 object network obj-192.168.9.0 subnet 192.168.9.0 255.255.255.0 object network obj-192.168.33.0 subnet 192.168.33.0 255.255.255.0 object network obj-192.168.44.0 subnet 192.168.44.0 255.255.255.0 object network obj_any object network obj_any-01 object network NETWORK_OBJ_192.168.10.0_24 subnet 192.168.10.0 255.255.255.0 object network NETWORK_OBJ_192.168.17.0_24 subnet 192.168.17.0 255.255.255.0 object network subnet-00 subnet 0.0.0.0 0.0.0.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service RDP tcp description RDP port-object eq 3389 object-group network DM_INLINE_NETWORK_1 network-object 192.168.17.0 255.255.255.0 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network DM_INLINE_NETWORK_2 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network subnet-17 network-object 192.168.17.0 255.255.255.0 object-group network subnet-2 network-object 192.168.2.0 255.255.255.0 object-group network subnet-9 network-object 192.168.9.0 255.255.255.0 object-group network subnet-10 network-object 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP standard permit 192.168.17.0 255.255.255.0 access-list WAN_access_in extended permit ip any any log debugging access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0 access-list MANAGEMENT_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1 access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0 access-list LAN_access_in extended permit ip any any log debugging access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 pager lines 24 logging enable logging buffer-size 52000 logging monitor informational logging trap informational logging asdm informational logging from-address syslog logging recipient-address admin level errors logging host OLD-Private 192.168.17.110 format emblem logging debug-trace logging permit-hostdown mtu WAN 1500 mtu OLD-Private 1500 mtu Management 1500 ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0 ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0 failover failover lan unit primary failover lan interface failover Vlan100 failover polltime interface 15 holdtime 75 failover key ***** failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2 icmp unreachable rate-limit 1 burst-size 1 icmp permit 192.168.10.0 255.255.255.0 WAN icmp permit host x.x.x.x WAN icmp permit 192.168.17.0 255.255.255.0 WAN icmp permit host c.c.c.c WAN icmp permit host a.a.a.a WAN icmp deny any WAN icmp permit 192.168.10.0 255.255.255.0 OLD-Private icmp permit 192.168.17.0 255.255.255.0 OLD-Private icmp permit host a.a.a.a OLD-Private icmp permit host 192.168.10.0 Management icmp permit host 192.168.17.138 Management icmp permit 192.168.1.0 255.255.255.0 Management icmp permit host 192.168.1.26 Management icmp permit host a.a.a.a Management asdm image disk0:/asdm-647.bin no asdm history enable arp timeout 14400 nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup ! object network subnet-00 nat (OLD-Private,WAN) dynamic interface access-group WAN_access_in in interface WAN access-group OLD-PRIVATE_access_in in interface OLD-Private access-group MANAGEMENT_access_in in interface Management route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa local authentication attempts max-fail 10 http server enable http b.b.b.b 255.255.255.255 WAN http 0.0.0.0 0.0.0.0 WAN no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart service resetoutside crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac crypto map WAN_map 1 match address WAN_1_cryptomap crypto map WAN_map 1 set pfs crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Office 2 match address WAN_1_cryptomap crypto map Office 2 set peer a.a.a.a crypto map Office interface WAN crypto map MAP 10 set peer a.a.a.a crypto map MAP 10 set ikev1 transform-set OFFICE crypto ikev2 enable WAN crypto ikev1 enable WAN crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption des hash sha group 1 lifetime 86400 telnet timeout 5 ssh a.a.a.a 255.255.255.255 WAN ssh timeout 30 ssh version 2 console timeout 0 dhcpd auto_config OLD-Private ! threat-detection basic-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 129.6.15.28 source WAN prefer webvpn group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 ssl-client ssl-clientless group-policy admin internal group-policy admin attributes dns-server value 208.67.222.222 156.154.70.1 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_a.a.a.a internal group-policy GroupPolicy_a.a.a.a attributes vpn-tunnel-protocol ikev1 ikev2 group-policy CiscoVPNClient internal group-policy CiscoVPNClient attributes vpn-idle-timeout 30 vpn-session-timeout none vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl username admin password password encrypted privilege 15 tunnel-group admin type remote-access tunnel-group admin general-attributes address-pool vpnclient authorization-server-group LOCAL default-group-policy admin tunnel-group a.a.a.a type ipsec-l2l tunnel-group a.a.a.a general-attributes default-group-policy GroupPolicy_a.a.a.a tunnel-group a.a.a.a ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group CiscoVPNClient type remote-access tunnel-group CiscoVPNClient general-attributes address-pool vpnclient default-group-policy CiscoVPNClient tunnel-group CiscoVPNClient ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options   inspect icmp ! service-policy global_policy global smtp-server 192.168.17.10 prompt hostname context no call-home reporting anonymous call-home contact-email-addr admin contact-name admin profile CiscoTAC-1   no active : end asdm image disk0:/asdm-647.bin asdm location c.c.c.c 255.255.255.255 WAN asdm location 192.168.17.2 255.255.255.255 WAN asdm location a.a.a.a 255.255.255.255 OLD-Private no asdm history enable

ASA:

# show crypto ipsec his

There is no ipsec security associations

# show crypto isakmp his

There are no SAs IKEv1

There are no SAs IKEv2

2911:

#show crypto ipsec his

Interface: GigabitEthernet0/0/0

Tag crypto map: map, addr a.a.a.a local

protégé of the vrf: (none)

local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)

Remote ident (addr, mask, prot, port): (192.168.17.0/255.255.255.0/0/0)

current_peer b.b.b.b port 500

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0

#pkts not unpacked: 0, #pkts decompress failed: 0

Errors of #send 4, #recv errors 0

local crypto endpt. : a.a.a.a, remote Start crypto. : b.b.b.b

Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0/0

current outbound SPI: 0x0 (0)

PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

-Other - arrival ah sas:

-More-

-More - CFP sas on arrival:

-More-

-More - outgoing esp sas:

-More-

-More - out ah sas:

-More-

-More - out CFP sas:

Thanks for your time,

Nick

Please add

map Office 2 set transform-set OFFICE ikev1 crypto

If it is not helpful, please enable debug crypto ipsec 255 and paste here.

HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.

ASA 5505 Security Plus license question

Hi all!

I have an ASA 5505 that I test with first entered with the Security Plus license. Recently, I erased flash and loaded the latest version of asa841 - k8.bin of IOS with asdm - 642.bin. Everything starts very well and came as he does so freshly however I noticed that I was now running only a basic license. If I run the sh key activation order, I noticed the following messages (exit complete is downstairs):

The activation key running is not valid, using the default

......

This platform includes a basic license.

......

Unable to retrieve the activation key permanent flash

I somehow kill my Security Plus licenses when I did the flash erase? If yes how do I to get it back?

Thank you!!!

-ken

ciscoasa # sh - activation key

Serial number: JMXXXXXXHU

Activation key permanent running: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

The activation key running is not valid, using the default settings:

The devices allowed for this platform:

The maximum physical Interfaces: 8 perpetual

VLAN: 3 restricted DMZ

Double ISP: Disabled perpetual

Junction VIRTUAL LAN ports: perpetual 0

The hosts on the inside: 10 perpetual

Failover: Disabled perpetual

VPN - A: enabled perpetual

VPN-3DES-AES: disabled perpetual

AnyConnect Premium peers: 2 perpetual

AnyConnect Essentials: Disabled perpetual

Counterparts in other VPNS: 10 perpetual

Total VPN counterparts: 25 perpetual

Shared license: disabled perpetual

AnyConnect for Mobile: disabled perpetual

AnyConnect Cisco VPN phone: disabled perpetual

Assessment of Advanced endpoint: disabled perpetual

Proxy UC phone sessions: 2 perpetual

Proxy total UC sessions: 2 perpetual

Botnet traffic filter: disabled perpetual

Intercompany Media Engine: Disabled perpetual

This platform includes a basic license.

Unable to retrieve the activation key permanent flash.

The permanent activation key flash is the SAME as the key permanent running.

Hi Ken,

If you know what the license and activation for your security key, you can simply re - install it with the command "activation key" from the global configuration mode.

If you have lost the key, you'll want to open a support case to get it retrieved.

Hope that helps.

-Mike

Unable to connect to ASA 5505 with AnyConnect after upgrade to 8.2

I just bought a license of VPN AnyConnect Essentials for my ASA 5505. I had to spend to 8.2 ASA.

Now that I updated and installed the license, the AnyConnect client will connect is no longer. It gives the following error: "failed to process the response.

You can provide any help would be appreciated. I am pleased to provide you with the configuration information that might be useful if you can provide the CLI commands, you want that I run.

Looks like he doesn't like THEM too, you can change the encryption algorithm to 'not' include in your strategy:

3des-sha1-aes128-sha1 sha1 aes256 encryption SSL

In general is not very safe anyway, and the choice of encryption above will provide you with the best encryption strategy.

Hope that helps.

Internet VERY slow connection on SD2008 connected to ASA 5505

I recently bought a SD2008 (2008/11/28) to replace an older Linksys 10/100 switch for my home network. This switch connects to an ASA 5505 to go to the internet. I have improved since most of my pc have 10/100/1000 and the new NAS I purchased also connects to 1000 so I wanted to speed internally.

The cries of network domestic now

BUT...

Get out to the internet has now slowed to crawl of a lily "slowski". I used to get 16-18Mbps using the 10/100 switch. Now, I'm lucky to get 1 MB/s dl speed.

Any suggestions would be greatly appreciated.

Too bad. I found the answer on a completely different thread that actually worked. I've linked the SD2008 to the ASA 5505 with a crossover cable, set the port speed/duplex AUTO/AUTO, restarted the ASA, and everything was back to normal.

So much for the detection of cut MDI/MDI-X auto...

Hope this helps someone else.

ASA 5505 AnyConnect 8.2 connect other subnets from site to site

Hello

I'm somehwat new Cisco and routing. I have an installation of two ASA 5505 that are configured for the site to site vpn and AnyConnect. The AnyConnect subnet can connect to inside VLANs to the SiteA but I can't for the remote to Site B subnet when you use AnyConnect. Any ideas? I have to add the subnet of 10.0.7.0/24 to the site to site policy? Do I need to set up several NAT rules? Details below.

Site A: ASA 5505 8.2

Outside: 173.X.X.X/30

Inside: 10.0.5.0/24

AnyConnect: 10.0.7.0/24

Site b: ASA 5505 8.2

Outsdie: 173.X.X.X/30

Inside: 10.0.6.0/24

The AnyConnect subnet cannot access the network of 10.0.6.0/24.

Any help would be greatly appreciated! Thank you!

Hello Kevin,

You must go back to identity (outdoors, outdoor) identity NAT (essentially for two subnets (Anyconnect and Remote_IPSec).

And of course to include traffic in the ACL for IPSec crypto and (if used) split with the Anyconnect tunnel.

Note all useful posts!

Kind regards

Jcarvaja

Follow me on http://laguiadelnetworking.com

ASA 5505 AnyConnect

Hello world

I packed 2 VLAN (VLAN, VLAN B) on ASA 5505, in addition I VLAN 1. When I'm in the VLAN 1 I have access to all devices in VLAN A and B of VLAN (ping, ssh, etc.).

also I set up a VPN using Anyconnect as described below:

http://www.TechRepublic.com/blog/smbit/quick-guide-AnyConnect-client-VPN-on-Cisco-ASA-5505/387

everything works, I can connect, the tunnel is set up, but I have access to the devices in VLAN 1

could someone help me and tell me what I did wrong?

Thank you

Robert

Hello Robert,.

Given that your post is not clear on the question, when you wrote "everything works", I'll assume you have problems to access the VLAN A and B you customer annyconnect. It could be a problem with your NAT WITHOUT rules (sheep behavior depends on your Software ASA)

Please tell us which version of the software you're would be useful as well to help you correctly using and post with your config.

Jirka

Easy VPN with IPSec VPN L2L (Site - to - Site) in the same ASA 5505

Hi Experts,

We have an ASA 5505 in our environment, and currently two IPSec VPN L2L tunnels are established. But we intend to connect with VPN (Network Extension Mode) easy to another site as a customer. Is it possible to configure easy VPN configurations by keeping the currently active IPSec L2L VPN(Site-to-Site) tunnels? If not possible is there any work around?

Here's the warning we get then tried to configure the easy VPN Client.

NOCMEFW1 (config) # vpnclient enable

* Delete "nat (inside) 0 S2S - VPN"

* Detach crypto card attached to the outside interface

* Remove the tunnel groups defined by the user

* Remove the manual configuration of ISA policies

CONFLICT of CONFIG: Configuration that would prevent the Cisco Easy VPN Remo success

you

operation was detected and listed above. Please solve the

above a configuration and re - activate.

Thanks and greetings

ANUP sisi

"Dynamic crypto map must be installed on the server device.

Yes, dynamic crypto is configured on the EasyVPN server.

Thank you

VLANS with Cisco ASA 5505 and non-Cisco switch

I have an ASA5505 and a switch Netgear GSM7224 L2 that I try to use together. I can't grasp how VLANs (or at least how they should be put in place). When configuring my VLAN on the ASA5505 it seems simple enough, but then on my switch, I thought I'd create just the same VLAN numbers that I used on the SAA and then add the ports that I wanted to use for each VLAN.

Currently on my ASA, I have the following VLAN configured...

outside - vlan11 - Port 0/0

inside - vlan1 - Port 0/1

dmz_ftp - vlan21 - Port 0/2

Port of Corp - vlan31 - 0/3

I need to do the same thing on my switch as well... On my way, I'm a little confused as to how I need to configure the VLAN. Below is the screenshot of web GUI...

Note: Normally you can now change the VLAN ID (red), but in this case the default vlan (vlan id 1) may not be changed or deleted, you can does not change its settings.

Tagged (green), Untagged (purple) and Autodetect (yellow) you must select at least 1. I'm not sure how to in one place to tell my inner vlan (vlan1).

I want VLAN1 ports 1-8 on my Netgear switch used alone to talk to interface/0/1 on the ASA5505 port. I don't want to NOT port 9-24 able to talk to ports 1-8 on the Netgear switch ports OR 0/0, 0/2 - 0 / 7 on the Cisco ASA 5505.

So, how can I configure my inner Vlan1 on ports 1-8 on the switch? Do mark, UNTAG, autodetect them? What about tours? I've been a bit the impression that I would set up my VLAN on both devices, then trunk port 1 and dedicate this port on both devices to nothing other than the sheath and the security of vlan would then take the packages where they need to go. Is this the wrong logic?

Hi Arvo,

If the port of the ASA is just part of a single VLAN (i.e. e0/0 single door 11 VLAN), this is called an access port. If the port of the ASA had to carry several VLANs, it would constitute a Trunk port.

To access ports (VLAN unique), you must set the switch corresponding to be unidentified for port this VLAN individual. If you decide to configure a trunk port, then the port of the switch must be set for labelling for each of VLAN who win the trunk.

For example, ASA I have:
```
interface Ethernet0/1
switchport access vlan 20
!
interface Vlan20
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
```
With the above configuration, the configuration of the switch would look like this (assuming the e0/1 port of the SAA is connected to 0/1 on the switch):
```
VLAN 20 - 0/1 = untagged
```
If instead you use a trunk port, the config would look like this:
```
interface Ethernet0/0
switchport trunk allowed vlan 10,20
switchport mode trunk
!
interface Vlan10
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan20
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
```
Assuming that the ASA e0/0 port is connected to 0/1 on the switch):
```
VLAN 10 - 0/1 = tagged
VLAN 20 - 0/1 = tagged
```
Hope that helps.

-Mike

ASA 5505 Firewall Transparent with a Server Web Question

I need to replace my Sonicwall firewall and I got an ASA 5505. However, I need to have a transparent firewall, no Natting and Server Web will have a public IP with relevant ports remains open.

The simple illustration is the Internet---> firewall Transparent - Web Server (With public IP Address)

1. There should be no natting

2. the web server must have a public IP address and be accessible from the internet.

3 ports can be blocked or re-opened.

Please let me know if its possible to conclude this agreement.

If so, can I get a command line sequence that allows this work.

My version is

Cisco Adaptive Security Appliance Software Version 4,0000 5

Version 6.4 Device Manager (9)

Thanks in advance

Post edited by: Don Charles

It is a minimum configuration for your needs (runs on ASA 5520).

!
transparent firewall
!
interface GigabitEthernet0
Description - the Internet-
nameif outside
Bridge-Group 1
security-level 0
!
!
interface GigabitEthernet3
Description - connected to the LAN-
nameif inside
Bridge-Group 1
security-level 100
!
!

interface BVI1

Description - for management only-
IP 10.1.10.1 255.255.255.0
!

!
network of the WWW-SERVER-OBJ object
Description - webserver-
host 123.123.123.123

!
!
WWW-SERVER-SERVICES-TCP-OBJ tcp service object-group
Description - Serices published on the WEB server-
port-object eq www
EQ object of the https port
!
!
OUTSIDE-IN-ACL scopes permitted tcp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
!
!
Access-group OUTSIDE-IN-ACL in interface outside
!

Samuel Petrescu

Failover on Cisco ASA 5505 with EasyVPN

Hello

I've implemented a customer EasyVPN with a Cisco ASA 5505 and I am trying to configure the failover but I get this message:

"Failover cannot be configured as Cisco Easy VPN remote is activated."

However, I have seen in the link below, this dynamic rollover is compatible with the easy standard (and not with improved but I don't think I use easyVPN improved).

http://www.Cisco.com/c/en/us/products/collateral/security/iOS-easy-VPN/e...

The configuration I did through ASDM is very simple:

vpnclient server * * *.
vpnclient-mode client mode
vpngroup vpnclient * password *.
vpnclient username * password *.
vpnclient enable

My question is how can I implement failover with a client on a Cisco ASA 5505 EasyVPN?

Thanks in advance

You cannot configure the failover of a device that acts as a client

ASA - 5505 / good S2S / RemoteAccess with slow AnyConnect

Similar Questions

Maybe you are looking for