ASA 5505 - order Internet access for users

Hi all

I have a Cisco ASA 5505 connect my LAN over the internet using NAT/PAT. I want to restrict access to the internet on ports 80 and 443 on a per user basis.

That is to say access to management staff while limiting the general staff.

I understand how this on a per device level by creating an access list to block certain IP addresses to the internet, but I would limit some users.

I guess they will have to authenticate to the ASA some how.

Pointers?

TIA.

You need to set up the Cup via proxy in ASA.

Here is the configuration that we add on ASA:-

access-list WEBAUTH permit tcp any any eq 80

access-list WEBAUTH permit tcp any any eq 443

AAA authentication WEBAUTH indoor soccer match

AAA authentication secure-http-client

AAA authentication listener http inside port www redirect

Redirect the AAA authentication listener https within the https port

http://www.Cisco.com/en/us/docs/security/ASA/asa72/configuration/guide/fwaaa.html#wp1043431

http://www.Cisco.com/en/us/docs/security/ASA/asa72/command/reference/a1_72.html#wp1437427

Kind regards

~ JG

Note the useful messages

Tags: Cisco Security

Similar Questions

ASA 5505 VPN cannot access inside the host

I have access remote VPN configuration on an ASA 5505, but cannot access the host or the AAS when I connect through the VPN. I can connect with the Cisco VPN client and the VPN is on on the SAA and it shows that I am connected. I have the correct Ip address, but I can't ping or you connect to one of the internal addresses. I can't find what I'm missing. I have the VPN without going through the ACL interface. Because I can connect but not going anywhere I'm sure I missed something.

framework for configuration below

interface Vlan1

nameif inside

security-level 100

10.1.1.1 IP address 255.255.255.0

IP local pool xxxx 10.1.1.50 - 10.1.1.55 mask 255.255.255.0

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto-map dynamic outside_dyn_map 20 set pfs

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

PFS set 40 crypto dynamic-map outside_dyn_map

Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA

Crypto-map dynamic inside_dyn_map 20 set pfs

Crypto-map dynamic inside_dyn_map 20 the value transform-set ESP-3DES-SHA

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

map inside_map 65535-isakmp ipsec crypto dynamic inside_dyn_map

inside crypto map inside_map interface

crypto ISAKMP allow inside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

global service-policy global_policy

XXXXXXX strategy of Group internal

attributes of the strategy group xxxxxxx

banner value xxxxx Site Recovery

WINS server no

24.xxx.xxx.xx value of DNS server

VPN-access-hour no

VPN - connections 3

VPN-idle-timeout 30

VPN-session-timeout no

VPN-filter no

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelall

by default no

disable secure authentication unit

disable authentication of the user

user-authentication-idle-timeout no

disable the IP-phone-bypass

disable the leap-bypass

disable the NEM

disable the NAC

NAC-sq-period 300

NAC-reval-period 36000

NAC-by default-acl no

the address value xxxxxx pools

enable Smartcard-Removal-disconnect

the firewall client no

WebVPN

url-entry functions

Free VPN of CNA no

No vpn-addr-assign aaa

No dhcp vpn-addr-assign

tunnel-group xxxx type ipsec-ra

tunnel-group xxxx general attributes

xxxx address pool

Group Policy - by default-xxxx

blountdr group of tunnel ipsec-attributes

pre-shared-key *.

Missing nat exemption for vpn clients. Add the following and you should be good to go.

inside_nat0_outbound list of allowed ip extended access any 192.168.10.0 255.255.255.0

NAT (inside) 0-list of access inside_nat0_outbound

How to block internet access to users on the local computer. The machine is sub domain control.

How to block internet access to users on the local computer and the machine is in sub domain control.

Hello

Thanks for posting your query in Microsoft Community.

Your question is beyond the scope of what is generally answered in this forum of consumer and would be better suited for the IT Pro TechNet public.

Please post your question in the TechNet Forums.

How to give a limitation of internet access to users via gpedit.msc?

How to give a limitation of internet access to users via gpedit.msc

Hello

Follow the below mentioned article:

How to use the Group Policy Editor to manage the Local computer policy in Windows XP: http://support.microsoft.com/kb/307882

No Internet connectivity with ASA 5505 VPN remote access

Hello

I configured ASA 5505 for remote access VPN to allow a remote user to connect to the Remote LAN officce. VPN works well, users can access Office Resource of LAN with sahred etc., but once they have connected to the VPN, they are unable to browse the internet?

Internet navigation stop working as soon as their customer VPN connect with ASA 5505 t, once they are disconnected from VPN, once again they can browse the internet.

Not ASA 5505 blocking browsing the internet for users of VPN? Is there anything else that I need congfure to ensure that VPN users can browse the internet?

I have to configure Split Tunnleing, NATing or routing for VPN users? or something else.

Thank you very much for you help.

Concerning

Salman

Salman

What you run into is a default behavior of the ASA in which she will not route traffic back on the same interface on which he arrived. So if the VPN traffic arrived on the external interface the ASA does not want to send back on the external interface for Internet access.

You have at least 2 options:

-You can configure split tunneling, as you mention, and this would surf the Internet to continue during the use of VPN.

-You can set an option on the ASA to allow traffic back on the same interface (this is sometimes called crossed). Use the command

permit same-security-traffic intra-interface

HTH

Rick

Separation of monitor only and Admin for Cisco ASDM (ASA) access for users authenticated via LDAP

Hello

We have two groups of ads on network Admins, one for the system administrators group. The network Admins will get Priv lvl 15 the other Priv lvl 3.

This is the setup I use:

TestASA # sh run ldap-attribute-map of test4
Comment by card privileged-level name
map-value comment fw - ro 5
map-value comment fw - rw 15
memberOf IETF Radius-Service-Type card name
map-value memberOf "cn = s-FW-Admin, OR = security groups, DC = 802101, DC = local" 6
map-value memberOf "cn = s-fw-ro, OR = security groups, DC = 802101, DC = local" 5

The user in both groups can connect ssh and asdm but all users get the same rights priv lvl 15.

Someone at - it an idea?

You must visit the listed link below to configure ASA to only read access and access admin. not sure, if you have already been there.

https://supportforums.Cisco.com/docs/doc-33843

~ BR
Jatin kone

* Does the rate of useful messages *.

VPN on ASA 5506 without internet access, help with NAT?

Hello

I have upgraded to a Cisco ASA 5505 to a 5506 X and as such have climbed to ASA 9.5

For this reason, I'm a bit stuck on how to implement the VPN. I followed the wizard and I can now establish inbound connections, but when connected (all traffic is tunnel) there is no internet connectivity.

Our offices internal (inside) network is 192.168.2.0/24

Our VPN pool is 192.168.4.0/24

I guess that I'm missing a NAT rule, but in all honesty, I'm a user ASDM and as everything is changed, I am struggling to recreate it?

Here is my config:

Result of the command: "sh run"

: Saved

:
: Serial Number: JAD194306H5
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname ciscoasanew
domain-name work.internal
enable password ... encrypted
names
ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.3.4 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.2.197 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.168.2.199
 domain-name work.internal
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 173.0.82.0
 host 173.0.82.0
object network 173.0.82.1
 subnet 66.211.0.0 255.255.255.0
object network 216.113.0.0
 subnet 216.113.0.0 255.255.255.0
object network 64.4.0.0
 subnet 64.4.0.0 255.255.255.0
object network 66.135.0.0
 subnet 66.135.0.0 255.255.255.0
object network a
 host 192.168.7.7
object network devweb
 host 192.168.2.205
object network DevwebSSH
 host 192.168.2.205
object network DEV-WEB-SSH
 host 192.168.2.205
object network DEVWEB-SSH
 host 192.168.2.205
object network vpn-network
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.4.0_24
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object-group network EC2ExternalIPs
 network-object host 52.18.73.220
 network-object host 54.154.134.173
 network-object host 54.194.224.47
 network-object host 54.194.224.48
 network-object host 54.76.189.66
 network-object host 54.76.5.79
object-group network PayPal
 network-object object 173.0.82.0
 network-object object 173.0.82.1
 network-object object 216.113.0.0
 network-object object 64.4.0.0
 network-object object 66.135.0.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp6
 service-object icmp alternate-address
 service-object icmp conversion-error
 service-object icmp echo
 service-object icmp information-reply
 service-object icmp information-request
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object DEVWEB-SSH eq ssh
access-list outside_access_in remark AWS Servers
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object devweb eq ssh log debugging inactive
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in remark Ping reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
access-list outside_access_in remark Alarm
access-list outside_access_in extended permit tcp any interface outside eq 10001
access-list outside_access_in remark CCTV
access-list outside_access_in extended permit tcp any interface outside eq 7443
access-list outside_access_in extended deny ip any any
access-list workvpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.130.12 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.133.72 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.128.200 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.16 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.72 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 212.64.147.184 255.255.255.248
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.116 255.255.255.254
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.118 255.255.255.254
access-list workvpn_splitTunnelAcl_1 standard permit host 95.138.147.118
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.120 255.255.255.254
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list workvpn2_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list workVPN2016_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 16000
logging asdm-buffer-size 512
logging asdm warnings
logging flash-bufferwrap
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 7200
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.2.197,CN=ciscoasanew
 keypair ASDM_LAUNCHER
 crl configure

snip

dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
group-policy workVPN2016 internal
group-policy workVPN2016 attributes
 dns-server value 192.168.2.199
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 default-domain value work.internal
 split-dns value work.internal
 split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:
: end

Hi Ben-

What you are trying to accomplish is called VPN crossed. Depending on your initial configuration, you have 2 NAT problems. The first has to do with the NAT you place your order. In the code later that we are dealing with two NAT ASA 8.3 times and who are ranked 2 sections going on before and after the device NAT. object

My general rule for control of NAT is like this:

Twice NAT (front) - use this section for exemptions from NAT or unusual configurations that have to go first
Purpose of NAT - Use this section to the static NAT instructions for servers
Twice NAT (after) - use this section to your global declarations of NAT, basically a catch-all

Then, never use 'all' as an interface for all training of NAT. This may seem like a good idea, but it will bite you. Remember, it is more the notion of control NAT, then 'all' interface is bit VPN configurations and similar DMZ. Always be specific about your interface for NAT pairs.

To this end, here is what I suggest that your NAT configuration should resemble:

nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup!object network DEVWEB-SSH nat (inside,outside) static interface service tcp ssh ssh !nat (inside,outside) after-auto source dynamic any interfacenat (outside,outside) after-auto source dynamic any interface

The key is that you need a NAT device explicitly reflecting the VPN traffic. PSC

Problem with ASA 5505 VPN remote access

After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?

Here is the cfg running of the ASA

----------------------------------------------------------------------------------------

: Saved

:

ASA Version 8.4 (1)

!

hostname NCHCO

enable encrypted password xxxxxxxxxxxxxxx

xxxxxxxxxxx encrypted passwd

names of

description of NCHCO name 192.168.2.0 City offices

name 192.168.2.80 VPN_End

name 192.168.2.70 VPN_Start

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address **. ***. 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system Disk0: / asa841 - k8.bin

passive FTP mode

network of the NCHCO object

Subnet 192.168.2.0 255.255.255.0

network object obj - 192.168.1.0

subnet 192.168.1.0 255.255.255.0

network object obj - 192.168.2.64

subnet 192.168.2.64 255.255.255.224

network object obj - 0.0.0.0

subnet 0.0.0.0 255.255.255.0

network obj_any object

subnet 0.0.0.0 0.0.0.0

the Web server object network

the FINX object network

Home 192.168.2.11

rdp service object

source between 1-65535 destination eq 3389 tcp service

Rdp description

outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0

inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224

permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224

outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

LAN_Access list standard access allowed 192.168.2.0 255.255.255.0

LAN_Access list standard access allowed 0.0.0.0 255.255.255.0

NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0

AnyConnect_Client_Local_Print deny ip extended access list a whole

AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd

Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631

print the access-list AnyConnect_Client_Local_Print Note Windows port

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353

AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355

Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137

AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns

outside_access_in list extended access permit tcp any object FINX eq 3389

outside_access_in_1 list extended access allowed object rdp any object FINX

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 649.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0

NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64

NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64

!

network obj_any object

NAT dynamic interface (indoor, outdoor)

the FINX object network

NAT (inside, outside) interface static service tcp 3389 3389

Access-group outside_access_in_1 in interface outside

Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

network-acl outside_nat0_outbound

WebVPN

SVC request to enable default svc

Enable http server

http 192.168.1.0 255.255.255.0 inside

http *. **. ***. 255.255.255.255 outside

http *. **. ***. 255.255.255.255 outside

http NCHCO 255.255.255.0 inside

http 96.11.251.186 255.255.255.255 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform

IKEv1 crypto ipsec transform-set l2tp-transformation mode transit

Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1

transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1

Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1

transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map dyn-map 10 set pfs Group1

crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1

dynamic-map encryption dyn-map 10 value reverse-road

Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1

Crypto-map dynamic outside_dyn_map 20 the value reverse-road

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs Group1

peer set card crypto outside_map 1 74.219.208.50

card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1

map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

inside crypto map inside_map interface

card crypto vpn-map 1 match address outside_1_cryptomap_1

card crypto vpn-card 1 set pfs Group1

set vpn-card crypto map peer 1 74.219.208.50

card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map

dynamic vpn-map 10 dyn-map ipsec isakmp crypto map

crypto isakmp identity address

Crypto ikev1 allow inside

Crypto ikev1 allow outside

IKEv1 crypto ipsec-over-tcp port 10000

IKEv1 crypto policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

IKEv1 crypto policy 15

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 35

preshared authentication

3des encryption

sha hash

Group 2

life 86400

enable client-implementation to date

Telnet 192.168.1.0 255.255.255.0 inside

Telnet NCHCO 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.1.0 255.255.255.0 inside

SSH NCHCO 255.255.255.0 inside

SSH timeout 5

Console timeout 0

dhcpd address 192.168.2.150 - 192.168.2.225 inside

dhcpd dns 216.68.4.10 216.68.5.10 interface inside

lease interface 64000 dhcpd inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

value of server DNS 192.168.2.1

L2TP ipsec VPN-tunnel-Protocol ikev1

nchco.local value by default-field

attributes of Group Policy DfltGrpPolicy

value of server DNS 192.168.2.1

L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client

allow password-storage

enable IPSec-udp

enable dhcp Intercept 255.255.255.0

the address value VPN_Pool pools

internal NCHCO group policy

NCHCO group policy attributes

value of 192.168.2.1 DNS Server 8.8.8.8

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1

value by default-field NCHCO.local

admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

username NCHvpn99 password dhn. JzttvRmMbHsP encrypted

attributes global-tunnel-group DefaultRAGroup

address (inside) VPN_Pool pool

address pool VPN_Pool

authentication-server-group (inside) LOCAL

authentication-server-group (outside LOCAL)

LOCAL authority-server-group

authorization-server-group (inside) LOCAL

authorization-server-group (outside LOCAL)

Group Policy - by default-DefaultRAGroup

band-Kingdom

band-band

IPSec-attributes tunnel-group DefaultRAGroup

IKEv1 pre-shared-key *.

NOCHECK Peer-id-validate

tunnel-group DefaultRAGroup ppp-attributes

No chap authentication

no authentication ms-chap-v1

ms-chap-v2 authentication

tunnel-group DefaultWEBVPNGroup ppp-attributes

PAP Authentication

ms-chap-v2 authentication

tunnel-group 74.219.208.50 type ipsec-l2l

IPSec-attributes tunnel-group 74.219.208.50

IKEv1 pre-shared-key *.

type tunnel-group NCHCO remote access

attributes global-tunnel-group NCHCO

address pool VPN_Pool

Group Policy - by default-NCHCO

IPSec-attributes tunnel-group NCHCO

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:a2110206e1af06974c858fb40c6de2fc

: end

ASDM image disk0: / asdm - 649.bin

ASDM VPN_Start 255.255.255.255 inside location

ASDM VPN_End 255.255.255.255 inside location

don't allow no asdm history

---------------------------------------------------------------------------------------------------------------

And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:

---------------------------------------------------------------------------------------------------------------

Cisco Systems VPN Client Version 5.0.07.0440

Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

Customer type: Windows, Windows NT

Running: 6.1.7601 Service Pack 1

Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\

1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026

Try to find a certificate using hash Serial.

2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027

Found a certificate using hash Serial.

3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011

RELOADED successfully certificates in all certificate stores.

4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002

Start the login process

5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004

Establish a secure connection

6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024

Attempt to connect with the server "*." **. ***. *** »

7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B

Try to establish a connection with *. **. ***. ***.

8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001

From IKE Phase 1 negotiation

9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001

Peer is a compatible peer Cisco-Unity

13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports XAUTH

14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports the DPD

15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports NAT - T

16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports fragmentation IKE payloads

17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001

IOS Vendor ID successful construction

18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083

IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4

20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072

Automatic NAT detection status:

Remote endpoint is NOT behind a NAT device

This effect is NOT behind a NAT device

21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015

Launch application xAuth

25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012

Attributes of the authentication request is 6: 00.

26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017

xAuth application returned

27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008

IPSec driver started successfully

29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E

Customer address a request from firewall to hub

35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F

SPLIT_NET #1

= 192.168.2.0 subnet

mask = 255.255.255.0

Protocol = 0

SRC port = 0

port dest = 0

45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local

46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710

47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11

49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019

Data in mode Config received

51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056

Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045

Answering MACHINE-LIFE notify has value of 86400 seconds

56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047

This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now

57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">

59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045

Answering MACHINE-LIFE notify is set to 28800 seconds

60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***

61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059

IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)

62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025

OUTGOING ESP SPI support: 0xAAAF4C1C

63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026

Charges INBOUND ESP SPI: 0x3EBEBFC5

64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

Destination mask subnet Gateway Interface metric

0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001

Launch VAInst64 for controlling IPSec virtual card

66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034

The virtual card has been activated:

IP=192.168.2.70/255.255.255.0

DNS = 192.168.2.1, 8.8.8.8

WINS = 0.0.0.0 0.0.0.0

Domain = NCHCO.local

Split = DNS names

67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

Destination mask subnet Gateway Interface metric

0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261

255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261

68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038

Were saved successfully road to file changes.

69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

Destination mask subnet Gateway Interface metric

0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

**. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100

96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261

192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100

192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261

192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261

224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261

255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261

70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036

The routing table has been updated for the virtual card

71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A

A secure connection established

72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

Look at address added to 96.11.251.149. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

Look at address added to 192.168.2.70. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001

Did not find the smart card to watch for removal

75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

Creates a new key structure

77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

Adding key with SPI = 0x1c4cafaa in the list of keys

78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

Creates a new key structure

79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

Adding key with SPI = 0xc5bfbe3e in the list of keys

80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F

Assigned WILL interface private addr 192.168.2.70

81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037

Configure the public interface: 96.11.251.149. SG: **.**.***.***

82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046

Define indicator tunnel set up in the registry to 1.

83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D

Upon request of the DPD to *. **. ***. , our seq # = 107205276

85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040

Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276

88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019

Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e

89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D

Upon request of the DPD to *. **. ***. , our seq # = 107205277

91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040

Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277

94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D

Upon request of the DPD to *. **. ***. , our seq # = 107205278

96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040

Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278

---------------------------------------------------------------------------------------------------------------

Any help would be appreciated, thanks!

try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.

ASA 5505 as internet gateway (must reverse NAT)

Hi all the Cisco guru

I have this diet:

Office-> Cisco 877-> Internet-> ASA 5505-> remote network

Office network: 192.168.10.0/24

Cisco 877 IP internal: 192.168.10.200

Cisco 877 external IP: a.a.a.a

ASA 5505 external IP: b.b.b.b

ASA 5505 internal IP: 192.168.1.3 and 192.168.17.3

Remote network: 192.168.17.0/24 and 192.168.1.0/24

VPN tunnel is OK and more. I have the Office Access to the remote network and the remote network access to the bureau by the tunnel.

But when I try to access the network remotely (there are 2 VLANS: management and OLD-private) to the internet, ASA answer me:

305013 *. * NAT rules asymetrique.64.9 matched 53 for flows forward and backward; Connection for udp src OLD-Private:192.168.17.138/59949 dst WAN:*.*.64.9/53 refused due to path failure reverse that of NAT

Ping of OLD-private interface to google result:

110003 192.168.17.2 0 66.102.7.104 0 routing cannot locate the next hop for icmp NP identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0

Result of traceroute

How can I fix reverse NAT and make ASA as internet gateway?

There is my full config

!
ASA Version 8.2 (2)
!
hostname ASA2
domain default.domain.invalid
activate the encrypted password password
encrypted passwd password
names of
!
interface Vlan1
Description INTERNET
1234.5678.0002 Mac address
nameif WAN
security-level 100
IP address b.b.b.b 255.255.248.0
OSPF cost 10
!
interface Vlan2
OLD-PRIVATE description
1234.5678.0202 Mac address
nameif OLD-private
security-level 0
IP 192.168.17.3 255.255.255.0
OSPF cost 10
!
interface Vlan6
Description MANAGEMENT
1234.5678.0206 Mac address
nameif management
security-level 0
192.168.1.3 IP address 255.255.255.0
OSPF cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
Shutdown
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
switchport trunk allowed vlan 2.6
switchport mode trunk
!
interface Ethernet0/7
Shutdown
!
connection of the banner * W A R N I N G *.
banner connect unauthorized access prohibited. All access is
connection banner monitored, and intruders will be prosecuted
connection banner to the extent of the law.
Banner motd * W A R N I N G *.
Banner motd unauthorised access prohibited. All access is
Banner motd monitored and trespassers will be prosecuted
Banner motd to the extent of the law.
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS domain-lookup WAN
DNS server-group DefaultDNS
Server name dns.dns.dns.dns
domain default.domain.invalid
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service RDP - tcp
RDP description
EQ port 3389 object
Access extensive list ip 192.168.17.0 LAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Standard access list LAN_IP allow 192.168.17.0 255.255.255.0
WAN_access_in list of allowed ip extended access all any debug log
WAN_access_in list extended access permitted ip OLD-private interface WAN newspaper inactive debugging interface
WAN_access_in list extended access permit tcp any object-group RDP any RDP log debugging object-group
MANAGEMENT_access_in list of allowed ip extended access all any debug log
access-list extended OLD-PRIVATE_access_in any allowed ip no matter what debug log
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 inactive debug log
OLD-PRIVATE_access_in allowed extended object-group TCPUDP host 192.168.10.7 access-list no matter how inactive debug log
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.10.254 interface private OLD newspaper inactive debugging
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.17.155 interface private OLD newspaper debugging
access-list 101 extended allow host tcp 192.168.10.7 any eq 3389 debug log
Access extensive list ip 192.168.17.0 WAN_1_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
Capin list extended access permit ip host 192.18.17.155 192.168.10.7
Capin list extended access permit ip host 192.168.10.7 192.168.17.155
LAN_access_in list of allowed ip extended access all any debug log
Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Access extensive list ip 192.168.17.0 WAN_2_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0

permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
Enable logging
recording of debug trap
logging of debug asdm
Debugging trace record
Debug class auth record trap
MTU 1500 WAN
MTU 1500 OLD-private
MTU 1500 management
mask 192.168.1.150 - 192.168.1.199 255.255.255.0 IP local pool VPN_Admin_IP
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP permitted host a.a.a.a WAN
ICMP deny any WAN
ICMP permitted host 192.168.10.7 WAN
ICMP permitted host b.b.b.b WAN
ASDM image disk0: / asdm - 631.bin
don't allow no asdm history
ARP timeout 14400
Global (OLD-private) 1 interface
Global interface (management) 1
NAT (WAN) 1 0.0.0.0 0.0.0.0

inside_nat0_outbound (WAN) NAT 0 access list
WAN_access_in access to the WAN interface group
Access-group interface private-OLD OLD-PRIVATE_access_in
Access-group MANAGEMENT_access_in in the management interface
Route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
local AAA authentication attempts 10 max in case of failure
Enable http server
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Service resetoutside
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map 1 corresponds to the address WAN_1_cryptomap
card crypto WAN_map 1 set peer a.a.a.a
WAN_map 1 transform-set ESP-DES-SHA crypto card game
card crypto WAN_map WAN interface
ISAKMP crypto enable WAN
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
the Encryption
sha hash
Group 1
life 86400
Telnet timeout 5
SSH a.a.a.a 255.255.255.255 WAN
SSH timeout 30
SSH version 2
Console timeout 0
dhcpd auto_config management
!

a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 129.6.15.28 source WAN prefer
WebVPN
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal admin group strategy
group admin policy attributes
DNS.DNS.DNS.DNS value of DNS server
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list LAN_IP
privilege of encrypted password password username administrator 15
type tunnel-group admin remote access
tunnel-group admin general attributes
address pool VPN_Admin_IP
strategy-group-by default admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
strategy-group-by default admin
a.a.a.a group of tunnel ipsec-attributes
pre-shared-key *.
NOCHECK Peer-id-validate
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!

Thank you for your time and help

Why you use this NAT type?

Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 any
NAT (OLD-private) 0-list of access WAN_nat0_outbound

You are basically saying the ASA not NAT traffic. This private IP address range is not routed on the Internet. This traffic is destined to be sent over the Internet? If so, that LAC should then not be there.

If you want NAT traffic to one IP public outside the ASA, you must remove this line and let the NAT and GLOBAL work:

NAT (OLD-private) 1 0.0.0.0 0.0.0.0

Global (WAN) 1 interface

On ASA 5505 VPN cannot access remote (LAN)

I have an ASA 5505 upward and running, all static NAT statements I need to forward ports to the internal services such as smtp, desktop remotely and it works very well, however I have set up an IPSEC vpn connection that authenticates to our DC and part works. However, after I connect and cannot ping anything on the local network or access services. I don't know what a NAT statement I have corrected. Here is the config. I really need to get this up and going tomorrow. Thanks for any help.

Tyler

Just remove the line of nat (outside) and ACL outside_nat0_outbound.

And talk about these statements:

IPSec-1 sysopt connection permit... (If it is disabled, you can check with sh run sysopt).

2, crypto isakmp nat traversal 10 or 20

3 no NAT ACL, mention your local subnets as the source and vpn client as the destination.

4, create the other ACL (ST) with different name and source and destination like no nat ACL.

5, then type nat (inside) 0 access-list sheep

6, in the dwgavpn group policy, talk to splittunnel tunnelspecified and mention the tunnel split ACL (ST).

Concerning

Cisco ASA 5505 remote VPN access to the local network

I have installed two ASA 5505 VPN site to site that works perfectly. Now, I also need to have 1 customer site to remote access VPN with Cisco VPN dialer. I can get the VPN dialer to connect the VPN and get a VPN IP address, but I do not have access to the remote network. can someone take a look and see what I'm missing? I have attached the ASA running config.

Apologize for the misunderstanding.

To access the remote vpn client 10.10.100.x subnet, the vpn-filter ACL is the opposite.

Please please share the following ACL:

FROM: / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

outside_cryptomapVPN list of allowed ip extended access any 10.10.20.0 255.255.255.224

TO:

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

outside_cryptomapVPN to access extended list ip 10.10.20.0 allow 255.255.255.224 all

Hope that helps.

ISE Corp. Internet access static user authentication

Hello gentlemen,

I have a small question on the type of authentication that I can use for the CORP users who want to access Internet & some in-house applications on their Android devices and they should not be re - authenticate when they move between sites to connect to the same SSID when they film in different sites.

The configuration looks like below: -.

USER (needs static auth to move between sites)--> SSID--> WLC--> ISE (common to all sites)

Please can you suggest the best way for users to type Android with name of user and password similar authentication when they move in different sites.

Thank you

D

Hello

you have 2 choices:

-users log on SSID using their Active Directory/LDAP credentials. Once they connect, credentials are stored on their devices, and they will be able to reconnect without repeating the authentication.

-make BYOD, this means you force, was the first connection, users to enroll a certificate. More secure solution. In reality, they authenticate the 1st time with their powers AD/LDAP and before obtaining access, they will be popup to a web portal to register their devices.

the 1st solution requires only basic licenses and 2nd requires MORE licenses. Basic license, have to buy you them once that's all. As well, it is the licence renewal (1y, 3y and I think more than 5 years).

on deployments, than I do today, companies prefer the use of certificates from the user/password and the server certificate is ISE. In this case, you are not related to the systems guys, and if something is compromised, you can manage the revocation of certificate directly to the LSE instead of ask a person to system to disable the user account on AD.

hope this is clear.

Thank you

PS: Please do not forget to rate and score as good response if this solves your problem

No internet access for the connection with the router.

I bought a router D-Link DSL-2750U and when I connect to the internet it says no internet access even I've updated the MAC address of my router with my ISP, but still no use I use don't win 7. any help on this?

Hi Chavigny,

In case you have contacted the ISP provider and verify that the network settings are correct, then try the following steps:

Method 1:

I suggest to run the network troubleshooter, and check to see if it lists all the errors and helps you solve them.
http://Windows.Microsoft.com/en-us/Windows7/using-the-network-troubleshooter-in-Windows-7

Method 2: Update the network driver.

Steps to update of network driver:

(a) click the Start button.

(b) in the search box type devmgmt.msc, and then press ENTER.

(c) select the network card device and right click on it

(d) now select Properties.

(e) in the Properties window, on the driver tab, click Update driver.
After installing the updates, restart the computer.

For more information visit: http://windows.microsoft.com/en-us/windows7/Update-a-driver-for-hardware-that-isn ' t-work properly

Please refer to:

Why can't I connect to the Internet?

Previous post: the State of the question.

Site to Site and together on ASA 5505 VPN remote access

Hello

I tried to set up a VPN Site again on an ASA5505 where there already is a VPN remote on it.

After you add the new configuration lines, I received the following message when I debug:

04 Nov 07:06:06 [IKEv1]: group = , IP = , error QM WSF (P2 struct & 0xd91a4d10, mess id 0xeac05ec0).

04 Nov 07:04:36 [IKEv1]: group = , IP = , peer of drop table Correlator has failed, no match!

Someone knows what's the problem? And what to change in the config?

Thanks in advance,

Ruben

Hello

If the ASA had a remote access VPN and you add a new Site-to-Site you must make sure that the priority for the card encryption is weaker for the new Site-to - added Site.This is because otherwise traffic will always try to match the access tunnel at distance. You can check it with the command "sh run card cry"

Federico.

Cisco ASA 5505 unable to access the remote network

Hello

I have a Cisco ASA 5505, with 50 basic license, which is connected directly to the Modem cable with a public IP address. I have configured and active VPN on the outside interface. When connect us, we connect well without error, but we are not able to access all the resources on the remote network.

ASA IOS version 8.2 (5)

Remote IP network: 10.0.0.0/24

VPN IP Pool: 192.168.102.10 - 25

I have attached the config: llc.txt

Please let me know if you have any questions.

Thank you!

Hello

Try adding NAT 0 because inside subnet--> subnet distance

NAT (inside) 0 access-list TEST

TEST access ip 10.0.0.0 scope list allow 255.255.255.0 192.168.102.10 255.255.255.224

HTH

MS

ASA 5505 - order Internet access for users

Similar Questions

Maybe you are looking for