ASA 5505 transparent mode dosnt pass traffic

Hi all

need help

ASA 5505 do not pass traffic as a cordon of brewing, how do you get traffic?

ciscoasa # sh ver

Cisco Adaptive Security Appliance Version 8.2 software (5)

Version 6.4 Device Manager (5)

Updated Saturday, May 20, 11 16:00 by manufacturers

System image file is "disk0: / asa825 - k8.bin.

The configuration file to the startup was "startup-config '.

ciscoasa until 55 minutes 31 seconds

Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

Internal ATA Compact Flash, 128 MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

Start firmware: CN1000-MC-BOOT - 2.00

SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

0: Int: internal-Data0/0: the address is e4d3.f193.9486, irq 11

1: Ext: Ethernet0/0: the address is e4d3.f193.947e, irq 255

2: Ext: Ethernet0/1: the address is e4d3.f193.947f, irq 255

3: Ext: Ethernet0/2: the address is e4d3.f193.9480, irq 255

4: Ext: Ethernet0/3: the address is e4d3.f193.9481, irq 255

5: Ext: Ethernet0/4: the address is e4d3.f193.9482, irq 255

6: Ext: Ethernet0/5: the address is e4d3.f193.9483, irq 255

7: Ext: Ethernet0/6: the address is e4d3.f193.9484, irq 255

8: Ext: Ethernet0/7: the address is e4d3.f193.9485, irq 255

9: Int: internal-Data0/1: the address is 0000.0003.0002, irq 255

10: Int: not used: irq 255

11: Int: not used: irq 255

The devices allowed for this platform:

The maximum physical Interfaces: 8

VLAN: 3, restricted DMZ

Internal guests: 10

Failover: disabled

VPN - A: enabled

VPN-3DES-AES: enabled

SSL VPN peers: 2

The VPN peers total: 10

Double ISP: disabled

Junction ports VLAN: 0

Sharing license: disabled

AnyConnect for Mobile: disabled

AnyConnect Cisco VPN phone: disabled

AnyConnect Essentials: disabled

Assessment of Advanced endpoint: disabled

Proxy sessions for the UC phone: 2

Total number of Sessions of Proxy UC: 2

Botnet traffic filter: disabled

This platform includes a basic license.

Registry configuration is 0x1

Modified configuration of enable_15 to 20:34:47.689 UTC Wednesday 5 December 2012

ciscoasa #.

ciscoasa #.

ciscoasa # sh run

: Saved

:

ASA Version 8.2 (5)

!

transparent firewall

ciscoasa hostname

activate 8eeGnt0NEFObbH6U encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

I haventerface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

Shutdown

!

interface Ethernet0/3

Shutdown

!

interface Ethernet0/4

Shutdown

!

interface Ethernet0/5

Shutdown

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

Shutdown

!

interface Vlan1

nameif inside

security-level 100

!

interface Vlan2

nameif outside

security-level 0

!

passive FTP mode

outs_in of access allowed any ip an extended list

outs_in list extended access permit icmp any one

pager lines 24

Within 1500 MTU

Outside 1500 MTU

no ip address

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

outs_in access to the interface inside group

Access-group outs_in in interface outside

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Telnet timeout 5

SSH timeout 5

Console timeout 0

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e

: end

ciscoasa #.

ciscoasa #.

ciscoasa #.

ciscoasa # sh - access list

access cached list the ACL log stream: total 0, 0 (deny-flow-max 4096) denied

alert interval 300

outs_in list of access; 2 elements; hash name: 0xd6c65ba5

permit for access list 1 outs_in line ip scope any a (hitcnt = 0) 0x7d210842

allowed to Access-list outs_in line 2 extended icmp any a (hitcnt = 0) 0x5532fcc5

ciscoasa #.

Hello

Exactly... Good to know it works now.

Do you know why he needs the IP address (such as a transparent firewall)?

The ASA will act as a transparent layer 2 on the right device to the network, but what happens when the ASA does not have a particular destination mac address... What would be the source ip address of the package? Ip address of the ASA. So that's the main reason why we need that.

We use it also for traffic management and for AAA services (if authentication is used the ASA will send the AAA authentication request to the server) with the IP address of this source.

Please check the question as answered, so future users can pull of this

Julio Carvajal

Costa Rica

Tags: Cisco Security

Similar Questions

  • ASA in transparent mode with LAN base active failover / standby?

    Is it possible to have a pair of the SAA in transparent mode with LAN-based failover active / standby? I configured the portion of failover and then configured the transparent mode and it erased my failover configuration. Is this supported configuration, and if so are there at - it an example?

    Thanks in advance

    Yes. It is possible to have a pair of ASA in transparent mode with LAN-based failover active/Standy. You must perform the configuration of failover after conversion of the appliance in transparent mode.

    I saw an example on the cisco site, but I'll give you an example of one of the projects I run. Infact its very easy to configure failover in transparent mode. Less work.

    I have listed the configs on both the firewall for your reference

    Main firewall

    ============

    interface GigabitEthernet0/0

    nameif outside

    security-level 0

    No tap

    !

    interface GigabitEthernet0/1

    nameif inside

    security-level 100

    No tap

    !

    interface GigabitEthernet0/2

    Shutdown

    No nameif

    no level of security

    !

    interface GigabitEthernet0/3

    Failover LAN Interface Description

    !

    192.168.9.2 IP address 255.255.255.0 watch 192.168.9.7

    failover

    primary failover lan unit

    local failover FAILINT GigabitEthernet0/3 network interface

    failover abcdef keys

    failover interface ip FAILINT 172.16.9.1 255.255.255.0 watch 172.16.9.7

    The secondary firewall

    =================

    failover

    secondary failover lan unit

    local failover FAILINT GigabitEthernet0/3 network interface

    failover abcdef keys

    failover interface ip FAILINT 172.16.9.1 255.255.255.0 watch 172.16.9.7

    int GigabitEthernet0/3

    No tap

    Hope the above helps.

  • Why ASA in transparent mode require same subnet ip to that of the connected network

    ASA transparent mode, why it is necessary to keep the management ip on the same subnet to the connected network?

    What happens if I keep managing ip in a different subnet as the network connected?

    If I only did traffic to move through to the asa and why?

    thanxs.

    Hello Vijay,

    As you say you can use another, that is right, but the thing is that the IP address of management is not only used to draw management.

    Who was you are missing the point.

    That the IP address assigned to the ASA as a whole also will be used for ARP requests when the ASA does not know where the destination hosts lies and is not on the same subnet as the ASA.

    It will serve as a source for packages destined to a syslog server, server AAA, Netflow server, SNMP server, and any package that ASA will have to create so in that spirit the routing of the network will have to be modified to work with that.

    If you come to realize that the routing of the network works with a different management on the transparent address IP address then you can do it. I can assure you that I have seen this scenario before working with no problems at all BUD.

    Just to remember to Note all useful posts like this

    Looking for a Networking Assistance?
    Contact me directly to [email protected] / * /

    I will fix your problem as soon as POSSIBLE.

    See you soon,.

    Julio Segura Carvajal
    http://laguiadelnetworking.com

  • Client VPN und Cisco asa 5505 tunnel work but no traffic

    Hi all

    I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.

    I have the following problem:

    I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.

    To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.

    Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.

    After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.

    I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).

    What I did wrong. Could someone let me know what I have to do today.

    With hope for your help Dimitri.

    ASA configuration after reset and basic configuration: works to the Internet from within the course.

    : Saved

    : Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010

    !

    ASA Version 8.2 (2)

    !

    ciscoasa hostname

    activate 2KFQnbNIdI.2KYOU encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.1.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    PPPoE client vpdn group home

    IP address pppoe setroute

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    boot system Disk0: / asa822 - k8.bin

    passive FTP mode

    clock timezone THATS 1

    clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

    DNS domain-lookup outside

    DNS server-group DefaultDNS

    Server name 194.25.0.60

    Server name 194.25.0.68

    DM_INLINE_TCP_1 tcp service object-group

    port-object eq www

    EQ object of the https port

    inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session

    inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session

    inside_access_in list extended access deny ip any any debug log

    inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0

    permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128

    homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-625 - 53.bin

    ASDM location 192.168.0.0 255.255.0.0 inside

    ASDM location 192.168.10.0 255.255.255.0 inside

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    inside_access_in access to the interface inside group

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    VPDN group home request dialout pppoe

    VPDN group House localname 04152886790

    VPDN group House ppp authentication PAP

    VPDN username 04152886790 password 1

    dhcpd outside auto_config

    !

    dhcpd address 192.168.1.5 - 192.168.1.36 inside

    dhcpd allow inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    TFTP server 192.168.1.5 inside c:/tftp-root

    WebVPN

    Group Policy inner residential group

    attributes of the strategy of group home group

    value of 192.168.1.1 DNS server

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list homegroup_splitTunnelAcl

    username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn

    user01 username attributes

    VPN-strategy group home group

    tunnel-group home group type remote access

    attributes global-tunnel-group home group

    address homepool pool

    Group Policy - by default-homegroup

    tunnel-group group residential ipsec-attributes

    pre-shared-key ciscotest

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb

    : end

    Hello

    Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).

    If you connect via VPN, check the following:

    1. the tunnel is established:

    HS cry isa his

    Must say QM_IDLE or MM_ACTIVE

    2 traffic is flowing (encrypted/decrypted):

    HS cry ips its

    3. Enter the command:

    management-access inside

    And check if you can PING the inside ASA VPN client IP.

    4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).

    Federico.

  • Cisco ASA 55XX Transparent mode through a VLAN

    Hello team Cisco Forum!

    In a scenario where the Cisco ASA is in Transparent mode, it is possible to route the traffic of L2 other VLAN different that the VLAN native IP for the firewall management lies?

    Switches on the outside and the inside of the interfaces of the SAA are in trunk mode, and I'm moving ttraffic VLAN L2 from inside to outside and vice versa by using filters on switches (switchport trunk allowed vlan).

    Thank you in advanced for your support and comments!

    Yes it is possible, but you will be limited to 8 VLAN, or more precisely, 8 interfaces BVI so it's not a scalable solution.  The problem is that you will need to have different VLANS to the same subnet at both ends of the SAA.

    To clarify this point, lets say, you use the interface Gig0/1 and Gig0/2.  Gig0/1, you would set up subinterfaces with VLAN 2, 3 and 4.  Now, if you try to configure the same VLAN on Gig0/2, you will get an error saying something like this VLAN is already configured on another interface. I don't remember the exact error.

    So to get this working, you need to configure Gig0/2 with subinterfaces for VLAN... lets say... 5, 6 and 7.  you would then associate VLAN 2 and 5 with BVI 1, VLAN 3 and 6 with 2 Virgin Islands British and VLAN 4 and 7 with 3 British Virgin Islands.  Each interface BVI would have its own IP address for the subnet on which is to be filled in all of the ASA.

    --

    Please do not forget to select a correct answer and rate useful posts

  • transparent mode with AIP-SSM-20

    I currently have an ASA5510 routed with AIP-SSM-20 mode.

    It is necessary to use a connection in optical fiber between the ASA and ASA on the campus, so the AIP - SSM will need to be removed and replaced by the SSM - 4GE.  This section should present no problems.

    However, this will remove the IPS device, and I always want to use IPS.

    So what I think is to get another ASA5510, install the AIP - SSM, configure ASA for transparent and put it between the inside of the ASA routed and my local network.  The ASA transparent would be strictly works in the form of an IPS appliance.

    The installation program should look like this:

    Internal LAN <> ASA transparent with IPS <> routed ASA <> WAN

    The AIP - SSM can always perform with the ASA in transparent mode IPS?

    Is it possible to configure the ASA and AIP - SSM such as traffic to and from a particular server completely ignores the AIP - SSM?

    I have a couple of file servers which generate heavy traffic and can overload the AIP - SSM.

    Kind regards.

    AFAIR, it is no installation AIP in a transparent firewall problem.

    "The SAA in transparent mode can execute an agreement in principle.  In the event that the AIP fails,

    the IPS will fail-open and the ASA will continue to pass traffic.
    
However, if an interface or cable fails, then traffic will stop.  You
    
would need a failover pair to account for this failure event, which
    
means another ASA and matching AIP."

    And no there is no problem to exclude certain hosts/ports/subnets inspection by IPS via MPF.

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744

    What I consider however is however if the ASA 5510 as second level firewall for 5520 s will be enough.

    http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

    HTH,

    Marcin

  • VPN in transparent mode

    Hello

    Is it possible to run IPSEC and SSL VPN (without customer or anycoonet) while ASA in Transparent mode remotely? All NAT/PAT is the router before the ASA.

    If so, any example config would be appreciated.

    Reg,

    Sushil

    No, is VPN IPSEC or SSL are not supported when the ASA is in transparent mode.

    Here is the URL for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/fwmode.html#wp1222826

  • Site to site VPN upward but not pass traffic (ASA 5505 8.3.1 and 9.2.3 version)

    Hello

    I'll put up a tunnel vpn site-to-site between two locations.  Both have cisco ASA 5505 running a different version, I'll explain in more detail below.  so far, I was able to get the tunnel to come but I can't seem to pass traffic, I work at this for days now and have not been able to understand why he will not pass traffic.  Needless to say that the customer's PO would be on the fact that their VPN is not upward and they had to do by hand.  I'll put the configs below, if possible can someone help me as soon as POSSIBLE, I really want to get this site up and running so that we do not lose the customer.

    An IP address of 0.0.0.0 = site
    Site B IP = 1.1.1.1

    A Version of the site = 8.3.1
    Version of the site B = 9.2.3

    __________________________

    _________

    A RACE OF THE SITE CONFIGURATION

    Output of the command: "sh run".

    : Saved
    :
    ASA Version 8.3 (1)
    !
    hostname SDMCLNASA01
    SDMCLNASA01 domain name. LOCAL
    Select 5E8js/Fs7qxjxWdp of encrypted password
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    !
    interface Vlan1
    nameif inside
    security-level 100
    the IP 192.168.0.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    the IP 0.0.0.0 255.255.255.252
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone CST - 6
    clock to summer time recurring CDT
    DNS lookup field inside
    DNS domain-lookup outside
    DNS server-group DefaultDNS
    SDMCLNASA01 domain name. LOCAL
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    network of the NETWORK_OBJ_192.168.0.0_24 object
    192.168.0.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_192.168.1.0_24 object
    subnet 192.168.1.0 255.255.255.0
    network lan_internal object
    192.168.0.0 subnet 255.255.255.0
    purpose of the smtp network
    Home 192.168.0.245
    Network http object
    Home 192.168.0.245
    rdp network object
    Home 192.168.0.245
    network ssl object
    Home 192.168.0.245
    network camera_1 object
    host 192.168.0.13
    network camerahttp object
    host 192.168.0.13
    service object 8081
    source eq 8081 destination eq 8081 tcp service
    Dvr description
    network camera-http object
    host 192.168.0.13
    network dvr-http object
    host 192.168.0.13
    network dvr-mediaport object
    host 192.168.0.13
    object-group Protocol DM_INLINE_PROTOCOL_1
    object-protocol udp
    object-tcp protocol
    object-group Protocol TCPUDP
    object-protocol udp
    object-tcp protocol
    DM_INLINE_TCP_1 tcp service object-group
    EQ port 3389 object
    port-object eq www
    EQ object of the https port
    EQ smtp port object
    DM_INLINE_TCP_2 tcp service object-group
    port-object eq 34567
    port-object eq 34599
    EQ port 8081 object
    permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0
    outside_access_in list extended access permit tcp any any eq smtp
    outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
    outside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
    permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any inside
    ICMP allow all outside
    don't allow no asdm history
    ARP timeout 14400
    NAT (inside, outside) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
    NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
    !


    network lan_internal object
    NAT dynamic interface (indoor, outdoor)
    purpose of the smtp network
    NAT (all, outside) interface static tcp smtp smtp service
    Network http object
    NAT (all, outside) interface static tcp www www service
    rdp network object
    NAT (all, outside) interface static service tcp 3389 3389
    network ssl object
    NAT (all, outside) interface static tcp https https service
    network dvr-http object
    NAT (all, outside) interface static 8081 8081 tcp service
    network dvr-mediaport object
    NAT (all, outside) interface static 34567 34567 tcp service
    Access-group outside_access_in in interface outside
    Route outside 0.0.0.0 0.0.0.0 71.42.194.209 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    http server enable 8080
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 outside
    http 71.40.221.136 255.255.255.252 inside
    http 71.40.221.136 255.255.255.252 outside
    http 192.168.0.0 255.255.255.0 outside
    http 97.79.197.42 255.255.255.255 inside
    http 97.79.197.42 255.255.255.255 outside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto outside_map 1 match address outside_1_cryptomap
    card crypto outside_map 1 set peer 1.1.1.1
    card crypto outside_map 1 set of transformation-ESP-3DES-SHA
    outside_map interface card crypto outside
    crypto isakmp identity address
    crypto ISAKMP allow outside
    crypto ISAKMP policy 65535
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    dhcpd address 192.168.0.50 - 192.168.0.150 inside
    dhcpd dns 192.168.0.245 209.18.47.62 interface inside
    dhcpd SDMCLNASA01 field. LOCAL inside interface
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    attributes of Group Policy DfltGrpPolicy
    Protocol-tunnel-VPN IPSec l2tp ipsec
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared key *.
    !
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    !
    context of prompt hostname
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:462428c25e9748896e98863f2d8aeee7
    : end

    ________________________________

    SITE B RUNNING CONFIG

    Output of the command: "sh run".

    : Saved
    :
    : Serial number: JMX1635Z1BV
    : Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
    :
    ASA Version 9.2 (3)
    !
    ciscoasa hostname
    activate qddbwnZVxqYXToV9 encrypted password
    volatile xlate deny tcp any4 any4
    volatile xlate deny tcp any4 any6
    volatile xlate deny tcp any6 any4
    volatile xlate deny tcp any6 any6
    volatile xlate deny udp any4 any4 eq field
    volatile xlate deny udp any4 any6 eq field
    volatile xlate deny udp any6 any4 eq field
    volatile xlate deny udp any6 any6 eq field
    names of
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP 1.1.1.1 255.255.255.252
    !
    passive FTP mode
    clock timezone CST - 6
    clock to summer time recurring CDT
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    network camera_http object
    host 192.168.1.13
    network camera_media object
    host 192.168.1.13
    network of the NETWORK_OBJ_192.168.0.0_24 object
    192.168.0.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_192.168.1.0_24 object
    subnet 192.168.1.0 255.255.255.0
    outside_access_in list extended access permit tcp any any eq 9000
    outside_access_in list extended access permit tcp any any eq www
    outside_access_in list extended access permit icmp any one
    outside_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any inside
    ICMP allow all outside
    ASDM image disk0: / asdm - 732.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
    NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
    !
    network camera_http object
    NAT (all, outside) interface static tcp www www service
    network camera_media object
    NAT (all, outside) interface static 9000 9000 tcp service
    !
    NAT source auto after (indoor, outdoor) dynamic one interface
    Access-group outside_access_in in interface outside
    Route outside 0.0.0.0 0.0.0.0 71.40.221.137 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    Enable http server
    http 192.168.1.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 peer set 0.0.0.0
    card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev1 allow outside
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH stricthostkeycheck
    SSH timeout 5
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0

    dhcpd address 192.168.1.50 - 192.168.1.150 inside
    dhcpd dns 192.168.0.245 209.18.47.61 interface inside
    dhcpd SDPHARR field. LOCAL inside interface
    dhcpd allow inside
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    AnyConnect essentials
    attributes of Group Policy DfltGrpPolicy
    Ikev1 VPN-tunnel-Protocol
    internal GroupPolicy_0.0.0.0 group strategy
    attributes of Group Policy GroupPolicy_0.0.0.0
    VPN-tunnel-Protocol ikev1, ikev2
    tunnel-group 0.0.0.0 type ipsec-l2l
    tunnel-group 0.0.0.0 ipsec-attributes
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    !
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:19031ab1e3bae21d7cc8319fb7ecf0eb
    : end

    Sorry my mistake.

    Delete this if it's still there

    card crypto external_map 1 the value reverse-road

    Add this to both sides

    card crypto outside_map 1 the value reverse-road

    Sorry about that.

    Mike

  • Block the specific IP traffic in ASA 5505

    Hi, we have an ASA 5505 in transparent mode and run a web service online. However, we notice a number of attempts to intrution from China and Korea and we need to block these IP traffic can anyone help please?

    config script is

    transparent firewall

    hostname xxyyASA

    Select msi14F/SlH4ZLjHH of encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Ethernet0/0

    Description - the Internet-

    switchport access vlan 2

    !

    interface Ethernet0/1

    Description - connected to the LAN-

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    Shutdown

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    Bridge-Group 1

    security-level 100

    !

    interface Vlan2

    nameif outside

    Bridge-Group 1

    security-level 0

    !

    interface BVI1

    Description - for management only-

    IP address xxx.yyy.zzz.uuu 255.255.xxx.yyy

    !

    passive FTP mode

    network of the WWW-SERVER-OBJ object

    Home xxx.yyy.zzz.jjj

    Description - webserver-

    WWW-SERVER-SERVICES-TCP-OBJ tcp service object-group

    Description - Services published on the WEB server-

    WWW-SERVER-SERVICES-UDP-OBJ udp service object-group

    Description - Services published on the WEB server - UDP

    Beach of port-object 221 225

    1719-1740 object-port Beach

    OUTSIDE-IN-ACL scope tcp access list deny any any eq 3306

    OUTSIDE-IN-ACL scope tcp access list deny any any eq telnet

    OUTSIDE-IN-ACL scopes allowed icmp an entire access list

    OUTSIDE-IN-ACL scopes permitted tcp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ

    access list OUTSIDE-IN-ACL scopes permit tcp host xxx.yyy.zzz.uuu object WWW-SERVER-OBJ eq 3306

    OUTSIDE-IN-ACL scopes permitted udp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ

    We need to block access of host say 64.15.152.208

    Just need the best step to follow and block access, without affecting the service or other host

    Thank you

    Insert a line like:

    OUTSIDE-IN-ACL scope access list deny host ip 64.15.152.208 all

    in front of your 3rd line "... to enable icmp a whole."

    If you have many of them, maybe do:

    object-group network blacklist

    host of the object-Network 64.15.152.208

    network-host another.bad.ip.here object

    object-network entire.dubious.subnet.here 255.255.255.0

    ...

    OUTSIDE-IN-ACL scope object-group BLACKLIST ip deny access list all

    If you want to take in scores of reputation on the outside, or the blacklist changes a lot, you might look into the Cisco ASA IPS module.

    Note that fleeing bad hosts help with targeted attacks, but not with denial of service; only, he moves to point decline since the application for the firewall server, without much effect on the net on your uplink bandwidth consumption.

    -Jim Leinweber, WI State Lab of hygiene

  • Secondary ASA with IP transparent mode on the router

    Hello

    I have

    Router - ASA (Transparent) - switch

    and wonder if it is possible to configure the secondary IP on the interface of the router that is connected to the ASA

    So there is plenty of room in terms of range of LAN IP addresses.

    Or do I have to implement this, change ASA in context mode and to change the configuration on the SAA?

    hope I don't have to change anything on the SAA.

    Thank you

    ASA mode transparant works as L2 device

    so, what ever u ips use dosent matter

    u don't need to change anything in the ASA where the mod transperant

    But beware of what is allowed to be passed through the firewall

    It can be controlled by ACL

    the router and switch you will be OPERAT in L3 as your connected directly or nothing between them of three routing and layer perspective

    so they must be in the same subnet VLANS, and so on

    good lcuk

    Please, if useful rates

  • ASA 5505 Split Tunneling configured but still all traffic Tunneling

    Hello

    I installed an ASA 5505 running 8.3.2 and Cisco AnyConnect Client 2.5.2017.

    There are the DefaultRAGroup and a newly configured Group called SplitTunnelNets.

    I have 1 internal subnet (192.168.223.0/24) which has a matching ACL/AS configured on the DefaultRAGroup and the custom group policy called SSLClientPolicy.

    When I start the VPN with the ASA, I can indeed reach internal resources, but when I look at the routing table, I see a new default gateway route 0.0.0.0 / 0-> 192.168.25.2 (that is in the IP pool) with a metric of 2.  The default route before the start of the session AnyConnect now has a higher metric, so the 192.168.25.2 next hop is a priority.

    I don't see the routes in the routing table for 192.168.223.0/24 as I expect to see.  In the diagnosis of AnyConnect, I see that 0.0.0.0/0 is the policy applied to the client.

    Here's my setup.  Please tell me if you see something that I'm missing.

    ASA 8.3 Version (2)
    !
    host name asa

    names of
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.223.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP x.x.x.x 255.255.255.240
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system Disk0: / asa832 - k8.bin
    passive FTP mode
    clock timezone IS - 5
    clock to summer time EDT recurring
    DNS lookup field inside
    DNS server-group DefaultDNS
    Server name 192.168.223.41
    domain Labs.com
    network obj_any object
    subnet 0.0.0.0 0.0.0.0
    vpn-client-net network object
    255.255.255.0 subnet 192.168.25.0
    network of the internal net object
    192.168.223.0 subnet 255.255.255.0
    the DM_INLINE_NETWORK_1 object-group network
    internal-net network object
    network-vpn-client-net object
    the DM_INLINE_NETWORK_2 object-group network
    internal-net network object
    network-vpn-client-net object
    SplitTunnelNets to access extensive ip list allow any 192.168.223.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    mask 192.168.25.1 - 192.168.25.50 255.255.255.0 IP local pool SSLClientPool
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any inside
    ASDM image disk0: / asdm - 635.bin
    don't allow no asdm history
    ARP timeout 14400
    NAT (inside, all) static source internal-net net internal static destination vpn client vpn client-Net
    !
    network obj_any object
    NAT dynamic interface (indoor, outdoor)
    Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    Labs-AAA protocol ldap LDAP-server
    AAA-server Lab-LDAP (inside) host 192.168.223.41
    Server-port 636
    LDAP-base-dn dc = labs, dc = com
    LDAP-scope subtree
    LDAP-naming-attribute sAMAccountName
    LDAP-login-password *.
    LDAP-connection-dn [email protected] / * /
    enable LDAP over ssl
    microsoft server type
    Enable http server
    http 192.168.223.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto ca trustpoint ASDM_TrustPoint0
    registration auto

    sslvpnkeypair key pair
    Configure CRL
    Crypto ca trustpoint ASDM_TrustPoint1
    ASDM_TrustPoint1 key pair
    Configure CRL
    string encryption ca ASDM_TrustPoint0 certificates

    Telnet 192.168.223.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 192.168.223.0 255.255.255.0 inside
    SSH timeout 5
    Console timeout 0
    dhcpd outside auto_config
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    NTP 192.5.41.41 Server
    NTP 192.5.41.40 Server
    SSL-trust outside ASDM_TrustPoint1 point
    WebVPN
    allow outside
    No anyconnect essentials
    SVC disk0:/anyconnect-win-2.5.2017-k9.pkg 1 image
    SVC disk0:/anyconnect-macosx-i386-3.0.0629-k9.pkg 2 image
    Picture disk0:/anyconnect-linux-3.0.0629-k9.pkg 3 SVC
    enable SVC
    tunnel-group-list activate
    internal SSLClientPolicy group strategy
    attributes of Group Policy SSLClientPolicy
    value of server DNS 192.168.223.41
    VPN-tunnel-Protocol svc
    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list SplitTunnelNets

    field default value Labs
    split dns value Labs.com
    the address value SSLClientPool pools
    WebVPN
    SVC Dungeon-Installer installed
    attributes of Group Policy DfltGrpPolicy
    value of server DNS 192.168.223.41
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list SplitTunnelNets
    coyotelabs.com value by default-field
    type of remote access service
    type tunnel-group SSLClientProfile remote access
    attributes global-tunnel-group SSLClientProfile
    CoyoteLabs-LDAP authentication-server-group
    Group Policy - by default-SSLClientPolicy
    tunnel-group SSLClientProfile webvpn-attributes
    allow group-alias CoyoteLabs
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:95b7ff58b54e02948a14b225eec1a990
    : end

    The split tunnel access list must be standard access-list, not extended access list.

    You must change the following:
    FROM: SplitTunnelNets access-list extended ip to allow all 192.168.223.0 255.255.255.0
    To: SplitTunnelNets standard access list allows 192.168.223.0 255.255.255.0

    You should be able to reconnect again and will be able to access the Internet after you set up the standard access-list split tunnel.

    Hope that helps.

  • ASA 5505 in router Mode can implement the MAC ACL

    Hi all:

    My client request can the Cisco ASA 5505 implement MAC ACL in Cisco ASA 5505, who is now running in router Mode.

    Can anyone help answer this?

    I tried to search the document and also tried the ASDM in the Cisco ASA 5505 but couldn't see a way to do the ACL by MAC address.

    At the same time can also help me find the command line using the ASA 5505 able to run MAC ACL in router mode?

    Thank you very much!

    Warm greetings,

    TangSuan Tan

    MAC ACL is not supported in Routed mode, only in Transparent mode.

    Here is the command for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/A1.html#wp1598101

    And here is the ethertype supported:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_rules.html#wp1083699

  • ASA 5505 Firewall Transparent with a Server Web Question

    I need to replace my Sonicwall firewall and I got an ASA 5505. However, I need to have a transparent firewall, no Natting and Server Web will have a public IP with relevant ports remains open.

    The simple illustration is the Internet---> firewall Transparent - Web Server (With public IP Address)

    1. There should be no natting

    2. the web server must have a public IP address and be accessible from the internet.

    3 ports can be blocked or re-opened.

    Please let me know if its possible to conclude this agreement.

    If so, can I get a command line sequence that allows this work.

    My version is

    Cisco Adaptive Security Appliance Software Version 4,0000 5

    Version 6.4 Device Manager (9)

    Thanks in advance

    Post edited by: Don Charles

    It is a minimum configuration for your needs (runs on ASA 5520).

    !
    transparent firewall
    !
    interface GigabitEthernet0
    Description - the Internet-
    nameif outside
    Bridge-Group 1
    security-level 0
    !
    !
    interface GigabitEthernet3
    Description - connected to the LAN-
    nameif inside
    Bridge-Group 1
    security-level 100
    !
    !

    interface BVI1

    Description - for management only-
    IP 10.1.10.1 255.255.255.0
    !

    !
    network of the WWW-SERVER-OBJ object
    Description - webserver-
    host 123.123.123.123

    !
    !
    WWW-SERVER-SERVICES-TCP-OBJ tcp service object-group
    Description - Serices published on the WEB server-
    port-object eq www
    EQ object of the https port
    !
    !
    OUTSIDE-IN-ACL scopes permitted tcp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
    !
    !
    Access-group OUTSIDE-IN-ACL in interface outside
    !

    Samuel Petrescu

  • EzVPN between Cisco ASA 5505 (with NEM mode) and Ciscoo 881 Roure

    Hi friends,

    I configured the Cisco ASA 5505 and Cisco router with DMVPN 881. 3 offices works very well but one office remains failure. I did the same configuration for all facilities but this router does not work. Any ideas?

    Please find below the exit of 881 router Cisco:

    YF2_Tbilisi_router #.
    * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:26.793 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:26.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:26.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:36.793 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:36.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:36.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 09:31:44.929 4 August: ISAKMP: (0): serving SA., its is 88961 B 34, delme is 88961 B 34
    * 4 August 09:31:46.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:46.793 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:31:46.793 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
    * 4 August 09:31:46.793: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
    * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:31:46.793 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
    * 09:31:46.793 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
    * 09:31:46.793 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 09:31:46.793 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

    * 4 August 09:31:47.805: del_node 2.2.2.2 src dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
    * 09:31:47.805 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 4 August 09:31:47.805: ISAKMP: (0): profile of THE request is (NULL)
    * 09:31:47.805 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
    * 09:31:47.805 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004819
    * 09:31:47.805 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
    * 09:31:47.805 4 August: ISAKMP: (0): client configuration parameters 87531228 adjustment
    * 09:31:47.805 4 August: ISAKMP: 500 local port, remote port 500
    * 09:31:47.805 4 August: ISAKMP: find a dup her to the tree during his B 88961, 34 = isadb_insert call BVA
    * 4 August 09:31:47.805: ISAKMP: (0): set up client mode.
    * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 4 August 09:31:47.805: ISAKMP: (0): built the seller-07 ID NAT - t
    * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * 4 August 09:31:47.805: ISAKMP: (0): built the seller-02 ID NAT - t
    * 4 August 09:31:47.805: ISKAMP: more send buffer from 1024 to 3072
    * 09:31:47.805 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
    * 09:31:47.805 4 August: ISAKMP (0): payload ID
    next payload: 13
    type: 11
    Group ID: Youth_Facility_2
    Protocol: 17
    Port: 0
    Length: 24
    * 09:31:47.805 4 August: ISAKMP: (0): the total payload length: 24
    * 09:31:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
    * 09:31:47.809 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

    * 4 August 09:31:47.809: ISAKMP: (0): Beginner aggressive Mode Exchange
    * 4 August 09:31:47.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:47.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:31:57.809 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
    * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
    * 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
    * 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
    * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
    * 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
    * 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
    * 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

    * 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
    * 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

    * 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
    * 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
    * 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
    * 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
    * 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
    * 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
    * 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
    * 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
    * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
    * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
    * 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
    * 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
    * 09:32:48.913 4 August: ISAKMP (0): payload ID
    next payload: 13
    type: 11
    Group ID: Youth_Facility_2
    Protocol: 17
    Port: 0
    Length: 24
    * 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
    * 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
    * 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

    * 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange
    * 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
    * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
    * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
    * 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
    * 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
    * 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.

    There is no DMVPN on the SAA. All that you have configured, is not compatible with the ASA or something another DMVPN then. At least debugging shows that there are some EzVPN involved.

    The debug version, it seems that there is no communication on UDP/500 possible between devices. Maybe something is blocking who?

  • Unable to pass traffic between ASA Site to Site VPN Tunnel

    Hello

    I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

    I've also attached the ASA5505 config and the ASA5510.

    This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

     access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

    So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

    I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

    THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

    -Jouni

Maybe you are looking for