ASA 5510 with dual ISP
Hello. Is it possible for a Cisco ASA 5510 to do load balancing between dual ISPs, and what would the configuration be? Thanks... :D
Hello
ACB is normally used for balancing the load on network devices. From another one of my posts on this forum, I quote:
The ASA/PIX does not support ACB to date. I am told it is on the roadmap.
As a workaround, you can run multiple contexts, if it is possible to break your LAN into two subnets,
and allocate the Internet interfaces to each context accordingly (with the default gateway pointing to the respective service provider).
This link will help you get started:
Please NOTE: dynamic routing and VPNs are not supported in multiple context mode.
Another alternative: if the WAN links terminate on a router (and not on the firewall), you could use that router for the ACB.
Regards
Farrukh
Similar Questions
-
I'm new to network administration and our company has an ASA 5510 with an AIP SSM-10 module. In the ASA interface, when I try to load Intrusion Detection, it says the following:
"For IPS 5.1(1) S205.0, use the link below to access the IPS Device Manager. (If the SSM management IP address or the port is translated, replace them accordingly in the URL below.) IPS 6.0.1 or above will be fully integrated in ASDM."
Unfortunately, no URL is displayed below this message and there is no documentation in the company for this configuration. Is there a way to reset the AIP without resetting the ASA? How can I find its IP address so that I can configure it?
From the ASA CLI you will be able to check the IP address of the AIP module:
show module 1 details
It will show you the management IP address of the module, and you can then https to that IP address from your PC.
-
Redundancy with dual ISP on Cisco ASA site-to-site VPN
Dear supporters,
Could you help me with a configuration for the network in the attached diagram?
I would appreciate your help.
Thank you
Best regards
Hi Sothengse,
You can visit the link below and configure the ASA at the hub and the spokes according to your situation.
You will have to adapt the configuration of that similar example for your ends... dual ISP at both ends in your scenario...
http://networkology.NET/2013/03/08/site-to-site-VPN-with-dual-ISP-for-BA...
I hope this helps.
Regards
Knockaert
-
Cisco ASA5505 with dual ISP + IPSEC
Hello guys,
I have a problem with dual ISP + IPSEC on my Cisco ASA5505 with the Security Plus license.
Routing works OK (connecting to the Internet from site A works through both the first and the second ISP), but IPSEC works only through the first ISP! It seems that phase 1 and phase 2 of the IPSEC protocol are correct, but packets are only encrypted and never decrypted. Do you have an idea what the problem is?
I try to ping from site A (PC 10.4.1.66) to site B (PC 10.3.128.50).
Thank you
config site A:
##########################################################################
ASA Version 8.2(1)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 nameif internet
 security-level 0
 ip address 212.89.235.yy 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (internet) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 10.4.1.64 255.255.255.248
access-group internet_in in interface outside
access-group internet_in in interface internet
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 212.89.229.xx interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 212.89.229.xx
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 interface outside
crypto map outside_map0 interface internet
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable internet
crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 300
!
track 1 rtr 123 reachability
telnet 10.4.1.64 255.255.255.248 inside
telnet timeout 1440
ssh 10.4.1.64 255.255.255.248 inside
ssh 212.89.229.xx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.160.23.2 source outside
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username xx
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *
siteA# sh crypto isakmp sa d

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 212.89.229.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 91

siteA# sh crypto ipsec sa
interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

      access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
      remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
      current_peer: 212.89.229.xx

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 2A9B550B

    inbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4374000/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373999/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

siteA# sh logging asdm | i 10.3.128.50
6|Sep 19 2011|10:27:37|302020|Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
6|Sep 19 2011|10:27:39|302021|Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
config site B:
##########################################################################
ASA Version 8.0(4)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.89.229.xx 255.255.255.240
 ospf cost 10
!
interface Ethernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.3.128.0 255.255.255.0
!
access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 9 match address siteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address siteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *
tunnel-group 212.89.235.yy type ipsec-l2l
tunnel-group 212.89.235.yy ipsec-attributes
 pre-shared-key *
SiteB# sh crypto isakmp sa d

   Active SA: 7
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8

8   IKE Peer: 212.89.235.115
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 245

SiteB# sh crypto ipsec sa | b 212.89.235.yy
      current_peer: 212.89.235.yy

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: CF456F65

    inbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/27310)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00001FFF
    outbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27308)
         IV size: 16 bytes
         replay detection support: Y

SiteB# sh logging asdm | i 10.4.1.66
6|Sep 19 2011|10:29:49|302021|Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
6|Sep 19 2011|10:29:50|302020|Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
I'm glad this answered your question; feel free to mark the post as answered and rate useful messages.
Good day.
-
VPN on ASA 5510: configuring a dynamic crypto map
Hi all
My name is Ping. I have an ASA 5510 for a site-to-site VPN configuration, but I am not clear on a few configuration points for the ASA 5510 series. When I set this up on other Cisco routers I can use:
ASA2(config)# crypto map outside-map 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
........
But when I configure the ASA 5510 it is as below:
mtelcoASA2(config)# crypto ?
configure mode commands/options:
  ca           Certification Authority
  dynamic-map  Configure a dynamic crypto map
  ipsec        Configure transform-set, IPSec SA lifetime and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map
ASA2(config)# crypto map outside-map 10 ipsec-isakmp ?
configure mode commands/options:
  dynamic  Entry is a dynamic map
What is "Configure a dynamic crypto map" used for, and why can't I just use "crypto map outside-map 10 ipsec-isakmp"? If I can't, can I skip this command, or please tell me the other way, with a nice explanation.
Thank you very much
Hot topic,
Ping,
Just use crypto map outside-map 10 match/set without the ipsec-isakmp keyword and it will be fine.
-
Unable to connect to VPN server behind ASA 5510 with Windows clients
Hi all
I've seen a number of posts on this and followed a few support documents on this issue, but I'm totally stuck now; nothing seems to work for me.
This is the usual scenario: I have a Windows 2003 VPN server sitting on the private LAN behind our ASA 5510 firewall, and I am trying to get my Windows XP / 7 laptops to connect to it.
Within the ASDM:
1) Created a public server for protocol 1723
2) Created a public server for the GRE protocol
3) The two public servers created above have the same public and private addresses
4) The above created a static public-to-private route in the NAT section of the firewall
5) Also created 2 firewall rules on the external interface for both 1723 and GRE
When trying to connect, I get the following entry in the debug log:
6|Aug 06 2010|17:09:37|302013|195.74.141.2|1045|ChamberVPN-internal|1723|Built inbound TCP connection 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to inside:ChamberVPN-internal/1723 (XXX.XXX.XXX.XXX/1723)
but nothing else.
The server shows no connection attempt, so I think I'm missing something on the firewall.
Also on the inside interface there is a temporary rule:
Source: any
Destination: any
Service: IP
Action: Permit
This should allow all outbound traffic as far as I know...
Any help would be greatly appreciated.
Chris
Hi Chris,
The ASA log indicates that the connection is torn down because of "SYN Timeout". This means that the ASA receives no response from the Windows server. At this point we need to clarify some points:
1 - Does your VPN server have a correct default gateway, or a route that points to your ASA firewall interface?
2 - Is it possible to start capturing packets on the Windows server? With that, we can get data flow information between client and server, and we can be sure that the Windows server is handling the VPN.
Ufuk Güler
-
Must a CSC module be used for Smartfilter with an ASA 5510?
We have used a PIX 515E and an external Smartfilter server for URL filtering for many years. It works well, but we want to add the IDS feature. The way forward for this seems to be to get an ASA 5510 with an AIP module. Can anyone confirm that we can continue to use the URL-FILTER command (with Smartfilter specified as the vendor and pointed at the IP address of the Smartfilter server) as we do on the PIX? Cisco Sales tells me that I need a CSC module for this, which means I can't have an AIP module, but the way I read it that only applies if you use the CSC's URL database (a user account subscription) to perform the filtering. We do not want that. We have 3 years left on our Smartfilter contract. I just talked to someone who has an ASA 5510 without a CSC module, and he successfully entered a URL-FILTER command on his ASA, as you would on a PIX. Why wouldn't that work?
For URL filtering, NO, you do not need any type of license; this isn't a licensed feature, it's rather a configuration feature.
-
ASA 5510 AnyConnect licenses with Cisco AnyConnect VPN IP phone
Hi, hoping someone can shed some light on what I'm getting more and more confused over. Not sure if this goes in the IP Telephony section or here...
We have an ASA 5510 with the Base license. We need to install IP phones for home teleworkers, and I understand there are Cisco IP phones that have a built-in VPN client to enable a tunnel to the central private network. It seems that you can't use AnyConnect VPN to do this, and I am trying to establish what upgrade licenses we must apply to the ASA, as the two AnyConnect licenses that you get for free on the ASA are not enough.
This is the phone that we are looking at;
I want to know whether the AnyConnect Essentials license will work with these IP phones?
When I do a show version:
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 0
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 250
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has a Base license.
It shows "AnyConnect for Linksys phone: Disabled"; is it the same for the Cisco IP phones? Is there a specific kind of license I should look for to run AnyConnect on IP phones, or will Essentials do?
Hi Leo,
You will need 2 licenses: an AnyConnect Premium license and an "AnyConnect for Cisco VPN Phone" license.
On ASA 8.2 and earlier the "for Cisco VPN Phone" license was named "for Linksys phone"; it's the same thing.
Cf. http://www.Cisco.com/en/us/docs/security/ASA/asa84/license/license_management/license.html#wp1487574
HTH
Herbert
-
How to test ASA 5510 hardware before buying?
I'm looking to buy a refurbished ASA 5510 under warranty with the security license. What tests should I run on the device, on an isolated network, to ensure that the hardware is good?
Hi, I usually ask for a full boot and the show version output every time I buy refurb or eBay gear. Sometimes you do not get this output unless the vendor is notified.
-
Hello
How would we go about setting the speed to 1000 Mbps on an ASA 5510 with the Security Plus license?
This is what I see on any interface:
FW(config-if)# speed ?
interface mode commands/options:
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
Thank you.
Gabi
I think you should upgrade to 8.0(3).
I have an ASA 5510 with the security license.
Cisco Adaptive Security Appliance Software Version 7.2(3)
ASA5510(config-if)#
ASA5510# conf t
ASA5510(config)# int e0/0
ASA5510(config-if)# spe
ASA5510(config-if)# speed ?
interface mode commands/options:
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  1000  Force 1000 Mbps operation
  auto  Enable AUTO speed configuration
-
Cisco AnyConnect/WebVPN license for ASA 5510
Hello
Could someone please check the attached license information for the ASA 5510 and let me know? We currently have an ASA 5510 with the Base license. According to the attached table, under VPN sessions it says "250 combined IPSec and WebVPN sessions", and for "Max WebVPN sessions on box" it says 2 sessions, beyond which we must buy the optional WebVPN license. So, although we have the 250 combined license for IPSec and WebVPN, must we purchase an additional AnyConnect license to set up remote access for users who want to use internal resources from outside the network? Or else, do we not have to purchase a license, and can we configure WebVPN/AnyConnect for the existing users from the existing combined license of the ASA Base license? Waiting for your response. Thank you.
You are welcome.
1. Yes
2. AnyConnect does not require Java, but it can use it when connecting to an AnyConnect SSL VPN client via the web browser launch option, which is Java-based. There was a bug with old AnyConnect versions that later releases should have addressed. You also have the option of launching via IE using ActiveX, or simply launching AnyConnect directly; neither of these two methods requires Java.
Here is a TAC document on the Java questions if you want more details.
Please take a moment to rate useful messages and mark your questions as answered.
-
ASA 5510 - possible to bridge 2 interfaces in routed mode?
Cisco ASA 5510 with Security Plus license, version 9.1(5), running in routed mode.
I want to bridge two interfaces, for example eth0/2 and eth0/3, and configure one IP address / network, while leaving the ASA 5510 in routed mode. I know this is possible in transparent mode, but I need to keep this in routed mode. I know I could configure a single interface and connect a switch, but my client does not want to do that.
Otherwise, my only thought would be to configure eth0/2 and eth0/3 each as a separate network subnet and route traffic between the two.
Any help would be appreciated!
Thank you
Andrew
Andrew
It would help us answer you better if we understood more about what you and your client want to accomplish. But to answer the specific question you asked, I don't think it is possible on an ASA 5510 in routed mode to configure Eth2 and Eth3 to share a single IP address.
Are the devices connecting to Eth2 and those connecting to Eth3 really in the same subnet?
HTH
Rick
-
ASA 5510 DMZ configuration
I currently have an ASA 5510 on which I am configuring an HTTP/FTP host in a DMZ. Currently the DMZ host is accessible from outside, but the hosts on the internal network cannot access it. I have a dedicated IP address for the DMZ host (1.1.1.228) and another IP for the PAT interface for internal clients (1.1.1.238). I know I'm missing a piece, either a nat() or a static() statement; please advise.
interface Ethernet0/0
 description Outside Interface
 nameif outside
 security-level 0
 ip address 1.1.1.238 255.255.255.240
!
interface Ethernet0/1
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0/2
 description DMZ Interface
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
- partial outside inbound ACL -
access-list outside_access_in extended permit tcp any host 1.1.1.228 eq www
access-list outside_access_in extended permit tcp any host 1.1.1.228 eq https
- DMZ ACL -
access-list DMZ extended permit icmp any any
access-list DMZ extended permit tcp host 192.168.0.11 eq www any
access-list DMZ extended permit tcp host 192.168.0.11 eq https any
access-list DMZ extended permit tcp host 192.168.0.11 eq ftp-data any
access-list DMZ extended permit tcp host 192.168.0.11 eq ftp any
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.231 10.0.0.85 netmask 255.255.255.255
static (dmz,outside) 1.1.1.228 192.168.0.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZ in interface dmz
Add:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
The statement above will allow the inside hosts to access the DMZ hosts using the DMZ devices' own IPs, and vice versa.
And, if necessary, use the ACLs to restrict access from inside to the DMZ, or from the DMZ to inside.
Cheers!
AK
-
Cisco ASA 5510 - Cisco client can connect to the VPN but cannot ping!
Hello
I have an ASA 5510 with the configuration below. I have configured the ASA as a VPN server for remote access with the Cisco VPN client; now my problem is that I can connect but I cannot ping.
Config
ciscoasa# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password 5QB4svsHoIHxXpF encrypted
names
name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
name xxx.xxx.xxx.xxx Mail_Server
name xxx.xxx.xxx.xxx IncomingIP
name xxx.xxx.xxx.xxx SAP
name xxx.xxx.xxx.xxx WebServer
name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
name 192.168.2.2 isa_server_outside
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address IncomingIP 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.253 255.255.255.0
 management-only
!
passwd 123
ftp mode passive
clock timezone EET 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group service TCP_8081 tcp
 port-object eq 8081
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
 port-object eq 3200
 port-object eq 3300
 port-object eq 3600
 port-object eq 3299
 port-object eq 3390
 port-object eq 50000
 port-object eq 3396
 port-object eq 3397
 port-object eq 3398
 port-object eq imap4
 port-object eq 587
 port-object eq 993
 port-object eq 8000
 port-object eq 8443
 port-object eq telnet
 port-object eq 3901
 group-object TCP_8081
 port-object eq 1433
 port-object eq 3391
 port-object eq 3399
 port-object eq 8080
 port-object eq 3128
 port-object eq 3900
 port-object eq 3902
 port-object eq 7777
 port-object eq 3392
 port-object eq 3393
 port-object eq 3394
 port-object eq 3395
 port-object eq 92
 port-object eq 91
 port-object eq 3206
 port-object eq 8001
 port-object eq 8181
 port-object eq 7778
 port-object eq 8180
 port-object eq 22222
 port-object eq 11001
 port-object eq 11002
 port-object eq 1555
 port-object eq 2223
 port-object eq 2224
object-group service RDP tcp
 port-object eq 3389
object-group service 3901 tcp
 description 3901
 port-object eq 3901
object-group service 50000 tcp
 description 50000
 port-object eq 50000
object-group service Enable_Transparent_Tunneling_UDP udp
 port-object eq 4500
access-list inside_access_in remark Connection to SAP
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in remark Outgoing VPN - PPTP
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in remark Outgoing VPN - GRE
access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
access-list inside_access_in remark VPN - GRE
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark Outgoing VPN - Client IKE
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
access-list inside_access_in remark Outgoing VPN - IPSecNAT-T
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
access-list inside_access_in remark Outgoing DNS
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in remark Outgoing DNS
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in remark Forwarded Ports
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ah any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-list VPN standard permit 192.168.2.0 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 Mail_Server netmask 255.0.0.0
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
static (inside,outside) 192.168.2.0 access-list corp_vpn
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA transet
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain domain.local interface inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
tftp-server management 192.168.1.123 .
group-policy mypolicy internal
group-policy mypolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN
username vpdn password 123
username vpdn attributes
 vpn-group-policy mypolicy
 service-type remote-access
tunnel-group mypolicy type remote-access
tunnel-group mypolicy general-attributes
 address-pool
 default-group-policy mypolicy
tunnel-group mypolicy ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.
Hello
You probably need
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
Your Split Tunnel and NAT0 configurations seem to.
-Jouni
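A quick way to check a posted running-config for the gap Jouni points out, as an added example that is not part of this thread: parse the policy-map blocks the way `show running-config` indents them, find the map applied with `service-policy <name> global`, and report whether `inspect icmp` and `inspect icmp error` are in its class. The config text below is a constructed, shortened excerpt modelled on the one posted above; the function and variable names are the example's own.

```python
"""Audit an ASA running-config for ICMP inspection in the global policy.

Added example, not code from the thread. It walks 'policy-map' blocks
(one-space indent for 'class', two-space indent for 'inspect'), picks
the map named by 'service-policy <name> global', and lists which ICMP
inspections are missing from it, which is what the reply above adds.
"""
import re

# Constructed excerpt modelled on the config posted above (shortened).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect pptp
!
service-policy global_policy global
"""


def parse_policy_maps(config: str) -> dict:
    """Return {policy_map_name: {class_name: [inspect arguments]}}.

    Only plain 'policy-map <name>' blocks are collected; 'policy-map
    type inspect ...' blocks are parameter maps, not traffic policies,
    and are skipped because the name regex requires exactly one token.
    """
    maps = {}
    current_map = None
    current_class = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Any top-level command ends the open policy-map block.
            current_map = current_class = None
            m = re.match(r"policy-map (\S+)$", line)
            if m:
                current_map = maps.setdefault(m.group(1), {})
            continue
        if current_map is None:
            continue
        stripped = line.strip()
        if line.startswith(" class "):
            current_class = current_map.setdefault(stripped.split()[1], [])
        elif line.startswith("  inspect ") and current_class is not None:
            current_class.append(stripped[len("inspect "):])
    return maps


def global_policy_name(config: str):
    """Name of the policy-map applied with 'service-policy <name> global'."""
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    return m.group(1) if m else None


def missing_icmp_inspection(config: str) -> list:
    """ICMP inspections absent from the globally applied policy-map."""
    name = global_policy_name(config)
    maps = parse_policy_maps(config)
    present = set()
    for entries in maps.get(name, {}).values():
        present.update(entries)
    wanted = ["icmp", "icmp error"]
    return [w for w in wanted if w not in present]


if __name__ == "__main__":
    for missing in missing_icmp_inspection(SAMPLE_CONFIG):
        print(f"global policy lacks: inspect {missing}")
```

Feed it the output of `show running-config`. The static NAT syntax above is pre-8.3, but policy-map and service-policy blocks keep the same shape on later releases, so the parser applies there too.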
-
ASA 5510 w/ Security Plus license lost security contexts
I have an ASA 5510 with a Security Plus license, and when I looked at the device a few days ago I had 2 contexts; however, after configuring the Mgmt port as a regular port, contexts show 0. Why? I can't find anywhere on the internet where this problem has occurred. This is the output of show version:
Cisco Adaptive Security Appliance Software Version 7.0(8)
Compiled on Sun 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"
SHIELDASA01 up 21 hours 16 mins
Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: Ethernet0/0         : address is 0021.a025.2d3c, irq 9
 1: Ext: Ethernet0/1         : address is 0021.a025.2d3d, irq 9
 2: Ext: Ethernet0/2         : address is 0021.a025.2d3e, irq 9
 3: Ext: Ethernet0/3         : address is 0021.a025.2d3f, irq 9
 4: Ext: Management0/0       : address is 0021.a025.2d3b, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 150
This platform has an ASA 5510 Security Plus license.
I'm not showing the serial number and license keys for obvious reasons. Any help? Thanks in advance.
You might want to try upgrading your IOS on the ASA and see if that helps. Can you check the firewall mode (single or multiple) you're currently in? Is your ASA transparent or routed?