ASA 5510 with dual ISPs

Hello.. Is it possible for a Cisco ASA 5510 to do load balancing between dual ISPs? And what would the configuration be? Thanks... :D

Hello

ACB is normally used for load balancing on network devices. From another of my posts on this forum, and I quote:

The ASA/PIX does not support ACB to date. I have been told it is on the roadmap.

As a workaround, you can run multiple contexts, if it is possible to break your LAN into two subnets.

Also allocate the appropriate Internet interface to each context (with the default gateway pointing to the respective service provider).

This link will help you get started:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

Please NOTE: dynamic routing and VPNs are not supported in multiple context mode.

Another alternative: if the WAN links terminate on a router (and not on the firewall), you could use that router for the ACB.

Regards

Farrukh

Tags: Cisco Security

Similar Questions

  • ASA 5510 with AIP SSM-10

    I'm new to network administration and our company has an ASA 5510 with an AIP SSM-10 module. On the ASA interface, when I try to load Intrusion Detection, it says the following:

    "For IPS 5.1(1) S205.0, use the link below to access the IPS Device Manager." (If the SSM management IP address or port is translated, replace them accordingly in the URL below.) "IPS 6.0.1 or above will be fully integrated with ASDM."

    Unfortunately, no URL is displayed below this message and there is no documentation in the company about this configuration. Is there a way to reset the AIP without resetting the ASA? How can I find its IP address so that I can configure it?

    From the ASA CLI you can check the IP address of the AIP module:

    show module details

    It will show you the management IP address of the module, and you can then connect over https to that IP address from your PC.

  • Redundancy with dual ISPs on Cisco ASA site-to-site VPN

    Dear supporters,

    Could you help me with a configuration for the network in the attached diagram?

    I would be grateful for your help.

    Thank you

    Best regards

    Hi Sothengse,

    You can visit the link below and configure the ASA at the head end and the branches accordingly for your situation.

    You must change the configuration of the similar example with... dual ISPs at both ends in your scenario...

    http://networkology.NET/2013/03/08/site-to-site-VPN-with-dual-ISP-for-BA...

    I hope this helps.

    Regards

    Knockaert

  • Cisco ASA5505 with dual ISPs + IPsec

    Hello guys,

    I have a problem with dual ISPs + IPsec on my Cisco ASA5505 with the Security Plus license.

    Routing works OK (connecting to the Internet from site A works through the first and also the second ISP), but IPsec works only through the first ISP! It seems that phases 1 and 2 of IPsec are correct, but packets are only encrypted and never decrypted. Do you have an idea what the problem is?

    I try to ping from site A (PC 10.4.1.66) to site B (PC 10.3.128.50).

    Thank you

    config site A:

    ##########################################################################

    ASA Version 8.2(1)
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.4.1.65 255.255.255.248
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.2 255.255.255.0
    !
    interface Vlan3
     nameif internet
     security-level 0
     ip address 212.89.235.yy 255.255.255.248
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport access vlan 3
    !
    access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
    access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
    access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
    access-list inside extended permit ip any any
    access-list inside extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu internet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (internet) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 10.4.1.64 255.255.255.248
    access-group internet_in in interface outside
    access-group internet_in in interface internet
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
    route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
     type echo protocol ipIcmpEcho 212.89.229.xx interface outside
     num-packets 3
     frequency 10
    sla monitor schedule 123 life forever start-time now
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer 212.89.229.xx
    crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map0 1 set security-association lifetime seconds 28800
    crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 2 match address outside_cryptomap_1
    crypto map outside_map0 interface outside
    crypto map outside_map0 interface internet
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp enable internet
    crypto isakmp policy 3
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 300
    !
    track 1 rtr 123 reachability
    telnet 10.4.1.64 255.255.255.248 inside
    telnet timeout 1440
    ssh 10.4.1.64 255.255.255.248 inside
    ssh 212.89.229.xx 255.255.255.255 outside
    ssh timeout 60
    ssh version 2
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 194.160.23.2 source outside
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec
    username xx
    tunnel-group 212.89.229.xx type ipsec-l2l
    tunnel-group 212.89.229.xx ipsec-attributes
     pre-shared-key *

    siteA# sh crypto isakmp sa d

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 212.89.229.xx
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
        Encrypt : aes-256         Hash    : SHA
        Auth    : preshared       Lifetime: 300
        Lifetime Remaining: 91

    siteA# sh crypto ipsec sa

    interface: internet
        Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

          access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
          remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
          current_peer: 212.89.229.xx

          #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2

          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 2A9B550B

        inbound esp sas:
          spi: 0xCF456F65 (3477434213)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 32768, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (4374000/28629)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x2A9B550B (714822923)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 32768, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (4373999/28629)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    siteA# sh logging asdm | i 10.3.128.50

    6|Sep 19 2011 10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
    6|Sep 19 2011 10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024

    config site B:

    ##########################################################################

    ASA Version 8.0(4)
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 212.89.229.xx 255.255.255.240
     ospf cost 10
    !
    interface Ethernet0/1.10
     vlan 10
     nameif users
     security-level 50
     ip address 10.3.128.0 255.255.255.0
    !
    access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 9 match address siteA
    crypto map outside_map 9 set peer 212.89.229.xx
    crypto map outside_map 9 set transform-set ESP-AES-256-SHA
    crypto map outside_map 9 set security-association lifetime seconds 28800
    crypto map outside_map 9 set security-association lifetime kilobytes 4608000
    crypto map outside_map 10 match address siteA
    crypto map outside_map 10 set peer 212.89.235.yy
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 10 set security-association lifetime seconds 28800
    crypto map outside_map 10 set security-association lifetime kilobytes 4608000
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    tunnel-group 212.89.229.xx type ipsec-l2l
    tunnel-group 212.89.229.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 212.89.235.yy type ipsec-l2l
    tunnel-group 212.89.235.yy ipsec-attributes
     pre-shared-key *

    SiteB# sh crypto isakmp sa d

       Active SA: 7
        Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 8

    8   IKE Peer: 212.89.235.115
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
        Encrypt : aes-256         Hash    : SHA
        Auth    : preshared       Lifetime: 300
        Lifetime Remaining: 245

    SiteB# sh crypto ipsec sa | b 212.89.235.yy

          current_peer: 212.89.235.yy

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy

          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: CF456F65

        inbound esp sas:
          spi: 0x2A9B550B (714822923)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 4378624, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914999/27310)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00001FFF
        outbound esp sas:
          spi: 0xCF456F65 (3477434213)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 4378624, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3915000/27308)
             IV size: 16 bytes
             replay detection support: Y

    SiteB# sh logging asdm | i 10.4.1.66

    6|Sep 19 2011 10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
    6|Sep 19 2011 10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0

    I'm glad this answers your question; feel free to mark the post as answered and rate useful messages.

    Good day.
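Added example, not code from the thread above or from Cisco: a small Python script that parses the counter block of "show crypto ipsec sa" from both ends of a tunnel and labels each SA as ok, idle, send-only or receive-only, which is the symptom posted above (7 encaps / 0 decaps at site A, 0 encaps / 12 decaps at site B). The two sample outputs embedded in it are constructed to mirror those numbers; in practice you would paste in the saved command output from each ASA.

```python
"""Spot one-way IPsec SAs in ASA 'show crypto ipsec sa' output.

Added example, not code from the thread. It reads the per-peer counter
block the ASA prints and labels each SA as ok, idle, send-only or
receive-only. A send-only SA on one side paired with a receive-only SA
on the other means the tunnel carries traffic in one direction only:
the receiving ASA decrypts what arrives but never selects that SA for
the return traffic, so the place to look is its return route, NAT
exemption and crypto map entries rather than IKE (which is MM_ACTIVE
on both sides).
"""
import re

# Constructed samples mirroring the counters posted in the thread.
SITE_A_OUTPUT = """\
interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.115
      current_peer: 212.89.229.2
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

SITE_B_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 212.89.229.2
      current_peer: 212.89.235.115
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #send errors: 0, #recv errors: 0
"""

MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA: interface, map, seq, local, peer, encaps, decaps.

    A 'current_peer:' line starts a new record. 'interface:' and
    'Crypto map tag:' lines are remembered so the record is labelled when
    present, and tolerated as missing when the output was filtered with
    '| begin <peer>' as site B did above.
    """
    records = []
    iface = map_tag = seq = local = None
    rec = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            iface = line.split(":", 1)[1].strip()
        elif line.startswith("Crypto map tag:"):
            m = MAP_RE.match(line)
            if m:
                map_tag, seq, local = m.group(1), int(m.group(2)), m.group(3)
        elif line.startswith("current_peer:"):
            rec = {"interface": iface, "map": map_tag, "seq": seq, "local": local,
                   "peer": line.split(":", 1)[1].strip(), "encaps": 0, "decaps": 0}
            records.append(rec)
        elif rec is not None:
            m = PKTS_RE.match(line)
            if m:
                rec[m.group(1)] = int(m.group(2))
    return records


def classify(rec):
    """Label an SA from its encaps (sent) and decaps (received) counters."""
    if rec["encaps"] and not rec["decaps"]:
        return "send-only"
    if rec["decaps"] and not rec["encaps"]:
        return "receive-only"
    if not rec["encaps"] and not rec["decaps"]:
        return "idle"
    return "ok"


def diagnose(records):
    """Return [(peer, label), ...] for every SA in the parsed output."""
    return [(r["peer"], classify(r)) for r in records]


def pair_verdict(local_records, remote_records):
    """Combine both ends' counters into one verdict per tunnel.

    A local SA is matched with the remote SA whose peer address is the
    local crypto endpoint; the pair of labels then says which side never
    encrypts its replies.
    """
    verdicts = []
    for a in local_records:
        for b in remote_records:
            if b["peer"] != a["local"]:
                continue
            la, lb = classify(a), classify(b)
            if la == "send-only" and lb == "receive-only":
                text = "remote never encrypts replies: check its return route, NAT exemption and crypto map match"
            elif la == "receive-only" and lb == "send-only":
                text = "local never encrypts replies: check the local return route, NAT exemption and crypto map match"
            elif la == "ok" and lb == "ok":
                text = "bidirectional"
            else:
                text = "local=%s remote=%s" % (la, lb)
            verdicts.append((a["peer"], text))
    return verdicts


if __name__ == "__main__":
    site_a = parse_ipsec_sa(SITE_A_OUTPUT)
    site_b = parse_ipsec_sa(SITE_B_OUTPUT)
    for peer, label in diagnose(site_a) + diagnose(site_b):
        print("%s: %s" % (peer, label))
    for peer, text in pair_verdict(site_a, site_b):
        print("tunnel to %s: %s" % (peer, text))
```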

  • VPN on ASA-5510 with "Configure a dynamic crypto map"

    Hi all

    My name is Ping. I have an ASA-5510 for site-to-site VPN configuration, but I am not clear on a few configuration points on the ASA-5510 series. I am not sure about this point: when I configure other Cisco routers I can use

    ASA2(config)# crypto map outside-map 10 ipsec-isakmp
    % NOTE: This new crypto map will remain disabled until a peer
            and a valid access list have been configured.
    ........

    but when I configure the ASA 5510 it is as below:

    mtelcoASA2(config)# crypto ?

    configure mode commands/options:
      ca           Certification Authority
      dynamic-map  Configure a dynamic crypto map
      ipsec        Configure transform-set, IPSec SA lifetime and fragmentation
      isakmp       Configure ISAKMP
      key          Long term key operations
      map          Configure a crypto map

    ASA2(config)# crypto map outside-map 10 ipsec-isakmp ?

    configure mode commands/options:
      dynamic  Entry is a dynamic map

    "Configure a dynamic crypto map": what is it used for, and why can't I use just "crypto map outside-map 10 ipsec-isakmp"? If I can't, can I skip this command, or please tell me the other way, with a nice explanation.

    Thank you very much

    Regards,

    Ping,

    Just use "crypto map outside-map 10 match/set" without the ipsec-isakmp keyword and it will be fine.

  • Unable to connect to VPN server behind ASA 5510 with Windows clients

    Hi all

    I've seen a number of posts on this and followed a few support documents on this issue, but I'm totally stuck now; nothing seems to work for me.

    This is the usual scenario: I have a Windows 2003 VPN server sitting on the private LAN behind our ASA 5510 firewall, and I am trying to get my Windows XP / 7 laptops to connect to it.

    Within ASDM:

    (1) Created a public server for protocol 1723

    (2) Created a public server for the GRE protocol

    (3) Both public servers have the same public and private addresses

    (4) The above created a public-to-private static NAT entry in the firewall's NAT section

    (5) Also created 2 firewall rules on the external interface for both 1723 and GRE

    When I try to connect, I get the following entry in the debug log:

    6 Aug 06 2010 17:09:37 302013 195.74.141.2 1045 1723 ChamberVPN-internal Built inbound TCP connection 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to inside:ChamberVPN-internal/1723 (XXX.XXX.XXX.XXX/1723)

    but nothing else.

    The server shows no connection attempt, so I think I'm missing something on the firewall.

    Also on the inside interface there is a temporary rule:

    Source: any
    Destination: any
    Service: IP
    Action: enabled

    This should allow all outbound traffic, as far as I know...

    Any help would be greatly appreciated.

    Chris

    Hi Chris,

    The ASA log indicates that the connection is torn down because of "SYN timeout". This means the ASA receives no response from the Windows server. Now we need to clarify some points.

    1 - Does your VPN server have a correct default gateway, or a route pointing at your ASA's inside interface?

    2 - Is it possible to start capturing packets on the Windows server? With that we can get data flow information between client and server, and we can be sure the Windows server is seeing the VPN request.

    Ufuk Güler

  • Is a CSC module required to use Smartfilter with an ASA 5510?

    We have used a PIX 515E and an external Smartfilter server for URL filtering for many years. It works well, but we want to add the IDS feature. The way forward for this seems to be an ASA 5510 with an AIP module. Can anyone confirm whether we can continue to use the filter url command (with Smartfilter specified as the vendor and pointed at the IP address of the Smartfilter server) as we do on the PIX? Cisco sales tells me that I need a CSC module for it, which means I can't have an AIP module, but the way I read it, that only seems to apply if you use the CSC's own URL database (user account subscription) to perform the filtering. We do not want that. We have 3 years left on our Smartfilter contract. I just talked to someone who has an ASA 5510 without a CSC module and has successfully entered a filter url command on his ASA, as you would on a PIX. Why wouldn't that work?

    For URL filtering, NO, you do not need any type of license; this isn't a licensed feature, it's rather a configuration feature.

  • ASA 5510 AnyConnect licenses with Cisco AnyConnect VPN IP phone

    Hi, hoping someone can shed some light on something I am getting more and more confused about. Not sure if this goes in the IP Telephony section or here...

    We have an ASA 5510 with the base license. We need to deploy IP phones to home teleworkers, and I understand there are Cisco IP phones that have built-in VPN clients to establish a tunnel to the central private network. It seems that you can't use AnyConnect VPN to do this, and I am trying to establish which upgrade licenses we must apply to the ASA, as the two AnyConnect licenses you get for free on the ASA are not enough.

    This is the phone that we are looking at:

    http://www.Cisco.com/en/us/prod/collateral/voicesw/ps6788/phones/ps10499/ps11005/data_sheet_c78-603725.html

    What I want to know is whether the AnyConnect Essentials license will work with these IP phones?

    When I do a show version:

    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 50
    Inside Hosts                 : Unlimited
    Failover                     : Disabled
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 0
    GTP/GPRS                     : Disabled
    SSL VPN Peers                : 2
    Total VPN Peers              : 250
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    AnyConnect Essentials        : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions      : 2
    Total UC Proxy Sessions      : 2
    Botnet Traffic Filter        : Disabled

    This platform has a Base license.

    It shows "AnyConnect for Linksys phone: Disabled"; is it the same for the Cisco IP phones? Is that the kind of specific license I should look for to run AnyConnect on IP phones, or will Essentials do?

    Hi Leo,

    You will need 2 licenses: an AnyConnect Premium license and an "AnyConnect for Cisco VPN Phone" license.

    On ASA 8.2 and earlier the "for Cisco VPN Phone" license was named "for Linksys phone"; it's the same thing.

    Cf. http://www.Cisco.com/en/us/docs/security/ASA/asa84/license/license_management/license.html#wp1487574

    HTH

    Herbert

  • How to test ASA 5510 hardware before you buy?

    I'm looking to buy a refurbished ASA 5510 with a security license, under warranty. What tests should I run on the device, on an independent network, to ensure that the hardware is good?

    Hi, I usually ask for a full boot log and the output of show version every time I buy refurb or on eBay. Sometimes you do not get that output unless you ask the vendor for it.

  • Gigabit on ASA 5510

    Hello

    How would we go about setting the speed to 1000 Mbps on an ASA 5510 with the Security Plus license?

    This is what I see on any interface:

    FW(config-if)# speed ?

    interface mode commands/options:
      10    Force 10 Mbps operation
      100   Force 100 Mbps operation
      auto  Enable AUTO speed configuration

    Thank you.

    Gabi

    I think you should upgrade to 8.0(3)

    I have an ASA 5510 with a security license.

    Cisco Adaptive Security Appliance Software Version 7.2(3)

    ASA5510(config-if)#
    ASA5510# conf t
    ASA5510(config)# int e0/0
    ASA5510(config-if)# spe
    ASA5510(config-if)# speed ?

    interface mode commands/options:
      10    Force 10 Mbps operation
      100   Force 100 Mbps operation
      1000  Force 1000 Mbps operation
      auto  Enable AUTO speed configuration

  • Cisco AnyConnect/WebVPN license for ASA 5510

    Hello

    Could someone please check the attached licenses for the ASA 5510 and let me know. We currently have an ASA 5510 with the base license. According to the attached table, under VPN sessions it mentions "250 combined IPSec and WebVPN sessions", and for "Max WebVPN sessions per box" it mentions 2 sessions; beyond that we must buy the optional WebVPN license. Since we have the 250 combined license for IPsec and WebVPN, must we purchase an additional AnyConnect license to set up remote access for users who want to use internal resources from outside the network? Or else, do we not need to purchase a license, and can we configure WebVPN/AnyConnect for users from the existing combined license of the base ASA license? Waiting for your response. Thank you.

    You are welcome.

    1. Yes

    2. AnyConnect does not require Java, but it can use it when connecting to an AnyConnect SSL VPN client with the web browser launch option, which starts Java-based. There was a bug with old AnyConnect versions that later versions should have addressed. You also have the option to launch via IE using ActiveX, or simply launch AnyConnect directly; neither of these two methods requires Java.

    Here is a TAC document on the Java questions if you want more details.

    Please take a moment to rate useful messages and mark your questions as answered.

  • ASA 5510 - possible to bridge 2 interfaces in routed mode

    Cisco ASA 5510 with Security Plus license, version 9.1(5), running in routed mode.

    I want to bridge two interfaces, for example eth0/2 and eth0/3, and configure one IP address / network while leaving the ASA 5510 in routed mode. I know this is possible in transparent mode, but I need to keep it in routed mode. I know I could configure a single interface and connect a switch, but my client does not want to do that.

    Otherwise, my only thought would be to configure eth0/2 and eth0/3 each as a separate network and route the subnet traffic between the two.

    Any help would be appreciated!

    Thank you

    Andrew

    Andrew

    It would help us answer you better if we understood more about what you and your client want to accomplish. But to answer the specific question you asked, I don't think it is possible on an ASA5510 in routed mode to configure Eth2 and Eth3 to share a single IP address.

    Are the devices connected to Eth2 and to Eth3 really in the same subnet?

    HTH

    Rick

  • ASA 5510 DMZ configuration

    I currently have an ASA 5510 on which I am configuring an HTTP/FTP host in a DMZ. Currently the DMZ host is accessible from outside, but the hosts on the internal network cannot access it. I have a dedicated IP address for the DMZ host (1.1.1.228) and another IP for the PAT interface for internal clients (1.1.1.238). I know I'm missing a piece, either a nat() or a static() statement; please advise.

    interface Ethernet0/0
     description Outside Interface
     nameif outside
     security-level 0
     ip address 1.1.1.238 255.255.255.240
    !
    interface Ethernet0/1
     description Inside Interface
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.0.0
    !
    interface Ethernet0/2
     description DMZ Interface
     nameif dmz
     security-level 50
     ip address 192.168.0.1 255.255.255.0

    - partial outside inbound ACL -

    access-list outside_access_in extended permit tcp any host 1.1.1.228 eq www
    access-list outside_access_in extended permit tcp any host 1.1.1.228 eq https

    - DMZ ACL -

    access-list DMZ extended permit icmp any any
    access-list DMZ extended permit tcp host 192.168.0.11 eq www any
    access-list DMZ extended permit tcp host 192.168.0.11 eq https any
    access-list DMZ extended permit tcp host 192.168.0.11 eq ftp-data any
    access-list DMZ extended permit tcp host 192.168.0.11 eq ftp any

    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 1.1.1.231 10.0.0.85 netmask 255.255.255.255
    static (dmz,outside) 1.1.1.228 192.168.0.11 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group DMZ in interface dmz

    Add:

    static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

    The statement above will allow the inside hosts to access the DMZ hosts using the DMZ devices' own IPs, and vice versa.

    And, if necessary, use an ACL to restrict access from inside to the DMZ, or from the DMZ to inside.

    Cheers!

    AK

  • Cisco ASA 5510 - Cisco client can connect to the VPN but cannot ping!

    Hello

    I have an ASA 5510 with the configuration below. I have configured the ASA as a VPN server for remote access with the Cisco VPN client; now my problem is that I can connect but I cannot ping.

    Config

    ciscoasa# sh run
    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname ciscoasa
    enable password 5QB4svsHoIHxXpF/ encrypted
    names
    name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
    name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
    name xxx.xxx.xxx.xxx Mail_Server
    name xxx.xxx.xxx.xxx IncomingIP
    name xxx.xxx.xxx.xxx SAP
    name xxx.xxx.xxx.xxx Web_server
    name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
    name 192.168.2.2 isa_server_outside
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address IncomingIP 255.255.255.248
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.253 255.255.255.0
     management-only
    !
    passwd 123
    ftp mode passive
    clock timezone EST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object-group service TCP_8081 tcp
     port-object eq 8081
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq 3389
     port-object eq ftp
     port-object eq www
     port-object eq https
     port-object eq smtp
     port-object eq pop3
     port-object eq 3200
     port-object eq 3300
     port-object eq 3600
     port-object eq 3299
     port-object eq 3390
     port-object eq 50000
     port-object eq 3396
     port-object eq 3397
     port-object eq 3398
     port-object eq imap4
     port-object eq 587
     port-object eq 993
     port-object eq 8000
     port-object eq 8443
     port-object eq telnet
     port-object eq 3901
     group-object TCP_8081
     port-object eq 1433
     port-object eq 3391
     port-object eq 3399
     port-object eq 8080
     port-object eq 3128
     port-object eq 3900
     port-object eq 3902
     port-object eq 7777
     port-object eq 3392
     port-object eq 3393
     port-object eq 3394
     port-object eq 3395
     port-object eq 92
     port-object eq 91
     port-object eq 3206
     port-object eq 8001
     port-object eq 8181
     port-object eq 7778
     port-object eq 8180
     port-object eq 22222
     port-object eq 11001
     port-object eq 11002
     port-object eq 1555
     port-object eq 2223
     port-object eq 2224
    object-group service RDP tcp
     port-object eq 3389
    object-group service 3901 tcp
     description 3901
     port-object eq 3901
    object-group service 50000 tcp
     description 50000
     port-object eq 50000
    object-group service Enable_Transparent_Tunneling_UDP udp
     port-object eq 4500
    access-list inside_access_in remark SAP connection
    access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
    access-list inside_access_in remark outgoing VPN - PPTP
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
    access-list inside_access_in remark outgoing VPN - GRE
    access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
    access-list inside_access_in remark VPN - GRE
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in remark outgoing VPN - Client IKE
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
    access-list inside_access_in remark outgoing VPN - IPSecNAT-T
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
    access-list inside_access_in remark outgoing DNS
    access-list inside_access_in extended permit udp any any eq domain
    access-list inside_access_in remark outgoing DNS
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in remark forwarded Ports
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any any eq pptp
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit gre any host Mail_Server
    access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
    access-list outside_access_in extended permit esp any any
    access-list outside_access_in extended permit ah any any
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
    access-list VPN standard permit 192.168.2.0 255.255.255.0
    access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 2 Mail_Server netmask 255.0.0.0
    global (outside) 1 interface
    global (inside) 2 interface
    nat (inside) 0 access-list corp_vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255

    static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

    static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp

    static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside

    public static 192.168.2.0 (inside, outside) - corp_vpn access list

    Access-group outside_access_in in interface outside

    inside_access_in access to the interface inside group

    Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.2.0 255.255.255.0 inside

    http 192.168.1.0 255.255.255.0 management

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp - esp-md5-hmac transet

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic dynmap 10 set pfs

    Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet

    cryptomap 10 card crypto ipsec-isakmp dynamic dynmap

    cryptomap interface card crypto outside

    crypto isakmp identity address

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    Telnet 192.168.2.0 255.255.255.0 inside

    Telnet 192.168.1.0 255.255.255.0 management

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

    dhcpd domain.local domain inside interface

    !

    a basic threat threat detection

    host of statistical threat detection

    Statistics-list of access threat detection

    Management Server TFTP 192.168.1.123.

    internal group mypolicy strategy

    mypolicy group policy attributes

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value VPN

    Pseudo vpdn password 123

    vpdn username attributes

    VPN-group-policy mypolicy

    type of remote access service

    type mypolicy tunnel-group remote access

    tunnel-group mypolicy General attributes

    address-pool

    strategy-group-by default mypolicy

    tunnel-group mypolicy ipsec-attributes

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    inspect the pptp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

    : end

    Thank you very much.

    Hello

    You probably need

    policy-map global_policy
     class inspection_default
      inspect icmp
      inspect icmp error

    Your Split Tunnel and NAT0 configurations seem fine.

    -Jouni
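The reply above covers the split tunnel and NAT 0 exemption; it does not comment on the first line of outside_access_in in the posted configuration, `permit ip any any`, which is applied inbound on the outside interface and therefore makes every entry after it irrelevant and exposes every static translation (Mail_Server, SAP, the SharePoint host) to any source. The following script is an added example, written for this page and not Cisco tooling or code from the thread: it parses the object-group, access-list, access-group and static lines of a pre-8.3 ASA configuration, lists the inbound port forwards, and reports ACL entries that an earlier, broader entry already matches (shadowed entries) plus an open inbound ACL. The embedded configuration is a constructed subset of the one posted above, keeping the poster's placeholder names (Mail_Server, SAP, isa_server_outside); address matching is token based (any / exact token) and does no subnet arithmetic.

```python
"""Audit a pre-8.3 Cisco ASA config for inbound exposure and shadowed ACL entries.
Added example, not Cisco tooling. Address matching is token based (any / exact
token), not subnet arithmetic, which is enough for the config posted above."""
import re
from collections import defaultdict

# Constructed sample: a subset of the posted configuration, keeping the poster's
# placeholder names (Mail_Server, SAP, isa_server_outside).
SAMPLE_CONFIG = """\
object-group service Enable_Transparent_Tunneling_UDP udp
 port-object eq 4500
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-group outside_access_in in interface outside
static (inside,outside) tcp isa_server_outside smtp Mail_Server smtp netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside 50000 SAP 50000 netmask 255.255.255.255
"""
# static (real_if,mapped_if) tcp|udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask ...
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")


def _addr(tokens):
    """Consume one ACL address spec (any | host X | X MASK); return (spec, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_config(text):
    """Return (acls, bindings, statics, groups) parsed from ASA 8.0-style config text."""
    groups = defaultdict(list)   # service object-group name -> list of ports
    acls = defaultdict(list)     # ACL name -> ordered list of ACE dicts
    bindings = {}                # interface -> ACL applied inbound ("in")
    statics = []                 # (proto, mapped_ip, mapped_port, real_ip, real_port)
    current_group = None
    for parts in filter(None, (line.split() for line in text.splitlines())):
        if parts[:2] == ["object-group", "service"]:
            current_group = parts[2]
        elif parts[0] == "port-object":
            if current_group and parts[1] == "eq":
                groups[current_group].append(parts[2])
        elif parts[0] == "access-list" and parts[2] == "extended":
            src, rest = _addr(parts[5:])
            dst, rest = _addr(rest)
            ports = ["*"]                       # "*" means any port
            if rest[:1] == ["eq"]:
                ports = [rest[1]]
            elif rest[:1] == ["object-group"]:
                ports = groups.get(rest[1], ["*"])
            acls[parts[1]].append({"action": parts[3], "proto": parts[4], "src": src,
                                   "dst": dst, "ports": ports, "line": " ".join(parts)})
        elif parts[0] == "access-group" and parts[2] == "in":
            bindings[parts[4]] = parts[1]
        elif parts[0] == "static":
            m = STATIC_RE.match(" ".join(parts))
            if m:
                statics.append(m.groups())
    return acls, bindings, statics, groups


def _covers(a, b):
    """True if ACE a matches every packet that ACE b matches (token comparison)."""
    return (a["proto"] in ("ip", b["proto"])
            and a["src"] in ("any", b["src"])
            and a["dst"] in ("any", b["dst"])
            and (a["ports"] == ["*"] or set(b["ports"]) <= set(a["ports"])))


def shadowed_entries(aces):
    """(i, j) for every ACE i that an earlier ACE j already matches in full."""
    return [(i, next(j for j in range(i) if _covers(aces[j], ace)))
            for i, ace in enumerate(aces)
            if any(_covers(aces[j], ace) for j in range(i))]


def audit(text):
    """Return findings for the config: open inbound ACL, shadowed ACEs, port forwards."""
    acls, bindings, statics, _ = parse_config(text)
    findings = []
    outside_acl = bindings.get("outside")
    if any(a["action"] == "permit" and a["proto"] == "ip" and a["src"] == a["dst"] == "any"
           for a in acls.get(outside_acl, [])):
        findings.append(f"{outside_acl}: 'permit ip any any' admits all inbound traffic; "
                        "every static translation is reachable from any source")
    for name, aces in acls.items():
        for i, j in shadowed_entries(aces):
            findings.append(f"{name}: entry {i + 1} is shadowed by entry {j + 1} ({aces[j]['line']})")
    for proto, mapped_ip, mapped_port, real_ip, real_port in statics:
        findings.append(f"exposed: {proto} {mapped_ip}:{mapped_port} -> {real_ip}:{real_port}")
    return findings
```

Call `audit(SAMPLE_CONFIG)`, or pass the text of your own `show running-config`, and print the returned list. On the sample every entry of outside_access_in after the first is reported as shadowed by entry 1, which is the concrete way to see that the per-port permits were never doing anything; remove `permit ip any any` and only the entries genuinely covered by a broader one (gre any host Mail_Server under gre any any, tcp any host Mail_Server eq pptp under tcp any any eq pptp) remain flagged.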

  • ASA 5510 w/ Security Plus license lost security contexts

    I have an ASA 5510 with a Security Plus license, and when I looked at the device a few days ago I had 2 contexts; however, after I configured the Mgmt port as a regular port the contexts show 0. Why? I can't find anywhere on the internet where this problem has occurred. This is the output of show version:

    Cisco Adaptive Security Appliance Software Version 7.0(8)
    Compiled on Sat 31-May-08 23:48 by builders
    System image file is "disk0:/asa708-k8.bin"
    Config file at boot was "startup-config"
    SHIELDASA01 up 21 hours 16 mins
    Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                                 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
     0: Ext: Ethernet0/0         : address is 0021.a025.2d3c, irq 9
     1: Ext: Ethernet0/1         : address is 0021.a025.2d3d, irq 9
     2: Ext: Ethernet0/2         : address is 0021.a025.2d3e, irq 9
     3: Ext: Ethernet0/3         : address is 0021.a025.2d3f, irq 9
     4: Ext: Management0/0       : address is 0021.a025.2d3b, irq 11
     5: Int: Not used            : irq 11
     6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces : Unlimited
    Maximum VLANs               : 25
    Inside Hosts                : Unlimited
    Failover                    : Active/Standby
    VPN-DES                     : Enabled
    VPN-3DES-AES                : Enabled
    Security Contexts           : 0
    GTP/GPRS                    : Disabled
    VPN Peers                   : 150
    This platform has an ASA 5510 Security Plus license.

    I'm not showing the serial number and license keys for obvious reasons. Any help? Thanks in advance.

    You might want to try upgrading your IOS on the ASA and see if it helps. Can you check the firewall mode (single or multiple) you're currently in? Is your ASA transparent or routed?
