ASA 5510 worm. 8.2 (5) access through VPN without client management?
Hi all
I am completely new to networking Cisco and virtual private networks, I'm working on to the ASA 5510 8.2 (5) 46. Currently, the unit is set up very very little. Access to the administration are accessible from my home network to 192.168.2.1. I'm trying to enable management access remotely by VPN. I created a clientless SSL VPN, which, during the wizard process, access to the specified administration was the/admin adding to the VPN https url. Add the/admin in the url for VPN is not me the VPN connection, and by using the/admin url from the portal returns a message "not available". Also, from the portal I can't access the ASDM using inside IP network management, it also returns the message as "unavailable". Again, I'm new to this, any help would be greatly appreciated. Here is my config. and thank you!
: Saved : ASA Version 8.2(5)46 ! hostname ALP5510 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address 99.66.203.148 255.255.255.248 ! interface Ethernet0/1 shutdown no nameif no security-level no ip address ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 nameif inside security-level 100 ip address 192.168.2.1 255.255.255.0 ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! boot system disk0:/asa825-46-k8.bin ftp mode passive dns domain-lookup inside dns server-group DefaultDNS name-server 68.94.156.1 name-server 68.94.157.1 same-security-traffic permit inter-interface pager lines 24 logging asdm informational mtu outside 1500 mtu inside 1500 mtu management 1500 ip local pool vpn 192.168.2.10 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-714.bin no asdm history enable arp timeout 14400 global (outside) 101 interface nat (inside) 101 0.0.0.0 0.0.0.0 nat (management) 101 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 99.66.203.150 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http server session-timeout 20 http 192.168.1.0 255.255.255.0 management http 192.168.2.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh 192.168.2.0 255.255.255.0 inside ssh timeout 5 console timeout 0 management-access inside dhcpd address 192.168.2.3-192.168.2.10 inside dhcpd dns 68.94.156.1 68.94.157.1 interface inside dhcpd enable inside ! dhcpd address 192.168.1.3-192.168.1.10 management dhcpd dns 68.94.156.1 68.94.157.1 interface management dhcpd enable management ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn enable outside enable inside group-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn webvpn svc ask enable group-policy eng internal group-policy eng attributes vpn-tunnel-protocol webvpn webvpn url-list value EngineerBookmarks username user1 password mbO2jYs13AXlIAGa encrypted privilege 15 username user1 attributes vpn-group-policy eng webvpn url-list value EngineerBookmarks tunnel-group test type remote-access tunnel-group test general-attributes address-pool vpn tunnel-group Engineering type remote-access tunnel-group Engineering general-attributes default-group-policy eng ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:05f3afe3383542c8f62b1873421a7484 : end asdm image disk0:/asdm-714.bin asdm location 99.66.203.150 255.255.255.255 inside no asdm history enable
I'm TAC if you give me a number I can help you, I think we will extend that if we continue on the support forum
Tags: Cisco Security
Similar Questions
Cisco VPN Client anything cannot access through VPN on an ASA5505 8.4
Hello
Completely new to Cisco ASA and the need to get this working ASAP.
8.4 (1) ASA 5505 is the secondary FW and I need to authorize all out and block everything coming, but for the VPN clients. Since a jerk of Cisco, I used the ASDM and it's sorcerers to make this work, which may explain my situation.
192.168.101.0/24 is the local network
192.168.101.5 is the IP of ASA
192.168.101.2 is the primary FW (and the default gateway for servers, I have to access through the VPN)
10.10.101.0/24 is the VPN IP range (this can be what you want, I'm not married to it somehow)
My Cisco VPN Client connects to the ASA and receives 10.10.101.1 IP address, but I get no connectivity to the ASA or any other 192.168.101.x or service server (tried RDP, telnet, ping, etc.)
Configuration file is attached.
Help pretty please!
Thank you.
Did you add a route for the VPN Pool on the main firewall to the ASA?
Best regards
Peer
Sent by Cisco Support technique iPad App
No internet access through VPN router
Hi all
I configure a Cisco 851 router do a VPN site-to site at ASA5510. The VPN works great. I can get to any host behind ASA5510. But the host behind Cisco 851 cannot go to the internet. I have only set up traffic to the subnet behind ASA5510 through the VPN tunnel. The rest of the traffic through 851 internet connection. The part of configuration is listed below. Except the nat by Fa4 VPN traffic. I miss something here?
Any help is appreciated.
interface FastEthernet4
IP address 24.xx.xx.xx 255.255.255.0
NAT outside IP
IP virtual-reassembly
IP tcp adjust-mss 1400
automatic duplex
automatic speed
crypto SITE map
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 24.xx.xx.1
!
IP http server
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
IP nat inside source overload map route interface FastEthernet4 sheep
Ganymede IP source interface Vlan1
!
IP extended SITE access list
permit ip 10.5.x.0 0.0.0.255 10.x.0.0 0.255.255.255
sheep extended IP access list
deny ip 10.5.x.0 0.0.0.255 10.x.0.0 0.255.255.255
allow an ip 10.5.x.0 0.0.0.255Lou
Based on the subset of configuration, it looks correct, you should be able to browse the Internet with the NAT configuration.
Do you have any ACL applied to your inside interface which may be blocking access? If you perform a traceroute, where the traffic stops?
No internet access through VPN
Hi, I have the router Cisco 881 (MPC8300) with c880data-universalk9 - mz.153 - 3.M4.bin when users establish a VPN connection to the corporate network, had access to all the resources but no internet access, please help me what else I need to configure to achieve my goal. I don't want to split the tunnel, internet via VPN, users must have. In my opinion, I have put an additional configuration for NAT, but my router not recognize u-Turn and NAT commands on the object on the network.
My config:
Building configuration...
Current configuration: 13562 bytes
!
! Last configuration change at 09:52:38 PCTime Saturday, May 16, 2015, by admin
version 15.3
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
XXX host name
!
boot-start-marker
start the flash system: c880data-universalk9 - mz.153 - 3.M4.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login ciscocp_vpn_xauth_ml_1 local
AAA authentication login ciscocp_vpn_xauth_ml_2 local
AAA authorization exec default local
AAA authorization ciscocp_vpn_group_ml_1 LAN
AAA authorization ciscocp_vpn_group_ml_2 LAN
!
!
!
!
!
AAA - the id of the joint session
iomem 10 memory size
clock timezone PCTime 1 0
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
!
Crypto pki trustpoint TP-self-signed-1751279470
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1751279470
revocation checking no
rsakeypair TP-self-signed-1751279470
!
!
TP-self-signed-1751279470 crypto pki certificate chain
certificate self-signed 01
XXXX
!
!
Protocol-IP port-map user - 2 tcp 8443 port
user-Protocol IP port-map - 1 tcp 3389 port
!!
!
!
IP domain name dmn.local
8.8.8.8 IP name-server
IP-server names 8.8.4.4
IP cef
No ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ174992C8
!
!
username privilege 15 secret 5 xxxx xxxx
username secret VPNUSER 5 xxxx
!
!
!
!
!
!
type of class-card inspect sdm-nat-user-protocol--2-1 correspondence
game group-access 105
corresponds to the user-Protocol - 2
type of class-card inspect entire game SDM_AH
match the name of group-access SDM_AH
type of class-card inspect entire game PAC-skinny-inspect
Skinny Protocol game
type of class-card inspect entire game SDM_IP
match the name of group-access SDM_IP
type of class-card inspect entire game PAC-h323nxg-inspect
match Protocol h323-nxg
type of class-card inspect entire game PAC-cls-icmp-access
match icmp Protocol
tcp protocol match
udp Protocol game
type of class-card inspect entire game PAC-h225ras-inspect
match Protocol h225ras
type of class-card inspect entire game SDM_ESP
match the name of group-access SDM_ESP
type of class-card inspect entire game PAC-h323annexe-inspect
match Protocol h323-annex
type of class-card inspect entire game PAC-cls-insp-traffic
match Protocol pptp
dns protocol game
ftp protocol game
https protocol game
match icmp Protocol
match the imap Protocol
pop3 Protocol game
netshow Protocol game
Protocol shell game
match Protocol realmedia
match rtsp Protocol
smtp Protocol game
sql-net Protocol game
streamworks Protocol game
tftp Protocol game
vdolive Protocol game
tcp protocol match
udp Protocol game
type of class-card inspect the correspondence SDM_GRE
match the name of group-access SDM_GRE
type of class-card inspect entire game PAC-h323-inspect
h323 Protocol game
type of class-card inspect correspondence ccp-invalid-src
game group-access 103
type of class-card inspect entire game PAC-sip-inspect
sip protocol game
type of class-card inspect correspondence sdm-nat-https-1
game group-access 104
https protocol game
type of class-card inspect all match mysql
match the mysql Protocol
type of class-card inspect correspondence ccp-Protocol-http
http protocol game
type of class-card inspect entire game CCP_PPTP
corresponds to the SDM_GRE class-map
inspect the class-map match PAC-insp-traffic type
corresponds to the class-map PAC-cls-insp-traffic
type of class-card inspect entire game SDM_EASY_VPN_SERVER_TRAFFIC
match Protocol isakmp
match Protocol ipsec-msft
corresponds to the SDM_AH class-map
corresponds to the SDM_ESP class-map
type of class-card inspect correspondence ccp-icmp-access
corresponds to the class-ccp-cls-icmp-access card
type of class-card inspect the correspondence SDM_EASY_VPN_SERVER_PT
corresponds to the SDM_EASY_VPN_SERVER_TRAFFIC class-map
!
type of policy-map inspect PCB - inspect
class type inspect PCB-invalid-src
Drop newspaper
class type inspect mysql
inspect
class type inspect PCB-Protocol-http
inspect
class type inspect PCB-insp-traffic
inspect
class type inspect PCB-sip-inspect
inspect
class type inspect PCB-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect PCB-skinny-inspect
inspect
class class by default
drop
type of policy-card inspect sdm-license-ip
class type inspect SDM_IP
Pass
class class by default
Drop newspaper
type of policy-card inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect CCP_PPTP
Pass
class class by default
Drop newspaper
type of policy-card inspect PCB-enabled
class type inspect SDM_EASY_VPN_SERVER_PT
Pass
class class by default
drop
type of policy-card inspect PCB-permits-icmpreply
class type inspect PCB-icmp-access
inspect
class class by default
Pass
!
safety zone-to-zone
security of the area outside the area
ezvpn-safe area of zone
zone-pair security PAC-zp-self-out source destination outside zone auto
type of service-strategy inspect PCB-permits-icmpreply
zone-pair security PAC-zp-in-out source in the area of destination outside the area
type of service-strategy inspect PCB - inspect
source of PAC-zp-out-auto security area outside zone destination auto pair
type of service-strategy inspect PCB-enabled
sdm-zp-NATOutsideToInside-1 zone-pair security source outside the area of destination in the area
type of service-strategy inspect sdm-pol-NATOutsideToInside-1
in the destination box source sdm-zp-in-ezvpn1 ezvpn-pairs area security
type of service-strategy inspect sdm-license-ip
source of sdm-zp-out-ezpn1 of security area outside zone ezvpn-zone time pair of destination
type of service-strategy inspect sdm-license-ip
safety zone-pair sdm-zp-ezvpn-out1-source ezvpn-zone of destination outside the area
type of service-strategy inspect sdm-license-ip
safety zone-pair source sdm-zp-ezvpn-in1 ezvpn-area destination in the area
type of service-strategy inspect sdm-license-ip
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA aes 256
preshared authentication
Group 2
!
Configuration group customer crypto isakmp Domena
key XXXXXX
DNS 192.168.1.2
Dmn.local field
pool SDM_POOL_1
Save-password
Max-users 90
netmask 255.255.255.0
banner ^ Cwelcome ^ C
ISAKMP crypto ciscocp-ike-profile-1 profile
match of group identity Domena
client authentication list ciscocp_vpn_xauth_ml_2
ISAKMP authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-model 1
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac ESP_AES-256_SHA
tunnel mode
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP_AES-256_SHA
set of isakmp - profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
IP 192.168.9.1 255.255.255.0
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
Description $ETH - WAN$ $FW_OUTSIDE$
IP x.x.x.x 255.255.255.248
NAT outside IP
IP virtual-reassembly in
outside the area of security of Member's area
automatic duplex
automatic speed
!
type of interface virtual-Template1 tunnel
IP unnumbered Loopback0
ezvpn-safe area of Member's area
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile1 ipsec protection profile
!
interface Vlan1
Description $ETH_LAN$ $FW_INSIDE$
IP 192.168.1.1 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly in
Security members in the box area
IP tcp adjust-mss 1452
!
local IP SDM_POOL_1 192.168.10.10 pool 192.168.10.100
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
The dns server IP
IP nat inside source list 3 interface FastEthernet4 overload
IP nat inside source static tcp 192.168.1.3 interface FastEthernet4 443 443
IP nat inside source static tcp 192.168.1.2 8443 interface FastEthernet4 8443
IP route 0.0.0.0 0.0.0.0 X.x.x.x
!
SDM_AH extended IP access list
Note the category CCP_ACL = 1
allow a whole ahp
SDM_ESP extended IP access list
Note the category CCP_ACL = 1
allow an esp
SDM_GRE extended IP access list
Note the category CCP_ACL = 1
allow a gre
SDM_IP extended IP access list
Note the category CCP_ACL = 1
allow an ip
!
not run cdp
!
Note access-list 3 INSIDE_IF = Vlan1
Note CCP_ACL category in the list to access 3 = 2
access-list 3 Let 192.168.1.0 0.0.0.255
Note access-list 23 category CCP_ACL = 17
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 allow 10.10.10.0 0.0.0.7
Note access-list 100 Auto generated by SDM management access feature
Note access-list 100 category CCP_ACL = 1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 100 tcp refuse any host 192.168.1.1 eq telnet
access-list 100 tcp refuse any host 192.168.1.1 eq 22
access-list 100 tcp refuse any host 192.168.1.1 eq www
access-list 100 tcp refuse any host 192.168.1.1 eq 443
access-list 100 tcp refuse any host 192.168.1.1 eq cmd
access-list 100 deny udp any host 192.168.1.1 eq snmp
access ip-list 100 permit a whole
Note access-list 101 category CCP_ACL = 1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
Note access-list 103 CCP_ACL category = 128
access-list 103 allow the ip 255.255.255.255 host everything
access-list 103 allow ip 127.0.0.0 0.255.255.255 everything
access-list 103 allow ip 93.179.203.160 0.0.0.7 everything
Note 104 CCP_ACL category = 0 access-list
IP access-list 104 allow any host 192.168.1.3
Note access-list 105 CCP_ACL category = 0
IP access-list 105 allow any host 192.168.1.2
-----------------------------------------------------------------------
^ C
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
access-class 102 in
transport input telnet ssh
line vty 5 15
access class 101 in
transport input telnet ssh
!
!
endI'd be grateful for help
concerning
Hello
Enter the subnet pool VPN to access-list 3 for source NAT
You may need to check the firewall also rules to allow the connection based on areas you
HTH,
Averroès
ASA 5510 - SSL VPN without CLIENT - remote desktop
Is it possible to make a desktop connection remote clientless SSL VPN with a browser? I know that I can do with client anyconnect SSL but I can do without a customer?
Yes it is possible, you must first make sure that you have transferred to the ASA RDP plugin. When you are editing you bookmarks, you will see an option for RDP.
Chrombook L2TP/IPSec for ASA 5510
Hello
I have trouble getting a chromebook to establish a remote access connection VPN using L2TP/IPsec for a Cisco ASA 5510 12 7.2 (5) running.
Run a debug crypto isakmp 5 I see the following logs (ip changed...)
Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, previously allocated memory of liberation for permission-dn-attributes
06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.
06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID remote Proxy Host: address 3.3.3.3, 17 of the Protocol, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID local Proxy Host: address 2.2.2.2, 17 of the Protocol, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, detected L2TP/IPSec session.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed its not found old addr
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto, check card = outside_map, seq = 1...
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto Card = outside_map, seq = 1, ACL does not proxy IDs src:1.1.1.1 dst: 2.2.2.2
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, only Tunnel UDP-encapsulated and UDP-encapsulated-Transport mode NAT-Traversal-defined selection
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, remote peer IKE configured crypto card: outside_dyn_map0
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, ITS processing IPSec payload
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, proposals of any IPSec security association has deemed unacceptable.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, error QM WSF (P2 struct & 0x3d48800, mess id 0xce12c3dc).
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, history of mistake IKE responder QM WSF (struct & 0x3d48800)
, : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, removing counterpart table correlator failed, no match!
1.1.1.1 = address remote chromebook NAT
2.2.2.2 = ASA 5510 acting as distance termintaion access point
3.3.3.3 = Chromebook private address
I noticed that the Chromebook is appearing as the ID of the remote proxy but later, he seeks the applied to the Chromebook NAT address. Not sure if this is the cause or how to solve this problem, if it is.
Can someone advise please
Thank you
Ryan
7.2 is old code. You can re - test with 9.0.x or 9.1.x.
ASA 5510 routing issue.
Forgive me if this get confused.
I have a new ASA 5510, I set it up to use VPN. I can via IPSEC vpn and connect to 2 of my et.64 sous-reseaux.0 (we have 4 subnets in our range) I can ping, http, connect to the shares, SSH, etc. I use the ACL of our outgoing VPN module, so I have nothing here should be bad. The problem I have is learning to our network of laboratories located on the sous-reseau.128. I can't ping, connect, http anything.
Is there some special routing I need to do so that people that VPN in to see this subnet? (For test purposes the ASA is located behind the firewall and connected directly to the sous-reseau.0 so I know this isn't the firewall and everything else on that subnet can see our lab).
Thanks for helping on the new guy.
Shawn
Shawn-
Your sous-reseaux.0 &.64 is considered to be "interesting traffic" (by an ACL) and they are not NAT had sent through the VPN tunnel. You must add the sous-reseau.128 two the ACL that says no NAT and that specifies traffic interesting. If you encounter some snags, post a sanitized config and we will be able to give a more detailed response.
HTH
False claims RADIUS of customer VPN Cisco ASA 5510
Hello world
I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) and AD.
Each time, when the client connects, ASA 2 RADIUS requests questions, correct first - which is successfully authenticated by FAC and immediately - second that always fails. I couldn't find information related to this strange behaivor. Function "Double Authentication" (more sympathetic to his name) is only accessible to Anyconnect customers who we do not. When I'm authenicated by using password group, there is only one query RADIUS.
What is the source of such behavior?
The negative impact is that my logs are filled with the failed authentication attempts fallacious and users are incrementig attempts failed in the AD meter.
Debugging of ASA:
-First application-
RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025
RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1
RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5
RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248
RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2
RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1
RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1
RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14
RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5
RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14
RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1
RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14
RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...
RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]
RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...
RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]
RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...
RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...
RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]
RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]
RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202
RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2
RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1
RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1
RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254
RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048
-The second request-
RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025
RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1
RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b
RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248
RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2
RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1
RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1
RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14
RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5
RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14
RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14
RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...
RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]
RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...
RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]
RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...
RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password
RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025
RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...
RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769
RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)
GBA debug:
-First application-
AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 userAUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04-The second request-
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
The ASA config:
Crypto ikev1 allow outside
Crypto ikev1 allow inside
IKEv1 crypto ipsec-over-tcp port 10000
life 86400
IKEv1 crypto policy 65535
authentication rsa - sig
3des encryption
md5 hash
Group 2
life 86400!
internal Cert_auth group strategy
attributes of Group Policy Cert_auth
client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list aclVPN2
the address value vpnpool pools
rule of access-client-none!
attributes global-tunnel-group DefaultRAGroup
address (inside) vpnpool pool
address vpnpool pool
authentication-server-group RADIUS01
authorization-server-group RADIUS01
authorization-server-group (inside) RADIUS01
Group Policy - by default-Cert_auth!
RADIUS protocol AAA-server RADIUS01
AAA-server host 10.2.9.224 RADIUS01 (inside)
key *.
RADIUS-common-pw *.
AAA-server host 10.4.2.223 RADIUS01 (inside)
key *.Hello
It is a 'classic' error and has nothing to do with dual authentication, but rather with the fact that you do both radius and authorization of RADIUS authentication.
If you remove this line:
authorization-server-group RADIUS01
you will see that it starts to work properly
In short: when ASA no authorization of RADIUS, it sends a request to access radius with the username as a password, that's why you see the second application fails all the time.
This is because the RADIUS authorization is intended to be used when authentication happens using certificates (only) so there is no password.
Also note that within the RADIUS protocol, authentication and authorization are not separate things, both occur in a single step. So if the ASA makes the radius authentication, he already gets the user attributes in the authentication step and it makes no sense to also make a separate authorization stage (except in a few very rare scenario where you have 2 radius servers, one for authentication and another for permission).
HTH
Herbert
ASA 5510 limit Session 2 Error Message
In ASDM I am trying to set the maximum number of SSL Sessions. According to the documentation by my Cisco ASA 5510 Cisco should withstand 250 concurrent SSL VPN sessions. But if you check my screen shot you will see that my ASA does not allow more than 1 or 2! What is happening with this?
http://www-search.Cisco.com/en/us/docs/security/ASDM/6_1/user/guide/vpn_web.PDF
What Miss me? I'm under SMDA 6.2 and the image is 8.21.
Hello
All ASA models (including the 5510), is compatible with only 2 connections VPN SSL factory.
Indeed, the SAA can support up to 250 VPN SSL connections, but for that, you must purchase an additional license.
Check out more information on the data sheet:
Federico.
IKEv2 VPN without using licensed SSL? (ASA-5512)
Hi all
I enabled Cisco 'Anyconnect Premium peers' for customer less connections vpn ssl, the obvious snag is that for Anyconnect ikev2 sessions he wants to use the SSL license pool instead of the IPSEC pool (which I have a lot of connection for 'peers VPN Total: 250' licenses.
* Is it possible to configure Anyconnect to connect through IPSEC and use licensed IPSEC (while keeping Premium Anyconnect active peers)?
* Should I consider 3rd third-party vpn outside Anyconnect clients?
CyA
Craig
Remote access to sessions with IKEv2 will always consume a Premium license. Change for another customer will not help unless you change to a customer that uses the legacy technology with EasyVPN. But this should not be the solution.
If you enable AnyConnect Essentials, you can use AnyConnect with IPSec the platform limit, but you cannot use the features award (as a clientless) more at the same time.
In a situation like that where many AnyConnect-Sessions are necessary and only a couple of sessions without client, I installed AnyConnectEssentials on the ASA principal and deployed an another ASA only for VPN without client. Due to the high cost of premium VPN licenses, is much cheaper then buying the Premium licenses for all VPN users.
Sent by Cisco Support technique iPad App
URL for access without client on SAA
Hello
I have an ASA with anyconnect configured profiles.
In one of these profiles, I want to activate VPN without client.
When I go to https://[asa address] get the instalation Anyconnect page.
How to make in the portal for client access?
Based on the above information, you can't clientless SSL VPN that you have active AnyConnect Essentials.
I saw that you have a license 2 (AnyConnect Essentials and AnyConnect Premium (10)), however, you can only activate one or the other, not both at the same time.
based on your webvpn configuration:
WebVPN
allow outside
AnyConnect essentials
You anyconnect essentials enabled, so you cannot have the premium activated anyconnect.
If you want to test the premium for clientless ssl vpn license, you will need to temporarily disable the anyconnect essentials.
to disable:
WebVPN
No anyconnect essentials
Hope that clears up the confusion.
Allow specific access through the Interfaces ASA 5510
Hi all
In my quest to learn Cisco IOS and devices, I need help in smoothing traffic, or access lists, allowing traffic between internal interfaces on the SAA specifically.
I have an ASA 5510:
WAN/LAN/DMZ ports labled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).
Connected to the port E0/0 is a 2811 router
Connected to the port E0/1 is the (external) Internet
Connected to the port E0/2 is a 2821
(I'll add a 3745 for VOIP) port E0/3, but it has not yet happened.
I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.
I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind routers, as well as on the ASA. So behind the routers I have different VLANS, but I'm not restrict access between them, still, at least I don't think I am. But as it is, behind the 2821 devices cannot access the DNS / DOMAIN SERVER that is located behind the 2811. Right now I have the routers DHCP power, who works there. Currently devices behind the router 2821-3560 switch cannot access the domain server, primary dns server.
How can I set the ASA to allow traffic to flow between the two routers and their VLANS?
Here's the configs of each device and I have also included my switch configs, incase something should be set on them. I only removed the passwords and the parts of the external IP address. I appreciate the help in which States to create and on which devices.
I think it is best that I put the links to the files of text here.
Thank you!
You must remove the following statements on the two routers:
-# ip nat inside source... overload
-for each # ip nat inside/outside interface, if they have configured.Remove ads rip of the networks that are not directly connected:
-2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
-2811: 199.195.xxx.0
-ASA: 128.0.0.0No way should be added to the routers, since he is the one by default, put in scene to ASA.
Check the tables of routing on routers and the ASA.
On ASA:
-Remove:
object-group network # PAT - SOURCE
# nat (indoor, outdoor) automatic interface after PAT-SOURCE dynamic source-create objects of the networks behind the LAN router and enable dynamic NAT:
network object #.
subnet
NAT (inside, outside) dynamic interface-review remains NAT rules.
-to set/adjust the lists access penetration on the interfaces. Do not forget to allow the rip on the LAN and DMZ interfaces.
-Disable rip on the outside interface.
ASA 5510 VPN multiple tunnels through different interfaces
Is it possible to create VPN tunnels on more than one interface to an ASA (specifically 5510 with 8.4), or I'm doing the impossible?
We have 2 public interfaces on our ASA connected to 2 different suppliers.
We must work L2L tunnels of the SAA for remote offices through the interface that is our ISP 'primary' and also used as our default gateway for internet traffic.
We are trying to install a remote office use our secondary connection for its tunnel (office of high traffic we would prefer separate away from the rest of our internet and VPN traffic).
I can create the tunnel with the ACL appropriate for traffic tunnel, card crypto, etc., put in place a static route to force ASA to use the secondary interface for traffic destined for the public of the remote gateway IP address, and when I finished, traffic initiated by the remote site will cause the tunnel to negotiate and find - I can see the tunnel in Show crypto ikev1 his as L2L answering machine MM_ACTIVE , Show ipsec his with the right destination and correct traffic local or remote identities for interesting, but the ASA local never tries to send traffic through the tunnel. If I use tracers of package, it never shows a VPN that is involved in the trafficking of the headquarters in the remote desktop, as if the SAA is not seeing this as for the corresponding VPN tunnel traffic.
If I take the exact same access and crypo card statements list and change them to use the primary ISP connection (and, of course, change the remote desktop IP connects to), then the connection works as expected.
What Miss me?
Here is a sample of the VPN configuration: (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice 192.168.3.0/24 is FieldOffice)
permit access list range 192.168.0.0 PUBLIC_B_map 255.255.254.0 192.168.3.0 255.255.255.0
NAT (Inside, PUBLIC_B) static source MainOffice MainOffice static FieldOffice FieldOffice
card crypto PUBLIC_B_map 10 corresponds to the address PUBLIC_B_map
card crypto PUBLIC_B_map 10 set counterpart x.x.x.x
card crypto PUBLIC_B_map 10 set transform-set ESP-3DES-SHA ikev1
PUBLIC_B_map PUBLIC_B crypto map interface
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
IKEv1 pre-shared-key *.
Route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1
If I take this same exact configuration and change it to use PUBLIC (our primary connection) instead of PUBLIC_B, remove the instruction PUBLIC_B route and change the desktop to point to the ip address of the PUBLIC, then everything works, so my access list and crypto map statements must be correct.
What I don't understand is why the ASA Head Office does not seem to recognize interesting for the tunnel traffic when the tunnel is for the second ISP connection, but works when it is intended for the main ISP. There is no problem of connectivity with the ISP Internet B - as mentioned previously, the tunnel will come and negotiate properly when traffic is started from the desktop, but the traffic of main office is never sent to the bottom of the tunnel - it's as if the ASA does not think that traffic of 192.168.0.x to 192.168.3.x should pass through the VPN.
Any ideas?
Hello
I think your problem is that there is no route for the actual remote network behind the VPN L2L through ISP B connection
You could try adding add the following configuration
card crypto PUBLIC_B_map 10 the value reverse-road
This should automatically add a static route for all remote networks that are configured in the ACL Crypto, through the interface/link-ISP B.
If this does not work, you can try to manually add a static route to the ISP B link/interface for all remote networks VPN L2L in question, and then try again.
The route to the remote VPN peer through the ISP B does not to my knowledge.
I would like to know if it works for you.
It may be useful
-Jouni
Remote access VPN with ASA 5510 by using the DHCP server
Hello
Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?
I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:
!
ASA Version 8.2 (5)
!
interface Ethernet0/1
nameif inside
security-level 100
IP 10.6.0.12 255.255.254.0
!
IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)
!
Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
!
Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dyn1 1jeu transform-set FirstSet
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
mymap map crypto inside interface
crypto ISAKMP allow inside
crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 43200
!
VPN-addr-assign aaa
VPN-addr-assign dhcp
!
internal group testgroup strategy
testgroup group policy attributes
DHCP-network-scope 10.6.192.1
enable IPSec-udp
IPSec-udp-port 10000
!
username testlay password * encrypted
!
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
strategy-group-by default testgroup
DHCP-server 10.6.20.3
testgroup group tunnel ipsec-attributes
pre-shared key *.
!
I got following output when I test connect to the ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO
4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048)
, : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740)
, : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80
Kind regards
Lay
For the RADIUS, you need a definition of server-aaa:
Protocol AAA - NPS RADIUS server RADIUS
AAA-server RADIUS NPS (inside) host 10.10.18.12
key *.
authentication port 1812
accounting-port 1813
and tell your tunnel-group for this server:
General-attributes of VPN Tunnel-group
Group-NPS LOCAL RADIUS authentication server
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteniIPS in ASA 5510 killing upload speed
I've recently updated by a circuit of ethernet metro 20 MB for a 100 Mb connection. My ASA 5510 severely limits the my download speed. I narrowed down it to the IPS module. If I stop to send traffic to the IPS, I get speeds of download between 50-85 Mbps. If I start sending through again, my download speeds are between 3-7 Mbps. In both cases, my speeds range between 70-92 MB/s, so it's really affecting only my upload speed. Is there anything I can do for my traffic IPS, so I can still use my modules and still take advantage of the speed upload huge we pay for?
Here is some info from my ASA:
I am matching all traffic:
allow traffic_for_ips to access extensive ip list a whole
Here is my policy and class parameters:
class-map inspection_default
match default-inspection-traffic
class-map-botnet-DNS
match eq field udp port
class-map ips_class_map
corresponds to the traffic_for_ips access list
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the ftp
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the preset_dns_map dns
class ips_class_map
IPS inline help
botnet-policy policy-map
botnet-DNS class
inspect the snoop-filter-dynamic dns
!
global service-policy global_policy
service-policy botnet-policy to the outside interfaceIf anyone has any ideas, I'd love to hear them. Thank you.
Created: May 13, 2011 18:49 created by: Chevrel, customer Aastha(AACHAUDH,265429) was experiencing slow download speeds (3-7 Mbps) on in ASA 5510 IPS module. Download the range of speeds between 70-92 MB/s
Used the workaround for the bug No. CSCsv69844 , i.e. to set the depth of Regex to 800000 (Please note that this workaround should not serve with the recommendation and approval of the ATC.)
Maybe you are looking for
Pavilion Notebook g130nr 17: WLAN Driver for Win7 Pro 64-bit
This laptop came w/Win10 installed, but downgraded for Win7 64 bit. Now can't find driver to run WLAN with the operating system. I tried driver updated, other ideas, nothing works. Seems that HP is no drivers for early OS programs run in their new PC
Need to access Code for an old hotmail account
Hi guys,. I have an old hotmail account which I had linked to my new. But recently its been hacked (sad, I know), but when I initially set up another email address, it's a friend - this account is now closed and cancelled, and now I can not on my acc
The crash dumped and lost the home screen.
Ideas: I'm working on a Vista Premium Pc. The client was downloading episodes of shows online tv and said what they crashdumped of PC and when they restarted the Office disappeared and is the only way they can move through the menu of the control pan
Display a dialog thread not event
I need to display a dialog of another point of entry (arrival of a push message). To do this, I need to create an instance of the Application on the other entry point and listen to push enter. The problem is when I express my application calls enterE
Appeal of scam of the person who claims to be from Microsoft
I just got a phone call from a foreign-sounding man, claiming he was from Microsoft and that if I did not comply with certain procedures on my keyboard, I drop windows 7 within a period of days. To start I found it very difficult to understand and se