ASA - what allows HTTP return traffic?

Hello

I'm just playing with a few ASAs and wondering what allows return HTTP traffic through the firewall? Also, what other traffic is allowed back by default, like HTTP?

Traffic is from a higher security interface (inside, 100) to a lower security interface (outside, 0). There are no ACLs applied on any interface.

I ask because ICMP does not work unless inspection is on (service-policy global_policy global).

Thanks for any help.

Firewalls like the ASA are stateful, so for TCP and UDP (albeit with UDP, state is handled a little differently) if traffic is allowed one way it automatically allows it back.

So when a connection is initiated, if it is permitted through the firewall it is recorded in the state table, and when the return packet arrives at the firewall, if there is a matching entry, the traffic is allowed and there is no ACL check.

The entry records the source and destination IPs and port numbers, and for TCP it also uses the connection flags.

ICMP doesn't use ports, so initially it could not be tracked and you had to allow it back with an ACL (if the traffic was from a lower to a higher security level).

But then stateful inspection was added for ICMP as well, though you still must enable it, unlike TCP and UDP.

Jon
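The behaviour Jon describes, as an added example that is not part of his answer or any Cisco code: a small Python model of a two-interface stateful firewall with no ACLs applied. It records outbound TCP/UDP flows in a state table keyed on protocol, addresses and ports, lets return traffic through only on a reversed match (no ACL lookup), drops a first TCP packet that is not a SYN, and treats ICMP as untracked unless ICMP inspection is enabled. The interface names and security levels (inside 100, outside 0), the sample hosts and the one-reply-per-request rule for inspected ICMP are the model's own assumptions, not taken from the thread.

```python
"""Toy model of ASA-style stateful filtering (constructed example, not ASA code).

Two interfaces, no ACLs applied. A packet may start a new flow only when it
goes from the higher security level to the lower one. The flow is recorded in
a state table keyed on protocol, source/destination address and ports (for
ICMP: identifier and sequence number). Return traffic is permitted only when it
matches an existing entry in reverse, without any ACL lookup. ICMP is entered
into the table only when ICMP inspection is enabled (`inspect icmp` in the
global policy); otherwise echo replies have no state to match and are dropped.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed interface table; inside=100 and outside=0 are the ASA defaults.
SECURITY_LEVEL = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Packet:
    iface: str              # ingress interface
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # for icmp: identifier
    dport: int = 0          # for icmp: sequence number
    tcp_flags: str = ""     # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    icmp_type: int = 0      # 8 = echo request, 0 = echo reply


FlowKey = Tuple[str, str, str, int, int]


@dataclass
class StatefulFirewall:
    inspect_icmp: bool = False
    table: Dict[FlowKey, str] = field(default_factory=dict)  # flow -> originating interface

    @staticmethod
    def _forward(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        if p.proto == "icmp":
            # identifier/sequence are the same in both directions
            return (p.proto, p.dst, p.src, p.sport, p.dport)
        return (p.proto, p.dst, p.src, p.dport, p.sport)

    def process(self, p: Packet) -> str:
        fwd, rev = self._forward(p), self._reverse(p)

        # Return traffic: a reversed entry exists, so it is allowed with no ACL check.
        if rev in self.table:
            if p.proto == "icmp":
                if p.icmp_type != 0:
                    return "deny: not an echo reply"
                del self.table[rev]          # assumed: one reply per tracked request
                return "allow: icmp reply matched state"
            return "allow: matched state"
        if fwd in self.table:
            return "allow: existing flow"

        # New flow: only higher -> lower security is allowed without an ACL.
        egress = "outside" if p.iface == "inside" else "inside"
        if SECURITY_LEVEL[p.iface] <= SECURITY_LEVEL[egress]:
            return "deny: lower-to-higher with no ACL"
        if p.proto == "tcp" and p.tcp_flags != "S":
            return "deny: first TCP packet is not a SYN"
        if p.proto == "icmp":
            if not self.inspect_icmp:
                return "allow: icmp forwarded but not tracked"
            if p.icmp_type != 8:
                return "deny: only an echo request opens icmp state"
        self.table[fwd] = p.iface
        return "allow: new flow recorded"


def demo(inspect_icmp: bool) -> Dict[str, str]:
    """Run constructed sample traffic through the model and collect the verdicts."""
    fw = StatefulFirewall(inspect_icmp=inspect_icmp)
    web, dns, client = "203.0.113.10", "203.0.113.53", "10.0.0.5"   # constructed hosts
    return {
        # HTTP: SYN out, SYN/ACK back; a SYN/ACK with no matching state is dropped
        "http_syn": fw.process(Packet("inside", "tcp", client, web, 40000, 80, "S")),
        "http_synack": fw.process(Packet("outside", "tcp", web, client, 80, 40000, "SA")),
        "stray_synack": fw.process(Packet("outside", "tcp", web, client, 80, 40001, "SA")),
        "ack_without_syn": fw.process(Packet("inside", "tcp", client, web, 40002, 80, "A")),
        # UDP: the reply matches the recorded query
        "dns_query": fw.process(Packet("inside", "udp", client, dns, 5353, 53)),
        "dns_reply": fw.process(Packet("outside", "udp", dns, client, 53, 5353)),
        # ICMP echo: the reply only gets back in when inspection tracked the request
        "ping_req": fw.process(Packet("inside", "icmp", client, web, 1234, 1, icmp_type=8)),
        "ping_reply": fw.process(Packet("outside", "icmp", web, client, 1234, 1, icmp_type=0)),
        "ping_reply_dup": fw.process(Packet("outside", "icmp", web, client, 1234, 1, icmp_type=0)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"inspect icmp = {mode}")
        for name, verdict in demo(mode).items():
            print(f"  {name:16} {verdict}")
```

Running it with `inspect_icmp=False` reproduces the original question: the HTTP SYN/ACK and the DNS reply come back on a state match, while the echo reply arrives with no entry to match and is dropped as lower-to-higher traffic; with `inspect_icmp=True` the echo request is recorded and exactly one reply is admitted.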

Tags: Cisco Security

Similar Questions

  • Site2Site VPN ASA 5505 - allow established traffic

    Hello

    I have an IKEv1/IPsec tunnel between two ASAs.

    One network with local LAN 10.31.0.0/16

    The other network with local LAN 172.21.0.0/24

    But I would like only traffic that is initiated from 10.31.0.0/16 to be allowed to 172.21.0.0/24, and not from 172.21.0.0/24 to 10.31.0.0/16. Is that possible?

    (replies back to 10.31.0.0/16 from the remote network 172.21.0.0/24 should be allowed)

    Best regards, Steffen.

    Hello

    If I didn't misunderstand the above question, then I think you might be able to do the following on the ASA with the local network 10.31.0.0/16.

    The ASA has the following global configuration, which is the default if you have not changed it

    sysopt connection permit-vpn

    This doesn't show in the CLI configuration, since the above is the default setting.

    You can check this with the command

    show run all sysopt

    This will list even the default settings

    Now, what this configuration essentially means is: allow ALL traffic that comes through a VPN connection to bypass the ASA interface ACL. So in your case, at the site where the ASA has the network 10.31.0.0/16, the ASA would allow connections coming from the other site's network 172.21.0.0/24 (as long as it was allowed on the other site's ASA LAN interface ACL).

    What you could do is insert the following configuration

    no sysopt connection permit-vpn

    What this would do is require you to ALLOW ALL traffic coming through the VPN connection in the 'outside' interface ACL of the ASA (which I assume is the name of the interface that handles your VPN connections). In other words, the VPN traffic would not get a "pass" through the 'outside' interface ACL; instead you must allow it like all other traffic from the Internet.

    If you decide to do this, then you MUST CONSIDER the following. If you have other VPN connections, such as other L2L VPN connections or VPN Clients, THEN you must first allow their traffic in your 'outside' interface ACL towards the ASA's LAN. If you don't do this and insert the above configuration, you will notice that their traffic will start getting blocked by the 'outside' interface ACL (or, if you don't have an ACL configured, the ASA's 'security level' will naturally block the traffic in the same way an ACL would).

    So if we assume that the L2L VPN is the only VPN you have configured on the ASA with 10.31.0.0/16, then the following changes would happen.

    • Hosts in the 10.31.0.0/16 network would be able to open connections to the remote network 172.21.0.0/24, provided the LAN interface ACL allows this traffic
    • Return traffic for these connections would of course be allowed by the ASA like all other traffic.
    • IF any connection attempts come in to the ASA with the 10.31.0.0/16 network from the 172.21.0.0/24 network, they would be dropped unless you ALLOW them in the 'outside' interface ACL

    Hope this made sense and helped

    Please consider marking the answer as correct if it answered your question.

    Naturally, ask more if necessary

    -Jouni
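    The decision Jouni describes, as an added example that is not part of his answer or any Cisco code: a Python model of how `sysopt connection permit-vpn` changes the fate of a new connection arriving decrypted from the tunnel. It parses a small ASA-style outside ACL, applies first-match-wins with the implicit deny, and skips the ACL entirely when the bypass is in effect. The ACL name OUTSIDE-IN, the second peer LAN 192.0.2.0/24, the Internet host and the inside hosts are assumptions for the example; return traffic for connections opened from 10.31.0.0/16 is handled by the connection table and is deliberately not modelled here.

    ```python
    """Constructed model (not ASA code) of the `sysopt connection permit-vpn` decision.

    A new connection arriving decrypted from a site-to-site tunnel either bypasses
    the ingress interface ACL (the default, `sysopt connection permit-vpn`) or is
    checked against that ACL like any other packet (`no sysopt connection
    permit-vpn`). Only new connections are modelled; return traffic for flows
    opened from the inside is handled by the connection table, not by the ACL.
    """
    import ipaddress
    from dataclasses import dataclass
    from typing import Dict, List, Tuple


    @dataclass(frozen=True)
    class Ace:
        action: str                     # "permit" or "deny"
        src: ipaddress.IPv4Network
        dst: ipaddress.IPv4Network


    def parse_ace(line: str) -> Tuple[str, Ace]:
        """Parse `access-list NAME extended permit|deny ip SRC DST`, where SRC/DST is
        `any`, `host A.B.C.D` or `A.B.C.D MASK`. Returns (acl name, Ace)."""
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended" or tok[4] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        name, action = tok[1], tok[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACE: {line!r}")

        def operand(i: int) -> Tuple[ipaddress.IPv4Network, int]:
            if tok[i] == "any":
                return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
            if tok[i] == "host":
                return ipaddress.IPv4Network(tok[i + 1]), i + 2
            return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}"), i + 2

        src, i = operand(5)
        dst, _ = operand(i)
        return name, Ace(action, src, dst)


    def acl_lookup(aces: List[Ace], src: str, dst: str) -> str:
        """First matching ACE wins; an ASA ACL ends with an implicit deny."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for ace in aces:
            if s in ace.src and d in ace.dst:
                return ace.action
        return "deny"


    def ingress_decision(aces: List[Ace], src: str, dst: str,
                         from_vpn: bool, sysopt_permit_vpn: bool) -> str:
        """Verdict for a new connection arriving on the outside interface."""
        if from_vpn and sysopt_permit_vpn:
            return "permit (VPN bypasses interface ACL)"
        return f"{acl_lookup(aces, src, dst)} (interface ACL)"


    # Constructed outside ACL: a second, hypothetical peer LAN 192.0.2.0/24 is
    # permitted in; the 172.21.0.0/24 remote LAN from the question is not.
    OUTSIDE_ACL = [
        "access-list OUTSIDE-IN extended permit ip 192.0.2.0 255.255.255.0 10.31.0.0 255.255.0.0",
        "access-list OUTSIDE-IN extended deny ip 172.21.0.0 255.255.255.0 10.31.0.0 255.255.0.0",
    ]


    def demo() -> Dict[str, str]:
        aces = [parse_ace(line)[1] for line in OUTSIDE_ACL]
        return {
            # default setting: the remote LAN gets in regardless of the outside ACL
            "remote_lan_default": ingress_decision(aces, "172.21.0.10", "10.31.0.5", True, True),
            # after `no sysopt connection permit-vpn`: the outside ACL decides
            "remote_lan_no_sysopt": ingress_decision(aces, "172.21.0.10", "10.31.0.5", True, False),
            "other_peer_no_sysopt": ingress_decision(aces, "192.0.2.7", "10.31.0.5", True, False),
            # plain Internet traffic never had the bypass
            "internet_host": ingress_decision(aces, "198.51.100.9", "10.31.0.5", False, True),
        }


    if __name__ == "__main__":
        for name, verdict in demo().items():
            print(f"{name:22} {verdict}")
    ```

    The "other_peer_no_sysopt" case is the caveat from the answer: once the bypass is removed, every other tunnel or remote-access pool needs its own permit in the outside ACL or it is cut off along with 172.21.0.0/24.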

  • Cisco ASA 5540 L2L VPN - one-way traffic only for a network pair

    Hello

    I'm a little confused as to what the problem is. This is the premise of the problem I'm facing.

    One of our big clients has a Cisco ASA5540 (8.2(2)) failover pair (active/standby). Early last year we configured a LAN-to-LAN VPN to a 3rd party site (a Checkpoint device on their end). It worked until early this week, when the connection suddenly started having problems.

    Only 1 of the 3 networks/hosts can access the remote network on the other side. The other 2 suddenly stopped working. We do not know of any change on our side, and the remote end also insists that their configurations are correct (and the information they sent me seems to be correct).

    So essentially the crypto domain is configured as follows:

    access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
    access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
    access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)

    NAT exemption has been configured as follows (interface names modified):

    nat (interface1) 0 access-list INSIDE-VPN-SHEEP

    access-list INSIDE-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    access-list INSIDE-VPN-SHEEP line 2 extended permit ip host 10.238.57.21 host 10.82.0.202

    nat (interface2) 0 access-list VPN-SHEEP

    access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

    After the problem started, only connections from the 10.207.0.0/16 network to the remote site's 10.82.0.200/30 worked. All other connections do not work.

    There have been no changes made on our side, and the remote side also insists there have been no changes. I also checked how long the ASAs have been up and how long the same device has been active in the failover. Both have been the same (about a year).

    The main problem is that users in 10.231.191.0/24 can't access the remote network. However, the remote users can initiate and bring up the VPN on their side but never get any return traffic. I've also checked that the routes are configured correctly in the core routers, so the return traffic for their connections should go back to the firewall.

    I also used packet-tracer to try bringing up the VPN tunnel (it even passes the VPN phases). To my understanding, packet-tracer alone with the source and destination IP addresses should bring up the VPN connection (even if it generates no actual traffic through the tunnel).

    This is the output of the following command: packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.82.0.200     255.255.255.252 outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group interface interface1
    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    Additional Information:

    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect http
    service-policy global_policy global
    Additional Information:

    Phase: 7
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
        NAT exempt
        translate_hits = 32, untranslate_hits = 35251
    Additional Information:

    - Phase 9 is a static NAT for the problem network to another interface. Don't know why it shows up in the output.

    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
    nat-control
      match ip inside 10.231.0.0 255.255.0.0 interface3 any
        static translation to 10.231.0.0
        translate_hits = 153954, untranslate_hits = 88
    Additional Information:

    - Phase 10 seems to be the default NAT for the local network when traffic goes to the Internet

    Phase: 10
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (interface1) 5 10.231.191.0 255.255.255.0
    nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside any
        dynamic translation to pool 5 (y.y.y.y)
        translate_hits = 3048900, untranslate_hits = 77195
    Additional Information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 12
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1047981896, packet dispatched to next module

    Result:
    input-interface: interface1
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    So basically the connection should correctly go into the L2L VPN, yet it does not. I tried generating basic client traffic (with a source IP address from the client network) and I see the connection on the firewall, yet there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall just forwards the packets out the external interface instead of encapsulating them for the VPN?

    And as I said, at the same time the remote end can bring up the connection between these 2 networks just fine, but just won't get any traffic back for their ICMP echo messages.

    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
    current_peer: y.y.y.y

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    If it was just a routing problem it would be a simple thing to fix, but it is not, because I can see the connection on the firewall (I have confirmed it on the core router as well), but the packets just don't get passed on to the VPN connection.

    Could this happen due to a bug in the ASA software? Could this be something with the Checkpoint VPN device? (I have absolutely no experience with Checkpoint devices)

    If there is any essential information that I can give, please ask.

    -Jouni

    Jouni,

    8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

    If this does not resolve the problem, I suggest opening a TAC case to get to the bottom of this ;-)

    Marcin
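    The symptom in this thread, the SA counters showing decaps climbing while encaps stays at 0, is easy to miss in a long "show crypto ipsec sa" listing. As an added example that is not part of the thread or any Cisco tooling, the Python below parses that output per SA and flags the ones carrying traffic in only one direction. The sample text is constructed: its first SA reuses the counters and identities quoted in the post (including the masked peer y.y.y.y), the second SA, the interface header and the crypto map name are invented for the example.

    ```python
    """Added check over `show crypto ipsec sa` output (not from the original post).

    Parses the per-SA counters and flags SAs where traffic flows only one way:
    decaps/decrypt climbing while encaps/encrypt stay at 0 means the ASA receives
    the peer's packets but never encrypts anything back, which is the symptom in
    the thread. SAMPLE is constructed from the counters quoted in the post plus
    one healthy SA; the interface header, crypto map name and second SA are
    assumptions for the example.
    """
    import re
    from typing import Dict, List, Tuple

    SAMPLE = """\
    interface: outside
        Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.1

          access-list VPN-TRAFFIC extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
          local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
          current_peer: y.y.y.y

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
          #send errors: 0, #recv errors: 0

          access-list VPN-TRAFFIC extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252
          local ident (addr/mask/prot/port): (10.207.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
          current_peer: y.y.y.y

          #pkts encaps: 198, #pkts encrypt: 198, #pkts digest: 198
          #pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
          #send errors: 0, #recv errors: 0
    """

    COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
    LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \((\S+)\)")
    REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+)\)")
    PEER_RE = re.compile(r"current_peer: (\S+)")


    def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
        """One record per SA; a record starts at its `local ident` line."""
        records: List[Dict[str, object]] = []
        current: Dict[str, object] = {}
        for raw in text.splitlines():
            line = raw.strip()
            if m := LOCAL_RE.match(line):
                current = {"local": m.group(1), "encaps": 0, "decaps": 0,
                           "encrypt": 0, "decrypt": 0}
                records.append(current)
            elif not current:
                continue                      # header lines before the first SA
            elif m := REMOTE_RE.match(line):
                current["remote"] = m.group(1)
            elif m := PEER_RE.match(line):
                current["peer"] = m.group(1)
            else:
                for key, val in COUNTER_RE.findall(line):
                    current[key] = int(val)
        return records


    def one_way_sas(records: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
        """(local, remote, reason) for SAs that receive without sending, or vice versa."""
        flagged = []
        for r in records:
            enc, dec = int(r["encaps"]), int(r["decaps"])
            if dec > 0 and enc == 0:
                flagged.append((str(r["local"]), str(r["remote"]),
                                "receive-only: peer traffic is decrypted but nothing is encapsulated back"))
            elif enc > 0 and dec == 0:
                flagged.append((str(r["local"]), str(r["remote"]),
                                "send-only: traffic is encapsulated but no return traffic is decrypted"))
        return flagged


    if __name__ == "__main__":
        for local, remote, why in one_way_sas(parse_ipsec_sa(SAMPLE)):
            print(f"{local} <-> {remote}: {why}")
    ```

    A receive-only SA points the investigation at the local side (the packet never reaches the crypto map, as the thread suspects), while a send-only SA points at the peer or at routing on the far end; either way the check narrows the question before opening a TAC case.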

  • Site-to-site VPN between a pair of ASA 5505s does not pass traffic

    The configurations are fairly simple. Ping between the two LAN PCs fails. "show crypto isakmp sa" and "show crypto ipsec sa" do have output, though.

    Please refer to the attached text and diagram files.

    I'm pre-configuring the ASAs, so the external interfaces have private IP addresses for the moment.

    All input is welcome.

    Thank you!

    Your configurations look simple.

    As the Phase 1 and Phase 2 SAs are coming up, the VPN seems correct.

    We see encaps leaving ASA1 and decaps on ASA2, but no return traffic seems to come in.

    I suspect a problem with the host 192.168.102.5. Can you capture packets on it and check that it receives the traffic initiated from the host 192.168.101.5 (ASA1 side) and that it answers with ASA2 as its default gateway?

  • I want to load a custom JavaScript on my machine to have a toolbar button in Firefox that allows me to set class tags to target on a web page.

    I want to be able to create a JavaScript function that allows me to target some class names on specific websites. I want to make a custom button to initialize the function in the Mozilla toolbar. Similar to Adblock, but as a toggle button so I can turn it on when I want to.

    Hello Kalevera, you could build a simple extension to achieve that, but this will obviously go beyond the scope of this support forum.

    For some resources to get started, you can refer to
    https://developer.Mozilla.org/en-us/add-ons/SDK
    https://developer.Mozilla.org/en-us/add-ons/SDK/low-Level_APIs/ui_button_toggle
    https://forums.Mozilla.org/viewforum.php?f=7

  • HP PhotoSmart 3210 all-in-one: I NEED the icon on my desktop that allows me to do scanning, cropping and saving for this printer

    My computer crashed

    I got it running again (after taking it to the repair shop), but I now need to install the icon that allows me to use all the features of the scanner.

    I have no idea where the disk is - I've looked everywhere, so I must assume it was thrown out by accident (we've had this printer for many years). That means I'm trying to find a way to do this without using the disk.

    I downloaded something from the HP site which allows me to use the scanner, but it doesn't let me crop what I scan. This feature is extremely important to me because I use it for business and need to crop photos all the time. For example, I tested it with a single 4 x 6 photo and it scanned all the white space as well... which is usually not serious, but there is no feature allowing me to choose which part of the scan I want to save.

    Please... oh please, please, please... let some knowledgeable do-gooder see this post and help me with this...

    No, it wasn't that... but thank you very much for offering to help me

    BUT... after several more searches, we found what worked (oh, thank God!)

    http://support.HP.com/us-en/document/c03286146

    Click on the blue highlighted link in the first paragraph: HP Print and Scan Doctor

  • Is there a product that allows me to run my Xbox Kinect over Cat5 cable, so that the Xbox can be in a different place from the television?

    My Xbox and TV aren't in the same place. I have Cat5e cables in the walls between the AV closet and the TV, but have no USB 2.0 cables for the Kinect in the wall. Rather than hacking open the walls, I want to run the Kinect over Cat5e and convert it back to USB before plugging into the Xbox. I've seen products online that allow you to do this, but they are not Microsoft products and they cost more than the Xbox! Can you suggest a solution to this problem?

    Thank you

    Hello

    Check with your local computer store.

    Answers has no influence on Xbox or Xbox Live if you need to contact them.

    XBox - Support
    http://support.Xbox.com/en-us/pages/default.aspx

    XBox - Contact us (support)
    http://support.Xbox.com/en-us/contact-us

    XBox - Support Forums - and My XBox (top-right)
    http://forums.Xbox.com/

    Xbox technical support phone number

    • Toll-free: (800) 4MY-XBOX or (800) 469-9269

    I hope this helps.

    Rob Brown - Microsoft MVP

  • Media player that allows some of my WAV files to be played at a faster speed, but other WAV files are NOT allowed to play at a faster speed.

    Original title: WAV file: Windows Media Player

    Media player that allows some of my WAV files to be played at a faster speed, but other WAV files are NOT allowed to play at a faster speed.  Any suggestions on how to fix this?

    Thank you

    Hello
    1. Did you make any changes to your computer before this problem?
    2. What happens when you try to play them?
    3. What operating system is running on your computer?

    Which version of the Windows operating system am I running?
    http://Windows.Microsoft.com/en-us/Windows7/help/which-version-of-the-Windows-operating-system-am-i-running
    Follow the suggestions and see if they help.

    Method 1

    You can run the Windows Media Player settings troubleshooter.
    Open the Windows Media Player settings troubleshooter
    http://Windows.Microsoft.com/en-us/Windows7/open-the-Windows-Media-Player-settings-Troubleshooter

    Method 2
    You can read the article and then check.
    Change playback speed in Windows Media Player
    http://Windows.Microsoft.com/en-us/Windows7/change-playback-speed-in-Windows-Media-Player

    See also:
    Play an audio or video file: frequently asked questions
    http://Windows.Microsoft.com/en-us/Windows7/play-an-audio-or-video-file-frequently-asked-questions
    Play an audio or video file
    http://Windows.Microsoft.com/en-us/Windows7/play-an-audio-or-video-file

  • Rumors of new device for xbox 360 that allows players to play the Kinect in less space?

    Will there be a new device for xbox 360 that allows players to play the Kinect in less space?

    Hello

    You will need to check with the Xbox Forums.

    XBox - Support Forums - and My XBox (top-right)
    http://forums.Xbox.com/

    XBox - Kinect
    http://www.Xbox.com/en-us/Kinect

    I hope this helps.

    Rob Brown - Microsoft MVP

  • We use a script that allows users to log on only once.

    We use a script that allows users to log on only once.
    However, some users need a second logon possibility.
    How can this be handled in a script?

    The users in question are members of the same security group.

    We're using Windows Server 2003 with XP clients.

    Hello

    Your question of Windows 7 is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in Windows 7 IT Pro Technet Forums network.

    http://social.technet.Microsoft.com/forums/en/category/WindowsServer/

    I hope this helps.

  • Download a new version of Disk Defragmenter that allows scheduled defragmentation?

    Download a new version of Disk Defragmenter that allows scheduled defragmentation? I use Windows XP. My laptop, using Windows 7, has that feature.

    Original title: Disk Defragmenter

    Hi, Frank III,

    The following link contains useful information on this topic: http://support.microsoft.com/kb/130539
    Basically, Diskeeper Corp. (now Condusiv Technologies), which provided the tool found in the Windows Defragmenter, also offers a product called Diskeeper that automatically removes and prevents fragmentation.
    I hope this helps!
    -Alex
  • I am trying to create a VPN connection, but when I get to the step that allows me to create the VPN, the radio buttons are greyed out.

    I am trying to create a VPN connection, but when I get to the step that allows me to create the VPN, the radio buttons are grayed out; it seems a Windows component is missing and it does not allow me to create a VPN. I am running Windows XP Home Edition. I recently had a malware attack and had to quarantine and fix trojan attempts. After the restoration, I found that my previous VPN connection was broken. When I try to add a new connection, I'm stuck on the Network Connection screen, where the "Virtual Private Network connection" radio button in the wizard is grayed out and cannot be checked.

    Hello

    Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the Windows XP TechNet forum. You can follow the link to your question:

    http://social.technet.Microsoft.com/forums/en/itproxpsp/threads

  • Recently I installed Wubi, an application that allowed me to try out Ubuntu while still keeping my installation of Windows XP. Since I've uninstalled Ubuntu, the microphone has stopped recording

    Recently I installed Wubi, an application that allowed me to try out Ubuntu while still keeping my installation of Windows XP. Since I've uninstalled Ubuntu, the microphone has stopped recording

    I tried looking at http://support.microsoft.com/ph/1173 and searched for my problem on that page, but I came up with results relating to Windows 95.

    I checked the "Recording Control" and other such options in my Control Panel. Yet I came up empty; any suggestions in that area of the Control Panel, or elsewhere, would be greatly appreciated. Thank you

    Hello Purplehaze412,

    Thank you for your message.  What kind of microphone do you have?  Is it USB, or does it plug into the microphone port like the speakers or headphones?
    If it uses the headphone-style jack:
    Click "Start" > click "Control Panel" > double-click "Sounds and Audio Devices".
    Select the "Audio" tab.
    Under "Sound recording", can you change the default device?
    If it is USB, try the following:
    Click "Start" > right-click "My Computer" > select "Manage".
    Select "Device Manager".
    Double-click "USB" - remove your microphone device, unplug the microphone, then plug it back in so it is recognized again.
    We look forward to hearing back from you.
    See you soon

    Engineer Jason Microsoft Support answers visit our Microsoft answers feedback Forum and let us know what you think.

  • Where can I get the best version of Windows Movie Maker that allows me to publish movies in FULL HD? For WINDOWS 7 RC

    Where can I get the best version of Windows Movie Maker that allows me to publish movies in FULL HD? For windows 7 rc?

    Hello, sebianoti

    Please use the Forum for answers and help to test Windows 7!

    Windows Movie Maker is no longer included in Windows 7. Be sure to check the Windows Live Movie Maker beta available at http://download.live.com/moviemaker.

    Let us know if that helps.

    David
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • What happened to my touchpad - it worked before, but work done on the laptop changed that. When I go into Devices and the Mouse and Pointer manager I can't find the touchpad

    What happened to my touchpad - it worked before, but work done on the laptop changed that.  When I go into Devices and the Mouse and Pointer manager

    Hello AndreauLuty,

    It will be different depending on the manufacturer of your computer. Go to the Control Panel and go to the Mouse option. On some computers there is a tab for the touchpad, and you can turn it off from there.

    See the TechNet thread below that describes how to disable the touchpad.
    http://social.technet.Microsoft.com/forums/en/w7itprogeneral/thread/a2c8b891-09a0-4F0A-9419-c21190fff642

    I hope this helps.

    Marilyn
