ASA5505 NTP Config
Hello
We have standalone hosts (not on a main domain controller) behind an ASA 5505 and we want to set their clocks to synchronize with an external NTP source. I wasn't sure if I could configure the ASA to use external NTP sources and then point the hosts to synchronize their clocks with the clock of the ASA. What is a good implementation?
Thanks in advance.
Best, ~ zK
The ASA can act as an NTP client, not as a server.
Just point the hosts to an external NTP server and let them synchronize. If you have an access list on your inside interface (restricting the outbound traffic from your LAN), then just add a statement permitting NTP (123/udp).
Tags: Cisco Security
Similar Questions
-
All,
I have a working NTP config, but the time on all my routers is off due to DST. I am on the East side. Is it possible to configure the NTP config to include daylight saving time?
Mario
I think that the answer you are looking for is not in the NTP config but in a clock command. Try this:
clock summer-time EDT recurring
I guess that your config probably includes:
clock timezone EST -5
which establishes that you are in the Eastern time zone. Otherwise, the time would appear as UTC.
HTH
Rick
-
There is a lot of discussion about it in other communities, but I need to make sure I'm set up correctly for my environment.
I have no internal NTP servers, so I put the correct date and time (my time zone) in the BIOS of my server. For setting up NTP on ESXi I thought of using pool.ntp.org. I've never used this before, but a lot of people here seem to use it.
My time zone is UTC/GMT + 2 hours (Sweden) and in looking at pool.ntp.org servers:
0.se.pool.ntp.org
1.se.pool.ntp.org
2.se.pool.ntp.org
3.se.pool.ntp.org
My simple question is: should I enter all four in the NTP configuration, and should I also synchronize time from the BIOS of the server?
With regard to my VMs, I guess I would use VMware Tools to synchronize with the ESXi host and disable Windows automatic time updates, correct?
Thank you
Not much you can do. iLO takes whatever the system clock is, or an iLO agent running on the host operating system. In this case, ESXi uses offsets from GMT and resets the host clock to GMT time. Might be worth pointing out to HP that the CIM providers could communicate time zone information to the iLO?
-
Dell Force10 S50N time in the log
Hello
First of all, I hope this is a good place to ask a question about Force10 devices; if not, please forgive me and point me to the right place.
I have the following two stacked devices:
System type: S50N
Dell Force10 Operating System Version: 1.0
Dell Force10 Application Software Version: 8.4.2.6
Recently I configured a time source using NTP. The show clock command returns the right time, and the NTP config also seems OK.
I want the switch to have the correct date and time in its timestamps; however, when logging in, show logging shows this:
32w6d12h: STKUNIT1% m: % LACP CP...
32w6d12h: STKUNIT1% m: % LACP CP...
32w6d12h: % STKUNIT1-% M:CP CMEA...
What am I missing to set up so that the date and time are stamped in the event logs?
(I'm a beginner in the Force10 and switch world)
Appreciate any help
Hello
I had found the service timestamps command before, but I was too blind to enter config mode.
That worked very well.
Thank you very much
-
"no crypto isakmp nat-traversal" after restart
Hello
With ASA software version 8.0, we noticed that whenever we restart the device, the configuration line:
no crypto isakmp nat-traversal
appears in the configuration.
It is very annoying, because NAT-T obviously does not work then.
Any of you noticed that too?
Ideas?
Thank you very much.
Marco Pizzi.
Hi Marco,
This is a bug in ASA software version 8.x and there are workarounds:
CSCsj52581 Bug details
Inconsistent "no crypto isakmp nat-traversal" configuration after reboot
Symptom:
After a reload of the ASA, the global command "no crypto isakmp nat-traversal" appears in the running-config even though it is not present in the startup-config.
Conditions:
None
Steps to reproduce:
bsns-asa5505-1(config)# crypto isakmp nat-traversal
bsns-asa5505-1(config)# copy run start
bsns-asa5505-1(config)# sh run all | inc nat
crypto isakmp nat-traversal 20
bsns-asa5505-1(config)# sh start | inc nat
bsns-asa5505-1(config)#
After reloading the ASA:
bsns-asa5505-1# sh run all | inc nat
no crypto isakmp nat-traversal
bsns-asa5505-1# sh start | inc nat
bsns-asa5505-1#
Workaround:
(1) Use a non-default value, for example "crypto isakmp nat-traversal 21".
(2) Enable "crypto isakmp nat-traversal" after the restart of the ASA if you want to use the default value. The default value is: crypto isakmp nat-traversal 20
Radim
-
I was looking at this example and did not find a clear explanation of the use of
tunnel-group DefaultL2LGroup
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b3d511.shtml
Why is the pre-shared-key * different from the pre-shared key the example talks about, cisco123? Is it a wildcard to accept any identification key offered by the spokes? Can it be set, or is it set as it is? I don't see the advantage if it's 'accept all'.
Thank you
Pete
Pete,
"*" is how the ASA displays a key; it is hidden when you list the running configuration.
bsns-asa5505-19# conf t
bsns-asa5505-19(config)# tunnel-group BERN ipsec-attributes
bsns-asa5505-19(config-tunnel-ipsec)# ikev1 pre-shared-key 1234556778
bsns-asa5505-19(config-tunnel-ipsec)# sh run tunnel-group BERN ipsec-attri
tunnel-group BERN type remote-access
tunnel-group BERN ipsec-attributes
ikev1 pre-shared-key *****
There is no 'accept all' in IKE, given that this key is used to protect and decode the IKE identities.
Also, take a look in the tunnel-group mapping.
At a glance: by default, tunnel groups are used as a last-ditch effort in matching. That is, they will receive most of the peers with dynamic (or unspecified) IPs.
M.
-
Dynamic DNS for an IPsec tunnel on PIX
We have a pair of PIX running 6.3(5), and a separate company must be connected to us. The remote company has a dynamic IP address on its firewall, but it is registered with dyndns.com. As far as I know, the PIX does not do DNS lookups for this, so this configuration will not work unless we manually change the 'name' entry on our firewall. Is this correct? Thank you
Hello
Sorry for the delay.
The idea is that your dynamic peers land on a dynamic crypto map (you can still match within the dynamic crypto map):
bsns-asa5505-19(config)# crypto dynamic-map DYNMAP 10 match address ?
configure mode commands/options:
WORD  Access-list name
Here's how you can make them land on different map entries.
With regard to matching by peers: I did check the behaviour in the lab, and what you say is true; you can, for example, use DNS.
IOS has the 'dynamic' keyword for the router to do name resolution when initiating the tunnel.
An enhancement on the ASA side has never been implemented:
Marcin
-
Automatic installation using KS.cfg
I created the KS.cfg file using the GUI installation. I want to be able to use it to install about 20 ESX hosts. I know where to modify the partition information, server name and IP address for each server. My question is how to add this to the installation, since USB will not work because it's a blade server at a remote location. Installation will be done remotely through the iLO. I saw where someone suggested inserting this into the ISO file with Magic ISO. How would this work for 20 servers, since I assume you will need a KS.cfg file for each server? Also, what do people add to the post-installation script? NTP config, virtual switch configuration, firewall configuration?
Thank you
Mike
msemon1 wrote:
So if I have 20 ESX host I have to inject 20 KS.cfg files into ISO and choose which on startup?
Indeed, all 20 must be injected into the ESX installation media. Editing isolinux.cfg lets you just arrow down to them. Very easy installation.
-
Need help with Config VPN on ASA5505
Our client has a vendor who needs to establish a VPN tunnel to their own router, which sits behind our firewall.
VPN concentrator (Vendor) <-------> ASA5505 customer (7.2) <-------> 3750 switch <-------> VPN router (Vendor)
Here is the implementation information:
ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3
ASA inside the Interface - 172.20.58.13/30
3750 switch Interface connected to ASA - DG - 172.20.58.13 and 172.20.58.14/30
3750 switch Interface connected to router VPN - 172.20.58.21
The Interface of the VPN router connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21
I have also attached a Visio for this and the current running configuration of the ASA and 3750. We have no access to the TNS VPN router.
Our responsibility is just to make sure that the tunnel comes up.
You kindly help me with this?
Here is what I intend to do:
(1) Create a static NAT on the ASA from the public to the private IP address of the VPN router
Public - 208.64.1x.x5 / 28
Private - 172.20.58.21 / 30
Will the ASA automatically ARP for this address, or do I have to configure another interface on the ASA with this public IP address?
(2) What would the access list on the ASA be?
(3) The customer gave us some config to copy onto the ASA so that they can create the tunnel, but I couldn't put these commands into the ASA. How would this apply, and to which interface?
Firewall access: the information below is about access between the VPN router and the VPN concentrator. If a firewall/router is present in front of the VPN services, it must permit:
permit esp any host 208.224.x.x
permit gre any host 208.224.x.x
permit udp any host 208.224.x.x eq isakmp
permit udp any host 208.224.x.x eq non500-isakmp
permit esp any host 204.8.x.x
permit gre any host 204.8.x.x
permit udp any host 204.8.x.x eq isakmp
permit udp any host 204.8.x.x eq non500-isakmp
permit tcp 206.x.x.0 0.0.0.255 any eq 22
permit tcp 206.x.x.0 0.0.0.255 any eq telnet
permit udp any host 208.224.x.x
permit udp any host 208.224.x.x
Can someone help me with the commands I need to run on the ASA? The 5505 is running 7.2(4) code.
Thanks in advance.
HS
Your steps are correct; you need to configure static NAT and an access list to allow the access.
The static NAT would be as follows:
static (inside,outside) 208.64.1x.x5 172.20.58.21 netmask 255.255.255.255
You also need a route on the inside interface towards 172.20.58.21:
route inside 172.20.58.21 255.255.255.255 172.20.58.14
Do you already have an access list on the outside interface? If you have, then just add to the existing access list; if you don't have one, then add the following:
access-list outside-acl permit udp any host 208.64.1x.x5 eq 500
access-list outside-acl permit udp any host 208.64.1x.x5 eq 4500
access-list outside-acl permit esp any host 208.64.1x.x5
access-group outside-acl in interface outside
If you also have an inside interface access list, you must also allow the traffic through as follows (use the name of your existing inside access list in place of <inside-acl>):
access-list <inside-acl> permit udp host 172.20.58.21 any eq 500
access-list <inside-acl> permit udp host 172.20.58.21 any eq 4500
access-list <inside-acl> permit esp host 172.20.58.21 any
If you don't have any inside interface access list, then you don't need to configure it.
Hope that helps.
-
ESXi host does not synchronize with NTP - causes HA config failures?
Hello
We are currently implementing some Cisco UCS systems. We are using Cisco UCS B200 M1 blades (X5670, 48 GB of RAM).
Everything seems to work fine except these little things, which seem to be related.
1. NTP synchronization is not happening, or is happening very slowly.
2. A 10-host cluster, when configured for HA, has many hosts that fail to be configured for HA (for example, only 2 hosts out of 10 got properly configured for HA).
Initially I thought problems 1 and 2 were not related, but then I remembered reading somewhere that the ESXi hosts must be time-synchronized for HA to work.
On question No. 1:
The 10 hosts have a difference of 5-6 minutes between them. Curiously, the first hosts that are connected to an HA cluster, if their time is similar, will work.
But the others, which are more than 1 to 2 minutes off, will fail. Our NTP is configured with 2 internal NTP servers, which sync with the outside world. The 2
NTP servers are:
The default gateway of each ESXi
The network core switch
We know that the NTP servers work correctly because our AD is synchronized with them, and we checked our main domain controller's local time against the external time source.
Debug information
Output of /etc/ntp.conf
~ # cat /etc/ntp.conf
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
server 10.*
server 10.*
driftfile /etc/ntp.drift
Everything has been configured through the GUI; I show the output of ntp.conf for confirmation.
We tried restarting the hosts (without success).
Does anyone know what we can do to solve this?
Thank you
Ionut
Have you tried restarting NTP?
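A way to check the symptom described in this exchange on each host before touching HA, as an added example that is not part of the thread or of any VMware tooling: it parses `ntpq -p` style peer tables and reports which hosts have no selected sync peer, cannot reach their servers at all, or carry an offset large enough that ntpd will step rather than slew the clock. The hostnames, peer addresses and offsets in the sample tables are constructed assumptions.

```python
"""Assess NTP sync state from ntpq -p style peer tables.

Added example, not code from the thread or from VMware/Cisco. It parses the
constructed peer tables below (the shape `ntpq -p` prints on an ESXi or Linux
host), reports whether each host has a selected sync peer (the '*' tally
code) and how far off its clock is, and classifies each offset by what ntpd
would do with it. Hostnames, peer addresses and numbers are constructed.
"""

# ntpd behaviour thresholds (well-known defaults, not taken from the thread)
STEP_THRESHOLD_MS = 128.0            # below: slewed gradually; above: clock is stepped
PANIC_THRESHOLD_MS = 1000 * 1000.0   # above: ntpd refuses to set the clock unless started with -g


def parse_peers(table):
    """Parse an ntpq -p peer table into a list of peer dicts.

    Column order is: remote refid st t when poll reach delay offset jitter,
    preceded by a one-character tally code ('*' = selected sync peer,
    '+' = candidate, ' ' = discarded or not yet reachable).
    """
    peers = []
    for line in table.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue  # header rows
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue  # not a peer row
        remote, refid, stratum, _t, _when, _poll, reach, _delay, offset, _jitter = fields
        peers.append({
            "tally": tally,
            "remote": remote,
            "refid": refid,
            "stratum": int(stratum),
            "reach": int(reach, 8),      # reach is an octal shift register of the last 8 polls
            "offset_ms": float(offset),
        })
    return peers


def assess(peers, max_offset_ms=STEP_THRESHOLD_MS):
    """Classify a host: synced, no_sync_peer, no_reachable_peer or offset_too_large."""
    reachable = [p for p in peers if p["reach"] > 0]
    sync = next((p for p in peers if p["tally"] == "*"), None)
    worst = max((abs(p["offset_ms"]) for p in reachable), default=0.0)
    if sync is None:
        status = "no_reachable_peer" if not reachable else "no_sync_peer"
    elif abs(sync["offset_ms"]) > max_offset_ms:
        status = "offset_too_large"
    else:
        status = "synced"
    return {"status": status,
            "sync_peer": sync["remote"] if sync else None,
            "worst_offset_ms": worst}


def step_kind(offset_ms):
    """What ntpd does with an offset of this size: slew, step, or panic (exit)."""
    magnitude = abs(offset_ms)
    if magnitude < STEP_THRESHOLD_MS:
        return "slew"
    if magnitude < PANIC_THRESHOLD_MS:
        return "step"
    return "panic"


def hosts_needing_attention(tables):
    """Return (host, status) for every host whose table does not show a clean sync."""
    flagged = []
    for host, table in sorted(tables.items()):
        status = assess(parse_peers(table))["status"]
        if status != "synced":
            flagged.append((host, status))
    return flagged


# Constructed sample tables: one healthy host, one that cannot reach its servers,
# one whose servers answer but whose clock is ~5 minutes off and not yet selected.
ESX01 = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.0.1       192.43.244.18    2 u   34   64  377    0.512   -1.234   0.456
+10.10.0.2       129.6.15.28      2 u   12   64  377    0.611    2.010   0.322
"""
ESX02 = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.10.0.1       .INIT.          16 u    -   64    0    0.000    0.000   0.000
 10.10.0.2       .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""
ESX03 = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.10.0.1       192.43.244.18    2 u   55   64   17    0.498  312045.1   0.900
 10.10.0.2       129.6.15.28      2 u   50   64   17    0.602  312044.8   0.850
"""
SAMPLE_HOSTS = {"esx01": ESX01, "esx02": ESX02, "esx03": ESX03}

if __name__ == "__main__":
    for host, table in SAMPLE_HOSTS.items():
        result = assess(parse_peers(table))
        print(host, result["status"], "worst offset:", result["worst_offset_ms"], "ms",
              "->", step_kind(result["worst_offset_ms"]))
    print("needs attention:", hosts_needing_attention(SAMPLE_HOSTS))
```

Run it against the real `ntpq -p` output of each host; a host like the constructed esx03, reachable but several minutes off and without a '*' peer, is the one whose daemon is worth restarting first, since ntpd will step the clock once a peer is selected but will refuse to do so past its panic threshold.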
-
I read somewhere that it is best to set the BIOS clock to UTC on your physical hosts and use NTP to synchronize... is this true?
In addition, when using the public NTP servers, I can't tell if I have to use
pool.ntp.org
or
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
ESXi uses UTC and, if I remember correctly, will set the machine clock accordingly. Each of the pool.ntp.org references is fine, but it is useful to use something higher up in the chain. In North America, using 0.north-america.pool.ntp.org can get you less crowded servers that are geographically closer.
0.north-america.pool.ntp.org
1.north-america.pool.ntp.org
2.north-america.pool.ntp.org
-
Need help to access the internal network via VPN on ASA5505 8.4(1)
Recently I upgraded my ASA5505 from 8.02 to 8.4, and since the update I can no longer access my home network through the VPN. I can connect to the VPN with no problems; however, I can no longer ping or connect to my 10.0 network. Would someone be kind enough to look at my config and tell me what needs to be added to make it work? In my old config I had a NAT statement for the VPN that is no longer here.
I also wanted to configure WebVPN to work as well, which is something I've never been able to understand. Is it also possible for me to be on my 20.0 network, connect to the VPN and access 10.0 as well? When connected to my 20.0 network I'm not prompted for credentials to connect to the VPN. I would be grateful if someone could help me out. The major part of this is the first part of the question.
My configuration:
ASA Version 8.4(1)
!
hostname ASA5505
domain-name xxxxxxxx.dyndns.org
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
name 192.168.10.2 server
name 192.168.10.3 desktop
name 192.168.10.5 canon
name 192.168.10.6 mvix
name 192.168.10.7 xbox
name 192.168.10.8 dvr
name 192.168.10.9 bluray
name 192.168.10.10 lcd
name 192.168.10.11 mp620
name 192.168.10.12 kayla
name 192.168.1.1 asa5505
name 192.168.1.2 ap1
name 192.168.10.4 mvix2
name 192.168.10.13 lcd2
name 192.168.10.14 dvr2
!
interface Vlan1
 nameif management
 security-level 100
 ip address asa5505 255.255.255.248
 management-only
!
interface Vlan2
 mac-address 0050.8db6.8287
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 nameif private
 security-level 100
 ip address 192.168.10.1 255.255.255.224
!
interface Vlan20
 nameif Public
 security-level 100
 ip address 192.168.20.1 255.255.255.224
!
interface Ethernet0/0
 description pointing to WAN
 switchport access vlan 2
!
interface Ethernet0/1
 description Uplink port Linksys 12
 switchport access vlan 10
!
interface Ethernet0/2
 description Server 192.168.10.2/27
 switchport access vlan 10
!
interface Ethernet0/3
 description Uplink Eth1 management
!
interface Ethernet0/4
 switchport access vlan 30
!
interface Ethernet0/5
 switchport access vlan 30
!
interface Ethernet0/6
 switchport access vlan 30
!
interface Ethernet0/7
 description Cisco 1200 Access Point
 switchport trunk allowed vlan 1,10,20
 switchport trunk native vlan 1
 switchport mode trunk
!
banner motd users only, all others must disconnect now!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxx.dyndns.org
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
object network server
 host 192.168.10.2
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.224
object network obj-192.168.20.0
 subnet 192.168.20.0 255.255.255.224
object network server-01
 host 192.168.10.2
object network server-02
 host 192.168.10.2
object network xbox
 host 192.168.10.7
object network xbox-01
 host 192.168.10.7
object network xbox-02
 host 192.168.10.7
object network xbox-03
 host 192.168.10.7
object network xbox-04
 host 192.168.10.7
object network server-03
 host 192.168.10.2
object network server-04
 host 192.168.10.2
object network server-05
 host 192.168.10.2
object network desktop
 host 192.168.10.3
object network kayla
 host 192.168.10.12
access-list Home_VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.224
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 2325
access-list outside_access_in extended permit tcp any object server eq ftp
access-list outside_access_in extended permit tcp any any eq 5851
access-list outside_access_in extended permit udp any any eq 5850
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit udp any any eq syslog
access-list outside_access_in extended permit udp any any eq 88
access-list outside_access_in extended permit udp any any eq 3074
access-list outside_access_in extended permit tcp any any eq 3074
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any object server eq ssh
access-list outside_access_in extended permit tcp any any eq 2322
access-list outside_access_in extended permit tcp any any eq 5900
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit udp any any eq 5852
access-list KaileY_splitTunnelAcl standard permit 192.168.10.0 255.255.255.224
pager lines 24
logging enable
logging timestamp
logging buffer-size 36000
logging buffered warnings
logging trap debugging
logging asdm informational
logging from-address <email redacted>
logging recipient-address <email redacted> level errors
logging host management server
mtu management 1500
mtu outside 1500
mtu private 1500
mtu Public 1500
ip local pool IPPOOL 192.168.50.2-192.168.50.10 mask 255.255.255.0
ip local pool VPN_POOL 192.168.100.2-192.168.100.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network server
 nat (private,outside) static interface service tcp ftp 5851
object network obj-192.168.10.0
 nat (private,outside) dynamic interface
object network obj-192.168.20.0
 nat (Public,outside) dynamic interface
object network server-01
 nat (private,outside) static interface service tcp 2325 2325
object network server-02
 nat (private,outside) static interface service udp syslog syslog
object network xbox
 nat (private,outside) static interface service udp 88 88
object network xbox-01
 nat (private,outside) static interface service udp 3074 3074
object network xbox-02
 nat (private,outside) static interface service tcp 3074 3074
object network xbox-03
 nat (private,outside) static interface service tcp domain domain
object network xbox-04
 nat (private,outside) static interface service udp domain domain
object network server-03
 nat (private,outside) static interface service tcp https https
object network server-04
 nat (private,outside) static interface service tcp ssh 2322
object network server-05
 nat (private,outside) static interface service tcp 5900 5900
object network desktop
 nat (private,outside) static interface service tcp 3389 3389
object network kayla
 nat (private,outside) static interface service udp 5852 5852
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.248 management
http redirect outside 80
snmp-server location Office floor
snmp-server contact <email redacted>
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.248 management
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 30
management-access management
dhcpd dns 24.205.1.14 66.215.64.14
dhcpd ping_timeout 750
dhcpd domain xxxxxxxx.dyndns.org
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.5 management
dhcpd enable management
!
dhcpd address 192.168.10.20-192.168.10.30 private
dhcpd enable private
!
dhcpd address 192.168.20.2-192.168.20.30 Public
dhcpd enable Public
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18
ntp server 129.6.15.28
webvpn
group-policy Home_VPN internal
group-policy Home_VPN attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol ikev1 ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Home_VPN_splitTunnelAcl
 default-domain value www.xxxxxx.com
 address-pools value IPPOOL
 webvpn
  url-list value ClientlessBookmark
group-policy kikou internal
group-policy kikou attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value KaileY_splitTunnelAcl
 default-domain value xxxxxxx.dyndns.org
username scottrog password xxxxxxxxxxxxxx encrypted privilege 0
username john password xxxxxxxxxxxxxxx encrypted privilege 0
username joek password xxxxxxxxxxxx encrypted privilege 0
username eostrike password xxxxxxxxxxxx encrypted privilege 15
username almostsi password xxxxxxxxxxxxxx encrypted privilege 0
username ezdelarosa password xxxxxxxxxxxxxx encrypted privilege 0
tunnel-group Home_VPN type remote-access
tunnel-group Home_VPN general-attributes
 address-pool IPPOOL
 authentication-server-group LOCAL
 authentication-server-group (outside) LOCAL
 default-group-policy Home_VPN
 authorization-required
tunnel-group Home_VPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group ClientLESS type remote-access
tunnel-group KaileY type remote-access
tunnel-group KaileY general-attributes
 address-pool VPN_POOL
 default-group-policy kikou
tunnel-group KaileY ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group-map default-group Home_VPN
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email <email redacted>
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:438ed6084bb3dc956574b1ce83f52b86
: end
ASA5505#
Here are the NAT statements for your first question:
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
nat (private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.50.0 obj-192.168.50.0
nat (private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0
Then 'clear xlate' after the above, and that should fix your first question.
I will check your second question and get back to you shortly.
-
Cisco ASA5505 with dual ISP + IPsec
Hello guys,
I have a problem with dual ISP + IPsec on my Cisco ASA5505 with a Security Plus license.
Routing works OK (connecting to the Internet from site A works through ISP 1 and also through the second ISP), but IPsec works through just the first ISP! It seems that phase 1 and 2 of IPsec are correct, but the packets are only encrypted and never decrypted. Do you have an idea what the problem is?
I try to ping from site A (PC 10.4.1.66) to site B (PC 10.3.128.50).
Thank you
config site A:
##########################################################################
ASA Version 8.2(1)
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 nameif internet
 security-level 0
 ip address 212.89.235.yy 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (internet) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 10.4.1.64 255.255.255.248
access-group internet_in in interface outside
access-group internet_in in interface internet
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 212.89.229.xx interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 212.89.229.xx
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 interface outside
crypto map outside_map0 interface internet
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable internet
crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 300
!
track 1 rtr 123 reachability
telnet 10.4.1.64 255.255.255.248 inside
telnet timeout 1440
ssh 10.4.1.64 255.255.255.248 inside
ssh 212.89.229.xx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.160.23.2 source outside
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username xx
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *****
siteA# sh crypto isakmp sa detail
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 212.89.229.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 91
siteA# sh crypto ipsec sa
interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy
      access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
      remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
      current_peer: 212.89.229.xx
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 2A9B550B
    inbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4374000/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373999/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
siteA# sh logging asdm | i 10.3.128.50
6|Sep 19 2011 10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
6|Sep 19 2011 10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
Site B config:
##########################################################################
ASA 5510 Version 8.0(4)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.89.229.xx 255.255.255.240
 ospf cost 10
interface Ethernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.3.128.0 255.255.255.0
access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *
tunnel-group 212.89.235.yy type ipsec-l2l
tunnel-group 212.89.235.yy ipsec-attributes
 pre-shared-key *
SiteB# sh crypto isakmp sa d
   Active SA: 7
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8

8   IKE Peer: 212.89.235.115
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 245

SiteB# sh crypto ipsec sa | b 212.89.235.yy
      current_peer: 212.89.235.yy

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: CF456F65

    inbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/27310)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00001FFF
    outbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27308)
         IV size: 16 bytes
         replay detection support: Y

siteB# sh logging asdm | i 10.4.1.66
6|Sep 19 2011 10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
6|Sep 19 2011 10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
I'm glad this answers your question; feel free to mark the post as answered and rate useful posts.
Good day.
-
Disabling NTP on specific interfaces
Hello
I want to be able to use our HQ Internet router as the NTP source for the rest of our network equipment, including the other Internet routers at remote sites. It is all set up and everything works fine, but I would like to disable NTP on the external-facing interfaces of the remote sites...
I believe this will achieve that...
config t
int g0/0/0   (the Internet-facing interface)
ntp disable
!
That way I'll still be able to get my NTP info from the HQ router's internal MGMT IP.
But,
for the HQ Internet router, I need to be able to reach the Internet NTP servers we get our clock info from. On this router, 'ntp disable' on the Internet-facing interface breaks NTP. What do I need to set up on the HQ Internet router's Internet-facing interface to stop the router from being a source for anyone on the Internet, but still be able to get clock info from the Internet and act as a source for the rest of our network equipment?
I thought "no ntp source interface" would work, but I guess the command is not supported on the 4400s.
Thank you, Pat
Your configuration looks good. The "peer" access group is the only one that actually allows a router to BE synchronized, so to speak, that is, influenced by other devices. The "serve-only" one allows (the HQ router, in your case) to update others, but not to BE updated or influenced by others.
So, for the HQ router to reject requests from Internet IPs but still accept updates from the defined IPs, the "serve-only" access group must be configured on the Internet routers. Think about it: it is almost certain that those routers have this configured anyway, because they won't have their time synchronized by you or any other client.
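The HQ-router side of what the answer describes, written out as an added example (not the poster's or the answerer's configuration); the upstream addresses 192.0.2.10/11, the internal 10.0.0.0/8 range and the ACL names are constructed placeholders:

```cisco
! Constructed values: 192.0.2.10/11 stand in for the Internet NTP
! servers HQ syncs from; 10.0.0.0/8 stands in for the internal network.
ip access-list standard NTP-UPSTREAM
 permit 192.0.2.10
 permit 192.0.2.11
!
ip access-list standard NTP-INTERNAL
 permit 10.0.0.0 0.255.255.255
!
! "peer": only these addresses may influence HQ's clock; the configured
! upstream servers must match here or HQ will not synchronize to them.
ntp access-group peer NTP-UPSTREAM
! "serve-only": internal devices get time replies but can never update
! HQ. Anything matching neither list is dropped once access groups exist,
! so hosts on the Internet cannot use HQ as a time source.
ntp access-group serve-only NTP-INTERNAL
ntp server 192.0.2.10
ntp server 192.0.2.11
!
! Remote-site Internet routers: keep "ntp disable" on the Internet-facing
! interface only, so they still sync to HQ over the internal interface.
interface GigabitEthernet0/0/0
 ntp disable
```

On the HQ router the Internet-facing interface keeps NTP enabled; the access groups, not the interface, decide who is answered and who is trusted.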
-
Hi all, I'm about to replace an existing firewall with a new ASA 5510. The environment is pretty simple, just an external and an internal interface. I matched the configs as much as possible, but I'd like to see if there are obvious problems. I am mainly concerned with my NAT statements. Does anything in the following (sanitized) config seem out of place? Thank you!!
------------------------------------------------------------
ASA Version 8.4(4)5
!
hostname ciscoasa
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 40.100.2.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.30.0.100 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa844-5-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network 10.10.0.78
 host 10.10.0.78
 description nospam
object network 10.10.0.39
 host 10.10.0.39
 description exch
object network 55.100.20.109
 host 55.100.20.109
 description mail.oursite.com
object network 10.10.0.156
 host 10.10.0.156
 description
object network 55.100.20.101
 host 55.100.20.101
 description
object network 10.10.0.155
 host 10.10.0.155
 description ftp
object network 10.10.0.190
 host 10.10.0.190
 description www farm
object network 10.10.0.191
 host 10.10.0.191
 description svc farm
object network 10.10.0.28
 host 10.10.0.28
 description vpn
object network 10.10.0.57
 host 10.10.0.57
 description cust.oursite.com
object network 10.10.0.66
 host 10.10.0.66
 description spoint.oursite.com
object network 55.100.20.102
 host 55.100.20.102
 description cust.oursite.com
object network 55.100.20.103
 host 55.100.20.103
 description ftp
object network 55.100.20.104
 host 55.100.20.104
 description vpn
object network 55.100.20.105
 host 55.100.20.105
 description www app
object network 55.100.20.106
 host 55.100.20.106
 description svc app
object network 55.100.20.107
 host 55.100.20.107
 description spoint.oursite.com
object network 55.100.20.108
 host 55.100.20.108
 description exchange.oursite.com
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service Exchange_Inbound tcp
 port-object eq 587
 port-object eq 993
 port-object eq www
 port-object eq https
 port-object eq imap4
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_1
 network-object object 10.10.0.190
 network-object object 10.10.0.191
object-group network DM_INLINE_NETWORK_2
 network-object object 10.10.0.156
 network-object object 10.10.0.57
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service sharepoint tcp
 port-object eq 9255
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
access-list outside_access_in extended permit tcp any object 10.10.0.39 object-group Exchange_Inbound
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object 10.10.0.155 eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object 10.10.0.28
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object 10.10.0.66 object-group sharepoint
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
nat (outside,inside) source static any any destination static 55.100.20.108 10.10.0.39 unidirectional
nat (inside,outside) source static 10.10.0.39 55.100.20.109 unidirectional
nat (outside,inside) source static any any destination static 55.100.20.101 10.10.0.156
nat (outside,inside) source static any any destination static 55.100.20.102 10.10.0.57
nat (outside,inside) source static any any destination static 55.100.20.103 10.10.0.155
nat (outside,inside) source static any any destination static 55.100.20.104 10.10.0.28
nat (outside,inside) source static any any destination static 55.100.20.105 10.10.0.190
nat (outside,inside) source static any any destination static 55.100.20.106 10.10.0.191
nat (outside,inside) source static any any destination static 55.100.20.107 10.10.0.66
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 40.100.2.1 1
route inside 10.10.0.0 255.255.255.0 10.30.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxxxxxxxxx source outside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:40cee3a773d380834b10195ffc63a02f
: end
Hello
You do nat (outside,inside); I would do (inside,outside), but the configuration is still fine.
The ACL configuration is fine, NAT is fine, so you shouldn't have problems.
Kind regards
Julio