IPsec connection via ASDM: ASA 5510 config

Hello, I have a problem finishing an (IKEv1) IPsec connection to be used with Chromebooks. I cross-checked the config and think it's okay, but on a connection attempt I get: AAA user authentication Rejected : reason = Invalid password : local database : user = xxxxx

I am trying to use a local user account for current tests and have confirmed and re-confirmed that the password is correct. No idea why authentication is not passing.

Tony,

In case you are using MS-CHAPv2, the user account should be like:

username cisco password cisco123 mschap

Let me know.

Thank you.

Please note all useful messages.

Tags: Cisco Security

Similar Questions

  • Cisco ASA 5510 config with SSM

    I was tasked to replace our old SonicWall TZ170 firewall with an ASA 5510 and configure it (which I have never done, only routers and switches), and I have a few questions.  I'm inside the ASDM and I am trying to configure my external interface...  The 5510 came with an SSM card, and I assumed it would be my external interface, but I guess I'm wrong because it is not an option when running through the wizard.  I know what the SSM card is for; I do not understand why there is no external interface.  Where does this connect (just to my LAN?)?

    Currently, I have set the management interface to our IP and subnet and connected through that.  I see the management interface and eth0 - eth3.

    It's as simple as it can get: I just need to set the external interface to our public IP address and configure access rules to match my SonicWall.

    Also, on the version: it's running ASA 8.2.1.  Should I upgrade to 8.3.1?  What is the ED after the version (I'm not familiar with it)?

    Thank you!

    These rules on the ASA are default rules, that is to say whatever is initiated from the inside is allowed, but anything launched from outside is allowed in. Sorry, but I'm not familiar enough with SonicWall to give you advice on the rules you will need to set up. But if all you have is an outside and an inside interface, then you will need NAT/PAT to ensure that internal addresses can go out, and an access list to restrict these internal networks if necessary. If you have incoming traffic, such as mail, web server, etc., then you will again need a NAT and an access list to allow the traffic.

    The document attached (you can ignore the router configs) should hopefully give you a better idea of how incoming transport works and how to apply access lists to the interface.

    Let me know if it helps.

  • Review of the ASA 5510 Config

    Hi all, I'm about to replace an existing firewall with a new ASA 5510.  The environment is pretty simple, just an external and internal interface.  I matched the configs as much as possible, but I'd like to see if there are obvious problems.  I am concerned mainly with my NAT statements.  Does anything in the following (sanitized) config seem out of place?  Thank you!!

    ------------------------------------------------------------

    ASA 4,0000 Version 5

    !
    hostname ciscoasa
    enable password xxxxxxxxxx encrypted
    passwd XXXXXXXXXX encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 40.100.2.2 255.255.255.252
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 10.30.0.100 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    boot system disk0:/asa844-5-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface

    object network 10.10.0.78
     host 10.10.0.78
     description Nospam
    object network 10.10.0.39
     host 10.10.0.39
     description exch
    object network 55.100.20.109
     host 55.100.20.109
     description mail.oursite.com
    object network 10.10.0.156
     host 10.10.0.156
     description www.oursite.com-Internal
    object network 55.100.20.101
     host 55.100.20.101
     description www.oursite.com-External
    object network 10.10.0.155
     host 10.10.0.155
     description Ftp
    object network 10.10.0.190
     host 10.10.0.190
     description farm www
    object network 10.10.0.191
     host 10.10.0.191
     description farm svc
    object network 10.10.0.28
     host 10.10.0.28
     description Vpn
    object network 10.10.0.57
     host 10.10.0.57
     description cust.oursite.com
    object network 10.10.0.66
     host 10.10.0.66
     description spoint.oursite.com
    object network 55.100.20.102
     host 55.100.20.102
     description cust.oursite.com
    object network 55.100.20.103
     host 55.100.20.103
     description Ftp
    object network 55.100.20.104
     host 55.100.20.104
     description Vpn
    object network 55.100.20.105
     host 55.100.20.105
     description app www
    object network 55.100.20.106
     host 55.100.20.106
     description app svc
    object network 55.100.20.107
     host 55.100.20.107
     description spoint.oursite.com
    object network 55.100.20.108
     host 55.100.20.108
     description exchange.oursite.com

    object-group icmp-type DM_INLINE_ICMP_1
     icmp-object echo-reply
     icmp-object time-exceeded
     icmp-object unreachable
    object-group service Exchange_Inbound tcp
     port-object eq 587
     port-object eq 993
     port-object eq www
     port-object eq https
     port-object eq imap4
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    object-group service DM_INLINE_SERVICE_1
     service-object gre
     service-object tcp destination eq pptp
    object-group network DM_INLINE_NETWORK_1
     network-object object 10.10.0.190
     network-object object 10.10.0.191
    object-group network DM_INLINE_NETWORK_2
     network-object object 10.10.0.156
     network-object object 10.10.0.57
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq www
     port-object eq https
    object-group service sharepoint tcp
     port-object eq 9255
     port-object eq www
     port-object eq https
    access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
    access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
    access-list outside_access_in extended permit tcp any object 10.10.0.39 object-group Exchange_Inbound
    access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit tcp any object 10.10.0.155 eq ftp
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object 10.10.0.28
    access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
    access-list outside_access_in extended permit tcp any object 10.10.0.66 object-group Sharepoint

    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
    nat (outside,inside) source static any any destination static 55.100.20.108 10.10.0.39 unidirectional
    nat (inside,outside) source static 10.10.0.39 55.100.20.109 unidirectional
    nat (outside,inside) source static any any destination static 55.100.20.101 10.10.0.156
    nat (outside,inside) source static any any destination static 55.100.20.102 10.10.0.57
    nat (outside,inside) source static any any destination static 55.100.20.103 10.10.0.155
    nat (outside,inside) source static any any destination static 55.100.20.104 10.10.0.28
    nat (outside,inside) source static any any destination static 55.100.20.105 10.10.0.190
    nat (outside,inside) source static any any destination static 55.100.20.106 10.10.0.191
    nat (outside,inside) source static any any destination static 55.100.20.107 10.10.0.66
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 40.100.2.1 1
    route inside 10.10.0.0 255.255.255.0 10.30.0.1 1

    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.10.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 10.10.0.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server xxxxxxxxxx source outside

    webvpn
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect pptp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:40cee3a773d380834b10195ffc63a02f
    : end

    Hello

    You do nat (outside,inside); I would do (inside,outside), but the configuration is still good.

    The ACL configuration is fine, Nat is fine, so you should have problems,

    Kind regards

    Julio

  • Error of the ASDM ASA 5510

    Hello

    I had my ASA working from work, and the other day I started getting an error:

    UNABLE TO LAUNCH DEVICE MANAGER FROM (MY HOME STATIC IP)

    It used to work fine and I am able to load it on my local network. Someone said maybe this is my version of Java. So I downloaded Java 6 and installed that, without change. Does anyone have any ideas on what it could be?

    ----------------------------------------------------

    Application logging started at Fri Jan 21 12:04:58 MST 2014

    ---------------------------------------------

    Local Launcher Version = 1.5.69

    Local Launcher Version Display = 1.5(69)

    OK button clicked

    java.lang.NullPointerException

    at com.sun.deploy.security.DeployManifestChecker.printWarningsIfRequired (unknown Source)

    at com.sun.deploy.security.TrustDeciderDialog.doShowDialog (unknown Source)

    at com.sun.deploy.security.TrustDeciderDialog.showDialog (unknown Source)

    at com.sun.deploy.security.TrustDeciderDialog.showDialog (unknown Source)

    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted (unknown Source)

    at sun.security.ssl.ClientHandshaker.serverCertificate (unknown Source)

    at sun.security.ssl.ClientHandshaker.processMessage (unknown Source)

    at sun.security.ssl.Handshaker.processLoop (unknown Source)

    at sun.security.ssl.Handshaker.process_record (unknown Source)

    at sun.security.ssl.SSLSocketImpl.readRecord (unknown Source)

    at sun.security.ssl.SSLSocketImpl.performInitialHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.net.www.protocol.https.HttpsClient.afterConnect (unknown Source)

    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (unknown Source)

    at sun.net.www.protocol.http.HttpURLConnection.getInputStream (unknown Source)

    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream (unknown Source)

    at com.cisco.launcher.s.new (unknown Source)

    at com.cisco.launcher.s.actionPerformed (unknown Source)

    at javax.swing.AbstractButton.fireActionPerformed (unknown Source)

    at javax.swing.AbstractButton$Handler.actionPerformed (unknown Source)

    at javax.swing.DefaultButtonModel.fireActionPerformed (unknown Source)

    at javax.swing.DefaultButtonModel.setPressed (unknown Source)

    at javax.swing.AbstractButton.doClick (unknown Source)

    at javax.swing.plaf.basic.BasicRootPaneUI$Actions.actionPerformed (unknown Source)

    at javax.swing.SwingUtilities.notifyAction (unknown Source)

    at javax.swing.JComponent.processKeyBinding (unknown Source)

    at javax.swing.KeyboardManager.fireBinding (unknown Source)

    at javax.swing.KeyboardManager.fireKeyboardAction (unknown Source)

    at javax.swing.JComponent.processKeyBindingsForAllComponents (unknown Source)

    at javax.swing.JComponent.processKeyBindings (unknown Source)

    at javax.swing.JComponent.processKeyEvent (unknown Source)

    at java.awt.Component.processEvent (unknown Source)

    at java.awt.Container.processEvent (unknown Source)

    at java.awt.Component.dispatchEventImpl (unknown Source)

    at java.awt.Container.dispatchEventImpl (unknown Source)

    at java.awt.Component.dispatchEvent (unknown Source)

    at java.awt.KeyboardFocusManager.redispatchEvent (unknown Source)

    at java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent (unknown Source)

    at java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent (unknown Source)

    at java.awt.DefaultKeyboardFocusManager.typeAheadAssertions (unknown Source)

    at java.awt.DefaultKeyboardFocusManager.dispatchEvent (unknown Source)

    at java.awt.Component.dispatchEventImpl (unknown Source)

    at java.awt.Container.dispatchEventImpl (unknown Source)

    at java.awt.Window.dispatchEventImpl (unknown Source)

    at java.awt.Component.dispatchEvent (unknown Source)

    at java.awt.EventQueue.dispatchEventImpl (unknown Source)

    at java.awt.EventQueue.access$200 (unknown Source)

    at java.awt.EventQueue$3.run (unknown Source)

    at java.awt.EventQueue$3.run (unknown Source)

    at java.security.AccessController.doPrivileged (Native Method)

    at java.security.ProtectionDomain$1.doIntersectionPrivilege (unknown Source)

    at java.security.ProtectionDomain$1.doIntersectionPrivilege (unknown Source)

    at java.awt.EventQueue$4.run (unknown Source)

    at java.awt.EventQueue$4.run (unknown Source)

    at java.security.AccessController.doPrivileged (Native Method)

    at java.security.ProtectionDomain$1.doIntersectionPrivilege (unknown Source)

    at java.awt.EventQueue.dispatchEvent (unknown Source)

    at java.awt.EventDispatchThread.pumpOneEventForFilters (unknown Source)

    at java.awt.EventDispatchThread.pumpEventsForFilter (unknown Source)

    at java.awt.EventDispatchThread.pumpEventsForHierarchy (unknown Source)

    at java.awt.EventDispatchThread.pumpEvents (unknown Source)

    at java.awt.EventDispatchThread.pumpEvents (unknown Source)

    at java.awt.EventDispatchThread.run (unknown Source)

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server

    at sun.security.ssl.Alerts.getSSLException (unknown Source)

    at sun.security.ssl.SSLSocketImpl.fatal (unknown Source)

    at sun.security.ssl.Handshaker.fatalSE (unknown Source)

    at sun.security.ssl.Handshaker.fatalSE (unknown Source)

    at sun.security.ssl.ClientHandshaker.serverCertificate (unknown Source)

    at sun.security.ssl.ClientHandshaker.processMessage (unknown Source)

    at sun.security.ssl.Handshaker.processLoop (unknown Source)

    at sun.security.ssl.Handshaker.process_record (unknown Source)

    at sun.security.ssl.SSLSocketImpl.readRecord (unknown Source)

    at sun.security.ssl.SSLSocketImpl.performInitialHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.net.www.protocol.https.HttpsClient.afterConnect (unknown Source)

    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (unknown Source)

    at sun.net.www.protocol.http.HttpURLConnection.getInputStream (unknown Source)

    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream (unknown Source)

    at com.cisco.launcher.s.new (unknown Source)

    at com.cisco.launcher.s.actionPerformed (unknown Source)

    at javax.swing.AbstractButton.fireActionPerformed (unknown Source)

    at javax.swing.AbstractButton$Handler.actionPerformed (unknown Source)

    at javax.swing.DefaultButtonModel.fireActionPerformed (unknown Source)

    at javax.swing.DefaultButtonModel.setPressed (unknown Source)

    at javax.swing.AbstractButton.doClick (unknown Source)

    at javax.swing.plaf.basic.BasicRootPaneUI$Actions.actionPerformed (unknown Source)

    at javax.swing.SwingUtilities.notifyAction (unknown Source)

    at javax.swing.JComponent.processKeyBinding (unknown Source)

    at javax.swing.KeyboardManager.fireBinding (unknown Source)

    at javax.swing.KeyboardManager.fireKeyboardAction (unknown Source)

    at javax.swing.JComponent.processKeyBindingsForAllComponents (unknown Source)

    at javax.swing.JComponent.processKeyBindings (unknown Source)

    at javax.swing.JComponent.processKeyEvent (unknown Source)

    at java.awt.Component.processEvent (unknown Source)

    at java.awt.Container.processEvent (unknown Source)

    at java.awt.Component.dispatchEventImpl (unknown Source)

    at java.awt.Container.dispatchEventImpl (unknown Source)

    at java.awt.Component.dispatchEvent (unknown Source)

    at java.awt.KeyboardFocusManager.redispatchEvent (unknown Source)

    at java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent (unknown Source)

    at java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent (unknown Source)

    at java.awt.DefaultKeyboardFocusManager.typeAheadAssertions (unknown Source)

    at java.awt.DefaultKeyboardFocusManager.dispatchEvent (unknown Source)

    at java.awt.Component.dispatchEventImpl (unknown Source)

    at java.awt.Container.dispatchEventImpl (unknown Source)

    at java.awt.Window.dispatchEventImpl (unknown Source)

    at java.awt.Component.dispatchEvent (unknown Source)

    at java.awt.EventQueue.dispatchEventImpl (unknown Source)

    at java.awt.EventQueue.access$200 (unknown Source)

    at java.awt.EventQueue$3.run (unknown Source)

    at java.awt.EventQueue$3.run (unknown Source)

    at java.security.AccessController.doPrivileged (Native Method)

    at java.security.ProtectionDomain$1.doIntersectionPrivilege (unknown Source)

    at java.security.ProtectionDomain$1.doIntersectionPrivilege (unknown Source)

    at java.awt.EventQueue$4.run (unknown Source)

    at java.awt.EventQueue$4.run (unknown Source)

    at java.security.AccessController.doPrivileged (Native Method)

    at java.security.ProtectionDomain$1.doIntersectionPrivilege (unknown Source)

    at java.awt.EventQueue.dispatchEvent (unknown Source)

    at java.awt.EventDispatchThread.pumpOneEventForFilters (unknown Source)

    at java.awt.EventDispatchThread.pumpEventsForFilter (unknown Source)

    at java.awt.EventDispatchThread.pumpEventsForHierarchy (unknown Source)

    at java.awt.EventDispatchThread.pumpEvents (unknown Source)

    at java.awt.EventDispatchThread.pumpEvents (unknown Source)

    at java.awt.EventDispatchThread.run (unknown Source)

    Caused by: java.security.cert.CertificateException: Java couldn't trust Server

    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted (unknown Source)

    ... 59 more

    Trying for ASDM Version file; url = https://199.195.168.123/admin/

    java.lang.NullPointerException

    at com.sun.deploy.security.DeployManifestChecker.printWarningsIfRequired (unknown Source)

    at com.sun.deploy.security.TrustDeciderDialog.doShowDialog (unknown Source)

    at com.sun.deploy.security.TrustDeciderDialog.showDialog (unknown Source)

    at com.sun.deploy.security.TrustDeciderDialog.showDialog (unknown Source)

    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted (unknown Source)

    at sun.security.ssl.ClientHandshaker.serverCertificate (unknown Source)

    at sun.security.ssl.ClientHandshaker.processMessage (unknown Source)

    at sun.security.ssl.Handshaker.processLoop (unknown Source)

    at sun.security.ssl.Handshaker.process_record (unknown Source)

    at sun.security.ssl.SSLSocketImpl.readRecord (unknown Source)

    at sun.security.ssl.SSLSocketImpl.performInitialHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.net.www.protocol.https.HttpsClient.afterConnect (unknown Source)

    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (unknown Source)

    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect (unknown Source)

    at com.cisco.launcher.y.a (unknown Source)

    at com.cisco.launcher.y.if (unknown Source)

    at com.cisco.launcher.r.a (unknown Source)

    at com.cisco.launcher.s.do (unknown Source)

    at com.cisco.launcher.s.null (unknown Source)

    at com.cisco.launcher.s.new (unknown Source)

    at com.cisco.launcher.s.access$000 (unknown Source)

    at com.cisco.launcher.s$2.a (unknown Source)

    at com.cisco.launcher.g$2.run (unknown Source)

    at java.lang.Thread.run (unknown Source)

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java could not be trusted to server

    at sun.security.ssl.Alerts.getSSLException (unknown Source)

    at sun.security.ssl.SSLSocketImpl.fatal (unknown Source)

    at sun.security.ssl.Handshaker.fatalSE (unknown Source)

    at sun.security.ssl.Handshaker.fatalSE (unknown Source)

    at sun.security.ssl.ClientHandshaker.serverCertificate (unknown Source)

    at sun.security.ssl.ClientHandshaker.processMessage (unknown Source)

    at sun.security.ssl.Handshaker.processLoop (unknown Source)

    at sun.security.ssl.Handshaker.process_record (unknown Source)

    at sun.security.ssl.SSLSocketImpl.readRecord (unknown Source)

    at sun.security.ssl.SSLSocketImpl.performInitialHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.net.www.protocol.https.HttpsClient.afterConnect (unknown Source)

    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (unknown Source)

    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect (unknown Source)

    at com.cisco.launcher.y.a (unknown Source)

    at com.cisco.launcher.y.if (unknown Source)

    at com.cisco.launcher.r.a (unknown Source)

    at com.cisco.launcher.s.do (unknown Source)

    at com.cisco.launcher.s.null (unknown Source)

    at com.cisco.launcher.s.new (unknown Source)

    at com.cisco.launcher.s.access$000 (unknown Source)

    at com.cisco.launcher.s$2.a (unknown Source)

    at com.cisco.launcher.g$2.run (unknown Source)

    at java.lang.Thread.run (unknown Source)

    Caused by: java.security.cert.CertificateException: Java could not be trusted to server

    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted (unknown Source)

    ... 21 more

    Try to IDM. URL =https://199.195.168.123/idm/idm.jnlp/

    java.lang.NullPointerException

    at com.sun.deploy.security.DeployManifestChecker.printWarningsIfRequired (unknown Source)

    at com.sun.deploy.security.TrustDeciderDialog.doShowDialog (unknown Source)

    at com.sun.deploy.security.TrustDeciderDialog.showDialog (unknown Source)

    at com.sun.deploy.security.TrustDeciderDialog.showDialog (unknown Source)

    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted (unknown Source)

    at sun.security.ssl.ClientHandshaker.serverCertificate (unknown Source)

    at sun.security.ssl.ClientHandshaker.processMessage (unknown Source)

    at sun.security.ssl.Handshaker.processLoop (unknown Source)

    at sun.security.ssl.Handshaker.process_record (unknown Source)

    at sun.security.ssl.SSLSocketImpl.readRecord (unknown Source)

    at sun.security.ssl.SSLSocketImpl.performInitialHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.net.www.protocol.https.HttpsClient.afterConnect (unknown Source)

    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (unknown Source)

    at sun.net.www.protocol.http.HttpURLConnection.getInputStream (unknown Source)

    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream (unknown Source)

    at com.cisco.launcher.w.a (unknown Source)

    at com.cisco.launcher.s.for (unknown Source)

    at com.cisco.launcher.s.new (unknown Source)

    at com.cisco.launcher.s.access$000 (unknown Source)

    at com.cisco.launcher.s$2.a (unknown Source)

    at com.cisco.launcher.g$2.run (unknown Source)

    at java.lang.Thread.run (unknown Source)

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java could not be trusted to server

    at sun.security.ssl.Alerts.getSSLException (unknown Source)

    at sun.security.ssl.SSLSocketImpl.fatal (unknown Source)

    at sun.security.ssl.Handshaker.fatalSE (unknown Source)

    at sun.security.ssl.Handshaker.fatalSE (unknown Source)

    at sun.security.ssl.ClientHandshaker.serverCertificate (unknown Source)

    at sun.security.ssl.ClientHandshaker.processMessage (unknown Source)

    at sun.security.ssl.Handshaker.processLoop (unknown Source)

    at sun.security.ssl.Handshaker.process_record (unknown Source)

    at sun.security.ssl.SSLSocketImpl.readRecord (unknown Source)

    at sun.security.ssl.SSLSocketImpl.performInitialHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.security.ssl.SSLSocketImpl.startHandshake (unknown Source)

    at sun.net.www.protocol.https.HttpsClient.afterConnect (unknown Source)

    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (unknown Source)

    at sun.net.www.protocol.http.HttpURLConnection.getInputStream (unknown Source)

    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream (unknown Source)

    at com.cisco.launcher.w.a (unknown Source)

    at com.cisco.launcher.s.for (unknown Source)

    at com.cisco.launcher.s.new (unknown Source)

    at com.cisco.launcher.s.access$000 (unknown Source)

    at com.cisco.launcher.s$2.a (unknown Source)

    at com.cisco.launcher.g$2.run (unknown Source)

    at java.lang.Thread.run (unknown Source)

    Caused by: java.security.cert.CertificateException: Java could not be trusted to server

    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted (unknown Source)

    ... 19 more

    Hello

    It is a known issue with Java 1.7 update 51. The Launcher will not work with update 51. We are working on that. As a solution, please launch the ASDM using the webstart.

  • Cisco ASA 5510 IPsec limit

    Hi guys

    Is there an IPsec limit for the ASA 5510?

    Some users complain that once connected, they cannot access any server on the local network, but now it works fine.

    Hello

    What do you mean by limit? The number of IPSEC sessions is limited to 250, if I remember correctly.

    As for a limit on access to internal resources, there is none.

    Are the users who complain using the same IPsec VPN as the others? Do your crypto ACL and NAT exemption allow all internal resources?

    Thank you

    PS: Please do not forget to rate and score as correct answer if this answered your question

  • Disable Cisco ASA login using only the enable password via ASDM

    Hi all

    How do I disable login to my Cisco ASA 5520 using only the enable password via ASDM? I would like ASDM login to use a user name and password. TIA!

    The command:

     aaa authentication http console LOCAL

    ...will force users accessing ASDM (which uses HTTP(S) transport) to be authenticated against the LOCAL database.

    You can also specify another defined authentication method list, such as RADIUS or AD. (Although we like to leave a LOCAL method in place, in case your external authentication server is not available.)

  • ASA 5510 IPSEC VPN connection problem

    Hello

    We have an ASA 5510 (ASA version 8.0) with remote access VPN configured, and it works most of the time, but there is a problem when more than one client connects to the same office remotely.  When the first VPN client is connected to the remote desktop, everything works fine, but when the second client connects to the VPN, it connects fine but does not get any return traffic to the client.  I can see under Monitor -> VPN Statistics -> Sessions -> Remote Access that Rx Bytes is 0. Both connections are from the same public IP address of the remote desktop.  I changed some settings for NAT-T and a few other things, but without success.

    Could someone help me please how to fix this?

    Thank you very much.

    Make sure that customers use because that probably her you're not. (default value is NAT - T).

    Federico.

  • Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

    Hello

    I have an ASA 5510 with the configuration below. I have configured the ASA as a VPN server for remote access with the Cisco VPN client; now my problem is that I can connect but I cannot ping.

    Config

    ciscoasa# sh run
    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname ciscoasa
    enable password 5QB4svsHoIHxXpF/ encrypted
    names
    name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
    name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
    name xxx.xxx.xxx.xxx Mail_Server
    name xxx.xxx.xxx.xxx IncomingIP
    name xxx.xxx.xxx.xxx SAP
    xxx.xxx.xxx.xxx Web server name
    name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
    name 192.168.2.2 isa_server_outside
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address IncomingIP 255.255.255.248
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.253 255.255.255.0
     management-only
    !
    passwd 123
    ftp mode passive
    clock timezone IS 2
    clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00
    object-group service TCP_8081 tcp
     port-object eq 8081
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq 3389
     port-object eq ftp
     port-object eq www
     port-object eq https
     port-object eq smtp
     port-object eq pop3
     port-object eq 3200
     port-object eq 3300
     port-object eq 3600
     port-object eq 3299
     port-object eq 3390
     port-object eq 50000
     port-object eq 3396
     port-object eq 3397
     port-object eq 3398
     port-object eq imap4
     port-object eq 587
     port-object eq 993
     port-object eq 8000
     port-object eq 8443
     port-object eq telnet
     port-object eq 3901
     group-object TCP_8081
     port-object eq 1433
     port-object eq 3391
     port-object eq 3399
     port-object eq 8080
     port-object eq 3128
     port-object eq 3900
     port-object eq 3902
     port-object eq 7777
     port-object eq 3392
     port-object eq 3393
     port-object eq 3394
     port-object eq 3395
     port-object eq 92
     port-object eq 91
     port-object eq 3206
     port-object eq 8001
     port-object eq 8181
     port-object eq 7778
     port-object eq 8180
     port-object eq 22222
     port-object eq 11001
     port-object eq 11002
     port-object eq 1555
     port-object eq 2223
     port-object eq 2224
    object-group service RDP tcp
     port-object eq 3389
    object-group service 3901 tcp
     description 3901
     port-object eq 3901
    object-group service 50000 tcp
     description 50000
     port-object eq 50000
    object-group service Enable_Transparent_Tunneling_UDP udp
     port-object eq 4500
    access-list inside_access_in remark connection to SAP
    access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
    access-list inside_access_in remark outgoing VPN - PPTP
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
    access-list inside_access_in remark outgoing VPN - GRE
    access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
    access-list inside_access_in remark VPN - GRE
    access-list inside_access_in extended permit gre any any
    access-list inside_access_in remark outgoing VPN - Client IKE
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
    access-list inside_access_in remark outgoing VPN - IPSecNAT - T
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
    access-list inside_access_in remark outgoing DNS
    access-list inside_access_in extended permit udp any any eq domain
    access-list inside_access_in remark outgoing DNS
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in remark carried forward Ports
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any any eq pptp
    access-list outside_access_in extended permit gre any any
    access-list outside_access_in extended permit gre any host Mail_Server
    access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
    access-list outside_access_in extended permit esp any any
    access-list outside_access_in extended permit ah any any
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
    access-list VPN standard permit 192.168.2.0 255.255.255.0
    access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 2 Mail_Server netmask 255.0.0.0
    global (outside) 1 interface
    global (inside) 2 interface
    nat (inside) 0 access-list corp_vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
    static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
    static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
    static (inside,outside) 192.168.2.0 access-list corp_vpn
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    Crypto ipsec transform-set esp - esp-md5-hmac transet
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set pfs
    crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA transet
    crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
    crypto map cryptomap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
    dhcpd domain domain.local interface inside
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    Management Server TFTP 192.168.1.123.
    group-policy mypolicy internal
    group-policy mypolicy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN
    username vpdn password 123
    username vpdn attributes
     vpn-group-policy mypolicy
     service-type remote-access
    tunnel-group mypolicy type remote-access
    tunnel-group mypolicy general-attributes
     address-pool
     default-group-policy mypolicy
    tunnel-group mypolicy ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
    : end

    Thank you very much.

    Hello

    You probably need

    policy-map global_policy

     class inspection_default

      inspect icmp

      inspect icmp error

    Your Tunnel of Split and NAT0 configurations seem to.

    -Jouni

  • Unable to connect to VPN server behind ASA 5510 with Windows clients

    Hi all

    I've seen a number of posts on this and followed a few support documents on this issue, but I'm totally stuck now; nothing seems to work for me.

    This is the usual scenario: I have a Windows 2003 VPN server sitting on the private LAN of our ASA 5510 firewall, and I am trying to get my Windows XP / 7 laptops to connect to it.

    Within the ASDM:

    (1) Created a Public Server for protocol 1723

    (2) Created a Public Server for protocol GRE

    (3) Both public servers created have the same public and private addresses

    (4) The above config created a public-to-private static route in the NAT section of the firewall

    (5) The above also created 2 firewall rules on the outside interface, for both 1723 and GRE

    When I try to connect, I get the following entry in the debug log.

    6 August 6, 2010 17:09:37 302013 195.74.141.2 1045 1723 ChamberVPN-internal Built inbound TCP connection 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to inside:ChamberVPN-internal/1723 (XXX.XXX.XXX.XXX/1723)

    but nothing else.

    The server shows no connection attempt, so I think I'm missing something on the firewall now.

    Also, on the inside interface there is a temporary rule:

    Source: any

    Destination: any

    Service: IP

    Action: permit

    This should allow all outbound traffic, as far as I know...

    Any help would be greatly appreciated.

    Chris

    Hi Chris,

    The ASA log indicates that the connection is torn down because of "SYN timeout". This means that the ASA receives no response from the Windows server. Right now, we need to clarify some points.

    1 - Does your VPN server have a correct default gateway, or a route that points to your ASA firewall interface?

    2 - Is it possible to start a packet capture on the Windows server? That way we can get data flow information between client and server. And we can be sure that Windows Server wonders vpn.

    Ufuk Güler

  • IPSEC with the router and asa 5510

    Hi all

    I have problems with an IPsec L2L connection. I have set up a router and an ASA 5510 to run IPsec between them, but it seems to fail in phase 1. I already checked and I am 100% sure that is the key. Can someone shed some light on the issue I have? Here's the debug output I get from the two systems.

    Thank you

    Hello

    Do the ISAKMP policies match on both devices? What version of IOS is running on the router, and what version on the ASA 5510?

    Thank you

  • How to determine the cause of an IPsec tunnel drop on ASA 5510

    Is there an easy way to determine the cause of an L2L IPsec VPN tunnel drop on an ASA 5510? I have enabled logging, but the buffer fills so fast that I can't find anything when I look 24 hours later. I'm working on getting a syslog server/aggregator configured, but until that is complete I need a temporary measure. Suggestions?

    Hi Jessica.

    For the buffer limit, you can try:

    Increase the maximum buffer size.

    Limit the logs to the vpn class:

    logging class vpn buffered debugging

    On the other hand, you can try these debugs:

    debug crypto condition peer peer_address

    debug cry isa 128

    debug cry ipsec 128

    If you lose the SSH session, debugging is disabled.  Finally, VPN tunnels usually go down due to:

    Idle timeout

    Dead peer detection

    A delete from the other end.

    HTH.

  • Chromebook L2TP/IPsec to ASA 5510

    Hello

    I have trouble getting a Chromebook to establish a remote access VPN connection using L2TP/IPsec to a Cisco ASA 5510 running 7.2(5)12.

    Running debug crypto isakmp 5, I see the following logs (IPs changed...)

    Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
    Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload: Address 3.3.3.3, Protocol 17, Port 1701
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 17, Port 1701
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 1...
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, processing IPSec SA payload
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!
    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE QM Responder FSM error history (struct &0x3d48800) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Removing peer from correlator table failed, no match!

    1.1.1.1 = remote Chromebook NAT address

    2.2.2.2 = ASA 5510 acting as remote access termination point

    3.3.3.3 = Chromebook private address

    I noticed that the Chromebook's private address appears as the remote proxy ID, but later it looks for the Chromebook's NAT address.  Not sure if this is the cause, or how to solve this problem if it is.

    Can someone advise please

    Thank you

    Ryan

    7.2 is old code.  You can re-test with 9.0.x or 9.1.x.

    https://support.Google.com/Chromebook/answer/1282338?hl=en

  • ASA 5510 IPSec

    Hello

    So I'm pretty familiar with the ASA

    But not much with VPNs

    My goal is to get as much security as possible when a user connects via the VPN,

    which means I want the user to connect with a user name, a password and a certificate that is just for this user

    and not a group certificate,

    and also to validate the user via LDAP.

    But if the two cannot be done together, the first option I mentioned is more important to me.

    So my question is, how can it be done on the ASA? Is it possible to connect using a different certificate for each user?

    It was possible on my old firewall using OpenVPN.

    I want to use the ASA as the certificate server.

    I use ASDM 6.4

    ASA 5510 Software version 8.4 (4)

    Thanks in advance.

    For the legacy VPN Client, you can use an enterprise CA such as the one integrated in Windows Server 2k3/2k8. The ASA CA is supported for SSL VPN only. But for a new deployment you should really go for the AnyConnect Client.

  • Separation of monitor only and Admin for Cisco ASDM (ASA) access for users authenticated via LDAP

    Hello

    We have two AD groups: one for network admins, one for the system administrators group. The network admins will get priv lvl 15, the others priv lvl 3.

    This is the setup I use:

    TestASA# sh run ldap attribute-map test4
      map-name  comment Privilege-Level
      map-value comment fw-ro 5
      map-value comment fw-rw 15
      map-name  memberOf IETF-Radius-Service-Type
      map-value memberOf "cn=s-FW-Admin,OU=security groups,DC=802101,DC=local" 6
      map-value memberOf "cn=s-fw-ro,OU=security groups,DC=802101,DC=local" 5

    Users in both groups can connect via SSH and ASDM, but all users get the same rights, priv lvl 15.

    Does anyone have an idea?

    Please visit the link listed below to configure the ASA for read-only access and admin access. Not sure if you have already been there.

    https://supportforums.Cisco.com/docs/doc-33843

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Deny TCP (no connection) and Teardown TCP connection on ASA 5510, HELP please

    I'm currently implementing an ASA 5510 with AIP-SSM-10 IPS and I have a problem with the ASA. With the IPS feature currently disabled, I keep receiving complaints about blocked/idle connections to the Oracle server on port 8000 from a remote-office host. I traced it with syslog and received a large number of messages associated with the Oracle server IP address.

    The network diagram is a bit like this:

     ________          ________          _____________
    | Oracle |        | switch |        |  ASA 5510   |
    | Server |--------|________|--------| transparent |
     --------                            -------------
    192.168.10.206                             |
                                               |
                                         -------------
                                        |   ROUTER    |
                                        |_____________|
                                               |
     __________                          -------------
    | REMOTE   |------------------------|   Router    |
    | USER     |                         -------------
     ----------
    192.168.5.x

    and the syslog messages look like:

    302013: Built inbound TCP connection 1662347 for OUTSIDE:192.168.5.52/1311 (192.168.5.52/1311) to inside:192.168.10.206/8000 (192.168.10.206/8000)
    302014: Teardown TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 to inside:192.168.10.206/8000 duration 0:00:00 bytes 542 TCP FINs
    302013: Built inbound TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 (192.168.5.52/1310) to inside:192.168.10.206/8000 (192.168.10.206/8000)
    302014: Teardown TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 to inside:192.168.10.206/8000 duration 0:00:00 bytes 539 TCP FINs
    302013: Built inbound TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 (192.168.5.52/1309) to inside:192.168.10.206/8000 (192.168.10.206/8000)
    106015: Deny TCP (no connection) from 192.168.5.52/1302 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
    302014: Teardown TCP connection 1662338 for OUTSIDE:192.168.5.52/1308 to inside:192.168.10.206/8000 duration 0:00:00 bytes 538 TCP FINs
    106015: Deny TCP (no connection) from 192.168.5.52/1301 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
    106015: Deny TCP (no connection) from 192.168.5.52/1298 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
    106015: Deny TCP (no connection) from 192.168.5.52/1303 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE

    Can someone help me? I'm completely stuck on the cause of this problem...

    Thank you.

    7.1(2), which contains the fix for it, is already posted at http://www.cisco.com/cgi-bin/tablebuild.pl/pix.

    If the workaround works for you, however, and you don't touch any other problems, then I would probably recommend you just stay on this version, but I'll leave it up to you.
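
    The 302013/302014/106015 sequence quoted in this thread can be checked mechanically. The Python below is an added example, not part of the original posts: it pairs each 106015 deny with the last 302014 teardown of the same flow. The log lines are constructed in standard ASA syslog format (IPv4 only), and the 30-second window and verdict names are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in standard ASA syslog format; illustrative lines,
# not the thread's own log.
SAMPLE_LOG = """\
Aug 06 2010 17:09:37: %ASA-6-302013: Built inbound TCP connection 5001 for OUTSIDE:192.168.5.52/1302 (192.168.5.52/1302) to inside:192.168.10.206/8000 (192.168.10.206/8000)
Aug 06 2010 17:09:37: %ASA-6-302014: Teardown TCP connection 5001 for OUTSIDE:192.168.5.52/1302 to inside:192.168.10.206/8000 duration 0:00:00 bytes 542 TCP FINs
Aug 06 2010 17:09:39: %ASA-6-106015: Deny TCP (no connection) from 192.168.5.52/1302 to 192.168.10.206/8000 flags FIN ACK  on interface OUTSIDE
Aug 06 2010 17:09:40: %ASA-6-302013: Built inbound TCP connection 5002 for OUTSIDE:192.168.5.52/1303 (192.168.5.52/1303) to inside:192.168.10.206/8000 (192.168.10.206/8000)
Aug 06 2010 17:10:10: %ASA-6-302014: Teardown TCP connection 5002 for OUTSIDE:192.168.5.52/1303 to inside:192.168.10.206/8000 duration 0:00:30 bytes 0 SYN Timeout
Aug 06 2010 17:12:00: %ASA-6-106015: Deny TCP (no connection) from 192.168.10.206/8000 to 192.168.5.52/1303 flags SYN ACK  on interface inside
Aug 06 2010 17:12:05: %ASA-6-106015: Deny TCP (no connection) from 192.168.5.77/2044 to 192.168.10.206/8000 flags ACK  on interface OUTSIDE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection \d+ for "
    r"[^:\s]+:(?P<ip1>[^/\s]+)/(?P<p1>\d+) to "
    r"[^:\s]+:(?P<ip2>[^/\s]+)/(?P<p2>\d+) "
    r"duration \S+ bytes \d+\s*(?P<reason>.*)$")
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<ip1>[^/\s]+)/(?P<p1>\d+) to "
    r"(?P<ip2>[^/\s]+)/(?P<p2>\d+) flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+)")


def flow_key(ip1, p1, ip2, p2):
    """Direction-independent key: a deny may be logged for either side."""
    return frozenset({(ip1, int(p1)), (ip2, int(p2))})


def triage(log_text, window_seconds=30):
    """Classify every 106015 deny against the teardowns seen before it.

    late_after_teardown: packet arrived within the window after the ASA
                         removed the flow's state (typical of a retransmitted
                         FIN/ACK after a normal close).
    stale_flow:          the flow was torn down longer ago than the window.
    no_known_flow:       no teardown for this flow appears in the log.
    """
    last_teardown = {}  # flow key -> (timestamp, teardown reason)
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not a timestamped ASA syslog line
        ts = datetime.strptime(line["ts"], "%b %d %Y %H:%M:%S")
        if line["id"] == "302014":
            m = TEARDOWN_RE.search(line["body"])
            if m:
                key = flow_key(m["ip1"], m["p1"], m["ip2"], m["p2"])
                last_teardown[key] = (ts, m["reason"] or "unspecified")
        elif line["id"] == "106015":
            m = DENY_RE.search(line["body"])
            if not m:
                continue
            finding = {
                "src": f'{m["ip1"]}/{m["p1"]}',
                "dst": f'{m["ip2"]}/{m["p2"]}',
                "flags": m["flags"],
                "interface": m["ifc"],
                "seconds_after_teardown": None,
                "teardown_reason": None,
                "verdict": "no_known_flow",
            }
            seen = last_teardown.get(flow_key(m["ip1"], m["p1"], m["ip2"], m["p2"]))
            if seen is not None:
                delta = (ts - seen[0]).total_seconds()
                finding["seconds_after_teardown"] = int(delta)
                finding["teardown_reason"] = seen[1]
                finding["verdict"] = ("late_after_teardown"
                                      if delta <= window_seconds else "stale_flow")
            findings.append(finding)
    return findings


def summarize(findings):
    """Count denies per verdict so the dominant pattern stands out."""
    return Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f["verdict"], f["src"], "->", f["dst"], f["flags"],
              f["seconds_after_teardown"], f["teardown_reason"])
    print(dict(summarize(results)))
```

    Feed it a saved syslog file in place of the constructed sample; denies that stay in no_known_flow are the ones worth tracing further with a packet capture.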
