IPsec connection via ASDM, ASA 5510 config
Hello, I have a problem getting an (IKEv1) IPsec connection finished that is to be used with Chromebooks. I have gone over the config and think it is OK, but on a connection attempt I get: AAA user authentication Rejected: reason = Invalid password: local database: user = xxxxx
I am using a local user account for the current tests and have checked and re-checked that the password is correct. Any idea why authentication does not pass?
Tony,
If you are using MS-CHAPv2, the user account should look like this:
username cisco password cisco123 mschap
Let me know.
Thank you.
Please rate all helpful posts.
Tags: Cisco Security
Similar Questions
-
Cisco ASA 5510 config with SSM
I have been tasked with replacing our old SonicWall TZ170 firewall with an ASA 5510 and configuring it (which I have never done; only routers and switches), and I have a few questions. I am in ASDM and trying to configure my outside interface... The 5510 came with an SSM card, and I assumed that would be my outside interface, but I guess I am wrong, because it is not an option when running through the wizard. I know what the SSM card is for; I just do not understand why there is no outside interface. Where does this connect (just to my LAN)?
Currently, I have set the management interface to our IP and subnet and connected through that. I see the management interface and Eth0 - Eth3.
It is as simple as it can get; I just need the outside interface on our public IP address and to configure access rules to match my SonicWall.
Also on the version: it is running ASA 8.2.1. Should I upgrade to 8.3.1? What is the ED after the version (not familiar with it)?
Thank you!
The rules on the ASA are default rules, that is to say anything initiated from the inside is allowed out, but anything initiated from the outside is not allowed in. Sorry, but I am not familiar with SonicWall at all, so I cannot advise you on the rules you will need to set up. But if all you have is an outside and an inside interface, then you will need a NAT/PAT so that internal addresses can go out, and an access list to restrict those internal networks if necessary. If you have inbound traffic such as mail, web server, etc., then you will again need a NAT and an access list to allow the traffic.
The attached document (you can ignore the router configs) should hopefully give you a better idea of how inbound traffic works and how to apply access lists to the interface.
Let me know if it helps.
-
Hi all, I am about to replace an existing firewall with a new ASA 5510. The environment is pretty simple, just an outside and an inside interface. I matched the configs as closely as possible, but I would like to see if there are any obvious problems. I am mainly concerned with my NAT statements. Does anything in the following config (sanitized) look out of place? Thank you!!
------------------------------------------------------------
ASA Version 8.4(4)5
!
hostname ciscoasa
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 40.100.2.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.30.0.100 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa844-5-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network 10.10.0.78
 host 10.10.0.78
 description nospam
object network 10.10.0.39
 host 10.10.0.39
 description exch
object network 55.100.20.109
 host 55.100.20.109
 description mail.oursite.com
object network 10.10.0.156
 host 10.10.0.156
 description
object network 55.100.20.101
 host 55.100.20.101
 description
object network 10.10.0.155
 host 10.10.0.155
 description ftp
object network 10.10.0.190
 host 10.10.0.190
 description www farm
object network 10.10.0.191
 host 10.10.0.191
 description svc farm
object network 10.10.0.28
 host 10.10.0.28
 description vpn
object network 10.10.0.57
 host 10.10.0.57
 description cust.oursite.com
object network 10.10.0.66
 host 10.10.0.66
 description spoint.oursite.com
object network 55.100.20.102
 host 55.100.20.102
 description cust.oursite.com
object network 55.100.20.103
 host 55.100.20.103
 description ftp
object network 55.100.20.104
 host 55.100.20.104
 description vpn
object network 55.100.20.105
 host 55.100.20.105
 description www app
object network 55.100.20.106
 host 55.100.20.106
 description svc app
object network 55.100.20.107
 host 55.100.20.107
 description spoint.oursite.com
object network 55.100.20.108
 host 55.100.20.108
 description exchange.oursite.com
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service Exchange_Inbound tcp
 port-object eq 587
 port-object eq 993
 port-object eq www
 port-object eq https
 port-object eq imap4
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_1
 network-object object 10.10.0.190
 network-object object 10.10.0.191
object-group network DM_INLINE_NETWORK_2
 network-object object 10.10.0.156
 network-object object 10.10.0.57
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service Sharepoint tcp
 port-object eq 9255
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
access-list outside_access_in extended permit tcp any object 10.10.0.39 object-group Exchange_Inbound
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object 10.10.0.155 eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object 10.10.0.28
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object 10.10.0.66 object-group Sharepoint
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
nat (outside,inside) source static any any destination static 55.100.20.108 10.10.0.39 unidirectional
nat (inside,outside) source static 10.10.0.39 55.100.20.109 unidirectional
nat (outside,inside) source static any any destination static 55.100.20.101 10.10.0.156
nat (outside,inside) source static any any destination static 55.100.20.102 10.10.0.57
nat (outside,inside) source static any any destination static 55.100.20.103 10.10.0.155
nat (outside,inside) source static any any destination static 55.100.20.104 10.10.0.28
nat (outside,inside) source static any any destination static 55.100.20.105 10.10.0.190
nat (outside,inside) source static any any destination static 55.100.20.106 10.10.0.191
nat (outside,inside) source static any any destination static 55.100.20.107 10.10.0.66
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 40.100.2.1 1
route inside 10.10.0.0 255.255.255.0 10.30.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxxxxxxxxx source outside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:40cee3a773d380834b10195ffc63a02f
: end
Hello
You are doing nat (outside,inside); I would do (inside,outside), but the configuration is still fine.
The ACL configuration is fine and the NAT is fine, so you should not have any problems.
Kind regards
Julio
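Both the SSM answer earlier on this page (inbound services need a NAT and an access list that agree with each other) and Julio's "ACL is fine, NAT is fine" review of the config above come down to one consistency check that can be done mechanically. The following is an added example, not code from the thread or from Cisco: a Python script that parses object network, object-group network, access-list and nat lines in the 8.3+ format the posted config uses and reports ACE destinations that are mapped (public) addresses rather than real ones, ACE destinations with no inbound translation, and inbound translations that no ACE permits. The config it runs on is constructed in the style of the posted one, reusing the same hypothetical addresses, and unlike the posted config it plants two mistakes so the checks have something to report (three findings, since the ACE that names a mapped address also leaves the real server unpermitted).

```python
"""Cross-check ASA 8.3+ NAT against the inbound ACL (added example, not from the thread).

Since 8.3 an ACL applied inbound on 'outside' matches the real (untranslated)
inside address, so each inbound NAT target should be an ACE destination and
each ACE destination should have an inbound NAT.  The sample config is
constructed in the style of the posted one and plants two mistakes.
"""
import re
from typing import List, Set, Tuple

SAMPLE_CONFIG = """\
object network 10.10.0.78
 host 10.10.0.78
object network 10.10.0.39
 host 10.10.0.39
object network 10.10.0.155
 host 10.10.0.155
object network 55.100.20.103
 host 55.100.20.103
object-group network DM_INLINE_NETWORK_2
 network-object object 10.10.0.78
 network-object object 10.10.0.39
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq smtp
access-list outside_access_in extended permit tcp any object 55.100.20.103 eq ftp
access-list outside_access_in extended permit tcp any host 10.10.0.28 eq pptp
nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
nat (outside,inside) source static any any destination static 55.100.20.108 10.10.0.39 unidirectional
nat (outside,inside) source static any any destination static 55.100.20.103 10.10.0.155
"""  # planted: the ftp ACE names the mapped address; the pptp ACE target has no NAT at all

NAT_RE = re.compile(
    r"nat \((?P<real_if>\w+),\w+\) source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?(?P<rest>.*)$")


def _consume_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Read one ACE address spec at tok[i]; return (kind, value) and the next index."""
    if tok[i] in ("any", "any4", "any6"):
        return ("any", ""), i + 1
    if tok[i] in ("object", "object-group", "host"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", tok[i]), i + 2  # "a.b.c.d mask"


def parse_config(text: str):
    """Return (object hosts, network groups, ACEs, inbound real->mapped map)."""
    hosts, groups, aces, inbound, current = {}, {}, [], {}, None
    for line in text.splitlines():
        tok = line.split()
        if line.startswith(" ") and current and tok:        # sub-command of an object or group
            kind, name = current
            if kind == "obj" and tok[0] == "host":
                hosts[name] = tok[1]
            elif kind == "grp" and tok[0] == "network-object":
                groups[name].append(tok[2] if tok[1] in ("object", "host") else tok[1])
            continue
        current = None
        if line.startswith("object network "):
            current = ("obj", tok[2])
        elif line.startswith("object-group network "):
            current, groups[tok[2]] = ("grp", tok[2]), []
        elif line.startswith("access-list ") and tok[2] == "extended":
            i = 6 if tok[4] == "object-group" else 5        # skip the protocol or service group
            _src, i = _consume_addr(tok, i)
            dst, _ = _consume_addr(tok, i)
            aces.append((tok[1], tok[3], dst))              # (acl name, action, destination)
        elif (m := NAT_RE.match(line)):
            if m.group("real_if") == "outside" and m.group("dst_real"):      # (outside,inside) twice NAT
                inbound[m.group("dst_real")] = m.group("dst_mapped")
            elif m.group("real_if") == "inside" and not m.group("dst_real") \
                    and "unidirectional" not in m.group("rest"):              # bidirectional static NAT
                inbound[m.group("src_real")] = m.group("src_mapped")
    return hosts, groups, aces, inbound


def _resolve(addr, hosts, groups) -> Set[str]:
    kind, name = addr
    if kind == "any":
        return set()
    if kind == "object-group":
        return {hosts.get(m, m) for m in groups.get(name, [])}
    return {hosts.get(name, name)}


def audit(text: str) -> List[str]:
    hosts, groups, aces, inbound = parse_config(text)
    mapped_to_real = {mapped: real for real, mapped in inbound.items()}
    permitted, findings = set(), []
    for acl, action, dst in aces:
        if action != "permit":
            continue
        for addr in _resolve(dst, hosts, groups):
            permitted.add(addr)
            if addr in mapped_to_real:
                findings.append(f"{acl}: destination {addr} is the mapped address of {mapped_to_real[addr]}; 8.3+ ACLs use the real address")
            elif addr not in inbound:
                findings.append(f"{acl}: permits traffic to {addr} but no inbound NAT delivers there")
    for real, mapped in inbound.items():
        if real not in permitted:
            findings.append(f"nat: {mapped} -> {real} is translated inbound but no ACE permits it")
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Paste a real 'show running-config' into audit() instead of the sample; on the config posted above every ACE destination is a real 10.10.0.x address with a matching (outside,inside) translation, which is what "ACL is fine, NAT is fine" amounts to. The script treats a unidirectional (inside,outside) static as outbound-only, so the Exchange server's separate outbound translation to 55.100.20.109 is not counted as an inbound path.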
-
Hello
I had my ASA working from work, and the other day I started getting an error:
Unable to launch device manager from (my home static IP)
It used to work fine, and I am able to load it on my local network. Someone said maybe it is my version of Java, so I downloaded Java 6 and installed that, with no change. Does anyone have any ideas on what it could be?
----------------------------------------------------
Application logging started at Fri Jan 21 12:04:58 MST 2014
---------------------------------------------
Local Launcher Version = 1.5.69
Local Launcher Display Version = 1.5(69)
OK button clicked
java.lang.NullPointerException
    at com.sun.deploy.security.DeployManifestChecker.printWarningsIfRequired(Unknown Source)
    at com.sun.deploy.security.TrustDeciderDialog.doShowDialog(Unknown Source)
    at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
    at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.actionPerformed(Unknown Source)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.AbstractButton.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicRootPaneUI$Actions.actionPerformed(Unknown Source)
    at javax.swing.SwingUtilities.notifyAction(Unknown Source)
    at javax.swing.JComponent.processKeyBinding(Unknown Source)
    at javax.swing.KeyboardManager.fireBinding(Unknown Source)
    at javax.swing.KeyboardManager.fireKeyboardAction(Unknown Source)
    at javax.swing.JComponent.processKeyBindingsForAllComponents(Unknown Source)
    at javax.swing.JComponent.processKeyBindings(Unknown Source)
    at javax.swing.JComponent.processKeyEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.KeyboardFocusManager.redispatchEvent(Unknown Source)
    at java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent(Unknown Source)
    at java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent(Unknown Source)
    at java.awt.DefaultKeyboardFocusManager.typeAheadAssertions(Unknown Source)
    at java.awt.DefaultKeyboardFocusManager.dispatchEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$200(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
    at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.actionPerformed(Unknown Source)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.AbstractButton.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicRootPaneUI$Actions.actionPerformed(Unknown Source)
    at javax.swing.SwingUtilities.notifyAction(Unknown Source)
    at javax.swing.JComponent.processKeyBinding(Unknown Source)
    at javax.swing.KeyboardManager.fireBinding(Unknown Source)
    at javax.swing.KeyboardManager.fireKeyboardAction(Unknown Source)
    at javax.swing.JComponent.processKeyBindingsForAllComponents(Unknown Source)
    at javax.swing.JComponent.processKeyBindings(Unknown Source)
    at javax.swing.JComponent.processKeyEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.KeyboardFocusManager.redispatchEvent(Unknown Source)
    at java.awt.DefaultKeyboardFocusManager.dispatchKeyEvent(Unknown Source)
    at java.awt.DefaultKeyboardFocusManager.preDispatchKeyEvent(Unknown Source)
    at java.awt.DefaultKeyboardFocusManager.typeAheadAssertions(Unknown Source)
    at java.awt.DefaultKeyboardFocusManager.dispatchEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$200(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
    at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.awt.EventQueue$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.security.cert.CertificateException: Java couldn't trust Server
    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
    ... 59 more
Trying for ASDM Version file; URL = https://199.195.168.123/admin/
java.lang.NullPointerException
    at com.sun.deploy.security.DeployManifestChecker.printWarningsIfRequired(Unknown Source)
    at com.sun.deploy.security.TrustDeciderDialog.doShowDialog(Unknown Source)
    at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
    at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
    at com.cisco.launcher.y.a(Unknown Source)
    at com.cisco.launcher.y.if(Unknown Source)
    at com.cisco.launcher.r.a(Unknown Source)
    at com.cisco.launcher.s.do(Unknown Source)
    at com.cisco.launcher.s.null(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.access$000(Unknown Source)
    at com.cisco.launcher.s$2.a(Unknown Source)
    at com.cisco.launcher.g$2.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
    at com.cisco.launcher.y.a(Unknown Source)
    at com.cisco.launcher.y.if(Unknown Source)
    at com.cisco.launcher.r.a(Unknown Source)
    at com.cisco.launcher.s.do(Unknown Source)
    at com.cisco.launcher.s.null(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.access$000(Unknown Source)
    at com.cisco.launcher.s$2.a(Unknown Source)
    at com.cisco.launcher.g$2.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertificateException: Java couldn't trust Server
    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
    ... 21 more
Trying for IDM. URL = https://199.195.168.123/idm/idm.jnlp/
java.lang.NullPointerException
    at com.sun.deploy.security.DeployManifestChecker.printWarningsIfRequired(Unknown Source)
    at com.sun.deploy.security.TrustDeciderDialog.doShowDialog(Unknown Source)
    at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
    at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
    at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.cisco.launcher.w.a(Unknown Source)
    at com.cisco.launcher.s.for(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.access$000(Unknown Source)
    at com.cisco.launcher.s$2.a(Unknown Source)
    at com.cisco.launcher.g$2.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.cisco.launcher.w.a(Unknown Source)
at com.cisco.launcher.s.for (unknown Source)
at com.cisco.launcher.s.new (unknown Source)
to com.cisco.launcher.s.access$ 000 (unknown Source)
to com.cisco.launcher.s$ 2.a (unknown Source)
to com.cisco.launcher.g$ 2.run (unknown Source)
at java.lang.Thread.run (unknown Source)
Caused by: java.security.cert.CertificateException: Java could not be trusted to server
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted (unknown Source)
... 19 more
Hello
It is a known issue with Java 1.7 update 51. The Launcher will not work with update 51. We are working on that. As a workaround, please launch ASDM using Java Web Start.
-
Hi guys
Is there an IPsec limit on the ASA 5510?
Users complained that once connected they could not access any server on the local network, but now it works fine.
Hello
What do you mean by limit? The number of IPsec sessions is limited to 250, if I remember correctly.
As for limiting access to internal resources, there is none.
Are these users using the same IPsec VPN as the others? Do your crypto ACL and NAT exemption allow all internal resources?
Thank you
PS: Please do not forget to rate and mark as the correct answer if this answered your question.
-
Disable Cisco ASA login using only the enable password via ASDM
Hi all
How can I disable logging in to my Cisco ASA 5520 using only the enable password via ASDM? I would like ASDM logins to use a username and password. TIA!
The command:
aaa authentication http console LOCAL
...will force users accessing ASDM (which uses HTTP(S) as transport) to be authenticated against the LOCAL database.
You can also specify another defined authentication method list, such as RADIUS or AD. (Although I would always leave a LOCAL method in place as well, for the case where your external authentication server is not available.)
-
ASA 5510 IPsec VPN connection problem
Hello
We have an ASA 5510 (ASA version 8.0) with remote-access VPN configured, and it works most of the time, but there is a problem when more than one client connects from the same remote office. When the first VPN client at the remote office connects, everything works fine, but when the second client connects to the VPN, it connects fine but does not get any return traffic. Under Monitoring -> VPN Statistics -> Sessions -> Remote Access, its Rx Bytes is 0. Both connections come from the same public IP address of the remote office. I changed some settings on NAT-T and a few other things, but without success.
Could someone please help me fix this?
Thank you very much.
Make sure the clients use NAT-T, because they probably are not (the default is NAT-T).
Federico.
-
Cisco ASA 5510 - Cisco client can connect to the VPN but cannot ping!
Hello
I have an ASA 5510 with the configuration below. I have configured the ASA as a VPN server for remote access with the Cisco VPN client; my problem is that I can connect but I cannot ping.
Config
ciscoasa# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password 5QB4svsHoIHxXpF encrypted
names
name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
name xxx.xxx.xxx.xxx Mail_Server
name xxx.xxx.xxx.xxx IncomingIP
name xxx.xxx.xxx.xxx SAP
name xxx.xxx.xxx.xxx Web_server
name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
name 192.168.2.2 isa_server_outside
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address IncomingIP 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.253 255.255.255.0
 management-only
!
passwd 123
ftp mode passive
clock timezone EST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group service TCP_8081 tcp
 port-object eq 8081
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
 port-object eq 3200
 port-object eq 3300
 port-object eq 3600
 port-object eq 3299
 port-object eq 3390
 port-object eq 50000
 port-object eq 3396
 port-object eq 3397
 port-object eq 3398
 port-object eq imap4
 port-object eq 587
 port-object eq 993
 port-object eq 8000
 port-object eq 8443
 port-object eq telnet
 port-object eq 3901
 group-object TCP_8081
 port-object eq 1433
 port-object eq 3391
 port-object eq 3399
 port-object eq 8080
 port-object eq 3128
 port-object eq 3900
 port-object eq 3902
 port-object eq 7777
 port-object eq 3392
 port-object eq 3393
 port-object eq 3394
 port-object eq 3395
 port-object eq 92
 port-object eq 91
 port-object eq 3206
 port-object eq 8001
 port-object eq 8181
 port-object eq 7778
 port-object eq 8180
 port-object eq 22222
 port-object eq 11001
 port-object eq 11002
 port-object eq 1555
 port-object eq 2223
 port-object eq 2224
object-group service RDP tcp
 port-object eq 3389
object-group service 3901 tcp
 description 3901
 port-object eq 3901
object-group service 50000 tcp
 description 50000
 port-object eq 50000
object-group service Enable_Transparent_Tunneling_UDP udp
 port-object eq 4500
access-list inside_access_in remark SAP connection
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in remark Outgoing VPN - PPTP
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in remark Outgoing VPN - GRE
access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
access-list inside_access_in remark Outgoing VPN - GRE
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark Outgoing VPN - IKE Client
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
access-list inside_access_in remark Outgoing VPN - IPSec NAT-T
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
access-list inside_access_in remark Outgoing DNS
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in remark Outgoing DNS
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in remark Forwarded Ports
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ah any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-list VPN standard permit 192.168.2.0 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 Mail_Server netmask 255.0.0.0
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
static (inside,outside) 192.168.2.0 access-list corp_vpn
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transet esp- esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA transet
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain domain.local interface inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
tftp-server management 192.168.1.123
group-policy mypolicy internal
group-policy mypolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN
username vpdn password 123
username vpdn attributes
 vpn-group-policy mypolicy
 service-type remote-access
tunnel-group mypolicy type remote-access
tunnel-group mypolicy general-attributes
 address-pool
 default-group-policy mypolicy
tunnel-group mypolicy ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.
Hello
You probably need
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
Your split-tunnel and NAT0 configurations seem fine.
-Jouni
-
Unable to connect to VPN server behind ASA 5510 with Windows clients
Hi all
I've seen a number of posts on this and followed a few support documents on this issue, but I'm totally stuck now; nothing seems to work for me.
This is the usual scenario: I have a Windows 2003 VPN server sitting on the private LAN behind our ASA 5510 firewall, and I am trying to get my Windows XP/7 laptops to connect to it.
Within ASDM:
1) Created a public server for protocol 1723
2) Created a public server for the GRE protocol
3) Both public servers created above have the same public and private addresses
4) The above created a static public-to-private NAT rule in the firewall's NAT section
5) Also created two firewall rules on the external interface for both 1723 and GRE, as above
When trying to connect, I get the following entry in the debug log:
6 Aug 06 2010 17:09:37 302013 195.74.141.2 1045 1723 ChamberVPN-internal Built inbound TCP connection 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to inside:ChamberVPN-internal/1723 (XXX.XXX.XXX.XXX/1723)
but nothing else.
The server shows no connection attempt, so I think I'm missing something on the firewall.
Also on the inside interface there is a temporary rule:
Source: any
Destination: any
Service: IP
Action: permit
This should allow all outbound traffic as far as I know...
Any help would be greatly appreciated.
Chris
Hi Chris,
The ASA log indicates that the connection is torn down because of "SYN timeout". This means the ASA receives no response from the Windows server. Now we need to clarify some points:
1 - Does your VPN server have a correct default gateway, or a route pointing at your ASA's inside interface?
2 - Is it possible to start a packet capture on the Windows server? With that we can get flow information between client and server, and we can be sure whether the Windows server sees the VPN request.
Ufuk Güler
-
IPsec between a router and an ASA 5510
Hi all
I have problems getting an IPsec L2L tunnel up. I have set up a router and an ASA 5510 to do IPsec between them, but it seems to fail in phase 1. I have already checked and I am 100% sure the key is correct. Can someone shed some light on the issue I have? Here's the debug output I get from the two systems.
Thank you
Hello
Do the ISAKMP policies match on both devices? What IOS version is running on the router, and what version on the ASA 5510?
Thank you
-
How to determine the cause of an IPsec tunnel drop on an ASA 5510
Is there an easy way to determine the cause of an IPsec L2L VPN tunnel drop on an ASA 5510? I have logging enabled, but the buffer fills up so fast that I can't find anything 24 hours later. I'm working on getting a syslog server/aggregator configured, but until that is complete I need a temporary measure. Suggestions?
Hi Jessica.
For the buffer limit, you can try:
Increasing the maximum buffer size.
Limiting the logs to the VPN class:
logging class vpn buffered debugging
On the other hand, you can try the debugs:
debug crypto condition peer <peer_address>
debug cry isa 128
debug cry ipsec 128
If you lose the SSH session, debugging is disabled. Finally, VPN tunnels usually go down due to:
Idle timeout
Dead peer detection
Removal from the other end.
HTH.
-
Chromebook L2TP/IPsec to ASA 5510
Hello
I am having trouble getting a Chromebook to establish a remote-access VPN connection using L2TP/IPsec to a Cisco ASA 5510 running 7.2(5).
Running debug crypto isakmp 5 I see the following logs (IPs changed...):
Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 4
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload: Address 3.3.3.3, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 1...
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, processing IPSec SA payload
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE QM Responder FSM error history (struct &0x3d48800) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
1.1.1.1 = Chromebook's NATed remote address
2.2.2.2 = ASA 5510 acting as the remote-access termination point
3.3.3.3 = Chromebook private address
I noticed that the Chromebook's private address appears as the remote proxy ID, but later it looks for the NATed address applied to the Chromebook. Not sure if this is the cause, or how to solve it if it is.
Can someone advise please?
Thank you
Ryan
7.2 is old code. You could re-test with 9.0.x or 9.1.x.
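To read a trace like the one above systematically, here is an added Python example (not code from the thread or from Cisco) that walks IKEv1 debug output and reports how far the negotiation got and why it stopped. The sample input is a constructed, abridged copy of the debug lines quoted in the post, with the same placeholder addresses; the message strings matched are the ones the ASA IKEv1 code emits.

```python
import re

# Constructed sample: an abridged copy of the 'debug crypto isakmp 5' output
# quoted in the post above (placeholder addresses 1.1.1.1 / 2.2.2.2 / 3.3.3.3).
SAMPLE_DEBUG = """\
Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload: Address 3.3.3.3, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!
"""

GROUP_RE = re.compile(r"Connection landed on tunnel_group (?P<name>\S+)")
NAT_RE = re.compile(r"Remote end (?P<state>IS|is NOT) behind a NAT device")
PROXY_RE = re.compile(
    r"Received (?P<side>remote|local) Proxy Host data in ID Payload: "
    r"Address (?P<addr>[\d.]+), Protocol (?P<proto>\d+), Port (?P<port>\d+)")
MAP_RE = re.compile(r"IKE Remote Peer configured for crypto map: (?P<name>\S+)")


def analyze_ikev1_debug(text):
    """Summarise an IKEv1 responder trace: which phase completed, what failed."""
    r = {"tunnel_group": None, "phase1": False, "phase2": "not attempted",
         "l2tp": False, "remote_behind_nat": None, "proxy": {},
         "static_map_miss": False, "crypto_map": None, "findings": []}
    for line in text.splitlines():
        if m := GROUP_RE.search(line):
            r["tunnel_group"] = m["name"]
        if m := NAT_RE.search(line):
            r["remote_behind_nat"] = m["state"] == "IS"
        if "PHASE 1 COMPLETED" in line:
            r["phase1"] = True
        if m := PROXY_RE.search(line):
            r["proxy"][m["side"]] = (m["addr"], int(m["proto"]), int(m["port"]))
        if "L2TP/IPSec session detected" in line:
            r["l2tp"] = True
        if "ACL does not match proxy IDs" in line:
            r["static_map_miss"] = True
        if m := MAP_RE.search(line):
            r["crypto_map"] = m["name"]
        if "PHASE 2 COMPLETED" in line:
            r["phase2"] = "completed"
        if "All IPSec SA proposals found unacceptable" in line:
            r["phase2"] = "failed: no acceptable IPsec SA proposal"

    failed = r["phase2"].startswith("failed")
    if r["phase1"] and failed:
        r["findings"].append("Phase 1 completed, so the pre-shared key and ISAKMP policy are fine; "
                             "Quick Mode failed on the IPsec (phase 2) proposal.")
    if r["static_map_miss"] and r["crypto_map"]:
        r["findings"].append("The static-map miss is normal for a remote-access peer: the check is "
                             f"done against the peer's NATed address, then the peer falls through "
                             f"to the dynamic map {r['crypto_map']}.")
    if r["l2tp"] and failed:
        r["findings"].append("L2TP/IPsec clients negotiate transport mode: the transform set on the "
                             "dynamic map needs 'mode transport' and a cipher/hash the client offers.")
    if r["remote_behind_nat"] and failed:
        r["findings"].append("The peer is behind NAT, so only the UDP-encapsulated (NAT-T) modes are "
                             "considered; NAT-T must stay enabled and UDP/4500 reachable.")
    return r


if __name__ == "__main__":
    result = analyze_ikev1_debug(SAMPLE_DEBUG)
    print(f"tunnel-group {result['tunnel_group']}, phase1={result['phase1']}, "
          f"phase2={result['phase2']}")
    for f in result["findings"]:
        print(" -", f)
```

The point of the script is the ordering of the checks: once "PHASE 1 COMPLETED" is present, key and ISAKMP policy are off the table, and the only things left to compare are the transform set, its mode and the NAT-T behaviour on the dynamic map the peer actually landed on.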
-
Hello
So I'm pretty familiar with the ASA
but not so much with VPNs.
My goal is to get as much security as possible when a user connects via the VPN,
which means I want the user to connect with a username, a password and a certificate that is just for this user
and not a group certificate,
and also to validate the user via LDAP.
But if the two cannot be done together, the first option I mentioned is more important to me.
So my question is: how can this be done on the ASA? Is it possible to connect using a different certificate for each user?
It was possible on my old firewall using OpenVPN.
I want to use the ASA as the certificate server.
I use ASDM 6.4
ASA 5510 software version 8.4(4)
Thanks in advance.
For the legacy VPN Client you can use an enterprise CA such as the one integrated in Windows Server 2k3/2k8. The ASA's local CA supports SSL VPN only. But for a new deployment you should really go for the AnyConnect client.
-
Hello
We have two AD groups: one for the network admins, one for the system administrators. The network admins should get priv lvl 15, the others priv lvl 3.
This is the setup I use:
TestASA# sh run ldap attribute-map test4
ldap attribute-map test4
  map-name  comment Privilege-Level
  map-value comment fw-ro 5
  map-value comment fw-rw 15
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf "cn=s-FW-Admin,OU=Security groups,DC=802101,DC=local" 6
  map-value memberOf "cn=s-fw-ro,OU=Security groups,DC=802101,DC=local" 5
Users in both groups can connect via SSH and ASDM, but all users get the same rights, priv lvl 15.
Does someone have an idea?
You should visit the link below to configure the ASA for read-only access and admin access; not sure if you have already been there.
https://supportforums.Cisco.com/docs/doc-33843
~BR
Jatin Kone *Do rate all helpful posts*
-
Deny TCP (no connection) and Teardown TCP connection on ASA 5510, HELP please
I'm currently running an ASA 5510 with an AIP-SSM-10 IPS module, and I have a problem with the ASA. With the IPS feature currently disabled, I keep receiving complaints about blocked/idle connections to the Oracle server on port 8000 from remote-office hosts. I traced it with syslog and received a large number of messages associated with the Oracle server's IP address.
The network diagram is a bit like this:
 ________          ________          _____________
| Oracle |        | switch |        |  ASA 5510   |
| Server |--------|        |--------| transparent |
 --------          --------          -------------
192.168.10.206                             |
                                           |
                                     -------------
                                    |   ROUTER    |
                                     -------------
                                           |
 ________                            -------------
| REMOTE |--------------------------|   Router    |
|  USER  |                           -------------
 --------
192.168.5.x
and the syslog messages look like:
302013: Built inbound TCP connection 1662347 for OUTSIDE:192.168.5.52/1311 (192.168.5.52/1311) to inside:192.168.10.206/8000 (192.168.10.206/8000)
302014: Teardown TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 to inside:192.168.10.206/8000 duration 0:00:00 bytes 542 TCP FINs
302013: Built inbound TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 (192.168.5.52/1310) to inside:192.168.10.206/8000 (192.168.10.206/8000)
302014: Teardown TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 to inside:192.168.10.206/8000 duration 0:00:00 bytes 539 TCP FINs
302013: Built inbound TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 (192.168.5.52/1309) to inside:192.168.10.206/8000 (192.168.10.206/8000)
106015: Deny TCP (no connection) from 192.168.5.52/1302 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
302014: Teardown TCP connection 1662338 for OUTSIDE:192.168.5.52/1308 to inside:192.168.10.206/8000 duration 0:00:00 bytes 538 TCP FINs
106015: Deny TCP (no connection) from 192.168.5.52/1301 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
106015: Deny TCP (no connection) from 192.168.5.52/1298 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
106015: Deny TCP (no connection) from 192.168.5.52/1303 to 192.168.10.206/8000 flags FIN ACK on interface OUTSIDE
Can someone help me? I'm completely stuck on the cause of this problem...
Thank you.
7.1(2), which contains the fix for it, is already posted at http://www.cisco.com/cgi-bin/tablebuild.pl/pix.
If the workaround works for you, however, and you don't hit any other problems, then I would probably recommend you just stay on this version, but I'll leave it up to you.
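When a syslog buffer fills with 302013/302014/106015 messages like the ones in this thread, correlating them is faster than reading them one by one. The following is an added Python example (not from the thread or from Cisco) that parses those three ASA message IDs, keys the build/teardown pairs on connection ID and 4-tuple, and then checks each 106015 "no connection" deny against the state the ASA is known to have had. The sample log is a constructed copy of the excerpt quoted above; the regexes follow the message formats ASA 7.x/8.x emit.

```python
import re
from collections import Counter

# Constructed sample: the syslog excerpt quoted in the post above, newest first
# as the poster's viewer showed it (two spaces before "on interface" as the ASA prints it).
SAMPLE_LOG = """\
302013: Built inbound TCP connection 1662347 for OUTSIDE:192.168.5.52/1311 (192.168.5.52/1311) to inside:192.168.10.206/8000 (192.168.10.206/8000)
302014: Teardown TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 to inside:192.168.10.206/8000 duration 0:00:00 bytes 542 TCP FINs
302013: Built inbound TCP connection 1662345 for OUTSIDE:192.168.5.52/1310 (192.168.5.52/1310) to inside:192.168.10.206/8000 (192.168.10.206/8000)
302014: Teardown TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 to inside:192.168.10.206/8000 duration 0:00:00 bytes 539 TCP FINs
302013: Built inbound TCP connection 1662343 for OUTSIDE:192.168.5.52/1309 (192.168.5.52/1309) to inside:192.168.10.206/8000 (192.168.10.206/8000)
106015: Deny TCP (no connection) from 192.168.5.52/1302 to 192.168.10.206/8000 flags FIN ACK  on interface OUTSIDE
302014: Teardown TCP connection 1662338 for OUTSIDE:192.168.5.52/1308 to inside:192.168.10.206/8000 duration 0:00:00 bytes 538 TCP FINs
106015: Deny TCP (no connection) from 192.168.5.52/1301 to 192.168.10.206/8000 flags FIN ACK  on interface OUTSIDE
"""

BUILT_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")
DENY_RE = re.compile(
    r"106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)")


def parse_line(line):
    """Return a dict for a recognised 302013/302014/106015 line, else None."""
    for kind, rx in (("built", BUILT_RE), ("teardown", TEARDOWN_RE), ("deny", DENY_RE)):
        m = rx.search(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def duration_seconds(dur):
    h, m, s = (int(x) for x in dur.split(":"))
    return h * 3600 + m * 60 + s


def analyze(text):
    """Correlate builds, teardowns and 'no connection' denies from raw syslog text."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    built_ids, torn_ids, flows_seen = set(), set(), set()
    short_lived, reasons, denies, targets = 0, Counter(), [], Counter()
    for e in events:
        tup = (e["src"], e["sport"], e["dst"], e["dport"])
        if e["kind"] == "built":
            built_ids.add(e["cid"]); flows_seen.add(tup)
        elif e["kind"] == "teardown":
            torn_ids.add(e["cid"]); flows_seen.add(tup)
            reasons[e["reason"]] += 1
            if duration_seconds(e["dur"]) == 0:
                short_lived += 1   # opened and closed within the same second
        else:
            denies.append(e); targets[(e["dst"], e["dport"])] += 1
    # A FIN/ACK with no state is the closing handshake arriving after the ASA
    # dropped the connection (or after a path it never saw the SYN on).
    stray_fin_ack = [d for d in denies if {"FIN", "ACK"} <= set(d["flags"].split())]
    deny_after_state = [d for d in denies
                        if (d["src"], d["sport"], d["dst"], d["dport"]) in flows_seen]
    hints = []
    if stray_fin_ack:
        hints.append("FIN/ACK segments dropped as 'no connection': the ASA had no state for them, "
                     "either because it had already torn the connection down or because it never "
                     "saw the SYN on this interface (asymmetric path through the transparent firewall).")
    if short_lived:
        hints.append("Connections close within one second (duration 0:00:00, TCP FINs): the client "
                     "opens a new TCP session per request, so late FIN/ACKs after teardown are expected noise.")
    return {
        "events": len(events), "built": len(built_ids), "torn_down": len(torn_ids),
        "denies": len(denies), "short_lived": short_lived,
        "stray_fin_ack": len(stray_fin_ack), "deny_after_state": len(deny_after_state),
        "top_target": targets.most_common(1)[0][0] if targets else None,
        "teardown_reasons": dict(reasons),
        "unmatched_teardowns": sorted(torn_ids - built_ids),
        "hints": hints,
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Feed it the buffered log with `show logging` output instead of the constructed sample; a large share of `deny_after_state` points at the ASA removing state too early (timeouts), while denies whose 4-tuple never appears in a 302013 on that interface point at traffic taking a path the ASA did not see the SYN on.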