IPS on ASA 5505 test modules
How all you check traffic IPS on the AIP SSC5 in a 5505, because the default signatures are retired and you can't the fights, we can't activate 2000-2012 on the 5505 signatures.
Look at the web-signatures. There are a couple of them that shoudn't be retired. Such as directory traversal attacks or access to cmd.exe. These can be easily verified in a browser or with a like nessus vulnerability scanner.
Tags: Cisco Security
Similar Questions
-
the upgrade of IPS chains, ASA-SSM - 10 module
I'll have a difficult time, the upgrade of the module ASA IPS SSM-10. I down loaded the IPS-GIS-s327-req - e1.pkg to the FTP Win XP (my workstation). The following does not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt
"error: execUpgradeSoftware: connection failed. Any suggestion would be appreciated.
Also, have you been able to update your signature?
-
HI Experts,
Can you please give me an idea on what this module IDS/IPS for ASA 5505?
How much does it cost? How to install and configure to work with ASA 5505?
We have also a few site to site of ASA 5505 VPN configuration. This would affect somehow?
Thank you very much
ANUP
ANUP-
You should be able to find the links that I provided for you with a general search on Cisco's Web site for 'ssc-5' and 'installation' and 'configure '.
No, you should still ASA terminate Internet access. You want to have the SSC-5 module (IPS) to monitor the interfaces from the INSIDE, (always wanting to make IDS/IPS inside a firewall). This way you can see the traffic after it has been decrypted on your VPN, and after the traffic has been filtered to your firewall rules.
-Bob
-
Block the specific IP traffic in ASA 5505
Hi, we have an ASA 5505 in transparent mode and run a web service online. However, we notice a number of attempts to intrution from China and Korea and we need to block these IP traffic can anyone help please?
config script is
transparent firewall
hostname xxyyASA
Select msi14F/SlH4ZLjHH of encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
Description - the Internet-
switchport access vlan 2
!
interface Ethernet0/1
Description - connected to the LAN-
!
interface Ethernet0/2
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
Bridge-Group 1
security-level 100
!
interface Vlan2
nameif outside
Bridge-Group 1
security-level 0
!
interface BVI1
Description - for management only-
IP address xxx.yyy.zzz.uuu 255.255.xxx.yyy
!
passive FTP mode
network of the WWW-SERVER-OBJ object
Home xxx.yyy.zzz.jjj
Description - webserver-
WWW-SERVER-SERVICES-TCP-OBJ tcp service object-group
Description - Services published on the WEB server-
WWW-SERVER-SERVICES-UDP-OBJ udp service object-group
Description - Services published on the WEB server - UDP
Beach of port-object 221 225
1719-1740 object-port Beach
OUTSIDE-IN-ACL scope tcp access list deny any any eq 3306
OUTSIDE-IN-ACL scope tcp access list deny any any eq telnet
OUTSIDE-IN-ACL scopes allowed icmp an entire access list
OUTSIDE-IN-ACL scopes permitted tcp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access list OUTSIDE-IN-ACL scopes permit tcp host xxx.yyy.zzz.uuu object WWW-SERVER-OBJ eq 3306
OUTSIDE-IN-ACL scopes permitted udp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
We need to block access of host say 64.15.152.208
Just need the best step to follow and block access, without affecting the service or other host
Thank you
Insert a line like:
OUTSIDE-IN-ACL scope access list deny host ip 64.15.152.208 all
in front of your 3rd line "... to enable icmp a whole."
If you have many of them, maybe do:
object-group network blacklist
host of the object-Network 64.15.152.208
network-host another.bad.ip.here object
object-network entire.dubious.subnet.here 255.255.255.0
...
OUTSIDE-IN-ACL scope object-group BLACKLIST ip deny access list all
If you want to take in scores of reputation on the outside, or the blacklist changes a lot, you might look into the Cisco ASA IPS module.
Note that fleeing bad hosts help with targeted attacks, but not with denial of service; only, he moves to point decline since the application for the firewall server, without much effect on the net on your uplink bandwidth consumption.
-Jim Leinweber, WI State Lab of hygiene
-
How to accompany the IDS in ASA 5505 and 5520?
Dear All;
We have the following configuration of HW for the ASA 5505 and ASA 5520, we add the functionality of system of detection of Intrusion (IDS) to the two ASA. My question is: what are the modules required to support this function, and what is the deference between IPS and IDS, fact the same Module both the feature?
Part number: Description QTY. ASA5505-BUN-K9
ASA 5505 appliance with SW 10 users, 8 ports, 3DES/AES
1
CON-SNT-AS5BUNK9
SMARTNET 8X5XNBD ASA5505-BUN-K9
1
SF-ASA5505 - 8.2 - K8
ASA 5505 Series Software v8.2
1
CAB-AC-C5
Power supply cord Type C5 U.S.
1
ASA5500-BA-K9
ASA 5500 license (3DES/AES) encryption
1
ASA5505-PWR-AC
ASA 5505 power adapter
1
ASA5505-SW-10
ASA 5505 10 user software license
1
SSC-WHITE
ASA 5505 hood SSC of the location empty
1
ASA-ANYCONN-CSD-K9
ASA 5500 AnyConnect Client + Cisco Security Office software
1
Part number: Description QTY. ASA5520-BUN-K9
ASA 5520 appliance with SW HA, 4GE + 1FE, 3DES/AES
2
CON-SNT-AS2BUNK9
SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs 4GE + 1FE3DES/AES
2
ASA5520-VPN-PL
ASA 5520 VPN over 750 IPsec User License (7.0 only)
2
ASA-VPN-CLNT-K9
Cisco VPN Client (Windows Solaris Linux Mac) software
2
SF - ASA - 8.2 - K8
ASA 5500 Series Software v8.2
2
CAB - ACU
Power supply cord (UK) C13 BS 1363 2.5 m
2
ASA-180W-PWR-AC
Power supply ASA 180W
2
ASA5500-BA-K9
ASA 5500 license (3DES/AES) encryption
2
ASA-ANYCONN-CSD-K9
ASA 5500 AnyConnect Client + Cisco Security Office software
2
SSM-WHITE
ASA/IPS SSM hood of the location
2
Thanks in advance.
Rashed Ward.
Okay, I was not quite correct in my first post.
These modules - modules only available for corresponding models of ASA.
They all can act as IPS (inline mode) or IDS ("Promiscuous" mode), depending on how you configure your policies.
When acting as IPS, ASA redirects all traffic through the module, then all the traffic is inspected and can be dropped inline if a signature is triggered.
When she acts as an ID, ASA a few exemplary traffic is the module for inspection, but the actual traffic is not affected by the module, as it's not inline in this case.
In addition, these modules can be both comdination. That is part of the traffic can be inspected "inline", when some other (more sensitive) traffic can be inspected in promiscuous mode.
To better understand, familiarize themselves with this link:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/modules_ips.html
-
Client VPN und Cisco asa 5505 tunnel work but no traffic
Hi all
I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.
I have the following problem:
I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.
To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.
Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.
After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.
I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).
What I did wrong. Could someone let me know what I have to do today.
With hope for your help Dimitri.
ASA configuration after reset and basic configuration: works to the Internet from within the course.
: Saved
: Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010
!
ASA Version 8.2 (2)
!
ciscoasa hostname
activate 2KFQnbNIdI.2KYOU encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
PPPoE client vpdn group home
IP address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa822 - k8.bin
passive FTP mode
clock timezone THATS 1
clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 194.25.0.60
Server name 194.25.0.68
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session
inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session
inside_access_in list extended access deny ip any any debug log
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0
permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128
homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-625 - 53.bin
ASDM location 192.168.0.0 255.255.0.0 inside
ASDM location 192.168.10.0 255.255.255.0 inside
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
VPDN group home request dialout pppoe
VPDN group House localname 04152886790
VPDN group House ppp authentication PAP
VPDN username 04152886790 password 1
dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
TFTP server 192.168.1.5 inside c:/tftp-root
WebVPN
Group Policy inner residential group
attributes of the strategy of group home group
value of 192.168.1.1 DNS server
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list homegroup_splitTunnelAcl
username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn
user01 username attributes
VPN-strategy group home group
tunnel-group home group type remote access
attributes global-tunnel-group home group
address homepool pool
Group Policy - by default-homegroup
tunnel-group group residential ipsec-attributes
pre-shared-key ciscotest
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb
: end
Hello
Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).
If you connect via VPN, check the following:
1. the tunnel is established:
HS cry isa his
Must say QM_IDLE or MM_ACTIVE
2 traffic is flowing (encrypted/decrypted):
HS cry ips its
3. Enter the command:
management-access inside
And check if you can PING the inside ASA VPN client IP.
4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).
Federico.
-
Cisco ASA 5505 VPN Site to Site
Hi all
First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..
I'd appreciate any help that can be directed to this problem please. Slowly losing my mind
Please see details below:
Two ADMS are 7.1
IOS
ASA 1
Nadia
:
ASA Version 9.0 (1)
!
hostname PAYBACK
activate the encrypted password of HSMurh79NVmatjY0
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
link Trunk Description of SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk vlan 1 native
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan2
nameif outside
security-level 0
IP 92.51.193.158 255.255.255.252
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif servers
security-level 100
address 192.168.20.1 255.255.255.0
!
Vlan30 interface
nameif printers
security-level 100
192.168.30.1 IP address 255.255.255.0
!
interface Vlan40
nameif wireless
security-level 100
192.168.40.1 IP address 255.255.255.0
!
connection line banner welcome to the Payback loyalty systems
boot system Disk0: / asa901 - k8.bin
passive FTP mode
summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
domain-lookup DNS servers
DNS lookup domain printers
DNS domain-lookup wireless
DNS server-group DefaultDNS
Server name 83.147.160.2
Server name 83.147.160.130
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
ftp_server network object
network of the Internal_Report_Server object
Home 192.168.20.21
Description address internal automated report server
network of the Report_Server object
Home 89.234.126.9
Description of server automated reports
service object RDP
service destination tcp 3389 eq
Description RDP to the server
network of the Host_QA_Server object
Home 89.234.126.10
Description QA host external address
network of the Internal_Host_QA object
Home 192.168.20.22
host of computer virtual Description for QA
network of the Internal_QA_Web_Server object
Home 192.168.20.23
Description Web Server in the QA environment
network of the Web_Server_QA_VM object
Home 89.234.126.11
Server Web Description in the QA environment
service object SQL_Server
destination eq 1433 tcp service
network of the Demo_Server object
Home 89.234.126.12
Description server set up for the product demo
network of the Internal_Demo_Server object
Home 192.168.20.24
Internal description of the demo server IP address
network of the NETWORK_OBJ_192.168.20.0_24 object
subnet 192.168.20.0 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_26 object
255.255.255.192 subnet 192.168.50.0
network of the NETWORK_OBJ_192.168.0.0_16 object
Subnet 192.168.0.0 255.255.0.0
service object MSSQL
destination eq 1434 tcp service
MSSQL port description
VPN network object
192.168.50.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_24 object
192.168.50.0 subnet 255.255.255.0
service object TS
tcp destination eq 4400 service
service of the TS_Return object
tcp source eq 4400 service
network of the External_QA_3 object
Home 89.234.126.13
network of the Internal_QA_3 object
Home 192.168.20.25
network of the Dev_WebServer object
Home 192.168.20.27
network of the External_Dev_Web object
Home 89.234.126.14
network of the CIX_Subnet object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_84.39.233.50 object
Home 84.39.233.50
network of the NETWORK_OBJ_92.51.193.158 object
Home 92.51.193.158
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
the tcp destination eq ftp service object
the purpose of the tcp destination eq netbios-ssn service
the purpose of the tcp destination eq smtp service
service-object TS
the Payback_Internal object-group network
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
service-object TS
service-object, object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object RDP
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
object-group service DM_INLINE_SERVICE_5
purpose purpose of the MSSQL service
service-object RDP
service-object TS
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service DM_INLINE_SERVICE_6
service-object TS
service-object, object TS_Return
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
Note to outside_access_in to access list that this rule allows Internet the interal server.
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-list of FTP access
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list of SMTP access
Note to outside_access_in to access list Net Bios
Comment from outside_access_in-SQL access list
Comment from outside_access_in-list to access TS - 4400
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server
access host access-list outside_access_in note rule internal QA
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www
Notice on the outside_access_in of the access-list access to the internal Web server:
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server
Note to outside_access_in to access list rule allowing access to the demo server
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list to access MSSQL
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
Note to outside_access_in access to the development Web server access list
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
AnyConnect_Client_Local_Print deny any4 any4 ip extended access list
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137
AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns
Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0
permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
Enable logging
information recording console
asdm of logging of information
address record
the journaling recipient
level alerts
Outside 1500 MTU
Within 1500 MTU
MTU 1500 servers
MTU 1500 printers
MTU 1500 wireless
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-711 - 52.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (wireless, outdoors) source Dynamics one interface
NAT (servers, outside) no matter what source dynamic interface
NAT (servers, external) static source Internal_Report_Server Report_Server
NAT (servers, external) static source Internal_Host_QA Host_QA_Server
NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM
NAT (servers, external) static source Internal_Demo_Server Demo_Server
NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
NAT (servers, external) static source Internal_QA_3 External_QA_3
NAT (servers, external) static source Dev_WebServer External_Dev_Web
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1ASA 2
ASA Version 9.0 (1)
!
Payback-CIX hostname
activate the encrypted password of HSMurh79NVmatjY0
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
Description this port connects to the local network VIRTUAL 100
switchport access vlan 100
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
switchport access vlan 100
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport access vlan 100
!
interface Ethernet0/7
switchport access vlan 100
!
interface Vlan2
nameif outside
security-level 0
IP 84.39.233.50 255.255.255.240
!
interface Vlan100
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
banner welcome to Payback loyalty - CIX connection line
passive FTP mode
summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
DNS server-group defaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the host-CIX-1 object
host 192.168.100.2
Description This is the VM server host machine
network object host-External_CIX-1
Home 84.39.233.51
Description This is the external IP address of the server the server VM host
service object RDP
source between 1-65535 destination eq 3389 tcp service
network of the Payback_Office object
Home 92.51.193.158
service object MSQL
destination eq 1433 tcp service
network of the Development_OLTP object
Home 192.168.100.10
Description for Eiresoft VM
network of the External_Development_OLTP object
Home 84.39.233.52
Description This is the external IP address for the virtual machine for Eiresoft
network of the Eiresoft object
Home 146.66.160.70
Contractor s/n description
network of the External_TMC_Web object
Home 84.39.233.53
Description Public address to the TMC Web server
network of the TMC_Webserver object
Home 192.168.100.19
Internal description address TMC Webserver
network of the External_TMC_OLTP object
Home 84.39.233.54
External targets OLTP IP description
network of the TMC_OLTP object
Home 192.168.100.18
description of the interal target IP address
network of the External_OLTP_Failover object
Home 84.39.233.55
IP failover of the OLTP Public description
network of the OLTP_Failover object
Home 192.168.100.60
Server failover OLTP description
network of the servers object
subnet 192.168.20.0 255.255.255.0
being Wired network
192.168.10.0 subnet 255.255.255.0
the subject wireless network
192.168.40.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the Eiresoft_2nd object
Home 137.117.217.29
Description 2nd Eiresoft IP
network of the Dev_Test_Webserver object
Home 192.168.100.12
Description address internal to the Test Server Web Dev
network of the External_Dev_Test_Webserver object
Home 84.39.233.56
Description This is the PB Dev Test Webserver
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_2
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_3
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_4
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_5
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_6
service-object MSQL
service-object RDP
the Payback_Intrernal object-group network
object-network servers
Wired network-object
wireless network object
object-group service DM_INLINE_SERVICE_7
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_8
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_9
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_10
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_11
service-object RDP
the tcp destination eq ftp service object
outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1
Note to access list OLTP Development Office of recovery outside_access_in
outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group
Comment from outside_access_in-access Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group
Note to outside_access_in access to OLTP for target recovery Office Access list
outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group
Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server
outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group
Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft
outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group
Note to outside_access_in access from the 2nd IP Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group
outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (inside, outside) static source CIX-host-1 External_CIX-host-1
NAT (inside, outside) static source Development_OLTP External_Development_OLTP
NAT (inside, outside) static source TMC_Webserver External_TMC_Web
NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP
NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover
NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 92.51.193.156 255.255.255.252 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: endHello
There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.
All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.
Here are a few suggestions on what to change
ASA1
Minimal changes
the object of the LAN network
192.168.10.0 subnet 255.255.255.0
being REMOTE-LAN network
255.255.255.0 subnet 192.168.100.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.
Other suggestions
These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.
PAT-SOURCE network object-group
source networks internal PAT Description
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
no nat (wireless, outdoors) source Dynamics one interface
no nat (servers, outside) no matter what source dynamic interface
The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.
Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.
network of the SERVERS object
subnet 192.168.20.0 255.255.255.0
network of the VPN-POOL object
192.168.50.0 subnet 255.255.255.0
NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL
no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
ASA2
Minimal changes
the object of the LAN network
255.255.255.0 subnet 192.168.100.0
being REMOTE-LAN network
192.168.10.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM.
Other suggestions
PAT-SOURCE network object-group
object-network 192.168.100.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.
Hope this makes any sense and has helped
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
IPS of ASA journals collection
Hello
How can I collect newspapers of the IPS of the ASA? My firewall is ASA 5515 x, 9.1 (5) with module version IPS 4,0000 E4. Please let me know the commands to view the logs of IPS, also, how can I monitor these logs?
Kind regards
Martin
You must use either:
a. Device Manager IPS (basically ASDM pointed toward the IPS vs ASA address address and used real time connect to the visualization and the configuraiton)
(b) IPS Manager Express (keeps newspapers even when not active GUI, allows to manage several IPS), or
cisco Security Manager.
The first two are free tools for IPS unique or small facilities, and the third is a licensed - the company-wide product.
-
ASA 5505 possibly interfere/blocking calls Incound UC560
ASA 5505 interfering with incoming calls - Cisco - Spiceworks #entry - 5716462 #entry - 5716462
All,
We had this problem the phone when we lose connectivity for some reason any. Here is an example:
We have an ASA 5505 before our UC560. Power lost to ASA (power connector from main Board loose) primary did identical backup with config. The layout-design is the following:
UC560<--->ASA 5505 Cisco IAD24523<--->(provider)<---WAN(3 bonded="">---WAN(3>
After the passage of the ASAs, incoming calls have been piecemeal. I can see the traffic on the firewall when the calls log, nothing otherwise. OS on the device are:
UC560 - 15.0 XA (1r).
ASA 5505-4, 0000 38
Contacted the provider and after calls debugging support have been expire with the 408 SIP error.
Release with support from Cisco and after debugging UC is to launch the SIP 487 disconnect error.
So based on the above and the only variable being the ASA, I'm fairly certain that it is indeed the ASA. Here is the config ASA (it's pretty long, sorry):
Output of the command: "show run".
: Saved
:
: Serial number:
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA 4,0000 Version 38
!
XXXXX-CA hostname
activate the encrypted password of WUGxGkjzJJSPhT9N
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
WUGxGkjzJJSPhT9N encrypted passwd
names of
DNS-guard
192.168.254.1 mask - local 192.168.254.25 pool XXXXX-Remote IP 255.255.255.0
!
interface Ethernet0/0
Description-> Internet
switchport access vlan 2
!
interface Ethernet0/1
Description-> inside
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
Shutdown
No nameif
no level of security
no ip address
!
interface Vlan2
Description-> Internet<>
nameif outside
security-level 0
address IP XXX.XXX. XXX.242 255.255.255.240
!
interface Vlan10
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
!
exec banner * W A R N I N G *.
banner exec unauthorised access prohibited. All access is
banner exec monitored and the intruder may be continued
exec banner to the extent of the law.
connection of the banner * W A R N I N G *.
banner connect unauthorized access prohibited. All access is
connection banner monitored, and intruders will be prosecuted
connection banner to the extent of the law.
Banner motd! ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!
Banner motd this is a private computer system.
Banner motd, access is allowed only by authorized employees or agents of the
company banner motd.
Banner motd system can be used only for the authorized company.
Banner motd business management approval is required for all access privileges.
Banner motd, as this system is equipped with a safety system designed to prevent
Banner motd and attempts of unauthorized access record.
Banner motd
Banner motd unauthorized access or use is a crime under the law.
banner asdm XXXXX Enterprises Inc. $(hostname)
boot system Disk0: / asa904-38 - k8.bin
boot system Disk0: / asa904-29 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS domain-lookup outside
permit same-security-traffic intra-interface
object obj voip network
10.1.1.0 subnet 255.255.255.0
network object obj - 192.168.254.0--->--->
192.168.254.0 subnet 255.255.255.0
pool of local addresses of description
object obj cue-network
10.1.10.0 subnet 255.255.255.0
object obj priv-network
192.168.10.0 subnet 255.255.255.0
object obj data network
subnet 10.0.1.0 255.255.255.0
network object obj - 192.168.0.0
192.168.0.0 subnet 255.255.255.0
Description not used
network object obj - 192.168.1.0
subnet 192.168.1.0 255.255.255.0
Description not used
object obj nj-asa-private-network
Subnet 192.168.2.0 255.255.255.0
network obj object -? asa-private-network
192.168.5.0 subnet 255.255.255.0
network obj object -? asa-private-network
192.168.6.0 subnet 255.255.255.0
network obj object -? -asa - private-network
subnet 192.168.3.0 255.255.255.0
network obj object -? asa-priv-networl
subnet 192.168.4.0 255.255.255.0
network obj object -? asa-private-network
192.168.7.0 subnet 255.255.255.0
object obj-asa-Interior-voip-nic network
host 10.1.1.1
network obj_any object
subnet 0.0.0.0 0.0.0.0
network obj_any-01 object
subnet 0.0.0.0 0.0.0.0
network object obj - 0.0.0.0
host 0.0.0.0
object obj-vpn-nic network
Home 192.168.10.20
object obj XXXX-asa-private-network
192.168.8.0 subnet 255.255.255.0
House of XXXX description
network obj object -? asa-private-network
192.168.9.0 subnet 255.255.255.0
object asa inside-network data
subnet 10.0.1.0 255.255.255.0
asa data-outside-network object
subnet XXX.XXX. XXX.240 255.255.255.240
network of china-education-and-research-network-center object
Home 202.194.158.191
Acl explicitly blocked description
China unicom shandong network item
60.214.232.0 subnet 255.255.255.0
Acl explicitly blocked description
pbx-cue-Interior-nic network object
Home 10.1.10.2
pbx-cue-outside-nic network object
host 10.1.10.1
telepacific-voip-trunk network object
Home 64.60.66.250
Description is no longer used
us-la-mianbaodianying network object
Home 68.64.168.46
Acl explicitly blocked description
object network cue
10.1.10.0 subnet 255.255.255.0
private-network data object
192.168.10.0 subnet 255.255.255.0
pbx-outside-data-nic network object
host 10.0.1.2
pbx-voip-Interior-nic network object
host 10.1.1.1
voip network object
10.1.1.0 subnet 255.255.255.0
vpn-server-nic network object
Home 192.168.10.20
asa-data-outside-nic network object
host XXX.XXX. XXX.242
asa-voip-ctl-outside-nic network object
host XXX.XXX. XXX.244
the object 192.168.0.0 network
192.168.0.0 subnet 255.255.255.0
Description not used
the object 192.168.1.0 network
subnet 192.168.1.0 255.255.255.0
Description not used
nj-asa-priv-netowrk network object
Subnet 192.168.2.0 255.255.255.0
network of the 192.168.254.0 object
192.168.254.0 subnet 255.255.255.0
pool of local addresses of description
network of the object? -asa - private-network
subnet 192.168.3.0 255.255.255.0
network of the object? asa-private-network
subnet 192.168.4.0 255.255.255.0
network of the object? asa-private-network
192.168.5.0 subnet 255.255.255.0
network of the object? asa-private-network
192.168.6.0 subnet 255.255.255.0
network of the object? asa-private-network
192.168.7.0 subnet 255.255.255.0
network of the object? asa-private-network
192.168.9.0 subnet 255.255.255.0
the XXXX-asa-private-network object network
192.168.8.0 subnet 255.255.255.0
network object XXX.XXX. XXX.242
host XXX.XXX. XXX.242
service object 47
tcp source eq eq 47 47 destination service
object network dvr
Home 192.168.10.16
network dvr-nat-tcp8888 object
Home 192.168.10.16
network dvr-nat-tcp6036 object
Home 192.168.10.16
network dvr-nat-udp6036 object
Home 192.168.10.16
dvr-8888 service object
destination eq 8888 tcp service
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service dvr-6036-tcp - udp
port-object eq 6036
détermine access-list extended allow object to ip pbx-outside-data-nic any4 inactive
détermine access-list extended allow ip pbx-outside-data-nic inactive object any4
access-list extended testout allowed ip object asa-voip-ctl-outside-nic any4 inactive
access-list extended testout allowed ip any4 object asa-voip-ctl-outside-nic inactive
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.0.1.0 255.255.255.0
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.1.0 255.255.255.0
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.10.0 255.255.255.0
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 192.168.10.0 255.255.255.0
inside_nat0_outbound list extended access permitted ip network voip 192.168.254.0 object
inside_nat0_outbound list extended access permitted ip object cue-network 192.168.254.0
inside_nat0_outbound list extended access permits data-private-network ip object 192.168.254.0 object
inside_nat0_outbound list extended access permitted ip object asa-data-inside-network 192.168.254.0
inside_nat0_outbound list extended access permitted ip voip-network 192.168.0.0 idle object
inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.0.0 object
inside_nat0_outbound list extended access allowed object data-private-network 192.168.0.0 inactive ip
inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.0.0 inactive ip
inside_nat0_outbound list extended access permitted ip voip-network 192.168.1.0 idle object
inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.1.0 object
inside_nat0_outbound list extended access allowed object data-private-network 192.168.1.0 inactive ip
inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.1.0 inactive ip
inside_nat0_outbound list extended access allowed object ip voip-network object nj-asa-priv-netowrk
inside_nat0_outbound list extended access permitted ip cue-network object nj-asa-priv-netowrk object
inside_nat0_outbound list extended access permitted ip object data-private-network nj-asa-priv-netowrk
inside_nat0_outbound list extended access permitted ip object asa data-inside-network-nj-asa-priv-netowrk
inside_nat0_outbound list extended access permitted ip cue-XXXX-asa-private-network network object
inside_nat0_outbound extended access list permit ip object asa - Interior-data object XXXX-asa-private-network network
inside_nat0_outbound list extended access permitted ip voip XXXX-asa-private-network network object
inside_nat0_outbound list extended access allowed object of data-private-network ip XXXX-asa-private-network object
ezvpn1 list standard access allowed 192.168.10.0 255.255.255.0
ezvpn1 list standard access allowed 10.1.10.0 255.255.255.0
ezvpn1 list standard access allowed 10.0.1.0 255.255.255.0
ezvpn1 list standard access allowed 10.1.1.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.0.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.1.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.2.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.3.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.4.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.5.0 255.255.255.0
ezvpn1 standard access list allow the 192.168.6.0 255.255.255.0
ezvpn1 standard access list allow 192.168.7.0 255.255.255.0
ezvpn1 standard access list allow 192.168.8.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.9.0 255.255.255.0
access-list capout extended permitted udp object asa-data-outside-nic telepacific-voip-trunk inactive
access-list capout extended permitted udp object telepacific-voip-trunk asa-data-outside-nic inactive
allowed to capture access extended list ip pbx-cue-outside-nic object nj-asa-priv-netowrk
allowed to capture access extended list ip pbx-cue-Interior-nic object nj-asa-priv-netowrk
object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
capture extensive list ip pbx object nj-asa-priv-netowrk-cue-exterieur-nic object access permits
capture extensive list ip pbx object nj-asa-priv-netowrk-cue-interieur-nic object access permits
object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
ciscotest list extended access allowed host ip network voip 192.168.5.41 idle object
access-list extended ciscotest allowed host 192.168.5.41 voip inactive ip network object
ciscotest list extended access allowed host ip network voip 192.168.5.43 idle object
access-list extended ciscotest allowed host 192.168.5.43 voip inactive ip network object
access-list out_in note remote access attempted
out_in list extended access deny ip object China unicom shandong network any4
access-list out_in note remote access attempted
out_in list extended access deny ip object we-the-mianbaodianying any4
out_in list extended access deny SIP pbx-voip-Interior-nic EQ udp object china-education-and-research-network-center object
out_in list extended access allow icmp any4 object vpn-server-nic
out_in list extended access permitted tcp any4 pptp vpn-server-nic eq of object
out_in list extended access permitted tcp any4 object vpn-server-nic eq 47
out_in list extended access allow accord any4 object vpn-server-nic
out_in list extended access allow icmp any4 object pbx-voip-Interior-nic
out_in list extended access permitted udp any4 object pbx-voip-Interior-nic eq tftp
out_in list extended access permitted tcp any4 object pbx-voip-Interior-nic eq h323
out_in list extended access permitted udp any4 sip pbx-voip-Interior-nic eq of object
Comment from out_in-HTTPS access outside the access list
out_in list extended access permitted tcp any4 object data-private-network eq https
outside_access_in list extended access allow icmp host 192.168.10.20 any4
access-list extended outside_access_in permit tcp host 192.168.10.20 any4 eq pptp
outside_access_in list extended access allowed host any4 object 47 192.168.10.20
outside_access_in list extended access allow accord any4 host 192.168.10.20
outside_access_in list extended access permit tcp any object dvr dvr-6036 object-group
outside_access_in list extended access permit udp any object dvr dvr-6036 object-group
outside_access_in list extended access allowed object dvr-8888 any object dvr
outside_access_in list extended access allow icmp any4 host 10.1.1.1
access-list extended outside_access_in permit udp host 10.1.1.1 any4 eq tftp
access-list extended outside_access_in permit tcp host 10.1.1.1 any4 eq h323
access-list allowed outside_access_in extended udp any4 host 10.1.1.1 eq sip
go to list of access outside_access_in note incoming https.
outside_access_in list extended access permitted tcp any4 192.168.10.0 255.255.255.0 eq https
pager lines 24
Enable logging
exploitation forest-size of the buffer 1048576
monitor debug logging
debug logging in buffered memory
asdm of logging of information
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of errors
exploitation forest flash-bufferwrap
No registration message 106015
No message logging 313001
No registration message 313008
no logging message 106023
No message logging 710003
no logging message 106100
No message logging 302015
No message recording 302014
No message logging 302013
No message logging 302018
No message logging 302017
No message logging 302016
No message logging 302021
No message logging 302020
destination of exports flow inside 192.168.10.20 4432
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 3 burst-size 1
ICMP allow any response of echo outdoors
ICMP allow any echo outdoors
ICMP allow any inaccessible outside
ICMP permitted host 75.140.0.86 outside
ICMP allow any inside
ASDM image disk0: / asdm-715 - 100.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static obj-data-network-obj-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static obj-data-network-obj-network source destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static obj-data-network-obj-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
NAT (inside, all) static obj-data-network-obj-network source destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
!
object obj-asa-Interior-voip-nic network
NAT XXX.XXX static (inside, outside). XXX.244
network obj_any object
NAT dynamic interface (indoor, outdoor)
network obj_any-01 object
NAT (inside, outside) dynamic obj - 0.0.0.0
object obj-vpn-nic network
NAT XXX.XXX static (inside, outside). XXX.254
network dvr-nat-tcp8888 object
NAT (inside, outside) interface static 8888 8888 tcp service
network dvr-nat-tcp6036 object
NAT (inside, outside) interface static 6036 6036 tcp service
network dvr-nat-udp6036 object
NAT (inside, outside) interface static service udp 6036 6036
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 XXX.XXX. XXX.241 1
Route inside 10.1.1.0 255.255.255.0 10.0.1.2 1
Route inside 10.1.10.0 255.255.255.252 10.0.1.2 1
Route inside 192.168.10.0 255.255.255.0 10.0.1.2 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
AAA authentication LOCAL telnet console
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 192.168.254.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outdoors
authentication & encryption v3 private Server SNMP group
SNMP server group No_Authentication_No_Encryption v3 /noauth
SNMP-server host inside the 192.168.10.20 community *.
Server SNMP Ontario, CA location
SNMP Server contact [email protected] / * /
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5-ESP-3DES-MD5 ESP-3DES-SHA SHA-DES-ESP ESP - THE - MD5
Crypto dynamic-map myDYN-card 5 set transform-set ESP-DES-MD5 ikev1
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
dynamic crypto isakmp 65535 ipsec myDYN-map myMAP map
Crypto ca trustpoint CAP-RTP-001_trustpoint
Terminal registration
Configure CRL
Crypto ca trustpoint CAP-RTP-002_trustpoint
Terminal registration
Configure CRL
Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_0
registration auto
full domain name no
name of the object cn = "_internal_ctl_phoneproxy_file_SAST_0"; UO = "STG"; o = "Cisco Inc."
_internal_ctl_phoneproxy_file_SAST_0 key pair
Configure CRL
Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_1
registration auto
full domain name no
name of the object cn = "_internal_ctl_phoneproxy_file_SAST_1"; UO = "STG"; o = "Cisco Inc."
_internal_ctl_phoneproxy_file_SAST_1 key pair
Configure CRL
Crypto ca trustpoint _internal_PP_ctl_phoneproxy_file
registration auto
full domain name no
name of the object cn = "_internal_PP_ctl_phoneproxy_file"; UO = "STG"; o = "Cisco Inc."
_internal_PP_ctl_phoneproxy_file key pair
Configure CRL
Crypto ca trustpoint Cisco-Mfg-CA
Terminal registration
Configure CRL
Crypto ca trustpoint phoneproxy_trustpoint
registration auto
full domain name XXXXXXXXXX.com
name of the object CN = XXXXXX - ASA
phoneproxy_trustpoint key pair
Configure CRL
trustpool crypto ca policy
string encryption CAP-RTP-001_trustpoint ca certificates
certificate ca 7612f960153d6f9f4e42202032b72356
quit smoking
string encryption CAP-RTP-002_trustpoint ca certificates
certificate ca 353fb24bd70f14a346c1f3a9ac725675
quit smoking
Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_0
certificate e1aee24c
CA
quit smoking
Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_1
certificate e4aee24c
quit smoking
Crypto ca certificate chain _internal_PP_ctl_phoneproxy_file
certificate e8aee24c
quit smoking
a string of ca crypto Cisco-Mfg-CA certificates
certificate ca 6a6967b3000000000003
quit smoking
Crypto ca certificate chain phoneproxy_trustpoint
certificate 83cbe64c
quit smoking
Crypto ikev1 allow outside
IKEv1 crypto policy 5
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 10.0.1.0 255.255.255.0 inside
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 60
Console timeout 0
management-access insidepriority-queue outdoors
TX-ring-limit of 256
!
maximum-session TLS-proxy 24
!
!
TLS-proxy tls_proxy
_internal_PP_ctl_phoneproxy_file point server trust
CTL-file ctl_phoneproxy_file
file-entry cucm-tftp trustpoint phoneproxy_trustpoint address 73.200.75.244
!
Media-termination asdm_media_termination
address XXX.XXX. XXX.245 outside interface
address interface inside 10.0.1.245!
Phone-proxy asdm_phone_proxy
Media-termination asdm_media_termination
interface address 10.1.1.1 TFTP server on the inside
TLS-proxy tls_proxy
no settings disable service
XXX.XXX proxy server address. Outside the xxx.242 80 interface
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 192.168.10.60 source inside
internal group myGROUP strategy
Group myGROUP policy attributes
VPN-idle-timeout no
VPN-session-timeout no
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list ezvpn1
allow to NEM
XXXXX group policy / internal remote
attributes of group XXXXX policy / remote
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value XXXXX-Remote_splitTunnelAcl
fstorm encrypted EICAA5sjaiU.vh05 privilege 15 password username
username fstorm attributes
type of remote access service
username password encrypted PPfytzRN94JBZlXh privilege 0 ciscotac
username cisco password encrypted privilege 15 omWHH15zt6aLxWSr
attributes username cisco
type of remote access service
username XXXXXu8 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu8 attributes
type of remote access service
username password uniadmin G72KWXo/GsACJLJ7 encrypted privilege 15
username XXXXXU1 encrypted password privilege 0 rmZe1Ee0HeReQn6N
username XXXXXU1 attributes
Strategy Group-VPN-XXXXX / remote
type of remote access service
username XXXXXu3 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu3 attributes
type of remote access service
username XXXXXu2 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu2 attributes
type of remote access service
username XXXXXu5 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu5 attributes
type of remote access service
username XXXXXu4 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu4 attributes
type of remote access service
username XXXXXu7 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu7 attributes
type of remote access service
username XXXXXu6 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu6 attributes
type of remote access service
tunnel-group XXXXX type remote access / remote
attributes global-tunnel-group XXXXX / remote
XXXXX address pool / remote
Group Policy - by default-XXXXX / remote
IPSec-attributes tunnel-group XXXXX / remote
IKEv1 pre-shared-key *.
type tunnel-group mytunnel remote access
tunnel-group mytunnel General-attributes
strategy - by default-group myGROUP
mytunnel group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
!
class-card CM-VOICE-SIGNAL
match dscp af31
class-map-outside-phoneproxy
match eq 2443 tcp port
class-map inspection_default
match default-inspection-traffic
Class-map data
match flow ip destination-address
match tunnel-group mytunnel
class-card CM-VOICE
match dscp ef
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 1024
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the pptp
inspect the icmp
class class by default
Statistical accounting of user
flow-export-type of event all 192.168.10.20 destination
outside-policy policy-map
class outside-phoneproxy
inspect the thin phone-proxy asdm_phone_proxy
CM-VOICE class
priority
CM-VOICE-SIGNAL class
priority
World-Policy policy-map
!
global service-policy global_policy
207.46.163.138 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
HPM topN enable
Cryptochecksum:8bb3014c2a6deba7c80e5f897b3d34cb
: endIf someone could give a clue as to what could be the problem, I would appreciate it.
/ / / / o ? 0:o); ++ rc; c ++) a [c] .apply (i, r); var s = f [g [n]]; {return s & s.push ([m, n, r, i]), I} function p (e, t) {[e] w = l (e) .concat (t)} function l (e) {return [e] w |} []} function d (e) {return s [e] [e] s =: o (n)} function v (e, t) {c (e, function (e, n) {t = t |})} "" featured ", g [n] = t, f t | (f[t]=[])})} var w = {,} g = {}, m = {on: p, emit: n, get: d, listeners: l, context: t, buffer: v}; "return m} function i() {return new r} var a ='[email protected] / * /', u = e ("GDS"), (2) c = e, f is {}, s = {}, p is t.exports = o (); [p.backlog = f}, {}], gos: [function (e, t, n) {function r (e, t, n) {if (o.call (e, t)) e [t] return; var r = n (); if (Object.defineProperty & Object.keys) try {return Object.defineProperty (e t, {value: r, available in writing:! 0, countable:! 1}), r} catch (i) {return [t] = r, r e} var o = Object.prototype.hasOwnProperty; t.exports = r}, {}], handle: [function (e, t, n) {function r (e, t, n [{(, r) {o.buffer([e],r), o.emit(e,t,n)} var o = e("ee").get ("handle"); t.exports = r, r.ee = o}, {}], id: [function (e, t, n) {function r (e) {var t = typeof e; return! e |}}] "(» Object"!==t&&"function"!==t?-1:e===Window?0:a(e,i,Function() {return o ++})} var o = 1, I = "[email protected] / * /', a = e ("gos"); [t.exports = r}, {}], charger: [function (e, t, n) {function r() {if(!w++) {var e = v.info = NREUM.info, t = s.getElementsByTagName ("script") [0]; if(e&&e.licenseKey&&e.applicationID&&t) {c (l, function (t, n) {[t] e |})}}}}] (e [t] = n)}) ; var n = "https" = p.split (":") [0] | e.sslForHttp; v.proto = n? ([' https://":"http://",u("Mark",["OnLoad",a ()], null,"api"); var r = s.createElement ("script");r.src=v.proto+e.agent,t.parentNode.insertBefore(r,t)}}} function o() {"complete" = s.readyState & i ()} function i() {u ("mark", ["domContent", a ()], null, "api")} function a() {return (new Date) .getTime ()} var u = e ('handful'), c = e (2), f = window, s = f.document; NREUM.o = {ST:setTimeout, CT:clearTimeout, XHR:f.XMLHttpRequest, REQ:f.Request, EV:f.Event, PR:f.Promise, MO:f.MutationObserver}, e (1); var p=""+location,l={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net",agent:"js-agent.newrelic.com/nr-918.min.js"},d=window. XMLHttpRequest&&XMLHttpRequest.prototype&&XMLHttpRequest.prototype.addEventListener&&!/CriOS/.test (navigator.userAgent), v = t.exports = {offset: a (), original: p, features: {}, xhrWrappable:d}; s.addEventListener? (s.addEventListener("DOMContentLoaded",i,!1),f.addEventListener("load",r,!1)):(s.attachEvent("onreadystatechange",o),f.attachEvent("onload",r)),u("mark",["firstbyte",a ()], null, "api"); ({[var w = 0}, {}]}, {}, ["loader"]); // ]]> // // //
Glad you were able to solve the problem! Also, thank you for taking the time to come back and post the solution here (+ 5 from me)!
Now, given that your issue is resolved, you must mark the thread as "answered" :)
Thank you for evaluating useful messages!
-
I have a Cisco ASA 5505 that I am trying to set up a web server on a demilitarized zone. I have the DMZ interface works, but I'm not able to get access to the server connected to the DMZ interface. I have been looking for a week now on google, but have not met the installation...
I have the following interfaces (do not use real ips)...
WAN - 123.123.100.1
LAN - 192.168.0.1
Port DMZ - 172.16.8.1 - 7
Web server - 172.16.8.2 connected on port 7
ASA version 8.2 (5)
I'm looking to have access to the Web from the inside via RDP server and access the external clients, more than 80. It must also communicate with a DB server located in another facility through a VPN.
Any help would be appreciated. I was pulling my hair out on this one.
Thank you
Mike
Generally speaking, inside the DMZ is allowed by default. If you have any access list applied on your inside interface you would need to add the entry to the DMZ address of the RADIUS server on tcp/3389 (rdp).
Incoming outside traffic would need a static NAT and access list.
Web server to a remote site via VPN would need the addresses of remote DMZ network defined in reference to the access list of the cryptomap used by the VPN. You also usually have a NAT exemption for that traffic.
All of them are of common use cases for an ASA. If you can share a version sanitized for your running configuration, we might be able to see what's missing.
-
ASA 5505 Security Plus license question
Hi all!
I have an ASA 5505 that I test with first entered with the Security Plus license. Recently, I erased flash and loaded the latest version of asa841 - k8.bin of IOS with asdm - 642.bin. Everything starts very well and came as he does so freshly however I noticed that I was now running only a basic license. If I run the sh key activation order, I noticed the following messages (exit complete is downstairs):
The activation key running is not valid, using the default
......
This platform includes a basic license.
......
Unable to retrieve the activation key permanent flash
I somehow kill my Security Plus licenses when I did the flash erase? If yes how do I to get it back?
Thank you!!!
-ken
ciscoasa # sh - activation key
Serial number: JMXXXXXXHU
Activation key permanent running: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
The activation key running is not valid, using the default settings:
The devices allowed for this platform:
The maximum physical Interfaces: 8 perpetual
VLAN: 3 restricted DMZ
Double ISP: Disabled perpetual
Junction VIRTUAL LAN ports: perpetual 0
The hosts on the inside: 10 perpetual
Failover: Disabled perpetual
VPN - A: enabled perpetual
VPN-3DES-AES: disabled perpetual
AnyConnect Premium peers: 2 perpetual
AnyConnect Essentials: Disabled perpetual
Counterparts in other VPNS: 10 perpetual
Total VPN counterparts: 25 perpetual
Shared license: disabled perpetual
AnyConnect for Mobile: disabled perpetual
AnyConnect Cisco VPN phone: disabled perpetual
Assessment of Advanced endpoint: disabled perpetual
Proxy UC phone sessions: 2 perpetual
Proxy total UC sessions: 2 perpetual
Botnet traffic filter: disabled perpetual
Intercompany Media Engine: Disabled perpetual
This platform includes a basic license.
Unable to retrieve the activation key permanent flash.
The permanent activation key flash is the SAME as the key permanent running.
Hi Ken,
If you know what the license and activation for your security key, you can simply re - install it with the command "activation key" from the global configuration mode.
If you have lost the key, you'll want to open a support case to get it retrieved.
Hope that helps.
-Mike
-
ASA 5505 VPN sessions maximum 25?
Hello friend´s
The company I work when acquired several ASA 5505, so now we will be able to connect several branches at Headquarters. But, now, I know that the ASA 5505 just scalates to 25 VPN sessions, I think that it won´t be enough to support the operations of an office. I have a lot of questions about this:
Is - what the number 25 menas supporting up to 25 L2L tunnels? Or it means 25 sessions, regardless of the amount of L2L tunnels?
Is this the way number 25 supporting up to 25 users in the Branch Office? Or it means that a user can use several sessions?
I'm the stage of testing in a laboratory where one PC connects to many applications, at - it now someone if there is a command in the SAA to check how many VPN sessions is used?
Please, do not hesitate to ask as much as necessary information. Any comments or document will be appreciated.
Kind regards!
Hi Alex,
The assistance session 25 ASA 5505 VPN as max for IKEv1 or IPSEC tunnels customers it could be up to 25 L2L tunnels or 25 users using ikev1 (Legacy IPSEC client) and another 25 sessions for Anyconnect or Webvpn in this case are used in function.
To check how many sessions VPN is currently running, run the command 'Show vpn-sessiondb' and 'display the summary vpn-sessiondb '.
Find the official documentation for the ASA5505 on the following link:
Rate if helps.
-Randy-
-
Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a VPN site-to site between our data center and office. The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170. I managed to configure the two so that the vpn connects. Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop. Can anyone help?
The config below has had IPs/passwords has changed.
External Datacenter: 1.1.1.4
External office: 1.1.1.1
Internal data center: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2 (1)
!
hostname datacenterfirewall
mydomain.tld domain name
activate thepassword encrypted
passwdencrypted
names of
name 10.10.0.0 OfficeNetwork
10.5.0.0 DatacenterNetwork name
!
interface Vlan1
nameif inside
security-level 100
10.5.0.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
1.1.1.4 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
buydomains.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
inside_access_in list extended access permit icmp any one
inside_access_in list extended access permitted tcp a whole
inside_access_in list extended access udp allowed a whole
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq isakmp
IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP verify reverse path to the outside interface
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 623.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 10.5.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
Crypto dynamic-map ciscopix 1 transform-set walthamoffice
Crypto dynamic-map ciscopix 1 the value reverse-road
map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
dynmaptosw interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 13
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.5.0.0 255.255.255.0 inside
Telnet timeout 5
SSH 10.5.0.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd address 10.5.0.2 - 10.5.0.254 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 66.250.45.2 source outdoors
NTP server 72.18.205.157 source outdoors
NTP server 208.53.158.34 source outdoors
WebVPN
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
username admin passwordencrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
!
context of prompt hostname
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: endMattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.
Add the statement of rule sheep in asa and try again.
NAT (inside) 0-list of access pixtosw
Concerning
-
ASA 5505->; ASA 5520 Site - to drops frequent
Hello
I'm about to give up the blow this ASA 5505. Basically, what happens is to install the 5505 connects to the 5520, establishes the tunnel and all is well. In the 10 or 15 minutes, everything falls, and the VPN tunnel refuses to come back until I reload the 5505. It's BORING. This SAA is in a building that has been closed and is used for safety so that whenever this happens that I am standing in a strengthening of expletives gel.
The 5520, messages are the following:
3 Feb 15:28:24 asalicious.ips.k12.in.us Feb 03 15:28:42 IS: % ASA-vpn-6-713219: IP = 70.63.52.210, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
3 Feb 15:28:25 asalicious.ips.k12.in.us Feb 03 15:28:43 UTC: % ASA-vpn-6-713219: IP = 70.63.52.210, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
pleated Phase 1 detected package. Retransmit the last packet.
3 Feb 15:28:31 asalicious.ips.k12.in.us Feb 03 15:28:49 IS: % ASA-vpn-6-713905: IP = 70.63.52.210, P1 retransmit msg sent to the WSF MM-Also:
5 IKE peers: 70.63.52.210
Type: user role: answering machine
Generate a new key: no State: MM_WAIT_MSG3
6 IKE peers: 70.63.52.210
Type: user role: answering machine
Generate a new key: no State: MM_WAIT_MSG3If anyone has any ideas that would be great. The work of the "thing" for literally 20 minutes and everything is peachy - then DEATH!
The two code 8.2 current to identical execution.
Thank you
Tim
Hi Tim,.
Sorry for the pain, VPN drops are caused by several things, hence the request for the config because we need to isolate it, for example, incompatibility of configuration could be one of the reasons that the SAs could be negotiated with the tunnels that are not quite defined for this particular tunnel. As well the drop could occur due to the DPD lost on the path or because some IP renewal.
Regarding the config I need to see the relevant sides ACL Crypto, exempt NAT and the relevant definitions of Crypto rules (in this part, see if you can post all of those included)
Thank you
Ivan
-
I am VPN concept, test on my ASA 5505 in preparation for migration to the other two 5510 s. I've set up two groups of VPN; internal that can split tunneling, but grants the user access in the network of the NAT'ed and one making crossed, forcing the user to back on the same interface by using a range of IP addresses that is viable.
The first works very well, but I'm having problems to make the latter to work.
I can connect to any server on the internal network, but cannot get to the Internet. I use an internal DNS server on the internal network and cannot resolve IP addresses no problem.
I suspect that I'm missing something relatively minor. Can someone take a look at my config 5505 and let me know what happens?
I have this set up in my work network, 192.168.252.0/24. The IP outside the firewall is 192.168.252.76 (assigned by DHCP) and the internal network behind the firewall is 192.168.1.0/24. The VPN IP address range is 192.168.2.0/26. I have a test server Linux sitting behind the firewall by using 192.168.1.2, which I can access very well using the split tunneling and method of the hairpin. But after connecting to the firewall with the help of crossed and NO split tunneling, drop all my other external connections.
Thanks in advance.
Customers are expected to come in according to the interface vpn vpn ends on. In your case, the external interface. If you wanted to pat on the external interface vpn clients to the address 64.xx.xx.96.
Global (outside) 2 64.xx.xx.96 255.255.255.224
NAT (outside) 2 192.168.2.64 255.255.255.192
Maybe you are looking for
-
I just plugged a 4 TB WD external hard drive. NOT too much computer. NEED HELP! The computer display as free of 3.63 to 3.63 TB properties. It was just plug n play set up - I did nothing besides plug it. I think that it is in the MBR format. I
-
Process multiple files in a single loop
I'm trying to collect data from several text files that I have in a folder. Is there a CVI function which could loop through files that contain the data that I need until he crossed all the? If not, all of the files have a similar name (pucklocatio
-
Im trying to retrieve information from a hard disk.
Recently, at work, we had a computer that displayed the dreaded death blue screen. It wasn't a problem we have other computers to use, but my boss would like to try to recover some of the files on the hard drive. So the question is... 1. is there a
-
Replacement for Lightroom 3 CD
I want to install Lightroom 3 on my new laptop, however, the CD was cracked and I need a replacement. How can I do this?Bruce
-
I'm trying to signout of photoshop, but it keeps saying no internet connection