L2l IPSec VPN blocks SQL (ASA v8.4)
Good evening everyone,
I have an ASA 5510 8.4 (2) which has an IPSec VPN site to a 3rd party who run a form any checkpoint running. VPN establishes and allows to access a server in our demilitarized zone on all the ports that we tested (so far HTTP, FTP, SSL, RDP), with the exception of SQL that does not even reach the server. I've got Wireshark running on the DMZ server and if the 3rd party initiates a conversation of TCP of their server on any of the ports on the server I see all desired packages come with the correct IPs ETC (without NAT takes place through the VPN), but when an ODBC client attempts to query the SQL Server on our DMZ zone packets do not reach the level of the server. What I see is the number of bytes of RX on the VPN increases whenever the query is run, but certainly not arriving on the SQL Server.
Also if I come back to the ASA to the old PIX, it replaced with the same VPN configuration but on version 7.x, then it works fine.
While I find some time to clean up the config this weekend, I have ideas.
Thank you very much
Simon.
Hi Simon,.
If you look at the options sys in the ASDM he advises that you still need ACL for traffic. As I understand it, in the old days, when you were in as you pointed out. If you set the ports in this group then Yes, it's a whole and potentially your only protection is the NAT or his absence.
I would like to add an another ACE to the external interface, which allows the source to you DMZ host (see below)
Object-group service GROUP SQL-tcp PORTS
EQ port 1433 object
EQ object Port 1434
Port-object eq 1521
outside_access extended access list permit tcp host 192.168.100.30 DMZ_158-group of objects SQL-PORTS object
Concerning
Tags: Cisco Security
Similar Questions
-
l2l ipsec vpn - problem XAUTH need-based policy
Hello
I have a problem that I see a few solutions but they do not work.
I have a p2p IPSec vpn, which worked until I added access remote VPN configuration (which works perfectly).
According to the documents, I used isakmp policy allowing mixed tunnels. Now, whenever I try to send traffic through the l2l link I get the following debugging results telling me that the remote router is demanding XAUTH.
September 8 09:53:12: ISAKMP: (2015): the total payload length: 12
September 8 09:53:12: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
September 8 09:53:12: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:12: ISAKMP: (2015): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
September 8 09:53:12: ISAKMP: (2015): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
September 8 09:53:12: ISAKMP: (2015): need XAUTH
September 8 09:53:12: ISAKMP: node set 1635909437 to CONF_XAUTH
September 8 09:53:12: ISAKMP/xauth: application XAUTH_USER_NAME_V2 attribute
September 8 09:53:12: ISAKMP/xauth: application XAUTH_USER_PASSWORD_V2 attribute
September 8 09:53:12: ISAKMP: (2015): launch peer config [source]. ID = 1635909437
September 8 09:53:12: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
September 8 09:53:12: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:12: ISAKMP: (2015): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
September 8 09:53:12: ISAKMP: (2015): former State = new State IKE_P1_COMPLETE = IKE_XAUTH_REQ_SENT
September 8 09:53:12: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:20: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:27: ISAKMP: (2015): transmit phase 2 CONF_XAUTH 1635909437...
September 8 09:53:27: ISAKMP (2015): increment the count of errors on the node, try 1 5: retransmit the phase 2
September 8 09:53:27: ISAKMP (2015): increment the count of errors on his, try 1 5: retransmit the phase 2
September 8 09:53:27: ISAKMP: (2015): transmit phase 2 1635909437 CONF_XAUTH
September 8 09:53:27: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
September 8 09:53:27: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:28: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:36: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:42: ISAKMP: (2015): transmit phase 2 CONF_XAUTH 1635909437...
September 8 09:53:42: ISAKMP (2015): increment the count of errors on the node, try 2 of 5: retransmit the phase 2
September 8 09:53:42: ISAKMP (2015): increment the count of errors on his, try 2 of 5: retransmit the phase 2
September 8 09:53:42: ISAKMP: (2015): transmit phase 2 1635909437 CONF_XAUTH
September 8 09:53:42: ISAKMP: (2015): send package to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
September 8 09:53:42: ISAKMP: (2015): sending a packet IPv4 IKE.
September 8 09:53:44: ISAKMP (2015): package receipt from [source] 500 Global 500 (R) sport dport CONF_XAUTH
September 8 09:53:44: ISAKMP: node set 2054552354 to CONF_XAUTH
September 8 09:53:44: ISAKMP: (2015): HASH payload processing. Message ID = 2054552354
September 8 09:53:44: ISAKMP: (2015): treatment of payload to DELETE. Message ID = 2054552354
September 8 09:53:44: ISAKMP: (2015): peer does not paranoid KeepAlive.
So, it seems that Phase 1 ends without XAUTH.
Here's my cryptographic configurations:
Keyring cryptographic s2s
pre-shared key key address [source] [key]
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
lifetime 28800
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
lifetime 28800
!
crypto ISAKMP policy 10
preshared authentication
lifetime 28800
!
Configuration group customer crypto isakmp [RA_GROUP]
key [key2]
DNS 192.168.7.7
win 192.168.7.222
ninterface.com field
pool SDM_POOL_1
ACL 100
Max-users 6
netmask 255.255.255.0
ISAKMP crypto ciscocp-ike-profile-1 profile
identity group match [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-model 1
Crypto isakmp ISA_PROF profile
S2S keyring
function identity [source] address 255.255.255.255
ISAKMP crypto unified profile
identity group match [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_grop_ml_1
client configuration address respond
!
86400 seconds, duration of life crypto ipsec security association
!
Crypto ipsec transform-set esp-3des esp-sha-hmac VPN_T_BW
Crypto ipsec transform-set MY - SET esp - aes 256 esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac trans-rem
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec df - bit clear
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-3DES-SHA
set of isakmp - profile ciscocp-ike-profile-1
!
!
Crypto dynamic-map [RA_GROUP] 77
the transform-set trans-rem value
Isakmp profile unified set
market arriere-route
!
!
!
list of authentication of card crypto clientmap client RAD_GRP
map clientmap isakmp authorization list rtr crypto / remote
client configuration address map clientmap crypto answer
card crypto clientmap 77-isakmp dynamic ipsec [RA_GROUP]
!
client configuration address card crypto [RA_GROUP] answer
!
Crypto card remote isakmp authorization list rtr / remote
!
RTP 10 ipsec-isakmp crypto map
set peer [source]
MY - Set transform-set
PFS group2 Set
match address 111
It is a bit of a breakfast dogs because I'm at the time of implementation of policies.
I managed to block xauth before I used policy by adding no_xauth the end of my speech key but I can't work out how to add this using the strategy.
I'm something simple Paris that I missed.
Thanks for your help!
Hi Bruno.
Thanks for the brief explanation.
What crypto map is applied on the external interface?
I think the "crypto isakmp profile" solution is the best way and they seem to be ok, however, we must remember that you cannot have a single card encryption by interface, so you should have something like this:
1 - crypto dynamic-map outside_dynamic 10
game of transformation-ESP-AES-SHA
2-outside_map 10 ipsec-isakmp crypto map
the value of xxxx.xxxx.xxxx.xxxx peer
Map 3-crypto outside_map 65535-isakmp ipsec dynamic outside_dynamic
4-interface f0/0
outside_map card crypto
* I'm not configure all of the cryptographic configuration, I wanted to give you a better idea.
Please correct your configuration to accommodate one card encryption.
Just to add more information on isakmp profiles:
Let me know.
Thank you.
Portu.
-
ASA 5505 - I can't create an IPSEC VPN between two ASA 5505
Hello
I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:
1 Configure ASA-1 (host name, vlan 1 and vlan 2).
2. configure a static route
3. create object network (local and remote)
4. create the access list
5. create ikev1 crypto
6. create tunnel-group
7 Configure nat
and I repeat the steps above with the ASA but another change IP.
Are to correct the above steps?
Why can I not create an IPSEC VPN between devices?.
No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.
-
L2l IPSec VPN 3000 and PIX 501
Hello
I have a remote site that has a broadband internet connection and uses a PIX 501. We wanted to connect them with our main office using our VPN 3000 via VPN site-to-site.
I followed the following documentation:
However the L2L session does not appear on the hub when I check the active sessions.
The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec-L2L tunnel is attached.
Any help or advice are appreciated.
I just noticed that the PIX firewall, the phase 1 paramateres are not configured. You must configure the same PASE 1 and phase 2 settings on both ends of the tunnel.
For example, on CVPN 3000, you have configured settings Phase 1 as 3DES, pre-shared key etc... We have the same configuration on the PIX firewall too.
Here is an example of sample config
I hope this helps!
-
IPSec VPN between Cisco ASA and Fortigate1000
Hello
I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...
the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...
The question is: How do I configure the interface on the SAA ACCORD?
Thanks in advance, Experts...
Kind regards...
ASA firewall does not support the interface/GRE GRE tunnel.
If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.
If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml
Hope that helps.
-
Dynamic to static L2L IPSec VPN
Hello
I've implemented a dynamic to static IPSec Site to Site VPN between a branch (ship) ASA5505 and headquarters. Now, this solution does not allow HQ initiate the IPsec connection.
There is a router behind the ASA5505. I heard that if I want to keep the tunnel upward, so that the HQ customers can switch the traffic to remote clients through the tunnel, I would need to run ALS IP icmp probes on the router behind the ASA.
Could someone explain how to implement it?
Thanks for your help.
Frank
The ICMP probe can be done through any device that is able to do ping, not only of the router.
The reason is that it is interesting traffic triggers the traffic is encrypted by the vpn tunnel, tunnel will stay up, so you will be able to open the connection to the AC to your remote site.
Hope that helps.
-
Impossible to establish L2L ipsec VPN
Hi all
I have a PIX firewall in which 20 VPN are completed. one of my new requirment is to establish a vpn tunnel to another location in which I do not have access. my side, I will have a private IP pool that is allowed through the tunnel. I set up a nat with one of the IP from the pool and my server internal.
I tried a lot of VPN tunnel is not coming
Please check the configuration of the memory and the complete configuration attached. In my config 10.66.100.208 255.255.255.248 is the ip pool and 192.168.0.239 is my server. When I try to ping 192.168.108.75 192.168.0.239 County acl VPN increases but tunnel is not coming
Please look for it and help me to sourt on this issue.
==============================================================
NAT ip 10.66.100.208 access list allow 255.255.255.248 host 192.168.108.75
NAT ip 10.66.100.208 access list allow 255.255.255.248 host 10.67.1.5OR ip 10.66.100.208 access list permit 255.255.255.248 host 192.168.108.75
OR ip 10.66.100.208 access list permit 255.255.255.248 host 10.67.1.5Crypto ipsec transform-set OR esp-3des esp-sha-hmac
part of pre authentication ISAKMP policy 25
ISAKMP policy 25 3des encryption
ISAKMP policy 25 sha hash
25 5 ISAKMP policy group
ISAKMP living 25 1440 duration strategyForsberg 38 ipsec-isakmp crypto map
card crypto forsberg 38 match OR address
forsberg 38 crypto map peer set 1.1.1.250card crypto forsberg 38 transform-set OR
3600 seconds, duration of life card crypto forsberg 38 set - the security associationpublic static 10.66.100.209 (Interior, exterior) 192.168.0.239 netmask 255.255.255.255 0 0
ISAKMP key Fa$1xx!@$ address 1.1.1.250 netmask 255.255.255.255
======================================================================================
pixfirewall # sh OR access list
OR access list; 2 items
permit for line or access-list 1 ip 10.66.100.208 255.255.255.248 host 192.168.108.75 (hitcnt = 87)
permits for Access-list OR line 2 ip 10.66.100.208 255.255.255.248 host 10.67.1.5 (hitcnt = 0)
pixfirewall #.Hello
The reason for this can be many. You can paste him debugs together here? Just ' clear crypto isakmp his ' and ' clear crypto ipsec his "and then open the tunnel to get the complete set of debugs.
Thank you and best regards,
Assia
-
several L2L ipsec VPN to the same destination (ip address)
Hi all
im lookin to establish an a L2L ips multiple tunnels (a tunnel for each subnet) of my cisco asa 5510 to the same destination.
should the cisco asa capable of this?
How can I do?
concerning
You can do this if you want to say-
Lets say site A - got 3 subnet and Site B has had a.
In this case, you need to do is to add ACL to crypto.
Thank you
Ajay
-
ASA IPSEC VPN with public IP dynamic
Hey,.
I have never deployed IPSEC VPN tunnel using ASA on two sides of a side using public IP dynamic production. I normally deploy VPN Tunnels with both sides using public static IP addresses (not always a public IP address on ASA directly however).
So I wonder how stable it works with a static public IP and the other side uses dynamic public IP?
Thank you
Shuai
If you use certificates and psk or main mode and aggressive it will work very well. I have a number of production sites using this method.
Sent by Cisco Support technique iPad App
-
Remote IPSec VPN - client Windows 7 and ASA 5505
Hello
I'm having trouble with configuring IPSec VPN with Cisco ASA 5505 and Windows 7 client native VPN remotely. My client PC Gets the VPN IP pool address and can access a remote network behind ASA, but then I lose my internet connection. I read that this should be a problem with the split tunneling, but I did as it says here and no luck.
Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have an internet connection (given that the customer is using a local gateway), but then I can't ping remote network.
In the log, I see the warnings of this type:
TCP connection of disassembly 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0: 00:00 0 stream bytes is a loopback (cisco)
I have attached my configuration file (without configuring split tunneling, I tried). If you need additional newspapers, I'll send them right away.
Thank you for your help.
Petar Koraca
That's what you would have needed on versions 8.3 and earlier versions:
permit same-security-traffic intra-interface
Global 1 interface (outside)
NAT (outside) 1 192.168.150.0 255.255.255.0
However I see that you are running 8.4 so I think that all you need is this (I never did on 8.4 so it may not be accurate)
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.150.0_24 object
dynamic NAT interface (outdoors, outdoor)
Give it a shot and let me know how it goes.
-
communications between IPSec VPN and AnyConnect SSLVPN
Hi all
I have 2 ASAs and interconnected with ipsec VPN.
one of the ASA has SSLVPN users to access intranet resources.
but do not know how to get inside the network on an another ASA
my network architecture is less to:
192.168.1.0/24---ASA1---Internet---ASA2---172.24.0.0/16
SSLVPN use 192.168.55.0/24 ip on the external interface
L2L IPSec VPN is established between ASA1 and ASA2
192.168.1.x could access 172.24.0.0/16 via NATing to of ASA2 inside the ip interface
But now I want 192.168.55.0/24 access 172.24.0.0/16, some set up but does not work...
Are there any suggestions?
Thank you very much
Hi the split tunnel, you add with the ASA2 network should allow vpn clients send the traffic through the tunnel when they want to reach the remote subnet.
Can add you this too
nonat_outside ip access list allow
NAT (outside) 0-list of access nonat_outside
Also in the config you have not added the crypto to ASA1 acl entry. who is 192.168.55.0 to 172.24.0.0
See if that helps
-
Hi all
I am trying to add remote Cisco switches to our Analyzer from Solarwinds network performance and I'm unable to see the community strings of switches behind our Firewall ASA across L2L IPSEC vpn tunnels.
First of all, I can ping and see all the traffic behind the firewall. Configuration manager (NCM) works fine, it can download and download configs of the remote switches. It's just the SNMP which does not seem to talk. Here are the lines of configuration of the remote switches:
SNMP-server community * RO
SNMP-server community * RW
This configuration works fine on the other our network switches that are not accessible via a VPN tunnel. Y at - it another line I need to add that pointing to the server from SolarWinds SNMP traffic?
When I try to add the switch to Solarwinds, he sees the IP perfectly but once I added community strings RO and RW it performs a test fails every time and will not let me continue to add the device.
Any help would be GREATLY appreciated! Thank you!
Matt
Exit to Windows firewall and check the Antivirus on Solarwinds as well. This may be the origin of the problem (a working time or does not not once). Another possibility (can be), if you have all IPS inline and inspect traffic, this could cause the issue. Check to see if any program/device in the path is kinetically limiting ICMP/SNMP packets #of.
What version of NPM?
THX
MS
-
Easy VPN with IPSec VPN L2L (Site - to - Site) in the same ASA 5505
Hi Experts,
We have an ASA 5505 in our environment, and currently two IPSec VPN L2L tunnels are established. But we intend to connect with VPN (Network Extension Mode) easy to another site as a customer. Is it possible to configure easy VPN configurations by keeping the currently active IPSec L2L VPN(Site-to-Site) tunnels? If not possible is there any work around?
Here's the warning we get then tried to configure the easy VPN Client.
NOCMEFW1 (config) # vpnclient enable
* Delete "nat (inside) 0 S2S - VPN"
* Detach crypto card attached to the outside interface
* Remove the tunnel groups defined by the user
* Remove the manual configuration of ISA policies
CONFLICT of CONFIG: Configuration that would prevent the Cisco Easy VPN Remo success
you
operation was detected and listed above. Please solve the
above a configuration and re - activate.
Thanks and greetings
ANUP sisi
"Dynamic crypto map must be installed on the server device.
Yes, dynamic crypto is configured on the EasyVPN server.
Thank you
-
Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming
HelloW everyone.
I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.
but the vpn does not come to the top. can someone tell me what can be the root cause?
Here is the configuration of twa asa: (I changed the ip address all the)
Singapore:
See the race
ASA 2.0000 Version 4
!
ASA5515-SSG520M hostname
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.15.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.5.3 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 160.83.172.8 255.255.255.224
<--- more="" ---="">
!
<--- more="" ---="">
interface GigabitEthernet0/3
<--- more="" ---="">
Shutdown
<--- more="" ---="">
No nameif
<--- more="" ---="">
no level of security
<--- more="" ---="">
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.219 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
connection of the banner ^ C please disconnect if you are unauthorized access ^ C
connection of the banner please disconnect if you are unauthorized access
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
network of the SG object
<--- more="" ---="">
192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.15.202
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
<--- more="" ---="">
service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.15.0_24 object
192.168.15.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
debugging in the history record
asdm of logging of information
host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500
no failover
<--- more="" ---="">
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
!
network of the SG object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1--->--->--->--->--->--->--->--->--->
Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- more="" ---="">
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http serverCommunity trap SNMP-server host test 192.168.168.231 *.
No snmp server location
No snmp Server contact
Server enable SNMP traps syslog
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 103.246.3.54
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2--->--->--->
life 86400Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
tunnel-group 143.216.30.7 type ipsec-l2l
tunnel-group 143.216.30.7 General-attributes
Group Policy - by default-GroupPolicy1
<--- more="" ---="">
IPSec-attributes tunnel-group 143.216.30.7
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
Overall description
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
<--- more="" ---="">
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:ccce9a600b491c8db30143590825c01d
: endMalaysia:
:
ASA 2.0000 Version 4
!
hostname ASA5515-SSG5-MK
activate the encrypted password of PVSASRJovmamnVkD
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.6.70 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
IP 192.168.12.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
IP 143.216.30.7 255.255.255.248
<--- more="" ---="">
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif test
security-level 100
IP 192.168.168.218 255.255.255.0
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
<--- more="" ---="">
Interface Port - Channel 1
No nameif
no level of security
IP 1.1.1.1 255.255.255.0
!
boot system Disk0: / asa922-4-smp - k8.bin
passive FTP mode
clock timezone GMT + 8 8
network of the SG object
192.168.15.0 subnet 255.255.255.0
network of the MK object
192.168.6.0 subnet 255.255.255.0
service of the TCP_5938 object
Service tcp destination eq 5938
Team Viewer description
service tcp_3306 object
Service tcp destination eq 3306
service tcp_465 object
tcp destination eq 465 service
service tcp_587 object
Service tcp destination eq 587
service tcp_995 object
tcp destination eq 995 service
service of the TCP_9000 object
<--- more="" ---="">
tcp destination eq 9000 service
network of the Inside_host object
Home 192.168.6.23
service tcp_1111 object
Service tcp destination eq 1111
service tcp_7878 object
Service tcp destination eq 7878
service tcp_5060 object
SIP, service tcp destination eq
service tcp_5080 object
Service tcp destination eq 5080
network of the NETWORK_OBJ_192.168.2.0_24 object
192.168.6.0 subnet 255.255.255.0
inside_access_in list extended access allowed object SG ip everything--->--->--->--->--->
VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 30000
debug logging in buffered memory
recording of debug trap
asdm of logging of information
<--- more="" ---="">
host test 192.168.168.231 record
host test 192.168.168.203 record
Within 1500 MTU
MTU 1500 DMZ
Outside 1500 MTU
test MTU 1500
management of MTU 1500--->
reverse IP check management interface path
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 7221.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
!
network of the MK object
NAT dynamic interface (indoor, outdoor)
network of the Inside_host object
NAT (inside, outside) interface static 9000 9000 tcp service
inside_access_in access to the interface inside group
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
<--- more="" ---="">
Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http serverNo snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
<--- more="" ---="">
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
<--- more="" ---="">
--->--->--->
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec pmtu aging infinite - the security association
crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
card crypto CRYPTO-map 2 set peer 160.83.172.8
card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
CRYPTO-card interface card crypto outside
trustpool crypto ca policy
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
SSH timeout 60
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocol
username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
<--- more="" ---="">
tunnel-group MK SG type ipsec-l2l
IPSec-attributes tunnel-group MK-to-SG
IKEv1 pre-shared-key *.
tunnel-group 160.83.172.8 type ipsec-l2l
tunnel-group 160.83.172.8 General-attributes
Group Policy - by default-GroupPolicy1
IPSec-attributes tunnel-group 160.83.172.8
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
<--- more="" ---="">
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: endGood news, that VPN has been implemented!
According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.
Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.
In addition, you can try to enable ICMP inspection:
Policy-map global_policy
class inspection_defaultinspect the icmp
inspect the icmp error
--->---> -
ASA 8.6 - l2l IPsec tunnel established - not possible to ping
Hello world
I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).
The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.
I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).
The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA 1.0000 Version 2
!
ciscoasa hostname
activate oBGOJTSctBcCGoTh encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
internal subnet object-
192.168.0.0 subnet 255.255.255.0
object Web Server external network-ip
host Y.Y.Y.Y
Network Web server object
Home 192.168.2.100
network vpn-local object - 192.168.2.0
Subnet 192.168.2.0 255.255.255.0
network vpn-remote object - 192.168.3.0
subnet 192.168.3.0 255.255.255.0
outside_acl list extended access permit tcp any object Web server
outside_acl list extended access permit tcp any object webserver eq www
access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0
dmz_acl access list extended icmp permitted an echo
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
Network Web server object
NAT (DMZ, outside) Web-external-ip static tcp www www Server service
Access-Group global dmz_acl
Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac
Crypto ipsec ikev2 proposal ipsec 3des-GNAT
Esp 3des encryption protocol
Esp integrity md5 Protocol
Crypto dynamic-map dynMidgeMap 1 match l2l-address list
Crypto dynamic-map dynMidgeMap 1 set pfs
Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set
Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800
Crypto dynamic-map dynMidgeMap 1 the value reverse-road
midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap
midgeMap interface card crypto outside
ISAKMP crypto identity hostname
IKEv2 crypto policy 1
3des encryption
the md5 integrity
Group 2
FRP md5
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal midgeTrialPol group policy
attributes of the strategy of group midgeTrialPol
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
enable IPSec-udp
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn General-attributes
Group Policy - by default-midgeTrialPol
midgeVpn group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
ASA PING:
ciscoasa # ping DMZ 192.168.3.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:
?????
Success rate is 0% (0/5)
PING from router (debug on CISCO):
NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa # show the road outside
Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP
i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone
* - candidate by default, U - static route by user, o - ODR
P periodical downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the
S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors
S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.
"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "
You ACL: access-list extended dmz_acl to any any icmp echo
For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.
Then to initiate router, the ASA Launches echo-reply being blocked again.
Try to add permit-response to echo as well.
In addition, you can use both "inspect icmp" in world politics than the ACL.
If none does not work, you can run another t-shoot with control packet - trace on SAA.
THX
MS
Maybe you are looking for
-
Why FF act as if each start is a new installation and hang on to old tabs?
I updated Firefox to version 8.0.1 to 9.0.1 about an hour ago, and it has been wrong since. I suspect it's a matter of preference, but I'm not sure. Every time I have start FF (or restart), he seems to think that this is the first time, it was run /
-
AuthenTec HP simplepass 2011 no longer works with Firefox 6
HP Simple pass 2011, the latest version of the software "HP Simplepass", made by Authentec (so, NOT of Egistec or similar) does not work with Firefox 6.
-
Qosmio F20-137 user information
The paper version of the said user manual more information is on the computer, but I can only find a .pdf of the manual paper version - which is almost useless. Does anyone know where a more comprehensive manual is available? Can someone help with th
-
Satellite P200D - problem with the ATI (atikmdag) driver
Hello My system:P200D-111 HD 2600, AMD Turion 64 X 2, Vista Home Premium 32 bit The problem:White, computer screen stops him self or the Vista comment: driver atikmdag caused a problem and to restore.Whenever the computer stops him self, Vista gives
-
All- I have my data (20 columns of ~ 700 000 lines) stored in a binary file and I would like to add a timestamp to each row of data. I intend to use the sampling with the number of samples to add the time at which the sample was recorded in data. I