Large packet ICMP unreachable
Hello
My IDS on the PIX receives ICMP unreachable packets, but logging in terminal monitor shows nothing from the IDS, even though it is already set to debug mode. It only says: Teardown TCP connection 252 for outside xxx.xxx.xxx.xxx inside xxx.xxx.xxx.xxx 2906 TCP FINs. What happens in this scenario...
Thanks for helping beginners
Tonny
Hello
The teardown message seems normal. It's a normal TCP connection teardown message. Regarding the logging details, could you set up a syslog server and send all messages to it? Maybe it will record the messages from the IDS.
BTW, is the IDS active?
Thank you
Nadeem
Similar Questions
-
too many ICMP unreachable/exceeded
Hello
I have a problem here with a PIX 506E: my network has been slow to death these 3 days. When I have terminal monitor (debug mode) on, I saw there were a lot of ICMP unreachable and time exceeded messages from unknown IPs, over 30 different IPs detected. But is that supposed to be normal IDS information, and not some kind of attack? Any possible cause of this problem?
Thank you
Hello, there are a lot of possible reasons.
Are you sure there's no worm in your network?
ICMP unreachable means you sent an IP packet to a machine that does not have that TCP/UDP port open. That can be the result of a worm scanning ranges of IP addresses for vulnerabilities and hitting internet hosts.
ICMP time exceeded can occur after a traceroute or with IP routing loops. There is nothing you can do about loops in the internet.
I hope this helps! Please rate all messages.
Regards, Martin
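The triage Martin describes (many unreachables answered to one inside host points at scanning or a worm; time exceeded is usually traceroute or a loop) can be automated once the PIX/ASA logs go to a syslog server, as Nadeem suggested in the first thread. The following is an added example, not code from the thread or from Cisco: it parses syslog lines in the ASA "icmp src ... dst ... (type N, code M)" shape, groups ICMP errors by the inside host that received them, and flags hosts that collected unreachables from many distinct remote addresses. The sample log lines, addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the ASA/PIX "icmp src ... dst ... (type N, code M)"
# shape; the addresses and counts are invented for this example, not taken from the thread.
SAMPLE_LOG = """\
%ASA-4-106023: Deny icmp src outside:203.0.113.5 dst inside:10.0.0.10 (type 3, code 3) by access-group "public_access_in"
%ASA-4-106023: Deny icmp src outside:203.0.113.6 dst inside:10.0.0.10 (type 3, code 3) by access-group "public_access_in"
%ASA-4-106023: Deny icmp src outside:203.0.113.7 dst inside:10.0.0.10 (type 3, code 1) by access-group "public_access_in"
%ASA-4-106023: Deny icmp src outside:198.51.100.20 dst inside:10.0.0.10 (type 3, code 3) by access-group "public_access_in"
%ASA-4-106023: Deny icmp src outside:203.0.113.5 dst inside:10.0.0.11 (type 3, code 3) by access-group "public_access_in"
%ASA-4-106023: Deny icmp src outside:198.51.100.7 dst inside:10.0.0.12 (type 11, code 0) by access-group "public_access_in"
%ASA-4-106023: Deny icmp src outside:198.51.100.8 dst inside:10.0.0.12 (type 11, code 0) by access-group "public_access_in"
%ASA-4-106023: Deny icmp src outside:192.0.2.9 dst inside:10.0.0.10 (type 8, code 0) by access-group "public_access_in"
"""

ICMP_RE = re.compile(
    r"icmp src \S+?:(?P<src>[\d.]+) dst \S+?:(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)


def parse_icmp_events(text):
    """Extract src, dst, ICMP type and code from every line carrying the icmp src/dst/type shape."""
    events = []
    for line in text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"],
                           "type": int(m["type"]), "code": int(m["code"])})
    return events


def triage(events, distinct_src_threshold=3):
    """Group ICMP errors by the inside host that received them.

    Type 3 (unreachable) arriving from many distinct remote hosts means that inside host
    sent packets to many closed ports or absent hosts: the scanning/worm pattern.
    Type 11 (time exceeded) is usually traceroute or a routing loop and is reported as
    informational. Other ICMP types (echo etc.) are ignored.
    """
    unreach_from = defaultdict(set)   # inside host -> remote hosts that answered unreachable
    exceeded = defaultdict(int)       # inside host -> number of time-exceeded messages
    for ev in events:
        if ev["type"] == 3:
            unreach_from[ev["dst"]].add(ev["src"])
        elif ev["type"] == 11:
            exceeded[ev["dst"]] += 1
    findings = defaultdict(list)
    for host, senders in unreach_from.items():
        if len(senders) >= distinct_src_threshold:
            findings[host].append(
                f"possible scanning or worm: {len(senders)} distinct remote hosts answered unreachable")
    for host, n in exceeded.items():
        findings[host].append(f"time-exceeded x{n}: traceroute or routing loop, normally benign")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in sorted(triage(parse_icmp_events(SAMPLE_LOG)).items()):
        for note in notes:
            print(f"{host}: {note}")
```

The threshold of 3 distinct remote senders is only a demonstration value; on a real PIX/ASA log, tune it to the number of unrelated destinations a legitimate inside host contacts in your sampling window, and investigate the inside host (not the remote addresses) when it fires.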
-
Packet ICMP of Linksys outside x 3000
Dear people,
At this moment we have a Linksys X3000 configured as a modem on an ADSL (PPPoA) connection.
From our monitoring server we send ICMP packets to see if the connection is active (or not).
The problem is that when we turn off the SPI IPv4 firewall and uncheck "Filter anonymous Internet requests", we still get timeouts from external hosts. Is this a bug? And if not, how can we enable ping from outside networks?
We really want to allow ping because of the monitoring software. The firmware is the latest version: 1.0.0.1
Thanks in advanced for any help.
Just to let you all know, I just talked to Linksys support and it's a bug:
(Cisco technician) to all Participants:
I just checked my resources and the problem that you are facing is a known problem for the X3000 and we are currently working on a resolution.
(Cisco technician) to all Participants:
I will need to escalate this matter to the escalation team and they'll get back to you on the same.
(Cisco technician) to all Participants:
As I mentioned, our research team is working on it. Meanwhile, I will escalate the same case, so someone from the escalation team will be able to get back to you about the same. If you have a preference for how to be contacted, please let me know that as well.
(Cisco technician) to all Participants:
Alright.
I thank you for the opportunity to serve you through Cisco Live Chat Support for Linksys products.
Good day. Topic can be closed.
(Mod Note: message has been modified. The technician's badge ID has been removed.)
-
Hello
I installed a 4255 IPS with version 2.0000 E4 and use IME 7.0.2.
I'm not able to view the logs in IME (event monitoring), but when I access it by CLI (show events) I can see the logs.
I also tried to set a signature for large ICMP packets to log and deny traffic (with the actions deny packet inline and deny attacker inline) and pinged
a server from inside to outside with a big packet. In this case IME showed the logs, but it did not deny the traffic.
Did I miss something here?
Another question: does the IPS at least log traffic from IPs that are configured under "never block IP addresses"?
Please I need help.
Thanks and regards,
George
George;
1 - OK, it's good that the event status is logged.
2 - By checking all four severities in the device properties, you asked IME not to retrieve events of those four severities. You should uncheck these severities to allow IME to retrieve all event severities. Please note the text in IME reads, "Exclude the following severity level alerts."
3 - If there are no real-time events, you probably have no historical events either.
4 - As your sensor is configured for both inline and promiscuous operation, deny actions take effect on events generated by the inline interface pair. If the event is generated by the promiscuous interface, the deny action cannot be performed.
Whether or not your network is completely IPv4, it is possible for systems running Windows and Mac OS X to have IPv6 enabled by default and in turn generate that traffic on your network.
If a signature event fires and the "Produce Alert" action is assigned, the IPS must log the activity regardless of whether the host is listed as never-block or not.
Scott
-
Packets not CEF switched / what is 'CCE Output Classification'?
Hello
I noticed a 3945-SEC with fairly high CPU load without doing much, because more packets are process switched than CEF switched.
To investigate, I did the following:
Router#sh ip cef switching statistics feature

IPv4 CEF input features:
 Feature                  Drop  Consume      Punt  Punt2Host  Gave route
 Access List          24911921        0         0   14678240           0
 Policy Routing              0        0         0          0    20433673
 Total                24911921        0         0   14678240    20433673

IPv4 CEF output features:
 Feature                      Drop  Consume       Punt  Punt2Host  New i/f
 CCE Output Classification       0        0  715266717          0        0
 Total                           0        0  715266717          0        0

IPv4 CEF post-encap features:
 Feature                  Drop    Consume  Punt  Punt2Host  New i/f
 IPSEC Post-encap            1  655816389     0          0        0
 Total                       1  655816389     0          0        0

IPv4 CEF for us features:
 Feature                  Drop  Consume  Punt  Punt2Host  New i/f
 Total                       0        0     0          0        0

IPv4 CEF punt features:
 Feature                  Drop  Consume  Punt  Punt2Host  New i/f
 Total                       0        0     0          0        0

IPv4 CEF local features:
 Feature                  Drop  Consume  Punt  Punt2Host  Gave route
 Total                       0        0     0          0           0
The punted packets (= "punted" to another switching mechanism, not CEF switched) for the feature 'CCE Output Classification' increase by ~1000 per second.
This made me wonder what exactly the feature 'CCE Output Classification' is. As I can see in the following output, this feature is enabled on my tunnel interface:
Router#sh ip int tu0
Tunnel0 is up, line protocol is up
  Internet address is x.x.x.x/xx
  Broadcast address is x.x.x.x
  Address determined by non-volatile memory
  MTU is 1400 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  VPN Routing/Forwarding "xxx"
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: Packet capture, MCI Check, TCP Adjust MSS
  Output features: CCE Output Classification, NHRP redirect, NAT CCE Classification, TCP Adjust MSS, QoS Preclassification
  Post encapsulation features: IPSEC Post-encap output classification
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
Can someone tell me what "CCE Output Classification" is and why it is used so heavily by my router?
Hello Sebastian,
CCE is the Common Classification Engine. I think it's used to "match" traffic for features like QoS, NAT, etc. Based on the "sh ip int" output, some features in the output direction are causing packets to be punted. You can try "debug ip cef drop" for a few seconds while the counter is incrementing; usually it will give a reason for the punt. The most common reasons are listed below.
ACL log or log-input option (or)
An unreachable next hop for a route (or)
A missing ARP entry for a next hop (or)
ARP entry for NAT outside... etc.
Please rate this post if you found it useful.
Thanks & best regards,
Vignesh R P
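Sebastian's "~1000 per second" figure comes from comparing two readings of the punt counter. As an added example (not code from the thread or from Cisco), the following Python parses two snapshots of `show ip cef switching statistics feature` in the layout shown above, computes the per-feature punt rate between them, and lists the features responsible, which is the number to have in hand before running `debug ip cef drop` as Vignesh suggests. The two snapshots and the 10-second interval are constructed for the example; only the counter layout matches the output above.

```python
# Two constructed snapshots of `show ip cef switching statistics feature`, taken
# INTERVAL seconds apart; the numbers are invented for this example and are not the thread's.
INTERVAL = 10
SNAPSHOT_A = """\
IPv4 CEF input features:
 Feature                    Drop   Consume      Punt  Punt2Host  Gave route
 Access List            24911921         0         0   14678240           0
 Policy Routing                0         0         0          0    20433673
 Total                  24911921         0         0   14678240    20433673

IPv4 CEF output features:
 Feature                    Drop   Consume      Punt  Punt2Host  New i/f
 CCE Output Classification     0         0 715266717          0        0
 Total                         0         0 715266717          0        0
"""
SNAPSHOT_B = """\
IPv4 CEF input features:
 Feature                    Drop   Consume      Punt  Punt2Host  Gave route
 Access List            24912021         0         0   14678300           0
 Policy Routing                0         0         0          0    20433900
 Total                  24912021         0         0   14678300    20433900

IPv4 CEF output features:
 Feature                    Drop   Consume      Punt  Punt2Host  New i/f
 CCE Output Classification     0         0 715276717          0        0
 Total                         0         0 715276717          0        0
"""

# The five numeric columns; the last one is "Gave route" or "New i/f" depending on the section.
COLUMNS = ("drop", "consume", "punt", "punt2host", "other")


def parse_feature_counters(text):
    """Return {(section, feature): {column: count}}; header, blank and Total rows are skipped."""
    counters = {}
    section = None
    for line in text.splitlines():
        if line.endswith("features:"):
            section = line.rstrip(":").strip()
            continue
        tokens = line.split()
        # A data row is a feature name (one or more words) followed by exactly five integers.
        if len(tokens) < 6 or not all(t.isdigit() for t in tokens[-5:]):
            continue
        feature = " ".join(tokens[:-5])
        if feature == "Total" or section is None:
            continue
        counters[(section, feature)] = dict(zip(COLUMNS, map(int, tokens[-5:])))
    return counters


def punt_rates(before, after, interval_s):
    """Punt packets per second per feature between two snapshots (features missing from either are ignored)."""
    rates = {}
    for key, new in after.items():
        old = before.get(key)
        if old is not None:
            rates[key] = (new["punt"] - old["punt"]) / interval_s
    return rates


def top_punters(before, after, interval_s, min_rate=1.0):
    """Features whose punt rate is at least min_rate packets/s, highest first."""
    rates = punt_rates(before, after, interval_s)
    return sorted(((k, r) for k, r in rates.items() if r >= min_rate), key=lambda kr: -kr[1])


if __name__ == "__main__":
    a = parse_feature_counters(SNAPSHOT_A)
    b = parse_feature_counters(SNAPSHOT_B)
    for (section, feature), rate in top_punters(a, b, INTERVAL):
        print(f"{section}: {feature} punts {rate:.0f} pkt/s")
```

Only the Punt column is rated here because that is what the thread is about; the same delta logic applies to Drop or Punt2Host if you are chasing drops instead.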
-
IPSEC packets are not encrypted
Hello (and Happy Thanksgiving in the USA),
We recently replaced our ASA and reapplied the saved configuration to the new device. There is a site-to-site VPN that works and a remote access VPN that does not work. We use some Cisco VPN clients and some Shrew Soft VPN clients. I compared the config of the new ASA to that of the old ASA and I can't find any differences (but the remote client VPN was working on the old ASA). Remote clients connect and a tunnel is created, but they are unable to pass traffic. Systems on the network behind the ASA are able to access the internet.
Output of sho crypto isakmp sa (ignore peer #1, this is the working site-to-site VPN):
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: xx.168.155.98
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: xx.211.206.48
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Output of sho crypto ipsec sa (info about the site-to-site VPN deleted). Packets are decrypted but not encrypted.
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: public-ip

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
      current_peer: xx.211.206.48, username: me
      dynamic allocated peer ip: 10.20.1.100

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: public-ip/4500, remote crypto endpt.: xx.211.206.48/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 7E0BF9B9
      current inbound spi : 41B75CCD

    inbound esp sas:
      spi: 0x41B75CCD (1102535885)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28776
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
      spi: 0xC06BF0DD (3228299485)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, Rekeyed}
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28774
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x000003FF 0xFFF80001
    outbound esp sas:
      spi: 0x7E0BF9B9 (2114714041)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28774
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
      spi: 0xCBF945AC (3422111148)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, Rekeyed}
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28772
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
ASA config:
: Saved
: Written by me at 19:56:37.957 PST Tue Nov 26 2013
!
ASA Version 8.2(4)
!
hostname mfw01
domain-name company.int
enable password xxx encrypted
passwd xxx encrypted
names
name xx.174.143.97 cox-gateway description cox gateway
name 172.16.10.0 iscsi-network description iscsi network
name 192.168.1.0 legacy-network description legacy network
name 10.20.50.0 management-network description management network
name 10.20.10.0 server-network description server network
name 10.20.20.0 user-network description user network
name 192.168.1.101 private-em-imap description private-em-imap
name 10.20.10.2 private-exchange description private-exchange
name 10.20.10.3 private-ftp description private-ftp
name 192.168.1.202 private-ip-phones description private-ip-phones
name 10.20.10.6 private-kaseya description private-kaseya
name 192.168.1.2 private-mitel-3300 description private mitel 3300
name 10.20.10.1 private-pptp description private-pptp
name 10.20.10.7 private-sharepoint description private-sharepoint
name 10.20.10.4 private-tportal description private-tportal
name 10.20.10.8 private-xarios description private-xarios
name 192.168.1.215 private-xorcom description private-xorcom
name xx.174.143.99 public-exchange description public-exchange
name xx.174.143.100 public-ftp description public-ftp
name xx.174.143.101 public-tportal description public-tportal
name xx.174.143.102 public-sharepoint description public-sharepoint
name xx.174.143.103 public-ip-phones description public-ip-phones
name xx.174.143.104 public-mitel-3300 description public mitel 3300
name xx.174.143.105 public-xorcom description public-xorcom
name xx.174.143.108 public-remote-support description public-remote-support
name xx.174.143.109 public-xarios description public-xarios
name xx.174.143.110 public-kaseya description public-kaseya
name xx.174.143.111 public-pptp description public-pptp
name 192.168.2.0 Irvine_LAN description Irvine_LAN
name xx.174.143.98 public-ip
name 10.20.10.14 private-RevProxy description private-RevProxy
name xx.174.143.107 public-RevProxy description public-RevProxy
name 10.20.10.9 private-XenDesktop description private-XenDesktop
name xx.174.143.115 public-XenDesktop description public-XenDesktop
name 10.20.1.1 private-bridge description private-bridge
name 192.168.1.96 private-remote-support description private-remote-support
!
interface Ethernet0/0
 nameif public
 security-level 0
 ip address public-ip 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif private
 security-level 100
 ip address private-gateway 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name mills.int
object-group service ftp
 service-object tcp eq ftp
 service-object tcp eq ftp-data
object-group service DM_INLINE_SERVICE_1
 group-object ftp
 service-object udp eq tftp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 40
 port-object eq ssh
object-group service web-server
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq smtp
 group-object web-server
object-group service DM_INLINE_SERVICE_3
 service-object tcp eq ssh
 group-object web-server
object-group service kaseya
 service-object tcp eq 4242
 service-object tcp eq 5721
 service-object tcp eq 8080
 service-object udp eq 5721
object-group service DM_INLINE_SERVICE_4
 group-object kaseya
 group-object web-server
object-group service DM_INLINE_SERVICE_5
 service-object gre
 service-object tcp eq pptp
object-group service VPN
 service-object gre
 service-object esp
 service-object ah
 service-object tcp eq pptp
 service-object udp eq 4500
 service-object udp eq isakmp
object-group network MILLS_VPN_VLANS
 network-object 10.20.1.0 255.255.255.0
 network-object server-network 255.255.255.0
 network-object user-network 255.255.255.0
 network-object management-network 255.255.255.0
 network-object legacy-network 255.255.255.0
object-group service InterTel5000
 service-object tcp range 3998 3999
 service-object tcp range 6800 6802
 service-object udp eq 20001
 service-object udp range 5004 5007
 service-object udp range 50098 50508
 service-object udp range 6604 7039
 service-object udp eq bootpc
 service-object udp eq tftp
 service-object tcp eq 4000
 service-object tcp eq 44000
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq 5566
 service-object udp eq 5567
 service-object udp range 6004 6603
 service-object tcp eq 6880
object-group service DM_INLINE_SERVICE_6
 service-object icmp
 service-object tcp eq 2001
 service-object tcp eq 2004
 service-object tcp eq 2005
object-group service DM_INLINE_SERVICE_7
 service-object icmp
 group-object InterTel5000
object-group service DM_INLINE_SERVICE_8
 service-object icmp
 service-object tcp eq https
 service-object tcp eq ssh
object-group service RevProxy tcp
 description RevProxy
 port-object eq 5500
object-group service XenDesktop tcp
 description Xen
 port-object eq 8080
 port-object eq 2514
 port-object eq 2598
 port-object eq 27000
 port-object eq 7279
 port-object eq 8000
 port-object eq citrix-ica
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_8 any host public-ip
access-list public_access_in extended permit object-group VPN any host public-ip
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_7 any host public-ip-phones
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_1 any host public-ftp
access-list public_access_in extended permit tcp any host public-xorcom object-group DM_INLINE_TCP_1
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_2 any host public-exchange
access-list public_access_in extended permit tcp any host public-RevProxy object-group RevProxy
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_3 any host public-remote-support
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_6 any host public-xarios
access-list public_access_in extended permit object-group web-server any host public-sharepoint
access-list public_access_in extended permit object-group web-server any host public-tportal
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_4 any host public-kaseya
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_5 any host public-pptp
access-list public_access_in extended permit ip any host public-XenDesktop
access-list private_access_in extended permit icmp any any
access-list private_access_in extended permit ip any any
access-list VPN_Users_SplitTunnelAcl standard permit server-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit user-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit management-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit 10.20.1.0 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit legacy-network 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
access-list public_1_cryptomap extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list public_2_cryptomap extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
pager lines 24
logging enable
logging list error-events level warnings
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm warnings
logging mail warnings
logging host private private-kaseya
logging permit-hostdown
logging class auth trap alerts
mtu public 1500
mtu private 1500
mtu management 1500
ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (public) 101 interface
nat (private) 0 access-list private_nat0_outbound
nat (private) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (private,public) public-ip-phones private-ip-phones netmask 255.255.255.255 dns
static (private,public) public-ftp private-ftp netmask 255.255.255.255 dns
static (private,public) public-xorcom private-xorcom netmask 255.255.255.255 dns
static (private,public) public-exchange private-exchange netmask 255.255.255.255 dns
static (private,public) public-RevProxy private-RevProxy netmask 255.255.255.255 dns
static (private,public) public-remote-support private-remote-support netmask 255.255.255.255 dns
static (private,public) public-xarios private-xarios netmask 255.255.255.255 dns
static (private,public) public-sharepoint private-sharepoint netmask 255.255.255.255 dns
static (private,public) public-tportal private-tportal netmask 255.255.255.255 dns
static (private,public) public-kaseya private-kaseya netmask 255.255.255.255 dns
static (private,public) public-pptp private-pptp netmask 255.255.255.255 dns
static (private,public) public-XenDesktop private-XenDesktop netmask 255.255.255.255 dns
access-group public_access_in in interface public
access-group private_access_in in interface private
route public 0.0.0.0 0.0.0.0 cox-gateway 1
route private server-network 255.255.255.0 10.20.1.254 1
route private user-network 255.255.255.0 10.20.1.254 1
route private management-network 255.255.255.0 10.20.1.254 1
route private iscsi-network 255.255.255.0 10.20.1.254 1
route private legacy-network 255.255.255.0 10.20.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map Admin-Control
  map-name  Comment Privilege-Level
ldap attribute-map Allow-Dialin
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map Mills-VPN_Users
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map Network-Admins
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf NOACCESS FALSE
  map-value memberOf "Network Admins" 6
dynamic-access-policy-record DfltAccessPolicy
aaa-server Mills protocol nt
aaa-server Mills (private) host private-pptp
 nt-auth-domain-controller auth-ms01.mills.int
aaa-server Mills_NetAdmin protocol ldap
aaa-server Mills_NetAdmin (private) host private-pptp
 server-port 389
 ldap-base-dn ou=San Diego,dc=mills,dc=int
 ldap-group-base-dn ou=San Diego,dc=mills,dc=int
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
 server-type microsoft
 ldap-attribute-map Mills-VPN_Users
aaa-server NetworkAdmins protocol ldap
aaa-server NetworkAdmins (private) host private-pptp
 ldap-base-dn ou=San Diego,dc=mills,dc=int
 ldap-group-base-dn ou=San Diego,dc=mills,dc=int
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
 server-type microsoft
 ldap-attribute-map Network-Admins
aaa-server ADVPNUsers protocol ldap
aaa-server ADVPNUsers (private) host private-pptp
 ldap-base-dn ou=San Diego,dc=mills,dc=int
 ldap-group-base-dn ou=San Diego,dc=mills,dc=int
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
 server-type microsoft
 ldap-attribute-map Mills-VPN_Users
aaa authentication enable console ADVPNUsers LOCAL
aaa authentication http console ADVPNUsers LOCAL
aaa authentication serial console ADVPNUsers LOCAL
aaa authentication telnet console ADVPNUsers LOCAL
aaa authentication ssh console ADVPNUsers LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 public
http 0.0.0.0 0.0.0.0 private
snmp-server host private private-kaseya community * version 2c
snmp-server location Mills San Diego
snmp-server contact Mills Help
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp private
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map public_map 1 match address public_1_cryptomap
crypto map public_map 1 set pfs
crypto map public_map 1 set peer xx.168.155.98
crypto map public_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map public_map 1 set nat-t-disable
crypto map public_map 1 set phase1-mode aggressive
crypto map public_map 2 match address public_2_cryptomap
crypto map public_map 2 set pfs group5
crypto map public_map 2 set peer xx.181.134.141
crypto map public_map 2 set transform-set ESP-AES-128-SHA
crypto map public_map 2 set nat-t-disable
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable public
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 private
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 public
ssh 0.0.0.0 0.0.0.0 private
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 216.129.110.22 source public
ntp server 173.244.211.10 source public
ntp server 24.124.0.251 source public prefer
webvpn
 enable public
 svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol svc
group-policy IPSecUsers internal
group-policy IPSecUsers attributes
 wins-server value 10.20.10.1
 dns-server value 10.20.10.1
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_Users_SplitTunnelAcl
 default-domain value mills.int
 address-pools value VPN_Users
group-policy Irvine internal
group-policy Irvine attributes
 vpn-tunnel-protocol IPSec
username admin password Kra9/kXfLDwlSxis encrypted
tunnel-group VPNUsers type remote-access
tunnel-group VPNUsers general-attributes
 address-pool VPN_Users
 authentication-server-group Mills_NetAdmin
 default-group-policy IPSecUsers
tunnel-group VPNUsers ipsec-attributes
 pre-shared-key *
tunnel-group xx.189.99.114 type ipsec-l2l
tunnel-group xx.189.99.114 general-attributes
 default-group-policy Irvine
tunnel-group xx.189.99.114 ipsec-attributes
 pre-shared-key *
tunnel-group xx.205.23.76 type ipsec-l2l
tunnel-group xx.205.23.76 general-attributes
 default-group-policy Irvine
tunnel-group xx.205.23.76 ipsec-attributes
 pre-shared-key *
tunnel-group xx.168.155.98 type ipsec-l2l
tunnel-group xx.168.155.98 general-attributes
 default-group-policy Irvine
tunnel-group xx.168.155.98 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global-policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
Maybe my eyes are glazed from looking at it for too long. Does something seem wrong? Maybe I missed a command that would not appear in the config?
Thanks in advance to those who take a glance.
We see that the echo request is sent but there is no echo reply. This seems to be a routing problem between the ASA and the host you are trying to ping. Check the routing so that traffic to the 10.20.1.0 network is routed to the ASA. If there is no other routing device, make sure that the default gateway is correct on the host you're trying to reach.
If you try to ping a Windows machine, make sure that the Windows firewall is disabled or allows ICMP.
--
Please do not forget to rate and choose a correct answer.
-
PIX does not allow large packets
I can ping with -l 992, but it fails with -l 993.
Pinging 172.16.17.1 with 992 bytes of data:
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Reply from 172.16.17.1: bytes=992 time=1ms TTL=254
Ping statistics for 172.16.17.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
Pinging 172.16.17.1 with 993 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.17.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
I also see that connections to the devices in the DMZ are taking excessively long.
The MTU size on all interfaces is still the default value of 1500.
Hi Jimmysturn:
What is likely happening here is that you have an IDS attack policy bound to your outside interface with the action 'drop' or 'reset' for all packets that match a signature in the attack category.
Signature 2151 (Large ICMP) will drop packets hitting the PIX outside interface, or passing through the PIX outside interface, when you ping with a large packet size (993+ bytes):
From your post, you must have had the following IDS policy on your PIX:
ip audit name attackpolicy attack action drop
(or
ip audit name attackpolicy attack action alarm drop
or
ip audit name attackpolicy attack action alarm reset
or both)
If you want to ping with big packets, there are several things you can do:
(1) remove the "attackpolicy" policy completely from your outside interface. It will turn off all of the IDS signatures in the attack category.
Look at this carefully and see if it's what you want to do.
To achieve the above, issue the following command:
"no ip audit interface outside attackpolicy"
(2) turn off signature 2151 by issuing the command:
"ip audit signature 2151 disable"
That would disable only the Large ICMP attack signature while leaving the other signatures in the IDS attack category ON.
(3) set the signature action to log large ICMP packets (to a syslog server or the internal buffer) instead of dropping them. Again, this should be considered as carefully as option 1.
To achieve the above goal, issue the following command:
ip audit name attackpolicy attack action alarm
Hope it helps.
Please rate the post accordingly if you find it useful.
Sincerely,
Binh
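Before changing the policy, it is worth confirming from the logs which signature is actually firing and from where. The script below is an added example written for this page, not Cisco code or anything Binh posted: it parses PIX/ASA IP-audit syslog messages of the documented shape "IDS:<signature> <description> from <src> to <dst> on interface <name>", tallies hits per signature and per source, and reads an "ip audit name ... attack" policy line to tell whether matching packets are merely logged or also dropped/reset. The sample log lines, addresses, timestamps and syslog message IDs in it are constructed.

```python
"""Summarise PIX/ASA IP-audit (IDS) syslog messages and read the audit policy.

Added example, not from the thread or from Cisco. Message text follows the
documented shape 'IDS:<sig> <description> from <src> to <dst> on interface
<name>'; the sample lines below (IDs, addresses, times) are constructed.
"""
import re
from collections import Counter

IDS_RE = re.compile(
    r"%(?:PIX|ASA)-\d-(?P<msgid>\d{6}): IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on interface (?P<iface>\S+)"
)

# Constructed sample: three 2151 hits, one 2150 hit and one ordinary
# connection message that the parser must ignore.
SAMPLE_LOG = """\
Oct 31 2012 08:17:59 pix %PIX-4-400024: IDS:2151 Large ICMP packet from 10.20.1.15 to 172.16.17.1 on interface outside
Oct 31 2012 08:17:59 pix %PIX-4-400024: IDS:2151 Large ICMP packet from 10.20.1.15 to 172.16.17.1 on interface outside
Oct 31 2012 08:18:03 pix %PIX-4-400023: IDS:2150 ICMP fragment from 10.20.1.99 to 172.16.17.1 on interface outside
Oct 31 2012 08:18:07 pix %PIX-4-400024: IDS:2151 Large ICMP packet from 10.20.1.77 to 172.16.17.2 on interface outside
Oct 31 2012 08:18:09 pix %PIX-6-302013: Built outbound TCP connection 252 for outside:172.16.17.1/80 (172.16.17.1/80) to inside:10.20.1.15/2906 (10.20.1.15/2906)
"""


def parse_ids_events(text):
    """Return one dict per IDS message; lines that are not IDS messages are skipped."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def count_by_signature(events):
    """Map signature number -> number of hits."""
    return dict(Counter(e["sig"] for e in events))


def top_sources(events, sig):
    """Sources that triggered signature `sig`, most frequent first."""
    return Counter(e["src"] for e in events if e["sig"] == sig).most_common()


# 'ip audit name NAME {attack|info} [action [alarm] [drop] [reset]]'
IP_AUDIT_RE = re.compile(
    r"^ip audit name (?P<name>\S+) (?P<kind>attack|info)"
    r"(?: action(?P<actions>(?: (?:alarm|drop|reset))+))?$"
)


def audit_policy_actions(config_line):
    """Set of actions named on an 'ip audit name' line (empty if none is given)."""
    m = IP_AUDIT_RE.match(config_line.strip())
    if not m:
        raise ValueError(f"not an ip audit policy line: {config_line!r}")
    return set((m.group("actions") or "").split())


def policy_blocks_traffic(config_line):
    """True if matching packets are dropped or reset rather than only logged."""
    return bool(audit_policy_actions(config_line) & {"drop", "reset"})


if __name__ == "__main__":
    evts = parse_ids_events(SAMPLE_LOG)
    print("hits per signature:", count_by_signature(evts))
    print("2151 sources:", top_sources(evts, "2151"))
    for line in ("ip audit name attackpolicy attack action alarm drop",
                 "ip audit name attackpolicy attack action alarm"):
        print(f"{line!r} blocks traffic: {policy_blocks_traffic(line)}")
```

Run against a real syslog export, a non-empty count for signature 2151 together with a policy line that carries drop or reset is exactly the situation Binh describes; if the only hits come from your own monitoring hosts, option (2) or (3) above is the narrower change.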
-
ASA VPN Site to Site (WITH NAT) ICMP problem
Hi all!
I need to PAT traffic from 192.168.1.0/24 (via VPN) so it can reach the remote 151.1.1.0/24 through the router 192.168.123.9 in the DMZ (see diagram).
It works with this configuration, with the exception of ICMP.
This is the error: Deny inbound icmp src dmz:151.1.1.1 dst outside:192.168.123.229 (type 0, code 0)
Is there a way to do this?
Thank you all!
Marco
------------------------------------------------------------------------------------
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 remote-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.199 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan3
 forward interface Vlan1
 nameif dmz
 security-level 0
 ip address 192.168.123.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network DM_INLINE_NETWORK_1
 network-object 151.1.1.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 remote-network 255.255.255.0
access-list VPN_NAT extended permit ip remote-network 255.255.255.0 151.1.1.0 255.255.255.0
access-list dmz_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 5 192.168.123.229
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.200.0 255.255.255.0
nat (outside) 5 access-list VPN_NAT outside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
route dmz 151.1.1.0 255.255.255.0 192.168.123.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http remote-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
------------------------------------------------------------------------------------
Review the link: you have two ways to allow the return ICMP, either an ACL or ICMP inspection.
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
-
PIX 501 ICMP access list Question
According to the book I have on the PIX and firewalls, as far as I know, when dealing with routers and switches, access lists define what traffic is allowed out of the network. With the PIX, access lists can only be applied one way, to the interface on which traffic enters, not the one it leaves. That's my understanding, but when I enter these ICMP commands:
PIX1(config)# access-list ethernet1 permit icmp any any echo-reply
PIX1(config)# access-list ethernet1 permit icmp any any unreachable
PIX1(config)# access-group ethernet1 in interface inside
This does not work, but if I apply the access-group to the outside interface it works. I would like to understand why it is like that.
Thank you
This works because the PIX is not aware of session state for ICMP traffic the way it is for TCP and UDP.
By default, access from a higher-security interface to a lower-security one is allowed, unless you have an ACL applied to the higher-security interface; then only what the ACL permits will be allowed. So you can send an outbound ICMP echo request. However, for the reply to be returned, you must allow that explicitly in an ACL applied on the outside interface, because the PIX won't allow any inbound traffic from outside by default.
The same goes for ICMP unreachable, although I want to caution about making that part of the config. Allow only the unreachable due to TTL expired to facilitate path MTU discovery, not all unreachables.
Let me know if it helps.
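The rules in this answer, and the "ACL or ICMP inspection" advice in the ASA 8.2 site-to-site thread above, can be checked side by side in a small simulation. The block below is an added example written for this page, not Cisco code and not either poster's configuration: it parses "access-list ... permit icmp any any [type]" entries of the shape the questioner used, binds them to an interface the way access-group does, applies the security-level default where no ACL is bound, and optionally tracks outbound echo requests the way ICMP inspection does. Interface names, host addresses and ICMP identifiers in it are constructed.

```python
"""Simulation of how a PIX/ASA decides whether an ICMP packet is forwarded.

Added example for the two ICMP threads above; not Cisco code. It models:
  * an interface with an inbound access-list forwards only what the list
    permits (first match wins, implicit deny at the end);
  * an interface without one forwards toward a lower security level only;
  * with ICMP inspection, an echo-reply that matches a tracked outbound echo
    request is forwarded even though no access-list entry permits it.
Interface names, addresses and ICMP identifiers are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "redirect": 5, "echo": 8, "time-exceeded": 11}


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    icmp_type: Optional[int]  # None matches any ICMP type


def parse_icmp_acl(lines):
    """Parse 'access-list NAME [extended] {permit|deny} icmp any any [TYPE]'."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        tok = tok[2:]                       # drop 'access-list' and the ACL name
        if tok[0] == "extended":
            tok = tok[1:]
        action, proto, src, dst, *rest = tok
        if proto != "icmp" or (src, dst) != ("any", "any"):
            raise ValueError(f"only 'icmp any any' entries are modelled: {line!r}")
        icmp_type = None
        if rest:                            # named type (echo-reply) or a number
            icmp_type = ICMP_TYPES.get(rest[0])
            if icmp_type is None:
                icmp_type = int(rest[0])
        entries.append(AclEntry(action == "permit", icmp_type))
    return entries


@dataclass
class Interface:
    name: str
    security_level: int
    inbound_acl: Optional[list] = None


@dataclass
class Firewall:
    interfaces: dict
    inspect_icmp: bool = False
    tracked_echoes: set = field(default_factory=set)  # (src, dst, icmp id)

    def bind_acl(self, iface, entries):
        """Equivalent of 'access-group NAME in interface IFACE'."""
        self.interfaces[iface].inbound_acl = entries

    def permits(self, ingress, egress, src, dst, icmp_type, icmp_id=0):
        """True if forwarded: tracked state first, then the ingress interface's
        inbound ACL, then the security-level default."""
        if self.inspect_icmp and icmp_type == ICMP_TYPES["echo-reply"]:
            if (dst, src, icmp_id) in self.tracked_echoes:
                return True
        ing, eg = self.interfaces[ingress], self.interfaces[egress]
        if ing.inbound_acl is not None:
            allowed = False
            for e in ing.inbound_acl:
                if e.icmp_type is None or e.icmp_type == icmp_type:
                    allowed = e.permit
                    break
        else:
            allowed = ing.security_level > eg.security_level
        if allowed and self.inspect_icmp and icmp_type == ICMP_TYPES["echo"]:
            self.tracked_echoes.add((src, dst, icmp_id))
        return allowed


def new_firewall(inspect_icmp=False):
    return Firewall({"inside": Interface("inside", 100),
                     "outside": Interface("outside", 0)}, inspect_icmp)


def ping_round_trip(fw, client="10.1.1.10", server="172.16.17.1", icmp_id=0x1234):
    """Inside host pings an outside host; return (request_forwarded, reply_forwarded)."""
    req = fw.permits("inside", "outside", client, server, ICMP_TYPES["echo"], icmp_id)
    rep = fw.permits("outside", "inside", server, client, ICMP_TYPES["echo-reply"], icmp_id)
    return req, rep


# The questioner's two entries, as posted (ACL name ethernet1).
QUESTIONERS_ACL = parse_icmp_acl([
    "access-list ethernet1 permit icmp any any echo-reply",
    "access-list ethernet1 permit icmp any any unreachable",
])


def scenarios():
    """The configurations discussed in the threads, run side by side."""
    out = {}
    fw = new_firewall(); fw.bind_acl("inside", QUESTIONERS_ACL)
    out["acl-on-inside"] = ping_round_trip(fw)        # no 'echo' entry: request dropped
    fw = new_firewall(); fw.bind_acl("outside", QUESTIONERS_ACL)
    out["acl-on-outside"] = ping_round_trip(fw)       # request by level, reply by ACL
    fw = new_firewall(inspect_icmp=True)
    out["inspect-icmp"] = ping_round_trip(fw)         # reply matched to tracked request
    fw = new_firewall()
    out["no-acl-no-inspection"] = ping_round_trip(fw)  # reply hits the level default
    return out


if __name__ == "__main__":
    for name, (req, rep) in scenarios().items():
        print(f"{name:22s} request={'ok' if req else 'DROP'} reply={'ok' if rep else 'DROP'}")
```

The simulation makes the questioner's symptom precise: binding the list to the inside interface does not merely fail to admit the reply, it replaces the security-level default with the list itself, and since the list has no echo entry the outbound request is dropped before it leaves. Bound to the outside interface, the same list admits only echo-reply and unreachable, so an inbound echo request or redirect still hits the implicit deny; with ICMP inspection the reply is admitted by state and the outside list can stay empty.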
-
Configuration of the ASA is below!
ASA Version 9.1(1)
!
hostname ASA
domain-name xxx.xx
names
ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Interface_to_VPN
 nameif outside
 security-level 0
 ip address 111.222.333.444 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.ww
same-security-traffic permit intra-interface
object network LAN
 subnet 192.168.11.0 255.255.255.0
 description LAN
object network SSLVPN_POOL
 subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 email [email protected]
 subject-name CN=ASA
 ip-address 111.222.333.444
 crl configure
crypto ca trustpoint ASDM_TrustPoint6
 enrollment terminal
 fqdn vpn.domain.com
 email [email protected]
 subject-name CN=vpn.domain.com
 ip-address 111.222.333.444
 keypair sslvpn
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint6
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.5.2-192.168.5.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint6 outside
webvpn
 enable outside
 csd image disk0:/csd_3.5.2008-k9.pkg
 anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
 wins-server none
 dns-server value 192.168.11.198
 vpn-simultaneous-logins 5
 vpn-session-timeout 480
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value myComp.local
 address-pools value VPN_CLIENT_POOL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect dtls compression lzs
  anyconnect modules value vpngina
  customization value DfltCustomization
group-policy IT_POLICY internal
group-policy IT_POLICY attributes
 wins-server none
 dns-server value 192.168.11.198
 vpn-simultaneous-logins 3
 vpn-session-timeout 120
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value societe.com
 address-pools value VPN_CLIENT_POOL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect dtls compression lzs
  customization value DfltCustomization
username vpnuser password PA$$WORD encrypted
username vpnuser attributes
 vpn-group-policy VPN_CLIENT_POLICY
 service-type remote-access
username vpnuser2 password PA$$W encrypted
username vpnuser2 attributes
 service-type remote-access
username admin password ADMINPA$$ encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy VPN_CLIENT_POLICY
tunnel-group VPN webvpn-attributes
 authentication aaa certificate
 group-alias VPN_to_R enable
tunnel-group IT_PROFILE type remote-access
tunnel-group IT_PROFILE general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
 authentication aaa certificate
 group-alias IT enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Hello
Here's what you'll need:
same-security-traffic permit intra-interface
access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
Patrick
-
ASA 5505 split tunneling stopped working when upgraded from 8.3(1) to 8.4(3).
A user who connected to the old device running 8.3(1) could access all of our subnets: 10.1.0.0/16, 10.33.0.0/16, 10.89.0.0/16, 10.60.0.0/16
but now they can't, and in the logs I just see
6 Oct 31 2012 08:17:59 110003 10.60.30.111 1 10.89.30.41 0 Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0
Any tips? I have tried almost everything. The running configuration is:
: Saved
:
ASA Version 8.4(3)
!
hostname asa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.60.70.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 80.90.98.217 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.33.0.0_16
 subnet 10.33.0.0 255.255.0.0
object network NETWORK_OBJ_10.60.0.0_16
 subnet 10.60.0.0 255.255.0.0
object network NETWORK_OBJ_10.89.0.0_16
 subnet 10.89.0.0 255.255.0.0
object network NETWORK_OBJ_10.1.0.0_16
 subnet 10.1.0.0 255.255.0.0
object network tetPC
 host 10.60.10.1
 description test
object network NETWORK_OBJ_10.60.30.0_24
 subnet 10.60.30.0 255.255.255.0
object network NETWORK_OBJ_10.60.30.64_26
 subnet 10.60.30.64 255.255.255.192
object network SSHServer
 host 10.60.20.6
object network SSH_public
object network ftp_public
 host 80.90.98.218
object network rdp
 host 10.60.10.4
object network ftp_server
 host 10.60.20.2
object network ssh_public
 host 80.90.98.218
object service FTP
 service tcp destination eq 12
object network NETWORK_OBJ_10.60.20.3
 host 10.60.20.3
object network NETWORK_OBJ_10.60.40.192_26
 subnet 10.60.40.192 255.255.255.192
object network NETWORK_OBJ_10.60.10.10
 host 10.60.10.10
object network NETWORK_OBJ_10.60.20.2
 host 10.60.20.2
object network NETWORK_OBJ_10.60.20.21
 host 10.60.20.21
object network NETWORK_OBJ_10.60.20.4
 host 10.60.20.4
object network NETWORK_OBJ_10.60.20.5
 host 10.60.20.5
object network NETWORK_OBJ_10.60.20.6
 host 10.60.20.6
object network NETWORK_OBJ_10.60.20.7
 host 10.60.20.7
object network NETWORK_OBJ_10.60.20.29
 host 10.60.20.29
object service port_tomcat
 service tcp source range 8080 8082
object network TBSF
 subnet 172.16.252.0 255.255.255.0
object network MailServer
 host 10.33.10.2
 description Mail server
object service HTTPS
 service tcp source eq https
object network test
object network access_web_mail
 host 10.60.50.251
object network downtown_Interface_host
 host 10.60.50.1
 description Downtown host Interface
object service Oracle_port
 service tcp source eq sqlnet
object network NETWORK_OBJ_10.60.50.248_29
 subnet 10.60.50.248 255.255.255.248
object network NETWORK_OBJ_10.60.50.1
 host 10.60.50.1
object network NETWORK_OBJ_10.60.50.0_28
 subnet 10.60.50.0 255.255.255.240
object network brisel
 subnet 10.191.191.0 255.255.255.0
object network NETWORK_OBJ_10.191.191.0_24
 subnet 10.191.191.0 255.255.255.0
object network NETWORK_OBJ_10.60.60.0_24
 subnet 10.60.60.0 255.255.255.0
object-group service TCS_Service_Group
 description this group of Services offered is for the CLD's Clients
 service-object object port_tomcat
object-group service HTTPS_ACCESS tcp
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.1.0.0 255.255.0.0
 network-object 10.33.0.0 255.255.0.0
 network-object 10.60.0.0 255.255.0.0
 network-object 10.89.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list outside_3_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit icmp host 80.90.98.222 host 80.90.98.217
access-list OUTSIDE_IN extended permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp
access-list OUTSIDE_IN extended permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh
access-list OAKDCAcl standard permit 10.60.0.0 255.255.0.0
access-list OAKDCAcl standard permit 10.33.0.0 255.255.0.0
access-list OAKDCAcl remark backoffice
access-list OAKDCAcl standard permit 10.89.0.0 255.255.0.0
access-list OAKDCAcl remark maint
access-list OAKDCAcl standard permit 10.1.0.0 255.255.0.0
access-list osgd standard permit host 10.60.20.4
access-list osgd standard permit host 10.60.20.5
access-list osgd standard permit host 10.60.20.7
access-list testOAK_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list snmp extended permit udp any eq snmptrap any
access-list snmp extended permit udp any any eq snmp
access-list downtown_splitTunnelAcl standard permit host 10.60.20.29
access-list webMailACL standard permit host 10.33.10.2
access-list HBSC standard permit host 10.60.30.107
access-list HBSC standard deny 10.33.0.0 255.255.0.0
access-list HBSC standard deny 10.89.0.0 255.255.0.0
access-list outside_4_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0
access-list OAK-remote_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.33.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list OAK-remote_splitTunnelAcl standard permit 10.89.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool OAKPRD_pool 10.60.30.110-10.60.30.150 mask 255.255.0.0
ip local pool mail_sddress_pool 10.60.50.251-10.60.50.255 mask 255.255.0.0
ip local pool test 10.60.50.1 mask 255.255.255.255
ip local pool ipad 10.60.30.90-10.60.30.99 mask 255.255.0.0
ip local pool TCS_pool 10.60.40.200-10.60.40.250 mask 255.255.255.0
ip local pool OSGD_POOL 10.60.50.2-10.60.50.10 mask 255.255.0.0
ip local pool OAK_pool 10.60.60.0-10.60.60.255 mask 255.255.0.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name ThreatDetection attack action alarm
ip audit interface inside ThreatDetection
ip audit interface outside ThreatDetection
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any echo outside
asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.33.0.0_16 NETWORK_OBJ_10.33.0.0_16
nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16
nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.0_24 NETWORK_OBJ_10.60.30.0_24
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.30.64_26 NETWORK_OBJ_10.60.30.64_26
nat (inside,outside) source static NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 destination static NETWORK_OBJ_10.60.40.192_26 NETWORK_OBJ_10.60.40.192_26 service any port_tomcat
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1
nat (inside,outside) source static MailServer MailServer destination static NETWORK_OBJ_10.60.50.248_29 NETWORK_OBJ_10.60.50.248_29
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.60.50.0_28 NETWORK_OBJ_10.60.50.0_28
nat (inside,outside) source static NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 destination static NETWORK_OBJ_10.191.191.0_24 NETWORK_OBJ_10.191.191.0_24
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 80.90.98.222 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.60.10.10 255.255.255.255 inside
http 10.33.30.33 255.255.255.255 inside
http 10.60.30.33 255.255.255.255 inside
snmp-server host inside 10.33.30.108 community * version 2c
snmp-server host inside 10.89.70.30 community *
no snmp-server location
no snmp-server contact
snmp-server community *
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set lux_trans_set esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 84.51.31.173
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 98.85.125.2
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 220.79.236.146
crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 159.146.232.122
crypto map outside_map 4 set ikev1 transform-set lux_trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
telnet 10.60.10.10 255.255.255.255 inside
telnet 10.60.10.1 255.255.255.255 inside
telnet 10.60.10.5 255.255.255.255 inside
telnet 10.60.30.33 255.255.255.255 inside
telnet 10.33.30.33 255.255.255.255 inside
telnet timeout 30
ssh 10.60.10.5 255.255.255.255 inside
ssh 10.60.10.10 255.255.255.255 inside
ssh 10.60.10.3 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 155.2.10.20 155.2.10.50 interface inside
dhcpd auto_config outside interface inside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 10.60.10.10 configs/config1
webvpn
group-policy testTG internal
group-policy testTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol l2tp-ipsec
group-policy TcsTG internal
group-policy TcsTG attributes
 vpn-idle-timeout 20
 vpn-session-timeout 120
 vpn-tunnel-protocol ikev1
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testOAK_splitTunnelAcl
 address-pools value TCS_pool
group-policy downtown_interfaceTG internal
group-policy downtown_interfaceTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value downtown_splitTunnelAcl
group-policy HBSCTG internal
group-policy HBSCTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HBSC
group-policy OSGD internal
group-policy OSGD attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 group-lock value OSGD
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testOAK_splitTunnelAcl
group-policy OAKDC internal
group-policy OAKDC attributes
 vpn-tunnel-protocol ikev1
 group-lock value OAKDC
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OAKDCAcl
 intercept-dhcp 255.255.0.0 disable
 address-pools value OAKPRD_pool
group-policy mailTG internal
group-policy mailTG attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value webMailACL
group-policy OAK-remote internal
group-policy OAK-remote attributes
 dns-server value 155.2.10.20 155.2.10.50
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OAK-remote_splitTunnelAcl
 vpn-group-policy OAKDC
 service-type nas-prompt
tunnel-group DefaultRAGroup general-attributes
 address-pool OAKPRD_pool
 address-pool ipad
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group 84.51.31.173 type ipsec-l2l
tunnel-group 84.51.31.173 ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group 98.85.125.2 type ipsec-l2l
tunnel-group 98.85.125.2 ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group 220.79.236.146 type ipsec-l2l
tunnel-group 220.79.236.146 ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group OAKDC type remote-access
tunnel-group OAKDC general-attributes
address pool OAKPRD_pool
Group Policy - by default-OAKDC
IPSec-attributes tunnel-group OAKDC
IKEv1 pre-shared-key *.
type tunnel-group TcsTG remote access
attributes global-tunnel-group TcsTG
address pool TCS_pool
Group Policy - by default-TcsTG
IPSec-attributes tunnel-group TcsTG
IKEv1 pre-shared-key *.
type tunnel-group downtown_interfaceTG remote access
tunnel-group downtown_interfaceTG General-attributes
test of the address pool
Group Policy - by default-downtown_interfaceTG
downtown_interfaceTG group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group TunnelGroup1 remote access
type tunnel-group mailTG remote access
tunnel-group mailTG General-attributes
address mail_sddress_pool pool
Group Policy - by default-mailTG
mailTG group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group testTG remote access
tunnel-group testTG General-attributes
address mail_sddress_pool pool
Group Policy - by default-testTG
testTG group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group OSGD remote access
tunnel-group OSGD General-attributes
address OSGD_POOL pool
strategy-group-by default OSGD
tunnel-group OSGD ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group HBSCTG remote access
attributes global-tunnel-group HBSCTG
address OSGD_POOL pool
Group Policy - by default-HBSCTG
IPSec-attributes tunnel-group HBSCTG
IKEv1 pre-shared-key *.
tunnel-group 159.146.232.122 type ipsec-l2l
IPSec-attributes tunnel-group 159.146.232.122
IKEv1 pre-shared-key *.
tunnel-group OAK type remote access / remote
attributes global-tunnel-group OAK / remote
address pool OAK_pool
Group Policy - by default-OAK-remote control
IPSec-attributes tunnel-group OAK / remote
IKEv1 pre-shared-key *.
!
!
!
Policy-map global_policy
!
context of prompt hostname
no remote anonymous reporting call
HPM topN enable
: end
enable ASDM history
Hi David,
I see that you have:
access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
So, please make the following changes:
object network obj-10.60.30.0
 subnet 10.60.30.0 255.255.255.0
!
route outside 10.60.30.0 255.255.255.0 80.90.98.222
route outside 10.89.0.0 255.255.0.0 80.90.98.222
nat (outside,outside) 1 source static obj-10.60.30.0 obj-10.60.30.0 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16 no-proxy-arp route-lookup
HTH
Portu.
Please rate all useful posts
Post edited by: Javier Portuguez
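The IKEv1 policies in the running-config above still offer 3DES and Diffie-Hellman groups 1, 2 and 5, which is what a reviewer would flag first when reading such a dump. The following script is an added example, not code from the poster or from Cisco: it parses the "crypto ikev1 policy" blocks out of a "show running-config" text and reports deprecated encryption (DES/3DES), MD5 hashing and MODP groups below 2048 bits. The sample config embedded in it is constructed from the policies shown above (with policy 70 changed to group 14 so that one policy passes); the 2048-bit threshold and the "weak" sets are the assumptions the audit makes.

```python
"""Audit the 'crypto ikev1 policy' blocks of an ASA running-config for weak
IKE proposals: DES/3DES encryption, MD5 hashing and MODP Diffie-Hellman
groups below 2048 bits (groups 1, 2 and 5)."""
import re

# Constructed sample mirroring the IKEv1 policies in the config above
# (policy 70 is changed to group 14 so that one policy passes the audit).
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 14
 lifetime 86400
telnet timeout 30
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
# Modulus size of the MODP groups the ASA offers for IKEv1 (assumed threshold: 2048 bits).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 24: 2048}
MIN_MODP_BITS = 2048


def parse_ikev1_policies(config):
    """Return {priority: {attribute: value}} for every 'crypto ikev1 policy' block.

    Sub-commands are the indented lines that follow the block header; any
    non-indented line ends the block, as in 'show running-config' output."""
    policies = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^crypto ikev1 policy (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            keyword, _, value = line.strip().partition(" ")
            policies[current][keyword] = value
        else:
            current = None
    return policies


def audit_policy(attrs):
    """Return the findings for one policy; an empty list means it is acceptable."""
    findings = []
    encryption = attrs.get("encryption", "")
    if encryption in WEAK_ENCRYPTION:
        findings.append(f"encryption {encryption} is deprecated")
    if attrs.get("hash") in WEAK_HASH:
        findings.append("hash md5 is deprecated")
    group = int(attrs.get("group", "0"))
    if group in MODP_BITS and MODP_BITS[group] < MIN_MODP_BITS:
        findings.append(f"group {group} ({MODP_BITS[group]}-bit MODP) is below {MIN_MODP_BITS} bits")
    return findings


def audit_config(config):
    """Map each weak policy's priority to its findings; clean policies are omitted."""
    report = {}
    for priority, attrs in parse_ikev1_policies(config).items():
        findings = audit_policy(attrs)
        if findings:
            report[priority] = findings
    return report


if __name__ == "__main__":
    for priority, findings in sorted(audit_config(SAMPLE_CONFIG).items()):
        print(f"crypto ikev1 policy {priority}")
        for finding in findings:
            print(f"  {finding}")
```

Feed it the text of "show running-config" (for example by reading a saved file into SAMPLE_CONFIG's place) and every policy that still negotiates a weak proposal is listed with the reason; a policy that is never matched by a peer is still worth removing, because IKEv1 picks the first policy both sides accept.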
-
ASA 5515 - AnyConnect - inside subnet connection problem
Hi all
I have a problem with the connection to the inside subnet using AnyConnect SSL VPN.
ASA ver. 5515
Please find the configuration below:
User Access Verification
ASA1# show running-config
: Saved
:
ASA Version 9.1(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool POOLS-for-AnyConnect 10.0.70.1-10.0.70.50 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.64.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 20
 ip address B.B.B.B 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network outside_to_inside_FR-Appsrv01
 host 192.168.64.232
object network outside_to_dmz_fr-websvr-uat
 host 10.20.20.14
object network inside_to_dmz
 subnet 192.168.64.0 255.255.255.0
object network gtc-tomcat
 host 192.168.64.228
object network USA-Appsrv01-UAT
 host 192.168.64.223
object network USA-Websvr-UAT
 host 10.20.20.13
object network vpn_to_inside
 subnet 10.0.70.0 255.255.255.0
access-list acl_out extended permit icmp any any unreachable
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any any time-exceeded
access-list acl_out extended permit tcp any object outside_to_inside_FR-Appsrv01 eq 3389
access-list acl_out extended permit tcp any object outside_to_inside_FR-Appsrv01 eq 28080
access-list acl_out extended permit tcp any object outside_to_inside_FR-Appsrv01 eq 9876
access-list acl_out extended permit udp any object outside_to_inside_FR-Appsrv01 eq 1720
access-list acl_out extended permit tcp any object outside_to_dmz_fr-websvr-uat eq www
access-list acl_out extended permit tcp any object outside_to_dmz_fr-websvr-uat eq https
access-list acl_out extended permit tcp any object outside_to_dmz_fr-websvr-uat eq 3389
access-list acl_out extended permit tcp any object USA-Appsrv01-UAT eq 9876
access-list acl_out extended permit udp any object USA-Appsrv01-UAT eq 1720
access-list acl_out extended permit tcp any object USA-Websvr-UAT eq www
access-list acl_out extended permit tcp any object USA-Websvr-UAT eq https
access-list acl_out extended permit tcp any object USA-Websvr-UAT eq 3389
access-list acl_out extended permit tcp any object USA-Appsrv01-UAT eq 3389
access-list acl_dmz extended permit icmp any any echo-reply
access-list acl_dmz extended permit ip any any
access-list acl_dmz extended permit tcp object outside_to_dmz_fr-websvr-uat object gtc-tomcat eq 8080
access-list acl_dmz extended permit tcp object outside_to_dmz_fr-websvr-uat object gtc-tomcat eq 8081
access-list acl_dmz extended permit tcp object outside_to_dmz_fr-websvr-uat object gtc-tomcat eq 3389
access-list acl_dmz extended permit tcp object USA-Websvr-UAT object USA-Appsrv01-UAT eq 8080
access-list acl_dmz extended permit tcp object USA-Websvr-UAT object USA-Appsrv01-UAT eq 8081
access-list gtcvpn2 extended permit ip 192.168.64.0 255.255.255.0 10.0.70.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
nat (inside,outside) source static any any destination static vpn_to_inside vpn_to_inside
!
object network outside_to_inside_FR-Appsrv01
 nat (inside,outside) static x.x.x.x
object network outside_to_dmz_fr-websvr-uat
 nat (dmz,outside) static x.x.x.x
object network USA-Appsrv01-UAT
 nat (inside,outside) static x.x.x.x
object network USA-Websvr-UAT
 nat (dmz,outside) static x.x.x.x
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 B.B.B.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.64.204 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ASA1
 keypair GTCVPN2
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 19897d54
    308201cf 30820138 a0030201 02020419 897d5430 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130851 57455354 32343031 17301506 092a8648
    86f70d01 09021608 51574553 54323430 31343132 30333034 30333237 301e170d
    5a170d32 34313133 30303430 3332375a 302c3111 300f0603 55040313 08515745
    53543234 30311730 1506092a 864886f7 0d010902 16085157 45535432 34303081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100a2 5e873d21
    dfa7cc00 ee438d1d bc400dc5 220f2dc4 aa896be4 39843044 d0521010 88a24454
    b4b1f345 84ec0ad3 cac13d47 a71f367a 2e71f5fc 0a9bd55f 05d75648 72bfb9e9
    c5379753 26ec523d f2cbc438 d234616f a71e4f4f 42f39dde e4b99020 cfcd00ad
    73162ab8 1af6b6f5 fa1b47c6 d261db8b 4a75b249 60556102 03010001 fa3fbe7c
    300d0609 2a864886 f70d0101 05050003 8181007a be791b64 a9f0df8f 982d162d
    b7c884c1 eb183711 05d676d7 2585486e 5cdd23b9 af774a8f 9623e91a b3d85f10
    af85c009 9590c0b3 401cec03 4dccf99a f1ee8c01 1e6f0f3a 6516579c 12d9cbab
    59fcead4 63baf64b 7adece49 7799f94c 1865ce1d 2c0f3ced e65fefdc a784dc50
    350e8ba2 998f3820 e6370ae5 7e6c543b 6c1ced
  quit
telnet 192.168.64.200 255.255.255.255 inside
telnet 192.168.64.169 255.255.255.255 inside
telnet 192.168.64.190 255.255.255.255 inside
telnet 192.168.64.199 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_GTCVPN2 internal
group-policy GroupPolicy_GTCVPN2 attributes
 wins-server none
 dns-server value 192.168.64.202 192.168.64.201
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gtcvpn2
 default-domain value mondomaine.fr
username duncan password cHoYQ5ZzE4HJyyq/ encrypted
username admin password Aosl50Zig4zLZm4/ encrypted
username sebol password U7rG3kt653p8ctAz encrypted
tunnel-group GTCVPN2 type remote-access
tunnel-group GTCVPN2 general-attributes
 address-pool POOLS-for-AnyConnect
 default-group-policy GroupPolicy_GTCVPN2
tunnel-group GTCVPN2 webvpn-attributes
 group-alias GTCVPN2 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 19
  subscribe-to-alert-group configuration periodic monthly 19
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0b972b3b751b59085bc2bbbb6b0c2281
: end
ASA1#
I can connect to the ASA from outside with the AnyConnect client and split tunneling works well, but unfortunately I can't ping anything inside the network. VPN subnet: 10.0.70.x 255.255.255.0, inside subnet: 192.168.64.x 255.255.255.0.
When connecting from the outside, Cisco AnyConnect shows 192.168.64.0/24 in the "Route Details" tab.
Do you know if I'm missing something? (a route from the internal subnet to the VPN subnet?)
Thank you
Does your internal subnet use the ASA as its default gateway? If not, it will need a route pointing to the ASA inside interface.
You can run a packet-tracer like this:
packet-tracer input inside tcp 192.168.64.2 80 10.0.70.1 1025
(this simulates return traffic from a web server inside to a VPN client)
-
Can't access my home network via AnyConnect
I am able to connect through the AnyConnect client and get an IP address, but I am not able to access my administration (internal) network.
Administration = 10.18.1.120
VPN pool = 172.16.10.0/28
Outside = 10.17.13.120
This is my config:
ASA Version 1.0000 2
!
!
interface GigabitEthernet0/0
 nameif administration
 security-level 100
 ip address 10.18.1.120 255.255.0.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.17.13.120 255.255.0.0
!
interface GigabitEthernet0/2
 nameif admin-out13
 security-level 0
 ip address 10.13.1.120 255.255.0.0
!
interface GigabitEthernet0/3
 nameif VOIP
 security-level 0
 ip address 10.90.100.120 255.255.0.0
!
ftp mode passive
object network NETWORK_OBJ_172.16.10.0_29
 subnet 172.16.10.0 255.255.255.248
object network Admin_Email_Server
 host 10.18.4.120
 description admin e-mail server
object network Admin_Srv_Farm
 subnet 10.18.4.0 255.255.255.0
 description subnet where the admin servers are hosted
object-group icmp-type ICMP_Group
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu administration 1500
mtu outside 1500
mtu admin-out13 1500
mtu ip_phones 1500
ip local pool ADMIN_VPN_POOL 172.16.10.1-172.16.10.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (administration,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29 no-proxy-arp route-lookup
nat (outside,administration) source static Admin_Srv_Farm Admin_Srv_Farm destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.18.0.0 255.255.0.0 administration
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=admin-pare-fire
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.90.100.1-10.90.100.100 ip_phones
dhcpd dns 4.2.2.2 8.8.8.8 interface ip_phones
dhcpd lease 1800 interface ip_phones
dhcpd domain uz.ac.zw interface ip_phones
dhcpd option 3 ip 10.90.1.254 interface ip_phones
dhcpd enable ip_phones
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect profiles ITADMIN_VPN_client_profile disk0:/ITADMIN_VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_ITADMIN_VPN internal
group-policy GroupPolicy_ITADMIN_VPN attributes
 wins-server none
 dns-server value 10.18.4.120 10.50.7.178
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value uz.ac.zw
 webvpn
  anyconnect profiles value ITADMIN_VPN_client_profile type user
username webster password nwgth7HVlZ/qiWnP encrypted
username webster attributes
 service-type remote-access
username admin password xxxxxxxxxxx encrypted privilege 15
username user2 password xxxxxxxxxxx encrypted privilege 15
username user2 attributes
 service-type remote-access
tunnel-group ITADMIN_VPN type remote-access
tunnel-group ITADMIN_VPN general-attributes
 address-pool ADMIN_VPN_POOL
 default-group-policy GroupPolicy_ITADMIN_VPN
tunnel-group ITADMIN_VPN webvpn-attributes
 group-alias ITADMIN_VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c9820a69d5b4fb9e3f7cce253f2450e4
After adding the management-access administration command, please check if you are able to ping the administration interface (ip = 10.18.1.120) from the remote user's machine. In addition, run this command on the ASA:
packet-tracer input administration icmp <internal host ip address> 8 0 <assigned ip address> detailed
Once you have run this, please copy the output and share it here. <internal host ip address> refers to the ip address of the host sitting behind the administration interface that you think should be reachable by ping from outside. <assigned ip address> is the ip address assigned to the AnyConnect client from the pool.
Share the details here and we will be able to understand the issue.
Thank you
Vishnu
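Both AnyConnect threads above come down to the same two checks: is the address pool handed to the client fully covered by the identity (twice) NAT exemption, and does the split-tunnel ACL carry the inside network? The script below is an added example, not code from either poster or from Cisco. It parses "ip local pool", "object network" and twice-NAT lines out of running-config text and lists every pool address that no identity-NAT destination covers. The two embedded configs are constructed from the values in the posts: the second post's /24 object covers its whole pool, while the third post's pool hands out 172.16.10.1-172.16.10.10 but the NAT object NETWORK_OBJ_172.16.10.0_29 is a /29, so clients that draw .8, .9 or .10 fall outside the exemption and get translated instead of reaching the inside network.

```python
"""Check that an ASA AnyConnect address pool is fully covered by the
identity twice-NAT exemption ('nat (x,y) source static any any destination
static POOL POOL'). Added example; the configs are constructed from the
values in the two posts above."""
import ipaddress
import re

# Constructed from the second post: the /24 object covers the whole pool.
CONFIG_OK = """\
ip local pool POOLS-for-AnyConnect 10.0.70.1-10.0.70.50 mask 255.255.255.0
object network vpn_to_inside
 subnet 10.0.70.0 255.255.255.0
object network inside_net
 subnet 192.168.64.0 255.255.255.0
access-list gtcvpn2 extended permit ip 192.168.64.0 255.255.255.0 10.0.70.0 255.255.255.0
nat (inside,outside) source static any any destination static vpn_to_inside vpn_to_inside
"""

# Constructed from the third post: the pool hands out .1-.10 but the NAT object is a /29.
CONFIG_BAD = """\
ip local pool ADMIN_VPN_POOL 172.16.10.1-172.16.10.10 mask 255.255.255.0
object network NETWORK_OBJ_172.16.10.0_29
 subnet 172.16.10.0 255.255.255.248
nat (administration,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29 no-proxy-arp route-lookup
"""


def parse_pools(config):
    """'ip local pool NAME first-last mask M' -> {NAME: (first, last)} as IPv4Address."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+?)-(\S+) mask", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def parse_network_objects(config):
    """Collect 'object network' blocks whose body is a 'subnet' or 'host' line."""
    objects = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^object network (\S+)", line)
        if header:
            current = header.group(1)
        elif current and line.startswith(" "):
            parts = line.split()
            if parts[0] == "subnet":
                objects[current] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
            elif parts[0] == "host":
                objects[current] = ipaddress.ip_network(f"{parts[1]}/32")
        else:
            current = None  # any other top-level line ends the object block
    return objects


def identity_nat_destinations(config, objects):
    """Destination networks of twice-NAT rules whose destination maps to itself."""
    networks = []
    pattern = r"^nat \([^)]+\) source static \S+ \S+ destination static (\S+) (\S+)"
    for m in re.finditer(pattern, config, re.M):
        real, mapped = m.group(1), m.group(2)
        if real == mapped and real in objects:
            networks.append(objects[real])
    return networks


def uncovered_pool_addresses(pool, networks):
    """Pool addresses that no network in 'networks' contains, as dotted strings."""
    first, last = pool
    uncovered = []
    for i in range(int(first), int(last) + 1):
        addr = ipaddress.ip_address(i)
        if not any(addr in net for net in networks):
            uncovered.append(str(addr))
    return uncovered


def check(config):
    """Return {pool_name: [addresses not covered by any identity-NAT exemption]}."""
    objects = parse_network_objects(config)
    exempt = identity_nat_destinations(config, objects)
    return {name: uncovered_pool_addresses(rng, exempt) for name, rng in parse_pools(config).items()}


if __name__ == "__main__":
    for label, cfg in (("second post", CONFIG_OK), ("third post", CONFIG_BAD)):
        for pool, missing in check(cfg).items():
            print(f"{label}: pool {pool}: {'fully exempted' if not missing else 'not exempted: ' + ', '.join(missing)}")
```

The fix that follows from the third post's result is to make the exemption object match the pool (a /28 as the poster describes the pool, or an object that spans 172.16.10.1-172.16.10.10), not to widen the pool; the packet-tracer Vishnu asks for would show the same mismatch as a NAT phase on the first unexempted address.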
-
ASA 5505. Site-to-Site VPN does not connect!
Hello!
For more than a week now we have had a new communication channel from MGTS (an ONT terminal Sercomm RV6688BCM, which was barely put into 'bridge' mode; the provider had to do it so that our Cisco could receive its public IP address), and for more than a week now I have been trying to bring up the IKEv1 IPsec Site-to-Site VPN tunnel between our offices.
I configured it both with the wizard in ASDM and by hand in the CLI; the result is the same, the connection does not come up.
Cisco version 9.2(2), image asa922-k8.bin, Security Plus license, ASDM version 7.2(2).
What is it that I don't know...
Debug output and the complete configuration are attached below.
Help, anyone who can, please! I am completely exhausted!
Config:
Output of the command: "sh run"
: Saved
:
: Serial: XXXXXXXXXXXX
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA Version 9.2 (2)
!
hostname door-71
activate the encrypted password of F6OJ0GOws7WHxeql
names of
IP local pool vpnpool 10.1.72.100 - 10.1.72.120 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.1.72.254 255.255.255.0
!
interface Vlan2
nameif outside_mgts
security-level 0
62.112.100.R1 255.255.255.252 IP address
!
passive FTP mode
clock timezone 3 MSK/MSD
clock to DST MSK/MDD recurring last Sun Mar 02:00 last Sun Oct 03:00
DNS lookup field inside
DNS server-group MGTS
Server name 195.34.31.50
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the NET72 object
10.1.72.0 subnet 255.255.255.0
network object obj - 0.0.0.0
host 0.0.0.0
network of the Nafanya object
Home 10.1.72.5
network object obj - 10.1.72.0
10.1.72.0 subnet 255.255.255.0
network of the NET61 object
10.1.61.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.1.72.96_27 object
subnet 10.1.72.96 255.255.255.224
network of the NETT72 object
10.1.72.0 subnet 255.255.255.0
network of the NET30 object
10.1.30.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.1.72.0_24 object
10.1.72.0 subnet 255.255.255.0
object-group service OG INET
the purpose of the echo icmp message service
response to echo icmp service object
service-object icmp traceroute
service-object unreachable icmp
service-purpose tcp - udp destination eq echo
the DM_INLINE_NETWORK_1 object-group network
network-object NET30
network-object, object NET72
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
inside_access_in extended access list permit ip object NET72 object-group DM_INLINE_NETWORK_1
access extensive list ip 10.1.72.0 inside_access_in allow 255.255.255.0 any
inside_access_in extended access list permit ip object Nafanya any idle state
inside_access_in list extended access allowed object-group OG INET an entire
inside_access_in of access allowed any ip an extended list
inside_access_in list extended access deny ip any alerts on any newspaper
outside_mgts_access_in list extended access allowed object-group OG INET an entire
outside_mgts_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_mgts_access_in list extended access deny ip any alerts on any newspaper
access extensive list ip 10.1.72.0 outside_mgts_cryptomap allow 255.255.255.0 object NET61
VPN-ST_splitTunnelAcl permit 10.1.72.0 access list standard 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
outside_mgts MTU 1500
IP check path reverse interface outside_mgts
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside outside_mgts) static source NET72 NET72 NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 non-proxy-arp-search of route static destination
NAT (inside outside_mgts) static source NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 NET61 NET61 non-proxy-arp-search of route static destination
!
network obj_any object
NAT (inside outside_mgts) dynamic obj - 0.0.0.0
network of the NET72 object
NAT (inside outside_mgts) interface dynamic dns
inside_access_in access to the interface inside group
Access-group outside_mgts_access_in in the outside_mgts interface
Route 0.0.0.0 outside_mgts 0.0.0.0 62.112.100.R 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
without activating the user identity
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http server
http 10.1.72.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
card crypto outside_mgts_map 1 match address outside_mgts_cryptomap
card crypto outside_mgts_map 1 set pfs Group1
peer set card crypto outside_mgts_map 1 91.188.180.42
card crypto outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_mgts_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
card crypto outside_mgts_map interface outside_mgts
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
E-mail [email protected] / * /
name of the object CN = door-71
Serial number
IP address 62.112.100.42
Proxy-loc-transmitter
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint1
registration auto
ASDM_TrustPoint1 key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_TrustPoint0 certificates
certificate eff26954
30820395 3082027d a0030201 020204ef f2695430 0d06092a 864886f7 0d 010105
019
6460ae26 ec5f301d 0603551d 0e041604 14c9a3f2 d70e6789 38fa4b01 465d 1964
60ae26ec 5f300d06 092 has 8648 01050500 03820101 00448753 7baa5c77 86f70d01
62857b 65 d05dc91e 3edfabc6 7b3771af bbedee14 673ec67d 3d0c2de4 b7a7ac05
5f203a8c 98ab52cf 076401e5 1a2c6cb9 3f7afcba 52c617a5 644ece10 d6e1fd7d
28b57d8c aaf49023 2037527e 9fcfa218 9883191f 60b221bf a561f2be d6882091
0222b7a3 3880d6ac 49328d1f 2e085b15 6d1c1141 5f850e5c b6cb3e67 0e373591
94a 82781 44493217 and 38097952 d 003 5552 5c445f1f 92f04039 a23fba20 b9d51b13
f511f311 d1feb2bb 6d056a15 7e63cc1b 1f134677 8124c 024 3af56b97 51af8253
486844bc b1954abe 8acd7108 5e4212df db835d76 98ffdb2b 8c8ab915 193b 8167
0db3dd54 c8346b96 c4f4eff7 1e7cd576 a8b1f86e 3b868a6e 89
quit smoking
string encryption ca ASDM_TrustPoint1 certificates
certificate a39a2b54
  quit
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside_mgts client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside_mgts
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.1.72.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
vpnclient server 91.188.180.X
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup VPN-L2L password *****
vpnclient username aradetskayaL password *****
dhcpd auto_config outside_mgts
!
dhcpd update dns both override interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside_mgts
webvpn
 enable outside_mgts
group-policy GroupPolicy_91.188.180.X internal
group-policy GroupPolicy_91.188.180.X attributes
 vpn-tunnel-protocol ikev1
group-policy VPN-ST internal
group-policy VPN-ST attributes
 dns-server value 195.34.31.50 8.8.8.8
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-ST_splitTunnelAcl
 default-domain none
username aradetskayaL password HR3qeva85hzXT6KK encrypted privilege 15
tunnel-group 91.188.180.X type ipsec-l2l
tunnel-group 91.188.180.X general-attributes
 default-group-policy GroupPolicy_91.188.180.42
tunnel-group 91.188.180.X ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
tunnel-group VPN-ST type remote-access
tunnel-group VPN-ST general-attributes
 address-pool vpnpool
 default-group-policy VPN-ST
tunnel-group VPN-ST ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:212e4f5035793d1c219fed57751983d8
: end

door-71# sh crypto ikev1 sa
There are no IKEv1 SAs

door-71# sh crypto ikev2 sa
There are no IKEv2 SAs

door-71# sh crypto ipsec sa
There are no ipsec sas

door-71# sh crypto isakmp
There are no IKEv1 SAs
There are no IKEv2 SAs

Global IKEv1 Statistics
  Active Tunnels: 0
  Previous Tunnels: 0
  In Octets: 0
  In Packets: 0
  In Drop Packets: 0
  In Notifys: 0
  In P2 Exchanges: 0
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Sa Delete Requests: 0
  Out Octets: 0
  Out Packets: 0
  Out Drop Packets: 0
  Out Notifys: 0
  Out P2 Exchanges: 0
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 0
  Initiator Tunnels: 0
  Initiator Fails: 0
  Responder Fails: 0
  System Capacity Fails: 0
  Auth Fails: 0
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0

IKEv1 Call Admission Statistics
  Max In-Negotiation SAs: 25
  In-Negotiation SAs: 0
  In-Negotiation SAs Highwater: 0
  In-Negotiation SAs Rejected: 0

Global IKEv2 Statistics
  Active Tunnels: 0
  Previous Tunnels: 0
  In Octets: 0
  In Packets: 0
  In Drop Packets: 0
  In Drop Fragments: 0
  In Notifys: 0
  In P2 Exchange: 0
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In IPSEC Delete: 0
  In IKE Delete: 0
  Out Octets: 0
  Out Packets: 0
  Out Drop Packets: 0
  Out Drop Fragments: 0
  Out Notifys: 0
  Out P2 Exchange: 0
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out IPSEC Delete: 0
  Out IKE Delete: 0
  SAs Locally Initiated: 0
  SAs Locally Initiated Failed: 0
  SAs Remotely Initiated: 0
  SAs Remotely Initiated Failed: 0
  System Capacity Failures: 0
  Authentication Failures: 0
  Decrypt Failures: 0
  Hash Failures: 0
  Invalid SPI: 0
  In Configs: 0
  Out Configs: 0
  In Configs Rejects: 0
  Out Configs Rejects: 0
  Previous Tunnels: 0
  Previous Tunnels Wraps: 0
  In DPD Messages: 0
  Out DPD Messages: 0
  Out NAT Keepalives: 0
  IKE Rekey Locally Initiated: 0
  IKE Rekey Remotely Initiated: 0
  CHILD Rekey Locally Initiated: 0
  CHILD Rekey Remotely Initiated: 0

IKEV2 Call Admission Statistics
  Max Active SAs: No Limit
  Max In-Negotiation SAs: 50
  Cookie Challenge Threshold: Never
  Active SAs: 0
  In-Negotiation SAs: 0
  Incoming Requests: 0
  Incoming Requests Accepted: 0
  Incoming Requests Rejected: 0
  Outgoing Requests: 0
  Outgoing Requests Accepted: 0
  Outgoing Requests Rejected: 0
  Rejected Requests: 0
  Rejected Over Max SA limit: 0
  Rejected Low Resources: 0
  Rejected Reboot In Progress: 0
  Cookie Challenges: 0
  Cookie Challenges Passed: 0
  Cookie Challenges Failed: 0

Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

door-71# sh crypto protocol statistics all
[IKEv1 statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[IKEv2 statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[IPsec statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSL statistics]
   Encrypt packet requests: 19331
   Encapsulate packet requests: 19331
   Decrypt packet requests: 437
   Decapsulate packet requests: 437
   HMAC calculation requests: 19768
   SA creation requests: 178
   SA rekey requests: 0
   SA deletion requests: 176
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[Statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 6238
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 76
   Failed requests: 9

door-71# sh crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
    Configured for self-signed certificate generation.
Trustpoint ASDM_TrustPoint1:
    Configured for self-signed certificate generation.

If you need anything more, just say so!
Please explain why it doesn't want to work?

Hello
When an IPsec tunnel does not come up, the first thing that comes to my mind is to run a packet tracer from the CLI and check the phases in it. Please run this command from your firewall side and share the output. I've just composed this command with a random IP address and ports from your given range.
packet-tracer input inside tcp 10.1.72.2 1233 10.1.61.2 443 detailed
Best regards
Amandine
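As an added illustration (not code from this thread or from Cisco), the following Python parses `crypto ikev1/ikev2 policy` blocks like the ones in the config above and lists the settings a reviewer would flag before troubleshooting further: DES/3DES encryption, MD5 hashing and DH groups below 2048 bits. The sample config and the "weak" sets are constructed here for the example.

```python
import re

# Constructed sample modelled on the policies in the posted config
# (a subset, not the poster's full dump).
SAMPLE_CONFIG = """\
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

# Thresholds chosen for this example, not an ASA setting.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_GROUPS = {"1", "2", "5"}  # DH groups below 2048-bit (group 14)


def parse_ike_policies(config):
    """Return [(version, number, attrs)] for each 'crypto ikevN policy M' block."""
    policies, attrs = [], None
    for line in config.splitlines():
        m = re.match(r"crypto (ikev[12]) policy (\d+)$", line)
        if m:
            attrs = {}
            policies.append((m.group(1), int(m.group(2)), attrs))
        elif attrs is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            attrs[key] = value          # e.g. "group" -> "2 5"
        else:
            attrs = None                # any other top-level line closes the block
    return policies


def weak_findings(policies):
    """Return (version, number, reason) for each weak setting found."""
    findings = []
    for version, number, attrs in policies:
        enc = attrs.get("encryption", "")
        if enc in WEAK_ENCRYPTION:
            findings.append((version, number, f"encryption {enc}"))
        # IKEv1 uses 'hash', IKEv2 uses 'integrity'
        digest = attrs.get("hash") or attrs.get("integrity", "")
        if digest in WEAK_HASH:
            findings.append((version, number, f"hash {digest}"))
        weak = sorted(set(attrs.get("group", "").split()) & WEAK_GROUPS)
        if weak:
            findings.append((version, number, "group " + " ".join(weak)))
    return findings
```

Feed it the output of `show running-config crypto` to get the same report for a real box.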
-
No Internet access after the connection of the cisco vpn client
Hi Experts,
Please check the config below. The problem is that the VPN connects, but there is no internet access on the computer after the VPN connection.
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.14.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.255.240
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool testpool 192.168.14.240-192.168.14.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
username testuser password IqY6lTColo8VIF24 encrypted
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
 address-pool testpool
tunnel-group mphone ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:059363cdf78583da4e3324e8dfcefbf0
: end
ciscoasa#

Hello,
Try adding the lines below to make it work:
access-list vpn-sheep extended permit ip any 192.168.15.0 255.255.255.0
nat (inside) 0 access-list vpn-sheep
Harish