NAT issue ASA 5510
Just upgraded my ASA 5510 from 8.2(1) to 8.4(4)1. Well, everything seems to work, with one big exception.
The NAT statements I had previously remained in force and in some cases even seem to have been duplicated.
Now, my question: I've set up a DMZ interface (security level 50) and need a few servers there to connect to the inside interface (security level 100). I created the necessary NAT statements in the ASDM to allow the DMZ servers to connect to a single inside server. However, all the servers in the DMZ can still ping and connect to ALL inside servers.
Is there an easy way to limit this? I'm trying to limit which servers on the internal network the DMZ can reach, but it seems the DMZ has free rein at the moment.
I'm happy to post my configs. I opened a TAC case, but this firewall is still so new that the support contract has not yet been processed by Cisco.
Thanks in advance.
I'll look when I get home, but here is a quick answer.
If 192.168.1.0/24 is the DMZ and 10.1.1.0/24 is inside:
! allow only DMZ host 192.168.1.40 to reach inside host 10.1.1.25
access-list dmz_access_in extended permit ip host 192.168.1.40 host 10.1.1.25
! deny everything else from the DMZ to the inside network (subnet mask, not a host mask)
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
! allow the DMZ to reach the Internet
access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 any
! apply the list inbound on the DMZ interface (nameif assumed to be "dmz")
access-group dmz_access_in in interface dmz
Samuel Petrescu
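A small simulator of the first-match walk the ASA does over an inbound ACL, added here as an example (not part of Samuel's answer): it parses the three access-list lines above, evaluates constructed sample flows, and shows that moving the "permit ... any" line above the deny would silently re-open the DMZ to the inside network. It handles only any/host/subnet-mask addresses and ignores ports.

```python
"""Simulate how the ASA walks an inbound ACL such as dmz_access_in: the first
matching entry wins, and a flow that matches nothing hits the implicit deny.
Added example, not from the original thread; only 'ip'/'tcp'/'udp'/'icmp'
entries with any / host / subnet-mask addresses are handled, ports are ignored."""
import ipaddress
from typing import NamedTuple


class Ace(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(tokens, i):
    """Parse an ASA address at tokens[i]: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA access-lists use real subnet masks here, not IOS wildcard masks
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Return {name: [Ace, ...]} preserving line order, which is what matters."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                     # skip '!' comments and other config
        name, i = t[1], 2
        if t[i] == "extended":
            i += 1
        action, proto = t[i], t[i + 1]
        src, i = _addr(t, i + 2)
        dst, i = _addr(t, i)
        acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return acls


def evaluate(aces, proto, src_ip, dst_ip):
    """Return (action, line_number); line_number is None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", None


# The three lines from the answer, in the order given.
GOOD_ORDER = """\
access-list dmz_access_in extended permit ip host 192.168.1.40 host 10.1.1.25
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 any
"""
# Same three lines with the 'any' permit moved up: the deny is now shadowed.
BAD_ORDER = "\n".join(GOOD_ORDER.splitlines()[i] for i in (0, 2, 1)) + "\n"


def dmz_exposure(acl_text, dmz_hosts, inside_hosts):
    """List (dmz, inside, line) pairs the ACL lets through from DMZ to inside."""
    aces = parse_acl(acl_text)["dmz_access_in"]
    out = []
    for a in dmz_hosts:
        for b in inside_hosts:
            action, line = evaluate(aces, "tcp", a, b)
            if action == "permit":
                out.append((a, b, line))
    return out


if __name__ == "__main__":
    # constructed sample hosts
    dmz, inside = ["192.168.1.40", "192.168.1.41"], ["10.1.1.25", "10.1.1.26"]
    print("good order:", dmz_exposure(GOOD_ORDER, dmz, inside))
    print("bad order: ", dmz_exposure(BAD_ORDER, dmz, inside))
```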
Tags: Cisco Security
Similar Questions
-
Dear all,
I deployed an ASA 5510 in my network,
I configured 3 interfaces: DMZ, inside and outside
From the ASA I can access inside, DMZ and outside (Internet)
Inside users can communicate with the servers in the DMZ
Inside users go to the Internet via the outside interface
DMZ servers can go to the Internet via the outside interface
The DMZ servers cannot ping the inside network
I've been using IPsec VPN on my router,
clients connect to the router using the Cisco VPN Client software,
NOW, when I introduced the ASA into the network, VPN clients are unable to communicate with the servers in the DMZ
security level 0 for outside
50 for DMZ
100 for inside
NAT control is disabled with the no nat-control command
Do I need to turn NAT on, and must some ACLs be put in place...
Please advise me which ACL I should implement, on which interface, in which direction?
Which NAT statement should I include?
I want to access my network via VPN...
Help, please
Kind regards
Junaid
ICMP pings are not stateful. The firewall needs special treatment to dynamically allow the ping replies back; this is done through "ICMP inspection". ICMP inspection is disabled by default. You can enable the inspection or use an ACL to allow the ICMP traffic. Here is a useful link:
Please rate if useful.
Regards
Farrukh
-
ASA 5510 routing issue.
Forgive me if this gets confusing.
I have a new ASA 5510 that I set up for VPN. I can connect via IPsec VPN to 2 of my subnets, .0 and .64 (we have 4 subnets in our range): I can ping, use http, connect to shares, SSH, etc. I use the ACL from our outgoing VPN module, so nothing here should be wrong. The problem I have is getting to our lab network located on the .128 subnet. I can't ping, connect, http, anything.
Is there some special routing I need to do so that people who VPN in can see this subnet? (For test purposes the ASA is located behind the firewall and connected directly to the .0 subnet, so I know this isn't the firewall, and everything else on that subnet can see our lab.)
Thanks for helping the new guy.
Shawn
Shawn,
Your .0 and .64 subnets are considered "interesting traffic" (by an ACL) and they are exempted from NAT to be sent through the VPN tunnel. You must add the .128 subnet to both the ACL that says no NAT and the one that specifies the interesting traffic. If you hit some snags, post a sanitized config and we will be able to give a more detailed response.
HTH
-
Unable to connect to VPN server behind ASA 5510 with Windows clients
Hi all
I've seen a number of posts on this and followed a few support documents on the issue, but I'm totally stuck now; nothing seems to work for me.
This is the usual scenario: I have a Windows 2003 VPN server sitting on the private LAN behind our ASA 5510 firewall, and I'm trying to get my Windows XP / 7 laptops to connect to it.
Within the ASDM:
1) Created a public server for protocol 1723
2) Created a public server for the GRE protocol
3) Both public servers created above have the same public and private addresses
4) The above created a static public-to-private NAT rule in the firewall's NAT section
5) The above also created 2 firewall rules on the outside interface, for both 1723 and GRE
When I try to connect, I get the following entry in the log:
6 | Aug 06 2010 | 17:09:37 | 302013 | 195.74.141.2 | 1045 | ChamberVPN-internal | 1723 | Built inbound TCP connection 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to inside:ChamberVPN-internal/1723 (XXX.XXX.XXX.XXX/1723)
but nothing else.
The server shows no connection attempt, so I think I'm missing something on the firewall.
Also on the inside interface there is a temporary rule:
Source: any
Destination: any
Service: IP
Action: Permit
This should allow all outbound traffic, as far as I know...
Any help would be greatly appreciated.
Chris
Hi Chris,
The ASA log indicates that the connection is torn down because of "SYN timeout". This means that the ASA receives no response from the Windows server. Right now we need to clarify some points.
1 - Does your VPN server have a correct default gateway, or a route that points to your ASA's inside interface?
2 - Is it possible to start a packet capture on the Windows server? With it we can get data-flow information between client and server, and we can be sure whether the Windows server is answering the VPN requests.
Ufuk Güler
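The check Ufuk describes, written out as an added example (not code from the thread): correlate the ASA's 302013 "Built" and 302014 "Teardown" messages and report TCP connections that died with "SYN Timeout" and zero bytes, which means the ASA forwarded the SYN (NAT and ACL were fine) but the inside host never answered. The log lines are constructed in the standard %ASA-6-3020xx syslog format; the first is modelled on Chris's ASDM entry, with the masked inside address replaced by the documentation address 192.0.2.10.

```python
"""Correlate ASA 302013 (built) / 302014 (teardown) TCP connection messages and
flag flows torn down with 'SYN Timeout' and 0 bytes: the server never replied.
Added example, not from the original thread; the log lines below are constructed."""
import re
from collections import Counter

BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\w.-]+)/(?P<sport>\d+) \([\w.-]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\w.-]+)/(?P<dport>\d+) \([\w.-]+/\d+\)")
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\w.-]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\w.-]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")

# Constructed sample log: two PPTP attempts to the VPN server that time out,
# and one ordinary outbound HTTPS connection that closes normally.
SAMPLE_LOG = """\
Aug 06 2010 17:09:37 %ASA-6-302013: Built inbound TCP connection 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to inside:ChamberVPN-internal/1723 (192.0.2.10/1723)
Aug 06 2010 17:09:40 %ASA-6-302013: Built outbound TCP connection 1889196 for inside:192.0.2.20/51000 (203.0.113.5/51000) to outside:198.51.100.7/443 (198.51.100.7/443)
Aug 06 2010 17:10:07 %ASA-6-302014: Teardown TCP connection 1889195 for outside:195.74.141.2/1045 to inside:ChamberVPN-internal/1723 duration 0:00:30 bytes 0 SYN Timeout
Aug 06 2010 17:10:12 %ASA-6-302014: Teardown TCP connection 1889196 for inside:192.0.2.20/51000 to outside:198.51.100.7/443 duration 0:00:32 bytes 8412 TCP FINs
Aug 06 2010 17:11:02 %ASA-6-302013: Built inbound TCP connection 1889201 for outside:195.74.141.2/1046 (195.74.141.2/1046) to inside:ChamberVPN-internal/1723 (192.0.2.10/1723)
Aug 06 2010 17:11:32 %ASA-6-302014: Teardown TCP connection 1889201 for outside:195.74.141.2/1046 to inside:ChamberVPN-internal/1723 duration 0:00:30 bytes 0 SYN Timeout
"""


def unanswered_syns(log_text):
    """Return one dict per SYN-Timeout teardown whose build message was seen:
    {id, dir, client, server, duration, bytes}. Teardowns with no matching
    build are skipped so a partial log does not yield half-filled records."""
    built, hits = {}, []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            built[m["id"]] = m            # key on the connection id
            continue
        m = TEARDOWN.search(line)
        if not m or m["reason"] != "SYN Timeout" or m["id"] not in built:
            continue
        b = built[m["id"]]
        hits.append({
            "id": m["id"], "dir": b["dir"],
            "client": f'{b["src_if"]}:{b["src"]}/{b["sport"]}',
            "server": f'{b["dst_if"]}:{b["dst"]}/{b["dport"]}',
            "duration": m["duration"], "bytes": int(m["bytes"]),
        })
    return hits


def by_server(hits):
    """Count SYN timeouts per server/port so a silent host stands out."""
    return Counter(h["server"] for h in hits)


if __name__ == "__main__":
    for h in unanswered_syns(SAMPLE_LOG):
        print(f'{h["id"]}: {h["client"]} -> {h["server"]} unanswered after {h["duration"]}')
    print(by_server(unanswered_syns(SAMPLE_LOG)))
```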
-
Hi all, I'm about to replace an existing firewall with a new ASA 5510. The environment is pretty simple, just an outside and an inside interface. I matched the configs as closely as possible, but I'd like to see if there are any obvious problems. I am mainly concerned with my NAT statements. Does anything in the following (sanitized) config seem out of place? Thank you!!
------------------------------------------------------------
ASA Version 8.4(4)5
!
hostname ciscoasa
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 40.100.2.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.30.0.100 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa844-5-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network 10.10.0.78
 host 10.10.0.78
 description nospam
object network 10.10.0.39
 host 10.10.0.39
 description exch
object network 55.100.20.109
 host 55.100.20.109
 description mail.oursite.com
object network 10.10.0.156
 host 10.10.0.156
 description
object network 55.100.20.101
 host 55.100.20.101
 description
object network 10.10.0.155
 host 10.10.0.155
 description ftp
object network 10.10.0.190
 host 10.10.0.190
 description www farm
object network 10.10.0.191
 host 10.10.0.191
 description svc farm
object network 10.10.0.28
 host 10.10.0.28
 description vpn
object network 10.10.0.57
 host 10.10.0.57
 description cust.oursite.com
object network 10.10.0.66
 host 10.10.0.66
 description spoint.oursite.com
object network 55.100.20.102
 host 55.100.20.102
 description cust.oursite.com
object network 55.100.20.103
 host 55.100.20.103
 description ftp
object network 55.100.20.104
 host 55.100.20.104
 description vpn
object network 55.100.20.105
 host 55.100.20.105
 description www app
object network 55.100.20.106
 host 55.100.20.106
 description svc app
object network 55.100.20.107
 host 55.100.20.107
 description spoint.oursite.com
object network 55.100.20.108
 host 55.100.20.108
 description exchange.oursite.com
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service Exchange_Inbound tcp
 port-object eq 587
 port-object eq 993
 port-object eq www
 port-object eq https
 port-object eq imap4
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_1
 network-object object 10.10.0.190
 network-object object 10.10.0.191
object-group network DM_INLINE_NETWORK_2
 network-object object 10.10.0.156
 network-object object 10.10.0.57
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service sharepoint tcp
 port-object eq 9255
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
access-list outside_access_in extended permit tcp any object 10.10.0.39 object-group Exchange_Inbound
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object 10.10.0.155 eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object 10.10.0.28
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object 10.10.0.66 object-group sharepoint
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
nat (outside,inside) source static any any destination static 55.100.20.108 10.10.0.39 unidirectional
nat (inside,outside) source static 10.10.0.39 55.100.20.109 unidirectional
nat (outside,inside) source static any any destination static 55.100.20.101 10.10.0.156
nat (outside,inside) source static any any destination static 55.100.20.102 10.10.0.57
nat (outside,inside) source static any any destination static 55.100.20.103 10.10.0.155
nat (outside,inside) source static any any destination static 55.100.20.104 10.10.0.28
nat (outside,inside) source static any any destination static 55.100.20.105 10.10.0.190
nat (outside,inside) source static any any destination static 55.100.20.106 10.10.0.191
nat (outside,inside) source static any any destination static 55.100.20.107 10.10.0.66
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 40.100.2.1 1
route inside 10.10.0.0 255.255.255.0 10.30.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxxxxxxxxx source outside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:40cee3a773d380834b10195ffc63a02f
: end
Hello
You do nat (outside,inside); I would do (inside,outside), but the configuration is still good.
The ACL configuration is fine, NAT is fine, so you shouldn't have problems,
Kind regards
Julio
-
Allow specific access through the ASA 5510 interfaces
Hi all
In my quest to learn Cisco IOS and devices, I need help with shaping traffic, or with access lists, specifically allowing traffic between internal interfaces on the ASA.
I have an ASA 5510:
WAN/LAN/DMZ ports labeled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).
Connected to port E0/0 is a 2811 router
Connected to port E0/1 is the Internet (external)
Connected to port E0/2 is a 2821
(I'll add a 3745 for VoIP on port E0/3, but that hasn't happened yet.)
I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.
I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind routers as well as on the ASA. So behind the routers I have different VLANs, but I'm not restricting access between them, at least I don't think I am. But as it is, devices behind the 2821 cannot access the DNS / domain server that is located behind the 2811. Right now I have the routers doing DHCP, which works. Currently devices behind the 2821 router / 3560 switch cannot access the domain server, the primary DNS server.
How can I set up the ASA to allow traffic to flow between the two routers and their VLANs?
Here are the configs of each device; I have also included my switch configs, in case something should be set on them. I only removed the passwords and parts of the external IP addresses. I appreciate the help on which statements to create and on which devices.
I think it is best that I put links to the text files here.
Thank you!
You must remove the following statements on the two routers:
- # ip nat inside source ... overload
- # ip nat inside/outside on each interface, if configured.
Remove the RIP advertisements of the networks that are not directly connected:
- 2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
- 2811: 199.195.xxx.0
- ASA: 128.0.0.0
No route should be added to the routers, since the default one already points to the ASA.
Check the routing tables on the routers and the ASA.
On the ASA:
- Remove:
  # object-group network PAT-SOURCE
  # nat (inside,outside) after-auto source dynamic PAT-SOURCE interface
- Create network objects for the networks behind the LAN router and enable dynamic NAT:
  # object network ...
  #  subnet ...
  #  nat (inside,outside) dynamic interface
- Review the remaining NAT rules.
- Set/adjust the inbound access lists on the interfaces. Don't forget to allow RIP on the LAN and DMZ interfaces.
- Disable RIP on the outside interface.
-
Automatic update of AIP-SSM-10 and ASA 5510 (beginner)
I see that it is possible to automate the updates of the ASA 5510 and AIP-SSM via FTP from my own server. Is it possible to automate the download directly from Cisco.com?
Thank you!
Jeremy
Jeremy, the answer to your question is yes, as far as Cisco products are concerned. So I wrote a Perl app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm
It is also on my site, with a tar of the scripts:
http://www.LHB-consulting.com/pages/apps/index.html
Good luck.
-Lisa
-
ASA 5510 configuration: how to set up 2 outside interfaces.
Hello
I have a Cisco ASA 5510 and a workstation, and I want to create a new route to another (external) router, to my ISP.
From the workstation I can ping the ASA E0/2 interface, but I cannot ping the ISP B router's inside and outside interfaces.
I based my setup on the existing configuration, which so far is working:
interface Ethernet0/0
 description Outside interface
 nameif outside
 security-level 0
 ip address 122.55.71.138 255.255.255.2
!
interface Ethernet0/1
 description Inside interface
 nameif inside
 security-level 100
 ip address 10.34.63.252 255.255.240.0
!
interface Ethernet0/2
 description Outside interface
 nameif outside
 security-level 0
 ip address 121.97.64.178 255.255.255.240
!
global (outside) 1 interface
global (outside) 2 interface (I created this for E0/2)
nat (inside) 0 access-list sheep
nat (inside) 1 10.34.48.11 255.255.255.255 (works: can reach ISP router A's inside and outside interfaces via E0/0)
nat (inside) 2 10.34.48.32 255.255.255.255 (works for the E0/2 ISP router's inside interface only; can't ping its outside)
route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (works)
route outside 10.34.48.32 255.255.255.255 121.97.64.179 1 (the new route under test)
ISP router A (works: I can ping it and I can access the Internet):
interface FastEthernet0/0
 description Connection to ASA5510
 ip address 122.55.71.139 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 111.54.29.122 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
!
ip nat inside source static 122.55.71.139 111.54.29.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ISP router B:
interface FastEthernet0/0 (the ASA can ping this interface)
 description Connection to ASA5510
 ip address 121.97.64.179 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
!
interface E0/0 (the ASA cannot ping this interface)
 ip address 121.97.69.122 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
!
ip nat inside source static 121.97.64.179 121.97.69.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 E0/0
CABLES:
ASA to ISP router B (straight cable)
ISP router to the UDI (straight cable)
I hope you can give some advice and a solution for this kind of problem, please.
Hello
Are you able to ping the router's interface IP from the ASA itself? If so, try a packet-tracer on the ASA for traffic to the router's IP address.
Thank you and best regards,
Maryse Amrodia
-
IPsec between a router and an ASA 5510
Hi all
I have problems bringing up an IPsec L2L tunnel. I have set up a router and an ASA 5510 to do IPsec between them, but it seems to fail in phase 1. I already checked, and I am 100% sure the key is right. Can someone shed some light on the issue I have? Here's the debug output I get from both systems.
Thank you
Hello
Do the ISAKMP policies match on both devices? What version of IOS is running on the router, and what version on the ASA 5510?
Thank you
-
Licenses needed on ASA 5510 for the old Cisco VPN Client
We're trying to migrate our WatchGuard firewall to a Cisco ASA 5510, which we bought some time ago. For some reason, all of our users already have the old Cisco VPN client installed. I think it will work. Are there licensing issues on the 5510 that I need to be concerned with? Is there any special config that needs to be done on the 5510?
Correct. You don't require AnyConnect licensing of any type for the configuration and use of IKEv1 IPsec remote-access VPN (which the old Cisco VPN client uses).
You will be limited to 250 active IPsec peers (remote access plus any site-to-site VPN) by the platform (hardware) capabilities, which are enforced by the software.
-
ASA 5510 - interface security level
I have an ASA 5510 (8.2.1 code). I'm going to implement two separate IPsec tunnels to two remote networks, but with each remote connection on its own ASA interface.
Question: I know the security level of the e0/0 ('outside') interface is 0. However, must the second interface, e0/2 ("out2"), have its security level set to 0 as well?
Thank you
Jim
Yes you can; simply apply the respective crypto map to the interface. You might want to give e0/2 and e0/3 the same security level (if your security policy allows) and use same-security-traffic permit inter-interface, which allows communication between the various interfaces that have the same security level. You can ignore the NAT mess.
-
Cisco ASA 5510 config with SSM
I was tasked with replacing our old SonicWall TZ170 firewall with an ASA 5510 and configuring it (which I've never done, only routers and switches), and I have a few questions. I'm in the ASDM and I am trying to configure my external interface... The 5510 came with an SSM card, and I assumed it would be my external interface, but I guess I'm wrong because it is not an option when running through the wizard. I know what the SSM card is for; I don't understand why there is no external interface. Where does this connect (just to my LAN?)?
Currently, I have set the management interface to our IP and subnet and connected through that. I see the management interface and eth0 - eth3.
It's as simple as it can get: I just need the external interface on our public IP address, and to configure access rules to match my SonicWall.
Also on the version: it's running ASA 8.2.1. Should I upgrade to 8.3.1? What is the ED after the version (not familiar with it)?
Thank you!
The rules on the ASA are the default rules, that is to say anything initiated from the inside is allowed, but nothing initiated from the outside is allowed in. Sorry, but I'm not familiar with SonicWall at all, so I can't advise you on the rules you will need to set up. But if all you have is an outside and an inside interface, then you will need NAT/PAT so that internal addresses can go out, and an access list to restrict those internal networks if necessary. If you have incoming traffic, for example mail, a web server, etc., then you will again need NAT and an access list to allow the traffic.
The attached document (you can ignore the router configs) should hopefully give you a better idea of how inbound traffic works and how to apply access lists to an interface.
Let me know if it helps.
-
Hi guys
Is there an IPsec limit on the ASA 5510?
There are users complaining that, once connected, they cannot access any server on the local network. But now it works fine.
Hello
What do you mean by limit? The number of IPsec sessions is limited to 250, if I remember correctly.
For limiting access to internal resources, there is none.
Are the users complaining using the same IPsec VPN as the others? Do your crypto and NAT exemption allow all internal resources?
Thank you
PS: Please don't forget to rate and mark as correct answer if this answered your question.
-
Cisco ASA 5510 - IOS upgrade from 7.0 failing. BIOS Flash not found
Hello everyone
I have a Cisco ASA 5510 in a lab environment with no configuration whatsoever.
Objective: upgrade the IOS from the current version 7.0(8) to 7.1.1 (possibly go to 8.2 after a memory upgrade on the ASA from 256 MB to 1 GB, and then move to the latest 8.2 IOS version).
See the attached show version output.
Show flash output attached.
asa711-k8.bin is the file that has been copied from a TFTP server to flash.
The following commands were executed in order to update the IOS:
ciscoasa(config)# boot system flash:/asa711-k8.bin
INFO: Converting flash:/asa711-k8.bin to disk0:/asa711-k8.bin
ciscoasa(config)#
ciscoasa(config)# end
ciscoasa# write memory
Cryptochecksum: aaaa08ce ccde38f2 19c42e08 dea24cbd
2713 bytes copied in 1.450 secs (2713 bytes/sec)
[OK]
ciscoasa# reload
PROBLEM: the ASA goes into an infinite loop (watchdog restart). This is the message on the console:
Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 1.0(11)5 08/28/08 15:11:51.82
Low Memory: 631 KB
High Memory: 256 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  00  00   8086   2578  Host Bridge
 00  01  00   8086   2579  PCI-to-PCI Bridge
 00  03  00   8086   257B  PCI-to-PCI Bridge
 00  1C  00   8086   25AE  PCI-to-PCI Bridge
 00  1D  00   8086   25A9  Serial Bus         11
 00  1D  01   8086   25AA  Serial Bus         10
 00  1D  04   8086   25AB  System
 00  1D  05   8086   25AC  IRQ Controller
 00  1D  07   8086   25AD  Serial Bus         9
 00  1E  00   8086   244E  PCI-to-PCI Bridge
 00  1F  00   8086   25A1  ISA Bridge
 00  1F  02   8086   25A3  IDE Controller     11
 00  1F  03   8086   25A4  Serial Bus         5
 00  1F  05   8086   25A6  Audio              5
 02  01  00   8086   1075  Ethernet           11
 03  01  00   177D   0003  Encrypt/Decrypt    9
 03  02  00   8086   1079  Ethernet           9
 03  02  01   8086   1079  Ethernet           9
 03  03  00   8086   1079  Ethernet           9
 03  03  01   8086   1079  Ethernet           9
 04  02  00   8086   1209  Ethernet           11
 04  03  00   8086   1209  Ethernet           5
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(11)5) #0: Thu Aug 28 15:23:50 CDT 2008
Platform ASA5510
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa711-k8.bin... Booting...
256MB RAM
Total SSMs found: 0
Total NICs found: 7
mcwa i82557 Ethernet at irq 11  MAC: 0024.974a.65af
mcwa i82557 Ethernet at irq  5  MAC: 0000.0001.0001
BIOS Flash not found.
Reset...
The only way for me to get things back to normal is to BREAK the boot sequence with ESC and go into ROMMON mode. I then issue a boot command for the ASA to start with the default 7.0(8) IOS image.
Can someone please explain what the problem is here?
Apologies if I'm missing something obvious; I'm not an expert on the ASA.
It looks like the ASA is hitting a field notice: FN62378. According to the FN, it's because of an incompatible combination of hardware and software versions. Please upgrade to version 7.1.2 instead of 7.1.1. If you plan to go to 8.2, then instead of going to 7.1.2 you could go to 7.2.5 (recommended), then 8.2.5.
http://www.Cisco.com/c/en/us/support/docs/field-notices/620/fn62378.html
Hope it helps.
Kind regards
Akshay Rouanet
Remember to rate useful messages.
-
Chromebook L2TP/IPsec to ASA 5510
Hello
I have trouble getting a Chromebook to establish a remote-access VPN connection using L2TP/IPsec to a Cisco ASA 5510 running 7.2(5)12.
Running debug crypto isakmp 5, I see the following logs (IPs changed...):
Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end IS behind a NAT device  This end is NOT behind a NAT device
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload:  Address 3.3.3.3, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload:  Address 2.2.2.2, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 1...
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, processing IPSec SA payload
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE QM Responder FSM error history (struct &0x3d48800)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
1.1.1.1 = the Chromebook's NAT'd remote address
2.2.2.2 = the ASA 5510 acting as remote-access termination point
3.3.3.3 = the Chromebook's private address
I noticed that the Chromebook's private address appears as the remote proxy ID, but later the check looks for the Chromebook's NAT address. Not sure if this is the cause or how to solve it, if it is.
Can someone advise please
Thank you
Ryan
7.2 is old code. You could re-test with 9.0.x or 9.1.x.