PIX515E: Cannot ping interfaces
Hi all
I ' v has just got a new PIX 515E, 6 interfaces, Version 6.3 (5).
I can't focus on any task with my PIX because the simplest operation is impossible: I cannot ping inside interface or PIX any host belonging to e same subnet. Interface is up and running, connected directly to a switch, icmp is to allow the inside...
Please, could someone of you give me a help?
Concerning
Alberto Brivio
Make sure the PIX is not a license to "failover". You will not be able to ping to this type of box until you activate failover.
Tags: Cisco Security
Similar Questions
-
ASA 5540 - cannot ping inside the interface
Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.
In the ASDM, I see messages like this:
ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.
This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.
interface Vlanx
IP x.x.x.x 255.255.255.0
IP broadcast directed to 199
IP accounting output-packets
IP pim sparse - dense mode
route IP cache flow
load-interval 30
Has anyone experiences the problem like this before? Thanks in advance for any help.
Can you post the output of the following on the ASA:-
display the route
And the output of your base layer diverter: -.
show ip route<>
HTH >
-
Cisco ezvpn ASAs cannot ping each other inside interfaces
I have a set ezvpn in place with a 5506 (position B) client-side and a 5520 (location A) server-side. I have successfully connected vpn, and traffic flows. My problem is that I can't SSH in the location b. investigate this more than I can not ping is within the interface of the ASA opposing, or the machines inside each ASA ASA.
I found the following links that describes a scenario similar to mine, but nothing on one of them helped me.
http://www.experts-exchange.com/questions/28388142/cannot-ping-ASA-5505-inside-interface-across-VPN.html
https://www.fir3net.com/firewalls/Cisco/Cisco-ASA-proxy-ARP-gotcha.html
https://supportforums.Cisco.com/discussion/11755586/Cisco-ASA-VPN-established-cant-pingI joined sanitized versions of these two configs. Any help is appreciated.
Hi Adam
The site of B I'm not able to see "management of access to inside. Please try to set up the same. He could solve the problem.
Also on the instruction of the ASA takes place nat can you please try to add keywords 'search non-proxy-arp route'.
something like:
nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
as I have noted problems with inside access to interface via the VPN when those keywords are not applied. If I remember correctly 8.6.x ASA version had a bug regarding the same. Cordially Véronique -
Cannot ping ASA inside the interface via VPN
Hello
I have a scenario with tunel VPN between a router and ASA and can ping subnet behind ASA subnet behind the router (and), but I cannot ping the ASA inside the interface on the VPN tunnel. I need to access the remote location ASDM. How can it be done?
Thanks for your suggestions.
Remi
Hello
You must have the 'inside access management' command configured on the SAA.
If you run a 8.3 software or newer on the SAA, should also look at the configuration 'nat' IF the above command solves your problem
-Jouni
-
Hello
I am setting up and reconfiguration of a firewall PIX515 with 6.3 software (4) OS PIX.
I cannot ping devices on the Internet from inside interface. There are a few addresses that I can ping if I am outside of the firewall.
Looks like the firewall is not translate correctly on the return package. I can navigate and do other things but not ping.
Here's my nat and global declarations:
# Sh nat Pix1
NAT (inside) 1 10.0.0.0 255.0.0.0 0 0
NAT (dmz) 1 172.xx.xx.0 255.255.255.0 0 0
Pix1 # global HS
Global (outside) 1 6x.xxx.xxx.6 x - 6 x .xxx .xxx. 7 x
Global 1 6x.xxx.xxx.6x (outside)
Global interface (dmz) 1
Here's an abbreviated ICMP trace:
Pix1 debug icmp trace #.
ICMP trace on
WARNING: This can cause problems on busy networks
Pix1 # 1:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = 89
length 63 = 40
2: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6
3:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9219
GTH = 40
4: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6
5:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9475
GTH = 40
6: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6
7: ICMP echo-reply of the outside:6 x .xxx .xxx. 1 to the seq ID = 512 6x.xxx.xxx.6 = the 9475
ngth = 40
8:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9731
GTH = 40
9: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6
Thanks in advance for your help.
Doug.
ICMP is not a protocol with the State, to allow ping trought the PIX, you must add extra lines in your access list on the outside!
See: Handling ICMP Pings with the PIX firewall
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
The PIX and the traceroute command
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
examples:
Traveroute
Microsoft:
Access-group 101 in external interface
access-list 101 permit icmp any unreachable host YourPublicIP
access-list 101 permit icmp any host YourPublicIP time exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply
UNIX:
Access-group 101 in external interface
access-list 101 permit icmp any unreachable host YourPublicIP
access-list 101 permit icmp any host YourPublicIP time exceeded
ICMP command example
ICMP deny everything outside
ICMP allow any response of echo outdoors
ICMP allow any response echo inside
permit ICMP echo host 192.168.1.30 inside
permit ICMP echo host 192.168.1.31 inside
permit ICMP echo host 192.168.1.20 inside
permit ICMP echo host 192.168.1.40 inside
permit ICMP echo host 192.168.1.100 inside
sincerely
Patrick
-
Cannot ping Lan devices in Vlan
Hello
I looked for a solution to this for the week without success. I came across a Cisco C3560, which is used because of its ability of poe to power some Deskphones Voip. While the works of great poe, machines connected to the switch can only communicate with each other and don't can't ping or otherwise access any device connected directly to the router of the network.
The Cisco switch is configured with a vlan and a default gateway, but nothing comes out by behind the switch. On connected devices can ping by default gateway (192.168.0.1 - a tp-link router), receive a lease dhcp from the router said successfully and can connect to the internet, but on the local network, nothing works. (unable to connect to the printer connetced directly to the router or other computers connected directly to the router.
Any advice? I am new to cisco switches, don't know what I'm doing here. I'm just trying to get devices that are connected directly to the switch to communicate with devices connected directly to the router.
Switch#show runBuilding configuration...
Current configuration : 1528 bytes!version 12.2service configno service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname Switch!enable secret 5 {}{}{}{}{}{}{}{}{}{}{}{}!no aaa new-modelclock timezone UTC 2system mtu routing 1500ip subnet-zero!!!!no file verify autospanning-tree mode pvstspanning-tree extend system-id!vlan internal allocation policy ascending!interface FastEthernet0/1!interface FastEthernet0/2!interface FastEthernet0/3!interface FastEthernet0/4!interface FastEthernet0/5!interface FastEthernet0/6!interface FastEthernet0/7!interface FastEthernet0/8!interface FastEthernet0/9!interface FastEthernet0/10!interface FastEthernet0/11!interface FastEthernet0/12!interface FastEthernet0/13!interface FastEthernet0/14!interface FastEthernet0/15!interface FastEthernet0/16!interface FastEthernet0/17!interface FastEthernet0/18!interface FastEthernet0/19!interface FastEthernet0/20!interface FastEthernet0/21!interface FastEthernet0/22!interface FastEthernet0/23!interface FastEthernet0/24 switchport mode access!interface GigabitEthernet0/1!interface GigabitEthernet0/2!interface Vlan1 ip address 192.168.0.26 255.255.255.0 no ip route-cache!ip default-gateway 192.168.0.1ip classlessip default-network 192.168.0.0ip http server!access-list 1 permit any log!control-plane!!line con 0line vty 0 4 password XXXXXXXXX login length 0line vty 5 15 password XXXXXXXX login length 0!end
Switch#show interface
Vlan1 is up, line protocol is up Hardware is EtherSVI, address is 001e.bd27.c4c0 (bia 001e.bd27.c4c0) Internet address is 192.168.0.26/24 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:00, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 3 packets/sec 138534 packets input, 9472693 bytes, 0 no buffer Received 0 broadcasts (68 IP multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 30296 packets output, 2248820 bytes, 0 underruns 0 output errors, 1 interface resets 0 output buffer failures, 0 output buffers swapped out
FastEthernet0/2 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c484 (bia 001e.bd27.c484) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:56, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 46000 bits/sec, 37 packets/sec 5 minute output rate 582000 bits/sec, 71 packets/sec 1941044 packets input, 327622438 bytes, 0 no buffer Received 38375 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 30699 multicast, 0 pause input 0 input packets with dribble condition detected 3224783 packets output, 2069682884 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out FastEthernet0/4 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c486 (bia 001e.bd27.c486) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:01, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 129069 packets input, 64947010 bytes, 0 no buffer Received 9953 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9759 multicast, 0 pause input 0 input packets with dribble condition detected 600269 packets output, 45540585 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
FastEthernet0/6 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c488 (bia 001e.bd27.c488) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:50, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 32693 packets input, 4244428 bytes, 0 no buffer Received 9942 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9759 multicast, 0 pause input 0 input packets with dribble condition detected 588460 packets output, 45003331 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
FastEthernet0/8 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c48a (bia 001e.bd27.c48a) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:30, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 32694 packets input, 4243413 bytes, 0 no buffer Received 9934 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9757 multicast, 0 pause input 0 input packets with dribble condition detected 588485 packets output, 45009466 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
FastEthernet0/12 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c48e (bia 001e.bd27.c48e) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:28, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 32742 packets input, 4252075 bytes, 0 no buffer Received 9947 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9763 multicast, 0 pause input 0 input packets with dribble condition detected 588497 packets output, 45019272 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
FastEthernet0/13 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c48f (bia 001e.bd27.c48f) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:13, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 148160 packets input, 73818106 bytes, 0 no buffer Received 9973 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9760 multicast, 0 pause input 0 input packets with dribble condition detected 599666 packets output, 49045070 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
FastEthernet0/14 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c490 (bia 001e.bd27.c490) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:05, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 129165 packets input, 68409495 bytes, 0 no buffer Received 9982 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9773 multicast, 0 pause input 0 input packets with dribble condition detected 600283 packets output, 45551497 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
FastEthernet0/18 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c494 (bia 001e.bd27.c494) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:49, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 21000 bits/sec, 18 packets/sec 5 minute output rate 13000 bits/sec, 16 packets/sec 606386 packets input, 88151136 bytes, 0 no buffer Received 159883 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 55198 multicast, 0 pause input 0 input packets with dribble condition detected 941617 packets output, 308269004 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
FastEthernet0/20 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c496 (bia 001e.bd27.c496) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:54, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 1000 bits/sec, 1 packets/sec 5 minute output rate 1000 bits/sec, 2 packets/sec 515813 packets input, 87006769 bytes, 0 no buffer Received 21466 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 19952 multicast, 0 pause input 0 input packets with dribble condition detected 1858112 packets output, 1700009146 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
FastEthernet0/24 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c49a (bia 001e.bd27.c49a) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 546556 packets output, 41182636 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
GigabitEthernet0/1 is up, line protocol is up (connected) Hardware is Gigabit Ethernet, address is 001e.bd27.c481 (bia 001e.bd27.c481) MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive not set Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 556000 bits/sec, 83 packets/sec 5 minute output rate 76000 bits/sec, 63 packets/sec 4457827 packets input, 3961330567 bytes, 0 no buffer Received 15028 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 11213 multicast, 0 pause input 0 input packets with dribble condition detected 3822373 packets output, 728132696 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
Switch#show vlan
VLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16 Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/21002 fddi-default act/unsup1003 token-ring-default act/unsup1004 fddinet-default act/unsup1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------1 enet 100001 1500 - - - - - 0 01002 fddi 101002 1500 - - - - - 0 01003 tr 101003 1500 - - - - - 0 01004 fdnet 101004 1500 - - - ieee - 0 01005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs------------------------------------------------------------------------------
Primary Secondary Type Ports------- --------- ----------------- ------------------------------------------
Hello
first thing, please edit your post and remove your remote vty lines access password
never send passwords on a public forum for the just in case production equipment
line vty 0 4
password xxxxxx***********************
Your question
What is the configuration of the router as a switch which seems to work correctly you're saying and I configured its doing its job, don't forget you said that you cannot route no between the router and the router switch should take care of this, whats the vlan ports on the router are on is - what the same subnet do they get an ip address in the same subnet off dhcp as devices of switching, if they do, and you cannot ping them to the same subnet theres something upward on the side of the router it would treat for layer 3 routing ip traffic
the ping to the router devices connected to the cisco switch and can the device on the router cannot ping devices switches
If you move a device out of the router and attach it to the doe sit switch still work ok, reach the talk of the internet to other devices on the switch?
As there is a layer 2 switch you don't need this command you have your entry door you can remove it.. .IP default-network 192.168.0.0
-
some help me
(Q) ping remote ip unable on ASA is not Firewall not on pc (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance
Note - I can ping PC but not the same subnet ip on ASA2 L3
PC---> > ASA1 - ASA2<>
Hi Matt,
Let me answer your question in two points:
- You cannot ping an ASA on another interface other than the one where you are connected to the ASA of.
For example, ASA1 and ASA2 are connected through their interfaces 'outside '. ASA1 (or any other device on the external interface) can not ping/access ASA2 on his (ASA2) within the interface. The only time wherever this can be substituted is a tunnel VPN with the command "access management" configured for other interface, for example management-access inside
- Traffic ASA1 ping to a remote client behind ASA2 won't over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table that probably this way through its 'outside' interface Except that traffic is allowed with the ASA2 (using the ACL), it will fail.
We can do on the routers of sourcing our ping to another interface, but it will not work on the SAA.
-
cannot ping between remote vpn site?
vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well. I can ping from central office for two remote sites, but I cannot ping between these two vpn sites? Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next? Help, please...
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
!
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0
!
extended OUTSIDE allowed a whole icmp access list
HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
!
destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
!
address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
card crypto VPN-card 50 peers set *. *.56.250
card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
VPN-card interface card crypto outside
!
internal strategy group to DISTANCE-NETEXTENSION
Remote CONTROL-NETEXTENSION group policy attributes
value of DNS server *. *. *. *
VPN-idle-timeout no
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value REMOTE-NET2
value by default-field *.org
allow to NEM
!
remote access of type tunnel-group to DISTANCE-NETEXTENSION
Global DISTANCE-NETEXTENSION-attributes tunnel-group
authentication-server-group (inside) LOCAL
Group Policy - by default-remote CONTROL-NETEXTENSION
IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
IKEv1 pre-shared-key *.
tunnel-group *. *.56.250 type ipsec-l2l
tunnel-group *. *.56.250 ipsec-attributes
IKEv1 pre-shared-key *.
!!
ASA - 5510 # display route. include the 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA - 5510 # display route. include the 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA-5510.!
Username: Laporte-don't Index: 10
Assigned IP: 192.168.46.0 public IP address: *. *.65.201
Protocol: IKEv1 IPsecOverNatT
License: Another VPN
Encryption: 3DES hash: SHA1
TX Bytes: bytes 11667685 Rx: 1604235
Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
Opening time: 08:19:12 IS Thursday, February 12, 2015
Duration: 6 h: 53 m: 29 s
Inactivity: 0 h: 00 m: 00s
Result of the NAC: unknown
Map VLANS: VLAN n/a: no
!
ASA - 5510 # display l2l vpn-sessiondbSession type: LAN-to-LAN
Connection: *. *.56.250
Index: 6 IP Addr: *. *.56.250
Protocol: IPsec IKEv1
Encryption: AES256 3DES hash: SHA1
TX Bytes: bytes 2931026707 Rx: 256715895
Connect time: 02:00:41 GMT Thursday, February 12, 2015
Duration: 13: 00: 10:00Hi Rico,
You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.
example:
Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
public static SITE SITE-B-Bdestination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
SITE static-SITE aHope this helps
Thank you
Rizwan James
-
Cannot ping ASA remote on an L2L
I have an ASA5520, and about 10 of 5505. Site running all at the Sites. The tunnels are in place and everything worked fine. Well on the side room, I cannot ping the ASA remote, but I can ping all devices behind it. On the remote side I ping the 5520 and everything else on my network I encouraged. When I look at the newspaper of the ASDM on the 5520, that there is no evidence related to the ping for the 5505. I don't see where it blocks the ICMP on the 5505. It just says:
"6 August 14, 2008 05:40:49 302020 10.0.3.69 192.168.1.101 built outgoing ICMP connection for faddr gaddr laddr 192.168.1.101/0 192.168.1.101/0 10.0.3.69/512.
and
"6 August 14, 2008 05:40:49 302021 10.0.3.69 192.168.1.101 connection disassembly ICMP for faddr gaddr laddr 192.168.1.101/0 192.168.1.101/0 10.0.3.69/512.
It is a normal traffic for a S2S I guess. While I am trying to get this to work I have it configured,.
ICMP allow any inside
"ICMP allow all outside.
Any suggestions?
If you try to ping inside the interface through the tunnel, try to add...
management-access inside
-
Cannot ping hosts on the same vlan on the 2 switches.
Hey guys so I create my own network in Packet Tracer 6.3. While the hosts can ping others on the same switch 2960 and VLAN, they are unable to ping a host on another switch in the same VLAN. For example. Josh PC on S1 (192.168.10.10) cannot ping PC Doge on S2 (192.168.10.13). I'm sure that they are on the same subnet, so I thing it is a problem of junction...
S1:
S1 #show ip int br
Interface IP-Address OK? Method State Protocol
FastEthernet0/1 unassigned YES manual up up
FastEthernet0/2 unassigned YES manual up up
FastEthernet0/3 unassigned YES manual up up
FastEthernet0/4 unassigned YES manual up up
FastEthernet0/5 unassigned YES manual administratively down down
FastEthernet0/6 unassigned YES manual administratively down down
FastEthernet0/7 unassigned YES manual administratively down down
FastEthernet0/8 unassigned YES manual administratively down down
FastEthernet0/9 unassigned YES manual administratively down down
FastEthernet0/10 unassigned YES manual administratively down down
FastEthernet0/11 unassigned YES manual administratively down down
FastEthernet0/12 unassigned YES manual administratively down down
FastEthernet0/13 unassigned YES manual administratively down down
FastEthernet0/14 unassigned YES manual administratively down down
FastEthernet0/15 unassigned YES manual administratively down down
FastEthernet0/16 unassigned YES manual administratively down down
FastEthernet0/17 unassigned YES manual administratively down down
FastEthernet0/18 unassigned YES manual administratively down down
FastEthernet0/19 unassigned YES manual administratively down down
FastEthernet0/20 unassigned YES manual administratively down down
FastEthernet0/21 unassigned YES manual administratively down down
FastEthernet0/22 unassigned YES manual administratively down down
FastEthernet0/23 unassigned YES manual administratively down down
FastEthernet0/24 unassigned YES manual administratively down down
GigabitEthernet0/1 unassigned YES manual down down
GigabitEthernet0/2 unassigned YES manual down down
Vlan1 unassigned YES manual administratively down down
Vlan2 unassigned YES manual downwards upwards
Vlan10 unassigned YES manual up up
S1 #show interface f0/1 switchport
Name: Fa0/1
Switchport: enabled
Administrative mode: trunk
Operational mode: trunk
Encapsulation of administrative circuits: dot1q
Operational Trunking encapsulation: dot1q
Trunking negotiation: Off
The VIRTUAL LAN access mode: (default) 1
Native mode VLAN Trunking: 2 (native)
The voice of VLAN: no
Private-vlan host association Directors: no
Mapping of private - vlan management: no
Private-vlan trunk administration VLAN native: no
Private - vlan administration trunk encapsulation: dot1q
Private-vlan trunk administration VLAN normal: no
Private-vlan trunk administration private VLAN: no
Private-vlan operational: no
VLAN Trunking enabled: ALL
Pruning VLANS enabled: 2-1001
Capture Mode disabled
Capture VLAN allowed: ALL
Protected: false
The unit trust: no
S1 #show vlan br
Ports of status for the name of VLAN
---- -------------------------------- --------- -------------------------------
1 by default active Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
FA0/13, Fa0/14, Fa0/15, Fa0/16
FA0/17, Fa0/18, Fa0/19, Fa0/20
FA0/21, Fa0/22, Fa0/23 and Fa0/24
Gig0/1, Gig0/2
2 active native
5 active
10 active VLAN0010 Fa0/2, Fa0/3, Fa0/4
active by default fddi 1002
assets of token-ring-default 1003
1004 fddinet - default active
1005 trnet - default active
Trunk interface #show S1
VLAN Mode Encapsulation native port State
FA0/1 on 802. 1 trunking q 2
Port VLAN allowed on trunk
5,10,20 FA0/1
Port VLAN authorized and active in the field of management
FA0/1 5,10
VLAN port extending on transmission State and no tree pruned
FA0/1 5,10
S1 #show mac-address-table
Mac address table
-------------------------------------------
VLAN Mac Address Type Ports
---- ----------- -------- -----
5 00d0.d37a.ed01 DYNAMICS Fa0/1
S2:
S2 #show ip int br
Interface IP-Address OK? Method State Protocol
FastEthernet0/1 unassigned YES manual up up
FastEthernet0/2 unassigned YES manual up up
FastEthernet0/3 unassigned YES manual up up
FastEthernet0/4 unassigned YES manual up up
FastEthernet0/5 unassigned YES manual administratively down down
FastEthernet0/6 unassigned YES manual administratively down down
FastEthernet0/7 unassigned YES manual administratively down down
FastEthernet0/8 unassigned YES manual administratively down down
FastEthernet0/9 unassigned YES manual administratively down down
FastEthernet0/10 unassigned YES manual administratively down down
FastEthernet0/11 unassigned YES manual administratively down down
FastEthernet0/12 unassigned YES manual administratively down down
FastEthernet0/13 unassigned YES manual administratively down down
FastEthernet0/14 unassigned YES manual administratively down down
FastEthernet0/15 unassigned YES manual administratively down down
FastEthernet0/16 unassigned YES manual administratively down down
FastEthernet0/17 unassigned YES manual administratively down down
FastEthernet0/18 unassigned YES manual administratively down down
FastEthernet0/19 unassigned YES manual administratively down down
FastEthernet0/20 unassigned YES manual administratively down down
FastEthernet0/21 unassigned YES manual administratively down down
FastEthernet0/22 unassigned YES manual administratively down down
FastEthernet0/23 unassigned YES manual administratively down down
FastEthernet0/24 unassigned YES manual administratively down down
GigabitEthernet0/1 unassigned YES manual down down
GigabitEthernet0/2 unassigned YES manual down down
Vlan1 unassigned YES manual administratively down down
Vlan2 unassigned YES manual downwards upwards
Vlan5 unassigned YES manual up up
Vlan10 unassigned YES manual up up
Vlan20 unassigned YES manual up up
Vlan99 unassigned YES manual administratively down down
S2 #show interface f0/1 switchport
Name: Fa0/1
Switchport: enabled
Administrative mode: trunk
Operational mode: trunk
Encapsulation of administrative circuits: dot1q
Operational Trunking encapsulation: dot1q
Trunking negotiation: on
The VIRTUAL LAN access mode: (default) 1
Native mode VLAN Trunking: 2 (native)
The voice of VLAN: no
Private-vlan host association Directors: no
Mapping of private - vlan management: no
Private-vlan trunk administration VLAN native: no
Private - vlan administration trunk encapsulation: dot1q
Private-vlan trunk administration VLAN normal: no
Private-vlan trunk administration private VLAN: no
Private-vlan operational: no
VLAN Trunking enabled: ALL
Pruning VLANS enabled: 2-1001
Capture Mode disabled
Capture VLAN allowed: ALL
Protected: false
The unit trust: no
S2 #show vlan br
Ports of status for the name of VLAN
---- -------------------------------- --------- -------------------------------
1 by default active Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
FA0/13, Fa0/14, Fa0/15, Fa0/16
FA0/17, Fa0/18, Fa0/19, Fa0/20
FA0/21, Fa0/22, Fa0/23 and Fa0/24
Gig0/1, Gig0/2
2 active native
5 active
10 VLAN0010 active Fa0/4
20 VLAN0020 active Fa0/2, Fa0/3
active by default fddi 1002
assets of token-ring-default 1003
1004 fddinet - default active
1005 trnet - default active
S2 #show mac-address-table
Mac address table
-------------------------------------------
VLAN Mac Address Type Ports
---- ----------- -------- -----
2 0030.f2c1.94e5 STATIC Fa0/1
2 0060.5c83.3401 STATIC Fa0/1
10 0002.4ae9.6964 STATIC Fa0/4
10 0060.5c83.3401 STATIC Fa0/1
20 0009.7c9a.a134 STATIC Fa0/2
----------------------------------------------------------------------------------
Let me know what I missed here. All connections are made with a straight through cable.
See you soon
Josh
Try to remove the S2 switchport port-security:
interface FastEthernet0/1 no switchport port-security
-
Peer AnyConnect VPN cannot ping, RDP each other
I have an ASA5505 running ASA 8.3 (1) and ASDM 7.1 (1). I have a remote access VPN set up and remote access users are able to connect and access to network resources. I can ping the VPN peers between the Remote LAN. My problem counterparts VPN cannot ping (RDP, CDR) between them. Ping a VPN peer of reveals another the following error in the log of the SAA.
Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp outside CBC: 10.10.10.8 outside dst: 10.10.10.9 (type 8, code 0) rejected due to the failure of reverse NAT.
Here's my ASA running-config:
ASA Version 8.3 (1)
!
ciscoasa hostname
domain dental.local
activate 9ddwXcOYB3k84G8Q encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS server-group DefaultDNS
192.168.1.128 server name
domain dental.local
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the RAVPN object
10.10.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.10.10.0_28 object
subnet 10.10.10.0 255.255.255.240
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access note VPN Customer local LAN access
Local_LAN_Access list standard access allowed host 0.0.0.0
DefaultRAGroup_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
Note VpnPeers access list allow peer vpn ping on the other
permit access list extended ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28 VpnPeers
pager lines 24
Enable logging
asdm of logging of information
logging of information letter
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of information
record level of 1 600 6 rate-limit
Outside 1500 MTU
Within 1500 MTU
mask 10.10.10.5 - 10.10.10.10 255.255.255.0 IP local pool VPNPool
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 711.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source all electricity static destination RAVPN RAVPN
NAT (inside, outside) static static source NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28
NAT (inside, outside) static source all all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
network of the RAVPN object
dynamic NAT (all, outside) interface
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transit
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP ESP-AES-128-SHA ESP - AES - 192 - SHA ESP - AES - 256 - SHA ESP - 3DES - SHA - OF - SHA ESP - AES - 128 - SHA - TRANS ESP - AES - 192 - SHA - TRANS ESP - AES - 256 - SHA - ESP ESP - 3DES - SHA - TRANS TRANS-DES - SHA - TRANS
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
trustpoint crypto ca-CA-SERVER ROOM
LOCAL-CA-SERVER key pair
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ciscoasa
billvpnkey key pair
Proxy-loc-transmitter
Configure CRL
crypto ca server
CDP - url http://ciscoasa/+CSCOCA+/asa_ca.crl
name of the issuer CN = ciscoasa
SMTP address [email protected] / * /
crypto certificate chain ca-CA-SERVER ROOM
certificate ca 01
* hidden *.
quit smoking
string encryption ca ASDM_TrustPoint0 certificates
certificate 10bdec50
* hidden *.
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet 192.168.1.1 255.255.255.255 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.1.50 - 192.168.1.99 inside
dhcpd allow inside
!
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
SVC disk0:/anyconnect-win-3.1.04072-k9.pkg 1 image
SVC profiles DellStudioClientProfile disk0: / dellstudioclientprofile.xml
enable SVC
tunnel-group-list activate
internal-password enable
chip-tunnel list SmartTunnelList RDP mstsc.exe windows platform
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
Server DNS 192.168.1.128 value
Protocol-tunnel-VPN l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
Dental.local value by default-field
WebVPN
SVC value vpngina modules
internal DefaultRAGroup_1 group strategy
attributes of Group Policy DefaultRAGroup_1
Server DNS 192.168.1.128 value
Protocol-tunnel-VPN l2tp ipsec
Dental.local value by default-field
attributes of Group Policy DfltGrpPolicy
Server DNS 192.168.1.128 value
VPN - 4 concurrent connections
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
value of group-lock RAVPN
value of Split-tunnel-network-list Local_LAN_Access
Dental.local value by default-field
WebVPN
the value of the URL - list DentalMarks
SVC value vpngina modules
SVC value dellstudio type user profiles
SVC request to enable default webvpn
chip-tunnel enable SmartTunnelList
wketchel1 5c5OoeNtCiX6lGih encrypted password username
username wketchel1 attributes
VPN-group-policy DfltGrpPolicy
WebVPN
SVC value DellStudioClientProfile type user profiles
username privilege 15 encrypted password 5c5OoeNtCiX6lGih wketchel
username wketchel attributes
VPN-group-policy DfltGrpPolicy
WebVPN
modules of SVC no
SVC value DellStudioClientProfile type user profiles
jenniferk 5.TcqIFN/4yw0Vq1 of encrypted password privilege 0 username
jenniferk username attributes
VPN-group-policy DfltGrpPolicy
WebVPN
SVC value DellStudioClientProfile type user profiles
attributes global-tunnel-group DefaultRAGroup
address pool VPNPool
LOCAL authority-server-group
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group RAVPN remote access
attributes global-tunnel-group RAVPN
address pool VPNPool
LOCAL authority-server-group
tunnel-group RAVPN webvpn-attributes
enable RAVPN group-alias
IPSec-attributes tunnel-group RAVPN
pre-shared key *.
tunnel-group RAVPN ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group WebSSLVPN remote access
tunnel-group WebSSLVPN webvpn-attributes
enable WebSSLVPN group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
173.194.64.108 SMTP server
context of prompt hostname
HPM topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: end
Hello
Seems to me that you can clean the current NAT configuration a bit and make it a little clearer.
I suggest the following changes
network of the VPN-POOL object
10.10.10.0 subnet 255.255.255.0
the object of the LAN network
subnet 192.168.1.0 255.255.255.0
PAT-SOURCE network object-group
object-network 192.168.1.0 255.255.255.0
object-network 10.10.10.0 255.255.255.0
NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL
destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
The above should allow
- Dynamic PAT for LAN and VPN users
- NAT0 for traffic between the VPN and LAN
- NAT0 for traffic between the VPN users
You can then delete the previous NAT configurations. Naturally, please save the configuration before you make the change, if you want to revert to the original configuration.
no static source nat (inside, everything) all electricity static destination RAVPN RAVPN
No source (indoor, outdoor) nat static static NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28
No source (indoor, outdoor) nat static everything all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination
No network obj_any object
No network object RAVPN
In case you do not want to change the settings a lot you might be right by adding this
network of the VPN-POOL object
10.10.10.0 subnet 255.255.255.0
destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL
But the other above configurations changes would make NAT configurations currently simpler and clearer to see every goal of "nat" configurations.
-Jouni
-
ASA VPN cannot ping ip local pool
Hello
We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...
Thanks in advance
Keith
Hi Keith,
I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)
Can you add "same-security-traffic intra-interface permits" and try again?
Federico.
-
Cannot ping via the VPN client host when static NAT translations are used
Hello, I have a SRI 3825 configured for Cisco VPN client access.
There are also several hosts on the internal network of the static NAT translations have a services facing outwards.
Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.
For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.
Any help would be appreciated.
Concerning
!
session of crypto consignment
!
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group vpnclient
key S3Cu4Ke!
DNS 192.168.1.1 192.168.1.2
domain domain.com
pool dhcppool
ACL 198
Save-password
PFS
netmask 255.255.255.0
!
!
Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac
!
Crypto-map dynamic dynmap 10
86400 seconds, life of security association set
game of transformation-3DES-SECURE
market arriere-route
!
card crypto client cryptomap of authentication list drauthen
card crypto isakmp authorization list drauthor cryptomap
client configuration address card crypto cryptomap answer
map cryptomap 65535-isakmp ipsec crypto dynamic dynmap
!
interface GigabitEthernet0/0
NAT outside IP
IP 1.2.3.4 255.255.255.240
cryptomap card crypto
!
interface GigabitEthernet0/1
IP 192.168.1.254 255.255.255.0
IP nat inside
!
IP local pool dhcppool 192.168.2.50 192.168.2.100
!
Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any!
Sheep allowed 10 route map
corresponds to the IP 199!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload!
IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6The problem seems to be that static NAT take your nat exemption.
The solution would be:
IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map routeHTH
Herbert
-
VPN - cannot ping the next hop
Then some advice... I have configured a server VPN - pptp on my router, create a vpn for the customer at the site. For the moment, the client computer can connect and a connection to the router. I can ping from client to the router (192.168.5.1) but cannot ping 192.168.5.2 (switch) or 192.168.10.X (workstations)
What I try to achieve is to access the internal network (192.168.10.X), which is the end of the layer 3 switch. Any help/extra eyes would be good.
Here is my design of the network and the config below:
Client computer---> Internet---> (1.1.1.1) Cisco router (192.168.5.1) 881---> switch Dell Powerconnect 6248 (192.168.5.2)--> Workstation (192.168.10.x)
Router Cisco 881
AAA new-model
!
AAA of authentication ppp default local
!
VPDN enable
!
!
VPDN-group VPDN PPTP
!
accept-dialin
Pptp Protocol
virtual-model 1
!
interface FastEthernet0
Description link to switch
switchport access vlan 5
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 70
no ip address
!
interface FastEthernet4
Description INTERNET WAN PORT
IP [IP EXTERNAL address]
NAT outside IP
IP virtual-reassembly in
full duplex
Speed 100
card crypto VPN1
!
interface Vlan1
no ip address
!
interface Vlan5
Description $ES_LAN$
IP 192.168.5.1 255.255.255.248
no ip redirection
no ip unreachable
IP nat inside
IP virtual-reassembly in
!
interface Vlan70
IP [IP EXTERNAL address]
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
!
!
interface virtual-Template1
IP unnumbered FastEthernet4
encapsulation ppp
peer default ip address pool defaultpool
Ms-chap PPP chap authentication protocol
!
IP local pool defaultpool 192.168.10.200 192.168.10.210
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy inactive 600 life 86400 request 10000
!
overload of IP nat inside source list no. - NAT interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 [address IP EXTERNAL]
Route IP 192.168.0.0 255.255.0.0 192.168.5.2
!
No. - NAT extended IP access list
deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255
IP 192.168.0.0 allow 0.0.255.255 everything
VLAN70 extended IP access list
ip [IP EXTERNAL] 0.0.0.15 permit 192.168.10.0 0.0.1.255
permit tcp [IP EXTERNAL] 0.0.0.15 any eq smtp
permit tcp [IP EXTERNAL] 0.0.0.15 any eq www
permit any eq 443 tcp [IP EXTERNAL] 0.0.0.15
permit tcp [IP EXTERNAL] 0.0.0.15 any eq field
permits any udp [IP EXTERNAL] 0.0.0.15 eq field
list of IP - VPN access scope
IP 192.168.10.0 allow 0.0.1.255 10.1.0.0 0.0.1.255
Licensing ip [IP EXTERNAL] 0.0.0.15 10.1.0.0 0.0.1.255
WAN extended IP access list
!
Layer 3 switch - Dell Powerconnect 6224
!
IP routing
IP route 0.0.0.0 0.0.0.0 192.168.5.1
interface vlan 5
name "to connect to the Cisco router.
Routing
IP 192.168.5.2 255.255.255.248
output
!
interface vlan 10
"internal network" name
Routing
IP 192.168.10.1 255.255.255.0
output
!
interface ethernet 1/g12
switchport mode acesss vlan 5
output
!
interface ethernet 1/g29
switchport mode access vlan 10
output
!
Hi Samuel,.
I went through your configuration and picked up a few problematic lines...
First of all, you can't have your vpn-pool to be in the range of 192.168.10.x/24, because you already have this subnet used behind the switch (this would be possible if you had 192.168.10.x range connected directly to the router). In addition, you may not link your virtual model to the WAN ip address, it must be bound to an interface with a subnet that includes your IP vpn-pool range.
The cleaner for this is,
Create a new interface of back of loop with a new subnet
!
loopback interface 0
192.168.99.1 IP address 255.255.255.0
!
New vpn set up, pool
!
IP local pool defaultpool 192.168.99.200 192.168.99.210
!
Change your template to point the new loopback interface,
!
interface virtual-Template1
IP unnumbered loopback0
encapsulation ppp
peer default ip address pool defaultpool
Ms-chap PPP chap authentication protocol
!
All vpn clients will get an IP address of 192.168.99.200 192.168.99.210 range. And they will be able to get the router and up to the desired range 192.168.10.x/24 behind the router. Packages get the switch, then to the host. Host will respond through the gateway (switch)-> router-> Client.
PS: Sooner, even if your packages arrive at the host, the host will never try to send the response back through the gateway (switch) packets because STI (hosts) point of view, the package came from the same local network, so the host will simply try to "arp" for shippers MAC and eventually will expire)
I hope this helps.
Please don't forget to rate/brand of useful messages
Shamal
-
Cannot ping computers on the subnet remote site vpn while to set up
Hi all
I encountered a problem of site to site vpn for ping answered nothing of machines of remote subnet.
the ipsec tunnel is ok but I can ping the ASA distance inside the interface ip
Here is my scenario:
LAN1 - ASA5510 - ASA5505 - LAN2 - ordinateur_distant
LAN1: 192.168.x.0/24
LAN2: 172.25.88.0/24
remote_machine_ip: 172.25.87.30
LAN1 can ping to ASA5505 inside interface (172.25.88.1)
but cannot ping ordinateur_distant (172.25.87.30)
Inside of the interface ASA5505 can ping ordinateur_distant
LAN2 can ASA5510 ping inside the machines on LAN1 and interface
Is there something I missed?
Thanks much for the reply
I don't think it's something you really want to do.
If you PAT the whole subnet to LAN1 ip (192.168.1.0/24) to 172.25.249.1, then LAN2, will not be able to reach the specific host on LAN1, cause now, you represent the LAN1 network, with a single ip address.
So traffic will become a way from LAN1 can reach LAN2 and get the response of LAN2 through the PAT on 172.25.249.1
But LAN2, is no longer specific hosts LAN1 ip traffic, since you only have 172.25.249.1, to represent the subnet to LAN1.
If you still want to PAT the whole subnet to LAN1 (192.168.1.0/24) ip to 172.25.249.1, then you have to do outside the NAT.
http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858
Kind regards
Maybe you are looking for
-
storage used iCloud inconsistency.
Hello I have 1 to plan storage iCloud. I downloaded pictures 100 GB and 400 GB of videos in the Photos app iCloud. There is no file in the items removed from iCloud. In the Photos on my MacBook Pro when I right click on all the pictures, select Get I
-
Hi, I recently bought a workstation Z620 and migrated hard drive of my Dell using Acronis Image 2013. It worked very well, but I seem to have lost a few pilots, all under other devices in Device Manager. They are: device Base system device Base sys
-
Question about the connection of the laptop to stereo to get a good sound
I'm trying to get an output good phono from my laptop to a stereo. The s-video output a sound, when it is so I could divide the s-video cable in two phono which can then be connected to my sound system.
-
More big HDD in a Qosmio G30-134?
My G30-134 has two 120 GB HARD drives. I would change one or both for a larger size.Is this possible?Can I change one, or is it better to have two identical HARD drives?Is there a maximum capacity that I can use?Every 2.5 ' readers are located?
-
Open ports on a 3620 Tower expansion slot.
I want to add an expansion card for a new 3620 Tower. I can get the box open to access the chassis very well, but how does this black plastic on the expansion slot cover. Looks like it is designed to facilitate the pop open all the slots at the sam