Problem with ICMP on a 515E
Internet---R1--pix---R2--3512---LAN.
We are able to ping from the LAN (high security level) to the Internet, but the host outside (low security level) and my R1 could not ping the PIX inside interface or the LAN.
My access list is configured to allow ICMP from the outside to the local network traffic.
Here is my PIX config:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dmz2 security10
enable password encrypted
passwd encrypted
hostname Pix515
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ldap 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp host 192.168.1.2 any echo
pager lines 24
logging on
logging buffered errors
logging trap debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dmz2 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip address dmz 172.16.128.1 255.255.255.0
no ip address dmz2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address dmz2
pdm history enable
arp timeout 7200
global (outside) 1 192.168.1.50-192.168.1.253
global (outside) 1 192.168.1.254
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
route inside 10.0.0.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ max-failed-attempts 3
aaa-server tacacs+ deadtime 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec security-association lifetime seconds 2700
telnet 172.16.1.2 255.255.255.255 inside
telnet 192.168.1.2 255.255.255.255 inside
telnet 10.0.0.2 255.255.255.255 inside
telnet 10.0.0.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd domain
dhcpd auto_config outside
terminal width 80
Cryptochecksum:
: end
Pix515#
Thanks in advance
GIS
Federico's post should help you set up a static. Also, when I said "outside to inside you will need a public IP address", I meant the Internet.
Similar Questions
-
PIX 515E configuration problems
I have a UR PIX 515 (6.3.2 OS) that works really well, so I copied the configuration onto my new PIX 515E-R (OS 6.3.2). The two PIXes have exactly the same configuration. But when I use the PIX 515E-R, I have some problems, with the PIX 515E-R only:
- I can't access the Internet, but I can ping the Internet router from my PIX 515E. The problem, in my view, must be with the Internet router, not on my external interface.
- I have a similar problem with my DMZ. I can ping the DMZ, a frame relay router interface, but I can't get past this router.
Is it possible that the PIX 515E-R is not compatible with the router, and the PIX 515 UR is?
Thanks for your replies.
Hello
Just a thought: try clearing the ARP table on the router and see what happens. Let me know if it helps.
Jay
-
515E eth0 and eth1 do not see each other's networks
I feel like a n00b here, but I am having trouble with something that should be simple, so note the following question as one asked with a sheepish smile...
Problem: I have a 515E set up to authenticate to a DSL modem, which provides me with a public IP address on the 515E's ethernet0. From the 515E I can ping the outside world.
On ethernet1 I see an internal network, 192.168.50.0, which answers the 515E as well.
Computers inside the 515E cannot see through to the outside, ping or anything else.
I guess I have configured my nat or global badly, but the documents I read all assumed that you have more than one outside IP to work with. I just need to get everyone inside out using the single IP address on the external interface. I'll also be implementing several VPNs through this interface; is it unwise to use one for all?
Here is my config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password * encrypted
passwd * encrypted
hostname YRPCI
domain-name yearroundpool.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ldap 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.x.x Bluff_Outside
access-list acl_out permit tcp 192.168.50.0 255.255.255.0 any
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_in permit icmp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
access-list outside_cryptomap_9 permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.255 inside
pdm location Bluff_Outside 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 100 192.168.50.8-192.168.50.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 9 ipsec-isakmp
crypto map outside_map 9 match address outside_cryptomap_9
crypto map outside_map 9 set peer 64.53.71.8
crypto map outside_map 9 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *
vpdn group pppoex ppp authentication pap
vpdn username * password *
Thank you for your time in advance.
Dave
Hello
Indeed, there is something wrong with your nat/global config.
Remove these lines:
global (outside) 200 interface
global (inside) 100 192.168.50.8-192.168.50.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
and replace them with these lines:
global (outside) 200 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 0.0.0.0 0.0.0.0 0 0
The "nat (inside) 0" is part of the VPN configuration.
What matters now are the "nat (outside) 200" and "global (outside) 200" commands.
You should always have a nat/global pair with the same id (200 in this case). All the inside addresses (0.0.0.0 0.0.0.0) will be translated to the IP address of the PIX's external interface.
This will allow all inside hosts access to all outside addresses (except ICMP!).
If you want internal hosts to have full access to the outside, you can remove the access list "acl_out".
Kind regards
Tom
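A small checker for the nat/global pairing rule Tom describes, added here as an example (it is not Cisco code and not from anyone in the thread). It understands only the two PIX 6.x command forms in Dave's posting, which are embedded below as constructed excerpts; the "before" excerpt is Dave's, the "after" excerpt is Tom's replacement.

```python
import re

# Constructed excerpt: the nat/global lines Dave posted (PIX 6.2).
POSTED_NAT_GLOBAL = """\
global (outside) 200 interface
global (inside) 100 192.168.50.8-192.168.50.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
"""

# Constructed excerpt: the replacement Tom suggested.
CORRECTED_NAT_GLOBAL = """\
global (outside) 200 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 0.0.0.0 0.0.0.0 0 0
"""

# 'nat (ifc) <id> <rest>' and 'global (ifc) <id> <rest>'; case-insensitive because the
# posted configs are mixed case.
_STMT_RE = re.compile(
    r"^\s*(?P<kw>nat|global)\s+\((?P<ifc>[^)]+)\)\s+(?P<id>\d+)\s*(?P<rest>.*?)\s*$", re.I)


def parse_nat_global(config):
    """Return (nats, globals): dicts of id -> list of (interface, remainder of line)."""
    nats, globs = {}, {}
    for line in config.splitlines():
        m = _STMT_RE.match(line)
        if not m:
            continue
        target = nats if m["kw"].lower() == "nat" else globs
        target.setdefault(int(m["id"]), []).append((m["ifc"].lower(), m["rest"]))
    return nats, globs


def audit_nat_global(config):
    """List pairing mistakes a PIX 6.x accepts silently but that break outbound NAT.

    Rules applied (PIX 6.x semantics as Tom states them):
      * every 'nat (x) N' with N != 0 needs a 'global (y) N' on a different interface;
      * a 'global N' that no nat references is dead configuration;
      * 'nat (x) 0 0.0.0.0 0.0.0.0' means "translate nothing from x", so private
        source addresses leave untranslated and no reply can come back.
    """
    nats, globs = parse_nat_global(config)
    problems = []
    for nat_id, entries in sorted(nats.items()):
        if nat_id == 0:
            for ifc, rest in entries:
                if rest.startswith("0.0.0.0 0.0.0.0"):
                    problems.append(
                        f"nat ({ifc}) 0 0.0.0.0 0.0.0.0 exempts every host from NAT")
            continue
        nat_ifcs = {ifc for ifc, _ in entries}
        partners = [g for g in globs.get(nat_id, []) if g[0] not in nat_ifcs]
        if not partners:
            problems.append(
                f"nat id {nat_id} has no global with the same id on another interface")
    for glob_id, entries in sorted(globs.items()):
        if glob_id not in nats:
            for ifc, rest in entries:
                problems.append(
                    f"global ({ifc}) {glob_id} {rest} is never referenced by a nat")
    return problems


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_NAT_GLOBAL), ("corrected", CORRECTED_NAT_GLOBAL)):
        print(label, audit_nat_global(cfg) or ["ok"])
```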
-
Hello.
I have a Linksys (Cisco) E3000 router, but some problem with ICMP. I know because I can't access the ports I opened on the LAN as part of the NAT. I run an FTP server and a Windows Server 2008 with my own web home page.
Does anyone know how to set this up on the router? I cannot find this setting, even the one for the ping function. It should be possible to start/stop it.
Best regards, BBJ
Try the "Filter Internet NAT Redirection" option.
If this does not work for you, there is no way to test the port forwards from inside your LAN, simply because you cannot send a packet to the WAN port and back. Packets coming from the LAN side of the router don't go through NAT...
You can only try general web-based port checking tools on the Internet.
-
PIX 515E (PIX OS 7.0.1) / website problem
I have a problem with a PIX 515E with PIX OS 7.0.1.
Internet access works very well, but there are sites we sometimes can't open, or that are very slow. I tested the same websites on a dedicated Internet connection and then, luckily, had no problems.
I disabled http inspect and dns inspect on the PIX, but the result was the same.
I have tested it with a web proxy and with a direct connection to the Internet.
Can someone tell me a solution to this problem?
Thank you
D.
This may be due to this Cisco problem:
PIX/ASA 7.0 Issue: HTTP Clients Cannot Browse to Certain Web Sites
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
Hope this is useful
-
Cannot access my home network via AnyConnect
I am able to connect through the AnyConnect client and get an IP address, but I am not able to access my administration (internal) network.
Administration = 10.18.1.120
VPN pool = 172.16.10.0/28
10.17.13.120 outside
This is my config:
ASA Version 1.0000 2
!
!
interface GigabitEthernet0/0
 nameif administration
 security-level 100
 ip address 10.18.1.120 255.255.0.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.17.13.120 255.255.0.0
!
interface GigabitEthernet0/2
 nameif admin-out13
 security-level 0
 ip address 10.13.1.120 255.255.0.0
!
interface GigabitEthernet0/3
 nameif VOIP
 security-level 0
 ip address 10.90.100.120 255.255.0.0
!
ftp mode passive
object network NETWORK_OBJ_172.16.10.0_29
 subnet 172.16.10.0 255.255.255.248
object network Admin_Email_Server
 host 10.18.4.120
 description admin e-mail server
object network Admin_Srv_Farm
 subnet 10.18.4.0 255.255.255.0
 description subnet where the admin servers are hosted
object-group icmp-type ICMP_Group
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu administration 1500
mtu outside 1500
mtu admin-out13 1500
mtu ip_phones 1500
ip local pool ADMIN_VPN_POOL 172.16.10.1-172.16.10.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (administration,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29 no-proxy-arp route-lookup
nat (administration,outside) source static Admin_Srv_Farm Admin_Srv_Farm destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.18.0.0 255.255.0.0 administration
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=admin-pare-fire
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.90.100.1-10.90.100.100 ip_phones
dhcpd dns 4.2.2.2 8.8.8.8 interface ip_phones
dhcpd lease 1800 interface ip_phones
dhcpd domain uz.ac.zw interface ip_phones
dhcpd option 3 ip 10.90.1.254 interface ip_phones
dhcpd enable ip_phones
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect profiles ITADMIN_VPN_client_profile disk0:/ITADMIN_VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_ITADMIN_VPN internal
group-policy GroupPolicy_ITADMIN_VPN attributes
 wins-server none
 dns-server value 10.18.4.120 10.50.7.178
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value uz.ac.zw
 webvpn
  anyconnect profiles value ITADMIN_VPN_client_profile type user
username webster password nwgth7HVlZ/qiWnP encrypted
username webster attributes
 service-type remote-access
username admin password xxxxxxxxxxx encrypted privilege 15
username user2 password xxxxxxxxxxx encrypted privilege 15
username user2 attributes
 service-type remote-access
tunnel-group ITADMIN_VPN type remote-access
tunnel-group ITADMIN_VPN general-attributes
 address-pool ADMIN_VPN_POOL
 default-group-policy GroupPolicy_ITADMIN_VPN
tunnel-group ITADMIN_VPN webvpn-attributes
 group-alias ITADMIN_VPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c9820a69d5b4fb9e3f7cce253f2450e4
After adding the "management-access administration" command, please check whether you are able to ping the administration interface (IP = 10.18.1.120) from the remote user's machine. In addition, run this command on the ASA:
packet-tracer input administration icmp <host ip address> 8 0 <assigned ip address> detailed
Once you run this, please copy the output and share it here. Note: the host IP address is the IP of the host sitting behind the administration interface that you think the internal host should be able to ping from outside; the assigned IP address is the address assigned to the AnyConnect client from the pool.
Share the details here and we will be able to understand the issue.
Thank you
Vishnu
-
ASA - after upgrade to 8.4, impossible to ping the inside interface via IPsec VPN
We have configured a 5-site, site-to-site VPN scenario. Last week we upgraded 2 ASA 5505 devices to 8.4.2. Before the upgrade, our monitoring software would ping the inside interface from remote devices to confirm VPN tunnels were established, as well as the addresses of remote devices and the outside of the ASA. While we were on 8.2, remote equipment successfully pinged the inside interface. After we went to 8.4.2 we can no longer ping this interface. We looked at the logs and we see the ICMP traffic listed there, but the remote equipment does not receive the ICMP traffic back. We can successfully ping from local hardware to the inside interface and to the external interface of remote devices. In addition, we can ping hardware behind the two devices in both directions successfully.
We are unable to remotely manage the device through the VPN tunnel.
The network is:
ASA #1 inside 10.168.107.1 (running ASA 8.2)
ASA #2 inside 10.168.101.1 (running ASA 8.4)
Server 1 (behind ASA #1) 10.168.107.34
Server 2 (behind ASA #2) 10.168.101.14
Can ping server 1 to server 2
Can ping server 1 to ASA 1
Can ping server 2 to ASA 2
Can ping server 2 to server 1
Can ping server 2 to ASA 1
Can ping ASA 2 to ASA 1
Cannot ping ASA 1 to ASA 2
Cannot ping server 1 to ASA 2
Cannot access ASA 2 via https for management, nor with the ASDM software
Here is the config on ASA 2 (attached).
Any thoughts would be appreciated.
Hey Joseph,
Most likely you hit this bug:
CSCtr16184 Bug Details
To-the-box traffic fails for VPN hosts after upgrade to 8.4.2.
Symptom:
After upgrading the ASA to 8.4.2, all to-the-box management traffic (including ICMP/telnet/ssh/ASDM) from hosts connecting via VPN (L2L or remote-access VPN) can fail to the management-access IP address.
Conditions:
1. The problem occurs if the ASA is on 8.4.2. Not seen on 8.4.1.
2. Users directly connected to the internal interfaces have no problem with ICMP/telnet/ssh/ASDM to their respective interfaces.
Workaround:
The problem goes back to a manual NAT statement that straddles the management-access IP address. The NAT must have both source and destination sections. Adding the keyword "route-lookup" at the end of the NAT statement solves the problem. Ex:
The management-access interface IP address of the ASA is 192.168.1.1.
! Overlapping NAT statement:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
! New statement:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn route-lookup
HTH,
Raga
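A checker for the condition the CSCtr16184 workaround describes, added here as an example (not Cisco code, not from the thread): it finds twice-NAT statements whose real source object contains the management-access interface address and that carry no route-lookup keyword. The embedded ASA excerpt is constructed from the workaround example above; the object contents and the obj-vpn subnet (192.168.40.0/24) are assumptions.

```python
import ipaddress
import re

# Constructed ASA 8.4 excerpt modelled on the workaround example: 192.168.1.1 is the
# management-access address and the twice-NAT rule covering 192.168.1.0/24 lacks
# route-lookup. Object contents and the obj-vpn subnet are assumptions for the example.
ASA_BEFORE = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-vpn
 subnet 192.168.40.0 255.255.255.0
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
management-access inside
"""

# The same excerpt with the keyword the workaround adds.
ASA_AFTER = ASA_BEFORE.replace(
    "destination static obj-vpn obj-vpn\n",
    "destination static obj-vpn obj-vpn route-lookup\n",
)

# Twice NAT with both a source and a destination section (the form the bug concerns).
_TWICE_NAT_RE = re.compile(
    r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) source static (?P<src>\S+) \S+"
    r" destination static (?P<dst>\S+) \S+(?P<opts>.*)$"
)


def parse_asa(config):
    """Return (interface name -> address, object name -> network, twice-NAT rules, mgmt ifc)."""
    ifaces, objects, nats, mgmt = {}, {}, [], None
    cur_if = cur_obj = None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur_if, cur_obj = {}, None
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif line.startswith("management-access "):
            mgmt = line.split()[1]
        elif line.startswith("nat ("):
            m = _TWICE_NAT_RE.match(line)
            if m:
                nats.append(m.groupdict())
        elif cur_if is not None and line.startswith(" nameif "):
            cur_if["name"] = line.split()[1]
        elif cur_if is not None and line.startswith(" ip address "):
            cur_if["ip"] = ipaddress.ip_address(line.split()[2])
            if "name" in cur_if:
                ifaces[cur_if["name"]] = cur_if["ip"]
        elif cur_obj is not None and line.startswith(" subnet "):
            net, mask = line.split()[1:3]
            objects[cur_obj] = ipaddress.ip_network(f"{net}/{mask}")
        elif cur_obj is not None and line.startswith(" host "):
            objects[cur_obj] = ipaddress.ip_network(line.split()[1] + "/32")
    return ifaces, objects, nats, mgmt


def nat_missing_route_lookup(config):
    """Twice-NAT rules whose real source covers the management-access address but lack route-lookup.

    These are the statements the CSCtr16184 workaround says must carry 'route-lookup' on 8.4.2.
    """
    ifaces, objects, nats, mgmt = parse_asa(config)
    if mgmt is None or mgmt not in ifaces:
        return []  # no management-access interface configured: the bug does not apply
    mgmt_ip = ifaces[mgmt]
    hits = []
    for nat in nats:
        src = objects.get(nat["src"])
        if src is None or mgmt_ip not in src:
            continue
        if "route-lookup" in nat["opts"].split():
            continue
        hits.append(
            f"nat ({nat['real']},{nat['mapped']}) source static {nat['src']} ... "
            f"covers management-access {mgmt} ({mgmt_ip}) but has no route-lookup"
        )
    return hits


if __name__ == "__main__":
    for label, cfg in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        print(label, nat_missing_route_lookup(cfg) or ["no exposed NAT rules"])
```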
-
Site to site VPN works only on Cisco 881
I have 2 problems with a Cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the Internet on the outside. But I know that the router has Internet, because I can ping the external IP address. The second problem is that I have a site-to-site set up, but when I test the site-to-site I get this error:
The tunnel traffic destination must be routed through the crypto map interface. The following destination(s) do not have a routing entry in the routing table: 192.168.2.0
I copied the config for this router from another working Cisco 881, where everything works. The only difference is that this router needs a site-to-site VPN connection.
My question is how I can get Internet on Vlan2 and how I can solve the site-to-site connection.
Here's the running configuration:
Building configuration...
Current configuration : 12698 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco_881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1151531093
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1151531093
 revocation-check none
 rsakeypair TP-self-signed-1151531093
!
crypto pki trustpoint TP-self-signed-2011286623
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2011286623
 revocation-check none
 rsakeypair TP-self-signed-2011286623
!
!
crypto pki certificate chain TP-self-signed-1151531093
 certificate self-signed 01
  quit
crypto pki certificate chain TP-self-signed-2011286623
no ip source-route
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.5.1 192.168.5.49
ip dhcp excluded-address 192.168.5.150 192.168.5.254
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 2 0
!
ip dhcp pool Internet
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254
 dns-server 64.59.135.133 64.59.128.120
 lease 6 0
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 64.59.135.133
ip name-server 64.59.128.120
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX18438503
!
!
archive
 log config
  hidekeys
username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
username * secret 5 $1$17ST$QzJMvQnZ9Q.1y7u0rYXFa0
username * secret 5 $1$L4W9$zBKpawZ3i5nXxwyS9H6Lf1
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 208.98.212.xx
!
crypto isakmp client configuration group MPE
 key *
 pool VPN_IP_POOL
 acl 100
 include-local-lan
 max-users 10
 netmask 255.255.255.0
 banner ^C
You have entered the control domain. This area is reserved for administrators of control systems.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to start your session. ^C
!
crypto isakmp client configuration group PALL
 key *
 pool VPN_IP_POOL_PALL
 acl 101
 include-local-lan
 max-users 1
 netmask 255.255.255.0
 banner ^C
You have entered the control domain. This area is limited to PALL access only.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to start your session. ^C
crypto isakmp profile vpn_isakmp_profile
 match identity group MPE
 client authentication list default
 isakmp authorization list default
 client configuration address respond
 virtual-template 1
crypto isakmp profile vpn_isakmp_profile_2
 match identity group PALL
 client authentication list default
 isakmp authorization list default
 client configuration address respond
 virtual-template 2
!
!
crypto ipsec transform-set VPN_TRANSFORM esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VPN_PROFILE_MPE
 set security-association idle-time 3600
 set transform-set VPN_TRANSFORM
 set isakmp-profile vpn_isakmp_profile
!
crypto ipsec profile VPN_PROFILE_PALL
 set security-association idle-time 1800
 set transform-set VPN_TRANSFORM
 set isakmp-profile vpn_isakmp_profile_2
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to208.98.212.xx
 set peer 208.98.212.xx
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.40.254 255.255.255.0
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
!
interface FastEthernet3
 switchport access vlan 2
 no ip address
!
interface FastEthernet4
 ip address 208.98.213.xx 255.255.255.224
 ip access-group 111 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE_MPE
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE_PALL
!
interface Vlan1
 description Control network
 ip address 192.168.125.254 255.255.255.0
 ip access-group CONTROL_IN in
 ip access-group CONTROL_OUT out
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Internet network
 ip address 192.168.5.254 255.255.255.0
 ip access-group INTERNET_IN in
 ip access-group INTERNET_OUT out
 ip nat inside
 ip virtual-reassembly in
!
ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.236.xx permanent
!
ip access-list extended CONTROL_IN
 remark control access
 remark CCP_ACL Category=17
 permit udp any host 192.168.125.254 eq non500-isakmp
 permit udp any host 192.168.125.254 eq isakmp
 permit esp any host 192.168.125.254
 permit ahp any host 192.168.125.254
 permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
 remark VPN access
 permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
 remark VNC access
 permit tcp host 192.168.125.2 eq 25000 any
 remark WIN911 e-mail
 permit tcp host 192.168.125.2 any eq smtp
 remark DNS traffic
 permit udp host 192.168.125.2 host 64.59.135.133 eq domain
 permit udp host 192.168.125.2 host 64.59.128.120 eq domain
 remark block everything else
 deny ip any any
ip access-list extended CONTROL_OUT
 remark control access
 permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
 remark VPN access
 permit ip 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
 remark VNC access
 permit tcp any host 192.168.125.2 eq 25000
 remark WIN911 e-mail
 permit tcp any host 192.168.125.2 eq smtp
 remark DNS responses
 permit udp any eq domain host 192.168.125.2
 remark deny all other traffic
 deny ip any any
ip access-list extended INTERNET_IN
 remark VNC access on VLAN
 permit tcp any host 192.168.125.2 eq 25000
 remark block all other control and VPN
 deny ip any 192.168.125.0 0.0.0.255
 deny ip any 192.168.40.0 0.0.0.255
 remark permit all other traffic
 permit ip any any
ip access-list extended INTERNET_OUT
 remark full outbound Internet access
 permit ip any any
ip access-list extended WAN_IN
 permit ip host 207.229.14.xx any
 remark PERMIT ESTABLISHED TCP CONNECTIONS
 permit tcp any eq smtp any established
 remark ALLOW DOMAIN CONNECTIONS
 permit udp host 64.59.135.133 eq domain any
 permit udp host 64.59.128.120 eq domain any
 remark ALLOW ICMP WARNING RETURNS
 permit icmp any any unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any time-exceeded
 deny icmp any any
 permit ip any any
!
ip sla auto discovery
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
access-list 1 remark out to WAN routing
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 192.168.125.2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 23 remark SSH and HTTP access permissions
access-list 23 permit 192.168.125.0 0.0.0.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 permit any
access-list 100 remark VPN traffic
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark PALL VPN traffic
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip host 192.168.125.2 any
access-list 111 remark CCP_ACL Category=17
access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp any host 208.98.213.xx eq isakmp
access-list 111 permit esp any host 208.98.213.xx
access-list 111 permit ahp any host 208.98.213.xx
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
access-list 111 permit esp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit ahp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit icmp any host 208.92.13.xx
access-list 111 permit tcp any host 208.92.13.xx eq 25000
access-list 111 permit tcp any host 208.92.13.xx eq 22
access-list 111 permit tcp any host 208.92.13.xx eq telnet
access-list 111 permit tcp any host 208.92.13.xx eq www
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Disconnect IMMEDIATELY if you are not an authorized user
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 password *
 transport input telnet ssh
 transport output all
line vty 5 15
 access-class 160 in
 password *
 transport input all
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
end
Thank you.
It seems that DNS is failing, because you do reach the Internet, but it does not work when Internet DNS resolution is needed.
Go ahead and try to ping 157.166.226.25, and try http://157.166.226.25/ (CNN.com) in the browser. Let's try those. Also, just in case, here is where to configure a DNS server on your router:
- http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...
Disable any ZBF just in case.
Kind regards,
David Castro
-
Cannot Ping Through Site-to-Site Host
The two ends are ASA 5510. The IPsec tunnel is running.
show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 50.240.120.233
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
show crypto ipsec sa
#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 46, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
From my side (10.1.20.0/24) I can only ping the "inside" interface of the remote ASA (10.2.20.1). I can't ping other computers on the remote subnet. The remote subnet is not able to ping anything on my side.
Here is the config on my side:
: Saved
:
ASA Version 8.2(1)
!
hostname asa
names
name 72.xxx.xxx.xxx Telepacific_Gateway
name 184.188.50.225 Cox_Gateway
name 10.1.20.32 VPN
name 10.2.20.0 Jacksonville-Subnet
!
interface Ethernet0/0
description Telepacific 4Mb Internet
nameif WAN_TelePacific
security-level 0
ip address 72.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
description Cox 10Mb Fiber Internet
speed 100
duplex full
nameif WAN_Cox
security-level 0
ip address 184.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/2
nameif VOIP
security-level 49
ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/3
nameif inside
security-level 50
ip address 10.1.20.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup WAN_TelePacific
dns domain-lookup WAN_Cox
dns server-group DefaultDNS
name-server 209.242.128.100
name-server 209.242.128.101
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0
access-list ragroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0
access-list WAN_Cox_1_cryptomap extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
access-list WAN_access_in extended permit icmp any any
access-list WAN_Cox_access_in extended permit icmp any any
access-list WAN_Cox_access_in extended permit udp VPN 255.255.255.224 10.1.20.0 255.255.255.0
access-list WAN_Cox_access_in extended permit tcp VPN 255.255.255.224 10.1.20.0 255.255.255.0
access-list inside_nat_outbound_1 extended permit ip any any
access-list inside_nat_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 VPN 255.255.255.224
pager lines 24
logging enable
logging asdm informational
logging mail critical
mtu WAN_TelePacific 1500
mtu WAN_Cox 1500
mtu VOIP 1500
mtu inside 1500
mtu management 1500
ip local pool RA VPN-10.1.20.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any WAN_TelePacific
asdm history enable
arp timeout 14400
global (WAN_TelePacific) 101 interface
global (WAN_Cox) 102 interface
global (inside) 103 interface
nat (WAN_Cox) 103 VPN 255.255.255.224 outside
nat (VOIP) 102 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 102 access-list inside_nat_outbound
nat (inside) 101 access-list inside_nat_outbound_1
nat (management) 102 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN_TelePacific
access-group WAN_Cox_access_in in interface WAN_Cox
route WAN_Cox 0.0.0.0 0.0.0.0 Cox_Gateway 1 track 3
route WAN_TelePacific 0.0.0.0 0.0.0.0 Telepacific_Gateway 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map CISCOMAP
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD_Group_author protocol ldap
aaa-server AD_Group_author (inside) host 10.1.20.10
server-port 389
ldap-base-dn DC=,DC=LOCAL
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=VPN,CN=Users,DC=,DC=local
server-type microsoft
ldap-attribute-map CISCOMAP
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 WAN_TelePacific
http 0.0.0.0 0.0.0.0 WAN_Cox
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sla monitor 100
type echo protocol ipIcmpEcho Telepacific_Gateway interface WAN_Cox
num-packets 20
sla monitor schedule 100 life forever start-time now
sla monitor 101
type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox
sla monitor schedule 101 life forever start-time now
sla monitor 102
type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox
sla monitor schedule 102 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN_TelePacific
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto map WAN_Cox_map 1 match address WAN_Cox_1_cryptomap
crypto map WAN_Cox_map 1 set pfs
crypto map WAN_Cox_map 1 set peer 50.240.120.233
crypto map WAN_Cox_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_Cox_map 1 set nat-t-disable
crypto map WAN_Cox_map interface WAN_Cox
crypto ca trustpoint vpn_ssl_cert
fqdn asa
subject-name CN=asa
no client-types
crl configure
crypto isakmp enable WAN_Cox
crypto isakmp enable inside
crypto isakmp enable management
crypto isakmp policy 10
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 100 reachability
!
track 2 rtr 101 reachability
!
track 3 rtr 102 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.20.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
management-access inside
dhcpd address 10.1.10.51-10.1.10.254 VOIP
dhcpd dns 216.70.224.17 8.8.8.8 interface VOIP
dhcpd enable VOIP
!
dhcpd address 10.1.20.100-10.1.20.254 inside
dhcpd dns 216.70.224.17 8.8.8.8 interface inside
dhcpd wins 10.1.20.10 1.1.20.11 interface inside
dhcpd domain local interface inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.1.20.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.1.20.10 255.255.255.255
threat-detection scanning-threat shun except ip-address 10.1.20.12 255.255.255.255
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.20.10 source inside prefer
webvpn
enable WAN_Cox
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec svc
webvpn
svc ask none default svc
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 10.1.20.10
dns-server value 10.1.20.10
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value local
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
address-pools value RA
group-policy ragroup internal
group-policy ragroup attributes
wins-server value 10.1.20.1
dns-server value 10.1.20.1
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ragroup_splitTunnelAcl
default-domain value
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner none
wins-server value 10.1.20.10
dns-server value 10.1.20.10
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ragroup_splitTunnelAcl
default-domain value local
webvpn
svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
address-pool RA
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool RA
authentication-server-group AD_Group_author LOCAL
authorization-server-group AD_Group_author
authorization-required
username-from-certificate use-entire-name
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication ms-chap-v2
tunnel-group ZRemote type remote-access
tunnel-group ZRemote general-attributes
address-pool RA
authentication-server-group AD_Group_author LOCAL
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
address-pool RA
authentication-server-group AD_Group_author LOCAL
default-group-policy ALLOWACCESS
tunnel-group 50.240.xxx.xxx type ipsec-l2l
tunnel-group 50.240.xxx.xxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 10.1.20.14
prompt hostname context
Cryptochecksum:053e7f169dcfa526b030f5d647cd78e8
: end
This ASA configuration seems correct to me.
Please check the NAT exempt configuration on the remote end.
If possible, share the config of the remote end as well.
Kind regards
NGO
-
I configured a PIX 515E, OS 7.0(1), for dynamic PAT from the inside network to the outside IP address of the PIX. I also configured access lists for ICMP from inside to outside and inside. All traffic (www, dns, ftp, etc.) works very well except ping. Whenever I ping from a host inside to any outside address, I get the following error messages:
6. August 24, 2006 11:10:52 | 609002: Teardown local-host outside:193.222.224.104 duration 0:00:10
6. August 24, 2006 11:10:52 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/9 laddr FDFR001/8994
6. August 24, 2006 11:10:50 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993
4. August 24, 2006 11:10:50 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"
6. August 24, 2006 11:10:50 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/9 laddr FDFR001/8994
6. August 24, 2006 11:10:48 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992
4. August 24, 2006 11:10:48 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"
6. August 24, 2006 11:10:48 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993
6. August 24, 2006 11:10:46 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991
4. August 24, 2006 11:10:46 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"
6. August 24, 2006 11:10:46 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992
6. August 24, 2006 11:10:44 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990
4. August 24, 2006 11:10:44 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"
6. August 24, 2006 11:10:44 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991
4. August 24, 2006 11:10:42 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"
6. August 24, 2006 11:10:42 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990
6. August 24, 2006 11:10:42 | 609001: Built local-host outside:193.222.224.104
What could be the problem?
Thank you, Meg
You only need to permit the echo replies on the outside interface. If you add the following ACL entry on the outside, it should work...
access-list outside_access_in extended permit icmp any any echo-reply
-
515E Cisco configuration problem
I made a simple configuration for a Cisco 515E in October this year. A small office uses it for surfing the net.
Now they want to set up a web site for themselves, so I did a static NAT for their web server:
static (inside,outside) x.x.29.198 192.168.1.1 netmask 255.255.255.255 0 0
But then I found a problem. Although I can ping any web site successfully from the internal LAN, I cannot ping the global IP of the web server (x.x.29.198), and I can't ping the external IP address of the firewall (x.x.29.194) either.
On the other hand, I can ping x.x.29.198 (or .194) from the Internet, and that reaches 192.168.1.1 on the internal LAN. The web service also seems fine.
Can someone tell me how to solve this problem? Thank you.
Hello
This isn't a problem and everything works fine. From the internal LAN you won't be able to ping the global address of the web server or the PIX outside interface. The PIX/ASA will not allow this.
Hope that helps.
-
Problems after upgrading a PIX 515E from 6.34 to 7.12
Recently upgraded a PIX 515E from 6.34 to 7.12. Everything seemed to work well, but we are having a problem accessing certain web sites. Basically we allow all IP traffic from the "inside" network. The log errors are:
609001: Built local-host outside:199.230.128.100
106015: Deny TCP (no connection) from djm/1646 to 199.230.128.100/80 flags ACK on interface inside
609002: Teardown local-host outside:199.230.128.100 duration 0:00:00
Config is attached...
We also see these problems on the same platform. We have removed HTTP inspection from the default policy as a temporary workaround:
policy-map global_policy
class inspection_default
no inspect http
Still looking for a solution...
-
C1 - (out) (in)-pix - r1 - internet
This is all a test network with one computer inside the PIX. From this computer I can ping the inside interface of the PIX, but from the PIX I cannot ping the computer.
After several tries, I realized that I could solve this problem by changing my inside IP to 192.168.1.250 (after changing the outside one) and changing the computer to be on the same subnet. I tried other subnets like 192.168.2.x, 192.168.3.x, 192.168.5.x and 10.10.x.x, but all have the same problem as the original.
Initial setup:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password encrypted
passwd encrypted
hostname testpix
domain-name test.pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list pingout permit icmp any any echo-reply
access-list pingout permit icmp any any time-exceeded
access-list pingout permit icmp any any unreachable
pager lines 22
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.250 255.255.255.0
ip address inside 192.168.0.250 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm location 192.168.0.1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group pingout in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
testpix#
Thanks for the help.
Are you running a firewall on your computer? Like the Windows XP (SP2) built-in firewall... If it is on and you do not explicitly allow ICMP on the firewall, pinging from the computer to any device will work, but not vice versa.
HTH
-
PIX 515E failover restart problems
On Thursday, November 23, we upgraded the PIX cluster from 6.2(2) to 7.1(2) with the default memory (64 MB) in each PIX. The Active PIX then suffered what appeared to be a memory leak (attributed to the ARP Thread process). This continued for a few days, with the result that we force-reloaded the Active PIX every 8 hours to ensure continuity of service. On Monday 27, after a reload, it was noticed that the Active PIX no longer leaked memory to the ARP Thread process; the same day we upgraded the PIX cluster to 128 MB of memory. Then we had active/standby failovers every 2 hours, which seemed to be attributed to missed "hello" messages on the failover cable. We then decided to configure LAN failover on the PIX cluster. In the process of enabling this feature, the secondary PIX (which was the current active) crashed.
Do you have any explanation as to why these events took place?
Hi Carlton,
I can tell you that maybe the method you used to upgrade started the chain of problems. I have used one for the migration of these products and I have never run into this before. In general I save the configurations, schedule a service stop and leave the failover unit working alone while I upgrade the ex-active unit. After the upgrade, I load the configuration I saved before and make the customizations.
For the PIX with the unrestricted license, 128 MB of real memory is required. For the restricted license, you can use the default 64 MB.
After that, you can put the active unit in place of the failover one. You upgrade the failover unit the same way and connect it again as active, already in production, and restart the synchronization.
For all my clients, it worked.
I hope it will be useful. If yes, please rate.
Kind regards
Rafael Lanna
-
ASA VPN Site to Site (WITH the NAT) ICMP problem
Hi all!
I need to PAT traffic from 192.168.1.0/24 (arriving via VPN) so it can reach the remote 151.1.1.0/24 through the 192.168.123.9 router in the DMZ (see diagram).
It works with this configuration, except for ICMP.
This is the error: Deny icmp src dmz:151.1.1.1 dst foreign entrants: 192.168.123.229 (type 0, code 0)
Is there a way to do this?
Thank you all!
Marco
------------------------------------------------------------------------------------
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 remote-network
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.200.199 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 0
ip address 192.168.123.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network DM_INLINE_NETWORK_1
network-object 151.1.1.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 remote-network 255.255.255.0
access-list VPN_NAT extended permit ip remote-network 255.255.255.0 151.1.1.0 255.255.255.0
access-list dmz_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 5 192.168.123.229
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.200.0 255.255.255.0
nat (outside) 5 access-list VPN_NAT outside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
route dmz 151.1.1.0 255.255.255.0 192.168.123.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http remote-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
------------------------------------------------------------------------------------
Review the link; you have two ways to allow outgoing ICMP: either an ACL or ICMP inspection.
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
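An added example, not part of any post in this thread: a small Python model that parses the 106023 "Deny icmp" syslog lines quoted in the PIX 7.0 thread above (Marco's dmz error has the same shape) and evaluates an outside access-list before and after the echo-reply entry the reply suggests. The log lines and ACL entries below are constructed from the messages quoted in the thread, and the parser covers only the ICMP part of the PIX/ASA access-list syntax.

```python
"""Added example, not from the thread: parse PIX/ASA syslog 106023 "Deny icmp"
lines and evaluate an outside access-list before and after the echo-reply fix."""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Syslog 106023 as quoted in the thread; the 'by access-group' suffix is optional
# because Marco's post quotes the message without it.
DENY_RE = re.compile(
    r'106023: Deny icmp src (?P<sif>\w+):\s*(?P<src>[\d.]+) '
    r'dst (?P<dif>\w+):\s*(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)'
    r'(?: by access-group "(?P<acl>[^"]+)")?'
)
# ICMP type numbers mapped to the keywords the PIX/ASA access-list syntax uses.
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "unreachable", 4: "source-quench",
                   8: "echo", 11: "time-exceeded"}

# acl is None when the log line carries no access-group name.
Denial = namedtuple("Denial", "src_if src dst_if dst icmp_type code acl")
# src/dst are ip_network (0.0.0.0/0 stands for 'any'); icmp_type None means every type.
AclEntry = namedtuple("AclEntry", "name action src dst icmp_type")

def parse_denials(log_lines):
    """Return one Denial per 106023 line; other syslog ids are ignored."""
    found = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if m:
            found.append(Denial(m["sif"], m["src"], m["dif"], m["dst"],
                                int(m["type"]), int(m["code"]), m["acl"]))
    return found

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of tokens."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_icmp_acl(config_lines):
    """Parse 'access-list NAME [extended] {permit|deny} icmp SRC DST [TYPE]' lines
    (PIX 6.3 and 7.x/ASA forms); entries for other protocols are skipped."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, rest = tokens[1], tokens[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if len(rest) < 4 or rest[1] != "icmp":
            continue
        src, rest2 = _parse_addr(rest[2:])
        dst, rest2 = _parse_addr(rest2)
        entries.append(AclEntry(name, rest[0], src, dst, rest2[0] if rest2 else None))
    return entries

def acl_verdict(entries, acl_name, denial):
    """First matching entry wins; an ACL with no matching entry denies implicitly."""
    wanted = ICMP_TYPE_NAMES.get(denial.icmp_type, str(denial.icmp_type))
    for e in entries:
        if e.name != acl_name:
            continue
        if (ip_address(denial.src) in e.src and ip_address(denial.dst) in e.dst
                and e.icmp_type in (None, wanted)):
            return e.action
    return "deny"

def verdicts_for_log(log_lines, config_lines, acl_name):
    """Map each unique (src, dst, icmp type) denied in the log to the ACL's verdict."""
    entries = parse_icmp_acl(config_lines)
    return {(d.src, d.dst, d.icmp_type): acl_verdict(entries, acl_name, d)
            for d in parse_denials(log_lines)}

# Constructed sample log in the format quoted above (two deny lines, one 'Built' line).
SAMPLE_LOG = [
    '4. August 24, 2006 11:10:50 | 106023: Deny icmp src outside:193.222.224.104 '
    'dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in".',
    '6. August 24, 2006 11:10:50 | 302020: Built ICMP connection for faddr '
    '193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993',
    '4. August 24, 2006 11:10:48 | 106023: Deny icmp src outside:193.222.224.104 '
    'dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in".',
]
# Constructed outside ACL before the fix (a web-server entry only) and with the fix added.
ACL_BEFORE = ["access-list outside_access_in extended permit tcp any host 212.203.90.59 eq www"]
ACL_AFTER = ACL_BEFORE + ["access-list outside_access_in extended permit icmp any any echo-reply"]

if __name__ == "__main__":
    for label, cfg in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, verdicts_for_log(SAMPLE_LOG, cfg, "outside_access_in"))
```

Running it reports "deny" for the echo-reply from 193.222.224.104 with the original ACL and "permit" once the echo-reply entry is present; the same check applies to any 106023 line whose type is 0.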