ICMP problem on a PIX 515E

Internet---R1--pix---R2--3512---LAN.

We are able to ping from the LAN (high security level) to the Internet, but the outside host (low security level) and my R1 cannot ping either the inside of the PIX or the LAN.

My access list is configured to allow ICMP traffic from the outside to the local network.

Here is my PIX configuration:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dmz2 security10
enable password encrypted
passwd encrypted
hostname Pix515
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any host 192.168.1.2 echo
pager lines 24
logging on
logging buffered errors
logging trap debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dmz2 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip address dmz 172.16.128.1 255.255.255.0
no ip address dmz2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address dmz2
pdm history enable
arp timeout 7200
global (outside) 1 192.168.1.50-192.168.1.253
global (outside) 1 192.168.1.254
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
route inside 10.0.0.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ max-failed-attempts 3
aaa-server tacacs+ deadtime 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec security-association lifetime seconds 2700
telnet 172.16.1.2 255.255.255.255 inside
telnet 192.168.1.2 255.255.255.255 inside
telnet 10.0.0.2 255.255.255.255 inside
telnet 10.0.0.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd domain
dhcpd auto_config outside
terminal width 80
Cryptochecksum:
: end
Pix515#

Thanks in advance

GIS

Federico's post should help you set up a static. Also, when I said "outside to inside you will need a public IP address", I meant the Internet.
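The two checks a PIX 6.3 applies to ICMP arriving on the outside interface, as an added example (not code from the post or from Cisco): it parses access-list 102 from the question with first-match semantics and the implicit deny, then reports why an echo-reply returning to a dynamically translated inside address passes while an outside-initiated echo to the same address is dropped. It assumes the restored PIX syntax above; the static used in the test is hypothetical.

```python
"""Model the ICMP checks a PIX 6.3 applies to traffic arriving on 'outside'.

Constructed example, not the poster's or Cisco's code. PIX 6.3 has no stateful
ICMP inspection, so each ICMP message must be permitted by the ACL bound with
'access-group ... in interface outside', and a flow initiated from outside also
needs a 'static' for its destination. Only through-the-box traffic is modelled:
pings aimed at the PIX's own interfaces are governed by the 'icmp' command.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMP type keywords accepted in PIX ACLs that this checker understands
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo": 8, "time-exceeded": 11, "parameter-problem": 12}

# Constructed excerpt of the config in the question (syntax restored),
# keeping only the lines that matter for inbound ICMP.
PIX_CONFIG = """\
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any host 192.168.1.2 echo
global (outside) 1 192.168.1.50-192.168.1.253
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
access-group 102 in interface outside
"""


@dataclass
class IcmpRule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int]  # None matches every ICMP type


def _addr(tok, i):
    """Consume one PIX address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def outside_acl_name(config):
    """Name of the ACL applied inbound on the outside interface, or None."""
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-group"] and tok[2:5] == ["in", "interface", "outside"]:
            return tok[1]
    return None


def parse_icmp_rules(config, name):
    """Collect the ICMP entries of access-list NAME in order; others are skipped."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", name] or len(tok) < 6 or tok[3] != "icmp":
            continue
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        itype = None
        if i < len(tok):  # optional ICMP type keyword or number
            itype = ICMP_TYPES[tok[i]] if tok[i] in ICMP_TYPES else int(tok[i])
        rules.append(IcmpRule(tok[2], src, dst, itype))
    return rules


def acl_verdict(rules, src_ip, dst_ip, icmp_type):
    """First matching entry wins; every PIX ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and r.icmp_type in (None, icmp_type):
            return r.action
    return "deny"


def has_static(config, global_ip):
    """True if a 'static (inside,outside) GLOBAL LOCAL ...' line covers global_ip."""
    g = ipaddress.ip_address(global_ip)
    for line in config.splitlines():
        tok = line.split()
        # port-static form 'static (in,out) tcp ...' is not modelled here
        if tok[:1] == ["static"] and len(tok) >= 4 and tok[2][:1].isdigit():
            if ipaddress.ip_address(tok[2]) == g:
                return True
    return False


def inbound_icmp(config, src_ip, dst_ip, icmp_type, outside_initiated):
    """Explain whether an ICMP packet arriving on 'outside' gets through."""
    name = outside_acl_name(config)
    if name is None:
        return "denied: no access-group on outside, inbound traffic is dropped"
    if acl_verdict(parse_icmp_rules(config, name), src_ip, dst_ip, icmp_type) != "permit":
        return f"denied: no entry in access-list {name} permits type {icmp_type}"
    if outside_initiated and not has_static(config, dst_ip):
        # A dynamic global from a nat/global pair only exists while an inside
        # host has an xlate open; an outside host cannot rely on it.
        return f"denied: no static translation for {dst_ip}"
    return "permitted"
```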


Similar Questions

  • PIX 515E configuration problems

    I have a UR PIX 515 (6.3.2 OS) that works really well, so I copied the configuration to my new PIX 515E-R (OS 6.3.2). The two PIXes have exactly the same configuration. But when I use the PIX 515E-R, I have some problems with the PIX 515E-R only:

    - I can't access the Internet, but I can ping the Internet router from my PIX 515E. The problem, in my view, must be with the Internet router, not on my external interface.

    - I have a similar problem with my DMZ. I can ping the DMZ, a frame relay router interface, but I can't get past this router.

    Is it possible that the PIX 515E-R is not compatible with the router, while the PIX 515 UR is?

    Thanks for your replies.

    Hello

    Just a thought, try clearing the ARP table on the router and see what happens. Let me know if it helps.

    Jay

  • 515E eth0 and eth1 not seeing each other's networks

    I feel like a n00b here, but I am having trouble with something that should be simple, so note the following question as one asked with a sheepish smile...

    Problem: I have a 515E set up to authenticate to a DSL modem, which provides a public IP address on the 515E's ethernet0. From the 515E I can ping the outside world.

    On ethernet1 I see an internal network, 192.168.50.0, which the 515E answers as well.

    Computers inside the 515E cannot see through to the outside, ping or anything else.

    I guess I have configured my nat or global badly, but all the documents I read assumed you have more than one outside IP to work with. I just need to get everyone inside out using the single IP address on the external interface. I also plan to implement several VPNs through this interface; is it unwise to use one address for all?

    Here is my config:

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    enable password * encrypted
    passwd * encrypted
    hostname YRPCI
    domain-name yearroundpool.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name x.x.x.x Bluff_Outside
    access-list acl_out permit tcp 192.168.50.0 255.255.255.0 any
    access-list acl_out permit icmp any any
    access-list acl_out permit ip any any
    access-list acl_in permit icmp any any
    access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
    access-list outside_cryptomap_9 permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
    pager lines 24
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside pppoe setroute
    ip address inside 192.168.50.1 255.255.255.0
    ip address intf2 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.50.0 255.255.255.255 inside
    pdm location Bluff_Outside 255.255.255.255 outside
    pdm history enable
    arp timeout 14400
    global (outside) 200 interface
    global (inside) 100 192.168.50.8-192.168.50.254
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    access-group acl_inbound in interface outside
    access-group acl_outbound in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    floodguard enable
    no sysopt route dnat
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto map outside_map 9 ipsec-isakmp
    crypto map outside_map 9 match address outside_cryptomap_9
    crypto map outside_map 9 set peer 64.53.71.8
    crypto map outside_map 9 set transform-set ESP-DES-SHA
    crypto map outside_map interface outside
    ssh timeout 5
    vpdn group pppoex request dialout pppoe
    vpdn group pppoex localname *
    vpdn group pppoex ppp authentication pap
    vpdn username * password *

    Thank you for your time in advance.

    Dave

    Hello

    Indeed, there is something wrong with your nat/global config.

    Remove these lines:

    global (outside) 200 interface
    global (inside) 100 192.168.50.8-192.168.50.254
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0

    and replace them with these lines:

    global (outside) 200 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 200 0.0.0.0 0.0.0.0 0 0

    The "nat (inside) 0" line is part of the VPN configuration.

    What matters now are the "nat (outside) 200" and "global (outside) 200" commands.

    You should always have a nat/global pair with the same id (200 in this case). All the inside addresses (0.0.0.0 0.0.0.0) will be translated to the IP address of the PIX's outside interface.

    This will allow all inside addresses access to the outside (except ICMP!).

    If you want internal hosts to have full access to the outside, you can remove the access list "acl_out".

    Kind regards

    Tom

  • How to open ICMP?

    Hello.

    I have a Linksys (Cisco) E3000 router, but some problem with ICMP. I know this because I can't access the ports I opened on the LAN side as part of the NAT; I run an FTP server and a Windows Server 2008 with my own home web page.

    Does anyone know how to set this up on the router? I cannot find this setting, not even for the ping function. It should be possible to start/stop it.

    Best regards, BBJ

    Try the "Filter Internet NAT Redirection" option.

    If this does not work for you, there is no way to test the port forwards from inside your LAN, simply because you cannot send a packet out of the WAN port and back. Packets coming from the LAN side of the router don't go through NAT...

    You can only try general web-based port checking tools on the Internet.

  • PIX 515 E (PIX OS 7.0.1) / website problem

    I have a problem with a PIX 515E running PIX OS 7.0.1.

    Internet access works very well, but there are sites that we sometimes can't open, or that are very slow. I tested the same websites on a dedicated Internet connection and had no problems there.

    I disabled http inspect and dns inspect on the PIX, but the result was the same.

    I have tested it via a web proxy and via a direct connection to the Internet.

    Can someone tell me a solution to this problem?

    Thank you

    D.

    This may be due to this Cisco issue:

    PIX/ASA 7.0 issue: HTTP clients cannot browse to certain websites

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

    Hope this is useful

  • Cannot access my home network via AnyConnect

    I am able to connect through the AnyConnect client and get an IP address, but I am not able to access my administration (internal) network.

    Administration = 10.18.1.120

    VPN pool = 172.16.10.0/28

    Outside = 10.17.13.120

    This is my config:

    ASA 1.0000 Version 2
    !
    !
    interface GigabitEthernet0/0
     nameif administration
     security-level 100
     ip address 10.18.1.120 255.255.0.0
    !
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address 10.17.13.120 255.255.0.0
    !
    interface GigabitEthernet0/2
     nameif admin-out13
     security-level 0
     ip address 10.13.1.120 255.255.0.0
    !
    interface GigabitEthernet0/3
     nameif VOIP
     security-level 0
     ip address 10.90.100.120 255.255.0.0
    !
    ftp mode passive
    object network NETWORK_OBJ_172.16.10.0_29
     subnet 172.16.10.0 255.255.255.248
    object network Admin_Email_Server
     host 10.18.4.120
     description admin e-mail server
    object network Admin_Srv_Farm
     subnet 10.18.4.0 255.255.255.0
     description subnet where the admin servers are hosted
    object-group icmp-type ICMP_Group
     icmp-object alternate-address
     icmp-object conversion-error
     icmp-object echo
     icmp-object echo-reply
     icmp-object information-reply
     icmp-object information-request
     icmp-object mask-reply
     icmp-object mask-request
     icmp-object mobile-redirect
     icmp-object parameter-problem
     icmp-object redirect
     icmp-object router-advertisement
     icmp-object router-solicitation
     icmp-object source-quench
     icmp-object time-exceeded
     icmp-object timestamp-reply
     icmp-object timestamp-request
     icmp-object traceroute
     icmp-object unreachable
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu administration 1500
    mtu outside 1500
    mtu admin-out13 1500
    mtu ip_phones 1500
    ip local pool ADMIN_VPN_POOL 172.16.10.1-172.16.10.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    no asdm history enable
    arp timeout 14400
    nat (administration,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29 no-proxy-arp route-lookup
    nat (administration,outside) source static Admin_Srv_Farm Admin_Srv_Farm destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.18.0.0 255.255.0.0 administration
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=admin-pare-fire
     crl configure
    crypto ca certificate chain ASDM_TrustPoint0

    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 10.90.100.1-10.90.100.100 ip_phones
    dhcpd dns 4.2.2.2 8.8.8.8 interface ip_phones
    dhcpd lease 1800 interface ip_phones
    dhcpd domain uz.ac.zw interface ip_phones
    dhcpd option 3 ip 10.90.1.254 interface ip_phones
    dhcpd enable ip_phones
    !
    !
    tls-proxy maximum-session 1000
    !
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     anyconnect profiles ITADMIN_VPN_client_profile disk0:/ITADMIN_VPN_client_profile.xml
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_ITADMIN_VPN internal
    group-policy GroupPolicy_ITADMIN_VPN attributes
     wins-server none
     dns-server value 10.18.4.120 10.50.7.178
     vpn-tunnel-protocol ikev2 ssl-client
     default-domain value uz.ac.zw
     webvpn
      anyconnect profiles value ITADMIN_VPN_client_profile type user
    username webster password nwgth7HVlZ/qiWnP encrypted
    username webster attributes
     service-type remote-access
    username admin password xxxxxxxxxxx encrypted privilege 15
    username user2 password xxxxxxxxxxx encrypted privilege 15
    username user2 attributes
     service-type remote-access
    tunnel-group ITADMIN_VPN type remote-access
    tunnel-group ITADMIN_VPN general-attributes
     address-pool ADMIN_VPN_POOL
     default-group-policy GroupPolicy_ITADMIN_VPN
    tunnel-group ITADMIN_VPN webvpn-attributes
     group-alias ITADMIN_VPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
     class class-default
      user-statistics accounting
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c9820a69d5b4fb9e3f7cce253f2450e4

    After adding the "management-access administration" command, please check whether you are able to ping the administration interface (IP = 10.18.1.120) from the remote user's machine. In addition, run this command on the ASA:

    packet-tracer input administration icmp <host ip> 8 0 <assigned ip> detailed

    Once you run this, please copy the output and share it here. <host ip> is the IP address of the host sitting behind the administration interface that you expect to be reachable by ping from outside; <assigned ip> is the IP address assigned to the AnyConnect client from the pool.

    Share the details here and we will be able to understand the issue.

    Thank you

    Vishnu

  • ASA - after upgrade to 8.4, impossible to ping the inside interface via IPSec VPN

    We have a 5-site, site-to-site VPN scenario configured. Last week we upgraded 2 ASA 5505 devices to 8.4.2. Before the upgrade, our monitoring software would ping the inside interface of remote devices to confirm VPN tunnels were established, as well as the addresses of remote devices and the outside of the ASA. While we were on 8.2, remote equipment successfully pinged the inside interface. After we went to 8.4.2, we cannot ping this interface. We looked at the logs and we see the ICMP traffic listed in the log, but the remote equipment does not receive ICMP traffic back. From local hardware we can successfully ping the inside interface and the outside interface of remote devices. In addition, we can ping hardware behind the two devices in both directions successfully.

    We are unable to remotely manage the device through the VPN tunnel.

    The network is:

    ASA #1 inside 10.168.107.1 (running ASA 8.2)

    ASA #2 inside 10.168.101.1 (running ASA 8.4)

    Server 1 (behind ASA #1) 10.168.107.34

    Server 2 (behind ASA #2) 10.168.101.14

    Can ping server 1 to server 2

    Can ping server 1 to ASA 1

    Can ping server 2 to ASA 2

    Can ping server 2 to server 1

    Can ping server 2 to ASA 1

    Can ping ASA 2 to ASA 1

    Cannot ping ASA 1 to ASA 2

    Cannot ping server 1 to ASA 2

    Cannot access the ASA 2 https management interface, nor can ASDM

    Here is the config on ASA 2 (attached).

    Any thoughts would be appreciated.

    Hey Joseph,

    Most likely you hit this bug:

    CSCtr16184            Bug Details
    To-the-box traffic fails for VPN hosts after upgrade to 8.4.2.
    Symptom:
    After upgrading the ASA to 8.4.2, all to-the-box management traffic (including
    ICMP/telnet/ssh/ASDM) from hosts coming over VPN (L2L or remote-access VPN) can
    fail to the management-access IP address.
    Conditions:
    1. The problem occurs if the ASA is on 8.4.2. Not seen on 8.4.1.
    2. Users directly connected to the inside interfaces have no problem with
    ICMP/telnet/ssh/ASDM to their respective interfaces.
    Workaround:
    The problem is traced back to a Manual NAT statement that overlaps the
    management-access IP address. The NAT must have both source and
    destination sections. Adding the keyword "route-lookup" at the end of
    the NAT statement resolves the problem. Ex:
    Management-access interface IP address of the ASA is 192.168.1.1.
    ! Overlapping NAT statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
    ! New statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn route-lookup

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

    HTH,

    Raga

  • Site to site VPN works only on Cisco 881

    I have 2 problems with a Cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the Internet on the outside. But I know that the router has Internet access, because I can ping the external IP address. The 2nd problem is that I have a site-to-site VPN set up, but when I test the site-to-site I get this error:

    destination of traffic of the tunnel must be channelled through the crypto map interface. The destination following (s) doesn't have a routing entry in the routing table
    192.168.2.0

    I copied the config for this router from another working Cisco 881, where everything works. The only difference is that this router needs a site-to-site VPN connection.

    My question is how I can get Internet access on Vlan2, and how I can solve the site-to-site connection.

    Here's the running configuration:

    Building configuration...

    Current configuration : 12698 bytes
    !
    version 15.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Cisco_881
    !
    boot-start-marker
    boot-end-marker
    !
    aqm-register-fnf
    !
    logging buffered 51200 warnings
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization network default local
    !
    !
    !
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-1151531093
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1151531093
     revocation-check none
     rsakeypair TP-self-signed-1151531093
    !
    crypto pki trustpoint TP-self-signed-2011286623
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2011286623
     revocation-check none
     rsakeypair TP-self-signed-2011286623
    !
    !
    crypto pki certificate chain TP-self-signed-1151531093
     certificate self-signed 01
    quit smoking
    TP-self-signed-2011286623 crypto pki certificate chain
    no ip source route
    !
    !
    !
    !

    !
    DHCP excluded-address IP 10.10.10.1
    DHCP excluded-address IP 192.168.5.1 192.168.5.49
    DHCP excluded-address IP 192.168.5.150 192.168.5.254
    !
    DHCP IP CCP-pool
    import all
    Network 10.10.10.0 255.255.255.248
    default router 10.10.10.1
    Rental 2 0
    !
    IP dhcp Internet pool
    network 192.168.5.0 255.255.255.0
    router by default - 192.168.5.254
    DNS-Server 64.59.135.133 64.59.128.120
    lease 6 0
    !
    !
    !
    no ip domain search
    "yourdomain.com" of the IP domain name
    name of the IP-Server 64.59.135.133
    name of the IP-Server 64.59.128.120
    IP cef
    No ipv6 cef
    !
    !
    !
    !
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    !
    !
    !
    !
    !
    udi pid C881-K9 sn FTX18438503 standard license
    !
    !
    Archives
    The config log
    hidekeys
    username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
    username * secret 5 $1$ 17 ST$ QzJMvQnZ9Q.1y7u0rYXFa0
    username * secret 5 $1$ L4W9$ zBKpawZ3i5nXxwyS9H6Lf1
    !
    !
    !
    !
    !
    no passive ftp ip
    !
    !
    crypto ISAKMP policy 1
    BA aes 256
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 2
    BA 3des
    preshared authentication
    Group 2
    isakmp encryption key * address 208.98.212.xx
    !
    Configuration group crypto isakmp MPE client
    key *.
    pool VPN_IP_POOL
    ACL 100
    include-local-lan
    10 Max-users
    netmask 255.255.255.0
    banner ^ practive entered the field

    This area is reserved for administrators of control systems.

    If you are here by mistake, please disconnect immediately.

    You have full access to 192.168.125.0 / 0.0.0.255

    Support on continue to start your session.              ^ C
    !
    Configuration group customer crypto isakmp PALL
    key *.
    pool VPN_IP_POOL_PALL
    ACL 101
    include-local-lan
    Max - 1 users
    netmask 255.255.255.0
    banner ^ practive entered the field

    This area is limited to the PALL access only.

    If you are here by mistake, please disconnect immediately.

    You have full access to 192.168.125.0 / 0.0.0.255

    Support on continue to start your session.            ^ C
    ISAKMP crypto profile vpn_isakmp_profile
    game of identity EMT group
    client authentication list default
    Default ISAKMP authorization list
    client configuration address respond
    virtual-model 1
    ISAKMP crypto profile vpn_isakmp_profile_2
    match of group identity PALL
    client authentication list default
    Default ISAKMP authorization list
    client configuration address respond
    virtual-model 2
    !
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac VPN_TRANSFORM
    tunnel mode
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    tunnel mode
    !
    Profile of crypto ipsec VPN_PROFILE_MPE
    Set the security association idle time 3600
    game of transformation-VPN_TRANSFORM
    vpn_isakmp_profile Set isakmp-profile
    !
    Profile of crypto ipsec VPN_PROFILE_PALL
    Set the security association idle time 1800
    game of transformation-VPN_TRANSFORM
    vpn_isakmp_profile_2 Set isakmp-profile
    !
    !
    !
    map SDM_CMAP_1 1 ipsec-isakmp crypto
    Description Tunnel to208.98.212.xx
    the value of 208.98.212.xx peer
    game of transformation-ESP-3DES-SHA
    match address 102
    !
    !
    !
    !
    !
    !
    interface Loopback0
    IP 192.168.40.254 255.255.255.0
    !
    interface FastEthernet0
    no ip address
    !
    interface FastEthernet1
    no ip address
    !
    interface FastEthernet2
    switchport access vlan 2
    no ip address
    !
    interface FastEthernet3
    switchport access vlan 2
    no ip address
    !
    interface FastEthernet4
    IP address 208.98.213.xx 255.255.255.224
    IP access-group 111 to
    NAT outside IP
    IP virtual-reassembly in
    automatic duplex
    automatic speed
    map SDM_CMAP_1 crypto
    !
    type of interface virtual-Template1 tunnel
    IP unnumbered Loopback0
    ipv4 ipsec tunnel mode
    Tunnel VPN_PROFILE_MPE ipsec protection profile
    !
    tunnel type of interface virtual-Template2
    IP unnumbered Loopback0
    ipv4 ipsec tunnel mode
    Tunnel VPN_PROFILE_PALL ipsec protection profile
    !
    interface Vlan1
    Description of control network
    IP 192.168.125.254 255.255.255.0
    IP access-group CONTROL_IN in
    IP access-group out CONTROL_OUT
    IP nat inside
    IP virtual-reassembly in
    IP tcp adjust-mss 1452
    !
    interface Vlan2
    Description Internet network
    IP 192.168.5.254 255.255.255.0
    IP access-group INTERNET_IN in
    IP access-group out INTERNET_OUT
    IP nat inside
    IP virtual-reassembly in
    !
    local IP VPN_IP_POOL 192.168.40.100 pool 192.168.40.150
    local IP VPN_IP_POOL_PALL 192.168.40.151 pool 192.168.40.152
    IP forward-Protocol ND
    IP http server
    23 class IP http access
    local IP http authentication
    IP http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    !
    IP nat inside source static tcp 192.168.125.2 25000 25000 FastEthernet4 interface
    IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
    IP route 0.0.0.0 0.0.0.0 FastEthernet4 permanent 208.98.236.xx
    !
    ip access-list extended CONTROL_IN
     remark Control access
     remark CCP_ACL Category=17
     permit udp any host 192.168.125.254 eq non500-isakmp
     permit udp any host 192.168.125.254 eq isakmp
     permit esp any host 192.168.125.254
     permit ahp any host 192.168.125.254
     permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
     remark VPN access
     permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
     remark VNC access
     permit tcp host 192.168.125.2 eq 25000 any
     remark e-mail to WIN911
     permit tcp host 192.168.125.2 any eq smtp
     remark DNS traffic
     permit udp host 192.168.125.2 host 64.59.135.133 eq domain
     permit udp host 192.168.125.2 host 64.59.128.120 eq domain
     remark Block everything else
     deny ip any any
    ip access-list extended CONTROL_OUT
     remark Control access
     permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
     remark VPN access
     permit ip 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
     remark VNC access
     permit tcp any host 192.168.125.2 eq 25000
     remark e-mail to WIN911
     permit tcp any host 192.168.125.2 eq smtp
     remark DNS replies
     permit udp any eq domain host 192.168.125.2
     remark deny all other traffic
     deny ip any any
    ip access-list extended INTERNET_IN
     remark VNC access on VLAN
     permit tcp any host 192.168.125.2 eq 25000
     remark block all other control and VPN
     deny ip any 192.168.125.0 0.0.0.255
     deny ip any 192.168.40.0 0.0.0.255
     remark permit all other traffic
     permit ip any any
    ip access-list extended INTERNET_OUT
     remark full outbound Internet access
     permit ip any any
    ip access-list extended WAN_IN
     permit ip host 207.229.14.xx any
     remark PERMIT ESTABLISHED TCP CONNECTIONS
     permit tcp any eq smtp any established
     remark ALLOW DOMAIN CONNECTIONS
     permit udp host 64.59.135.133 eq domain any
     permit udp host 64.59.128.120 eq domain any
     remark ALLOW ICMP WARNING RETURNS
     permit icmp any any unreachable
     permit icmp any any parameter-problem
     permit icmp any any packet-too-big
     permit icmp any any administratively-prohibited
     permit icmp any any source-quench
     permit icmp any any time-exceeded
     deny icmp any any
     permit ip any any
    !
    ip sla auto discovery
    no cdp run
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 103
    !
    access-list 1 remark out to WAN routing
    access-list 1 remark CCP_ACL Category=16
    access-list 1 permit 192.168.125.2
    access-list 1 permit 192.168.5.0 0.0.0.255
    access-list 23 remark SSH and HTTP access permissions
    access-list 23 permit 192.168.125.0 0.0.0.255
    access-list 23 permit 192.168.40.0 0.0.0.255
    access-list 23 permit any
    access-list 100 remark VPN traffic
    access-list 100 permit ip 192.168.125.0 0.0.0.255 any
    access-list 100 permit ip 192.168.40.0 0.0.0.255 any
    access-list 101 remark PALL VPN traffic
    access-list 101 permit ip 192.168.125.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
    access-list 103 remark CCP_ACL Category=2
    access-list 103 remark IPSec Rule
    access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
    access-list 103 permit ip 192.168.5.0 0.0.0.255 any
    access-list 103 permit ip host 192.168.125.2 any
    access-list 111 remark CCP_ACL Category=17
    access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
    access-list 111 permit udp any host 208.98.213.xx eq isakmp
    access-list 111 permit esp any host 208.98.213.xx
    access-list 111 permit ahp any host 208.98.213.xx
    access-list 111 remark IPSec Rule
    access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
    access-list 111 remark IPSec Rule
    access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
    access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
    access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
    access-list 111 permit esp host 208.92.12.xx host 208.92.13.xx
    access-list 111 permit ahp host 208.92.12.xx host 208.92.13.xx
    access-list 111 permit icmp any host 208.92.13.xx
    access-list 111 permit tcp any host 208.92.13.xx eq 25000
    access-list 111 permit tcp any host 208.92.13.xx eq 22
    access-list 111 permit tcp any host 208.92.13.xx eq telnet
    access-list 111 permit tcp any host 208.92.13.xx eq www
    !
    !
    !
    control-plane
    !
    !
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    !
    !
    !
    banner exec ^C
    % Password expiration warning.
    -----------------------------------------------------------------------

    Disconnect IMMEDIATELY if you are not an authorized user
    ^C
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 23 in
     password *
     transport input telnet ssh
     transport output all
    line vty 5 15
     access-class 160 in
     password *
     transport input all
     transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    !
    end

    Thank you.

    It seems that DNS is failing, because you do get out to the Internet, but it does not work when Internet DNS resolution is involved.

    Go ahead and try to ping 157.166.226.25, and open http://157.166.226.25/ (CNN.com) in the browser. Let's try those. Also, just in case, here is how to configure a DNS server on your router.

    - http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...

    Disable any ZBF just in case.

    David Castro,

    Kind regards

  • Cannot Ping Through Site to Site host

    The two ends are ASA 5510. The IPsec tunnel is running.

    Show crypto isakmp

    Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

    Total IKE SA: 1

    1   IKE Peer: 50.240.120.233

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

    Show crypto ipsec

    #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46

    #pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 46, #pkts comp failed: 0, #pkts decomp failed: 0

    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

    #send errors: 0, #recv errors: 0

    I can ping from my side (10.1.20.0/24), but only to the "inside" interface of the remote ASA (10.2.20.1). I can't ping other computers on the remote subnet. The remote subnet is not able to ping anything on my side.

    Here is the config on my side

    : Saved

    :

    ASA Version 8.2(1)

    !

    hostname asa

    names

    name 72.xxx.xxx.xxx Telepacific_Gateway

    name 184.188.50.225 Cox_Gateway

    name 10.1.20.32 VPN

    name 10.2.20.0 Jacksonville-Subnet

    !

    interface Ethernet0/0

    description Telepacific 4Mb Internet

    nameif WAN_TelePacific

    security-level 0

    ip address 72.xxx.xxx.xxx 255.255.255.248

    !

    interface Ethernet0/1

    description Cox 10Mb Fiber Internet

    speed 100

    duplex full

    nameif WAN_Cox

    security-level 0

    ip address 184.xxx.xxx.xxx 255.255.255.248

    !

    interface Ethernet0/2

    nameif VOIP

    security-level 49

    ip address 10.1.10.1 255.255.255.0

    !

    interface Ethernet0/3

    nameif inside

    security-level 50

    ip address 10.1.20.1 255.255.255.0

    !

    interface Management0/0

    nameif management

    security-level 100

    ip address 192.168.1.1 255.255.255.0

    management-only

    !

    ftp mode passive

    clock timezone PST -8

    clock summer-time PDT recurring

    dns domain-lookup WAN_TelePacific

    dns domain-lookup WAN_Cox

    dns server-group DefaultDNS

    name-server 209.242.128.100

    name-server 209.242.128.101

    name-server 8.8.8.8

    same-security-traffic permit inter-interface

    same-security-traffic permit intra-interface

    object-group icmp-type ICMP

    icmp-object alternate-address

    icmp-object conversion-error

    icmp-object echo

    icmp-object echo-reply

    icmp-object information-reply

    icmp-object information-request

    icmp-object mask-reply

    icmp-object mask-request

    icmp-object mobile-redirect

    icmp-object parameter-problem

    icmp-object redirect

    icmp-object router-advertisement

    icmp-object router-solicitation

    icmp-object source-quench

    icmp-object time-exceeded

    icmp-object timestamp-reply

    icmp-object timestamp-request

    icmp-object traceroute

    icmp-object unreachable

    object-group protocol TCPUDP

    protocol-object udp

    protocol-object tcp

    access-list DefaultRAGroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0

    access-list ragroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0

    access-list WAN_Cox_1_cryptomap extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0

    access-list WAN_access_in extended permit icmp any any

    access-list WAN_Cox_access_in extended permit icmp any any

    access-list WAN_Cox_access_in extended permit udp VPN 255.255.255.224 10.1.20.0 255.255.255.0

    access-list WAN_Cox_access_in extended permit tcp VPN 255.255.255.224 10.1.20.0 255.255.255.0

    access-list inside_nat_outbound_1 extended permit ip any any

    access-list inside_nat_outbound extended permit ip any any

    access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 VPN 255.255.255.224

    pager lines 24

    logging enable

    logging asdm informational

    logging mail critical

    mtu WAN_TelePacific 1500

    mtu WAN_Cox 1500

    mtu VOIP 1500

    mtu inside 1500

    mtu management 1500

    ip local pool RA VPN-10.1.20.49 mask 255.255.255.0

    icmp unreachable rate-limit 1 burst-size 1

    icmp deny any WAN_TelePacific

    asdm history enable

    arp timeout 14400

    global (WAN_TelePacific) 101 interface

    global (WAN_Cox) 102 interface

    global (inside) 103 interface

    nat (WAN_Cox) 103 VPN 255.255.255.224 outside

    nat (VOIP) 102 0.0.0.0 0.0.0.0

    nat (inside) 0 access-list inside_nat0_outbound

    nat (inside) 102 access-list inside_nat_outbound

    nat (inside) 101 access-list inside_nat_outbound_1

    nat (management) 102 0.0.0.0 0.0.0.0

    access-group WAN_access_in in interface WAN_TelePacific

    access-group WAN_Cox_access_in in interface WAN_Cox

    route WAN_Cox 0.0.0.0 0.0.0.0 Cox_Gateway 1 track 3

    route WAN_TelePacific 0.0.0.0 0.0.0.0 Telepacific_Gateway 254

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    ldap attribute-map CISCOMAP

    map-name  msNPAllowDialin IETF-Radius-Class

    map-value msNPAllowDialin FALSE NOACCESS

    map-value msNPAllowDialin TRUE ALLOWACCESS

    dynamic-access-policy-record DfltAccessPolicy

    aaa-server AD_Group_author protocol ldap

    aaa-server AD_Group_author (inside) host 10.1.20.10

    server-port 389

    ldap-base-dn DC=,DC=LOCAL

    ldap-scope subtree

    ldap-naming-attribute sAMAccountName

    ldap-login-password *

    ldap-login-dn CN=VPN,CN=Users,DC=,DC=local

    server-type microsoft

    ldap-attribute-map CISCOMAP

    aaa authentication ssh console LOCAL

    http server enable

    http 192.168.1.0 255.255.255.0 management

    http 10.1.20.0 255.255.255.0 inside

    http 0.0.0.0 0.0.0.0 WAN_TelePacific

    http 0.0.0.0 0.0.0.0 WAN_Cox

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    sysopt noproxyarp inside

    sla monitor 100

    type echo protocol ipIcmpEcho Telepacific_Gateway interface WAN_Cox

    num-packets 20

    sla monitor schedule 100 life forever start-time now

    sla monitor 101

    type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox

    sla monitor schedule 101 life forever start-time now

    sla monitor 102

    type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox

    sla monitor schedule 102 life forever start-time now

    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto ipsec security-association lifetime seconds 28800

    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map WAN_map interface WAN_TelePacific

    crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map management_map interface management

    crypto map WAN_Cox_map 1 match address WAN_Cox_1_cryptomap

    crypto map WAN_Cox_map 1 set pfs

    crypto map WAN_Cox_map 1 set peer 50.240.120.233

    crypto map WAN_Cox_map 1 set transform-set ESP-3DES-SHA

    crypto map WAN_Cox_map 1 set nat-t-disable

    crypto map WAN_Cox_map interface WAN_Cox

    crypto ca trustpoint vpn_ssl_cert

    fqdn asa

    subject-name CN=asa

    no client-types

    crl configure

    crypto isakmp enable WAN_Cox

    crypto isakmp enable inside

    crypto isakmp enable management

    crypto isakmp policy 10

    authentication crack

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    crypto isakmp policy 30

    authentication pre-share

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    !

    track 1 rtr 100 reachability

    !

    track 2 rtr 101 reachability

    !

    track 3 rtr 102 reachability

    no vpn-addr-assign aaa

    no vpn-addr-assign dhcp

    telnet timeout 5

    ssh 10.1.20.0 255.255.255.0 inside

    ssh timeout 5

    ssh version 2

    console timeout 5

    management-access inside

    dhcpd address 10.1.10.51-10.1.10.254 VOIP

    dhcpd dns 216.70.224.17 8.8.8.8 interface VOIP

    dhcpd enable VOIP

    !

    dhcpd address 10.1.20.100-10.1.20.254 inside

    dhcpd dns 216.70.224.17 8.8.8.8 interface inside

    dhcpd wins 10.1.20.10 1.1.20.11 interface inside

    dhcpd domain local interface inside

    !

    dhcpd address 192.168.1.2-192.168.1.254 management

    dhcpd enable management

    !

    threat-detection basic-threat

    threat-detection scanning-threat shun except ip-address 10.1.20.0 255.255.255.0

    threat-detection scanning-threat shun except ip-address 10.1.20.10 255.255.255.255

    threat-detection scanning-threat shun except ip-address 10.1.20.12 255.255.255.255

    threat-detection scanning-threat shun duration 3600

    threat-detection statistics

    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

    ntp server 10.1.20.10 source inside prefer

    webvpn

    enable WAN_Cox

    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

    svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2

    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3

    svc enable

    group-policy NOACCESS internal

    group-policy NOACCESS attributes

    vpn-simultaneous-logins 0

    vpn-tunnel-protocol IPSec svc

    webvpn

    svc ask none default svc

    group-policy DefaultRAGroup internal

    group-policy DefaultRAGroup attributes

    wins-server value 10.1.20.10

    dns-server value 10.1.20.10

    vpn-tunnel-protocol l2tp-ipsec

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

    default-domain value local

    group-policy DfltGrpPolicy attributes

    vpn-tunnel-protocol IPSec l2tp-ipsec

    address-pools value RA

    group-policy ragroup internal

    group-policy ragroup attributes

    wins-server value 10.1.20.1

    dns-server value 10.1.20.1

    vpn-tunnel-protocol l2tp-ipsec

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value ragroup_splitTunnelAcl

    default-domain value

    group-policy ALLOWACCESS internal

    group-policy ALLOWACCESS attributes

    banner none

    wins-server value 10.1.20.10

    dns-server value 10.1.20.10

    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value ragroup_splitTunnelAcl

    default-domain value local

    webvpn

    svc ask none default svc

    tunnel-group DefaultRAGroup general-attributes

    address-pool RA

    default-group-policy DefaultRAGroup

    tunnel-group DefaultRAGroup ipsec-attributes

    pre-shared-key *

    tunnel-group DefaultRAGroup ppp-attributes

    authentication ms-chap-v2

    tunnel-group DefaultWEBVPNGroup general-attributes

    address-pool RA

    authentication-server-group AD_Group_author LOCAL

    authorization-server-group AD_Group_author

    authorization-required

    username-from-certificate use-entire-name

    tunnel-group DefaultWEBVPNGroup ppp-attributes

    authentication ms-chap-v2

    tunnel-group ZRemote type remote-access

    tunnel-group ZRemote general-attributes

    address-pool RA

    authentication-server-group AD_Group_author LOCAL

    tunnel-group TunnelGroup1 type remote-access

    tunnel-group TunnelGroup1 general-attributes

    address-pool RA

    authentication-server-group AD_Group_author LOCAL

    default-group-policy ALLOWACCESS

    tunnel-group 50.240.xxx.xxx type ipsec-l2l

    tunnel-group 50.240.xxx.xxx ipsec-attributes

    pre-shared-key *

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    parameters

    message-length maximum 512

    policy-map global_policy

    class inspection_default

    inspect dns preset_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect esmtp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    inspect xdmcp

    inspect sip

    inspect netbios

    inspect tftp

    !

    service-policy global_policy global

    smtp-server 10.1.20.14

    prompt hostname context

    Cryptochecksum:053e7f169dcfa526b030f5d647cd78e8

    : end

    This ASA configuration seems correct to me.

    Please check the NAT exempt configuration on the remote end.

    If possible, post the config of the remote end as well.

    Kind regards

    NGO

  • NAT problem with PIX 515E

    I configured a PIX 515E, OS 7.0(1), for dynamic PAT from the inside network to the outside IP address of the PIX. I also configured access lists for ICMP from inside to outside and on the inside. All traffic (www, dns, ftp, etc.) works very well except ping. Whenever I ping from an inside host to any outside address, I get the following error messages:

    6 | August 24, 2006 11:10:52 | 609002: Teardown local-host outside:193.222.224.104 duration 0:00:10

    6 | August 24, 2006 11:10:52 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/9 laddr FDFR001/8994

    6 | August 24, 2006 11:10:50 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993

    4 | August 24, 2006 11:10:50 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

    6 | August 24, 2006 11:10:50 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/9 laddr FDFR001/8994

    6 | August 24, 2006 11:10:48 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992

    4 | August 24, 2006 11:10:48 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

    6 | August 24, 2006 11:10:48 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/8 laddr FDFR001/8993

    6 | August 24, 2006 11:10:46 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991

    4 | August 24, 2006 11:10:46 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

    6 | August 24, 2006 11:10:46 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/7 laddr FDFR001/8992

    6 | August 24, 2006 11:10:44 | 302021: Teardown ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990

    4 | August 24, 2006 11:10:44 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

    6 | August 24, 2006 11:10:44 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/6 laddr FDFR001/8991

    4 | August 24, 2006 11:10:42 | 106023: Deny icmp src outside:193.222.224.104 dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"

    6 | August 24, 2006 11:10:42 | 302020: Built ICMP connection for faddr 193.222.224.104/0 gaddr 212.203.90.59/5 laddr FDFR001/8990

    6 | August 24, 2006 11:10:42 | 609001: Built local-host outside:193.222.224.104

    What could be the problem?

    Thank you, Meg

    You only need to allow the echo replies in on the outside interface. If you add the following ACL on the outside, it should work...

    access-list outside_access_in extended permit icmp any any echo-reply
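    The same first-match logic explains both this thread's 106023 messages and the "Deny inbound icmp ... (type 0, code 0)" message in the ASA site-to-site thread further down: without ICMP inspection, the echo-reply coming back is a fresh inbound packet and has to be permitted explicitly by the interface ACL, and the implicit deny at the end of the ACL swallows it otherwise. The following Python is an added example, not code from the thread or from Cisco; it parses a small subset of PIX/ASA ICMP access-list syntax (permit/deny icmp with any, host or address-and-mask endpoints and an optional type keyword), pulls the denied flow out of a 106023 syslog line, and re-evaluates that flow against a proposed ACL so the fix can be checked before it is applied. The ACL entries and the log line are constructed for the demonstration.

```python
"""Added example: first-match evaluation of PIX/ASA ICMP access-list entries,
driven by flows taken from 106023 'Deny icmp' syslog lines.  The ACL lines and
the log line below are constructed for illustration, not from the thread."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# ICMP type keywords accepted by PIX/ASA access-list syntax (subset).
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
              "echo": 8, "time-exceeded": 11, "parameter-problem": 12}


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    src: object               # ip_network
    dst: object               # ip_network
    icmp_type: Optional[int]  # None matches every ICMP type


ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+icmp\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+(?P<type>[a-z-]+))?\s*$")

DENY_RE = re.compile(
    r"106023: Deny icmp src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code \d+\) by access-group \"(?P<acl>[^\"]+)\"")


def _net(token: str):
    """'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (PIX dotted mask) -> ip_network."""
    if token == "any":
        return ip_network("0.0.0.0/0")
    if token.startswith("host"):
        return ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(lines: List[str]) -> dict:
    """Group 'access-list NAME ... icmp ...' lines into {NAME: [Ace, ...]}."""
    acls: dict = {}
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            t = m.group("type")
            acls.setdefault(m.group("name"), []).append(Ace(
                m.group("action"), _net(m.group("src")), _net(m.group("dst")),
                None if t is None else ICMP_TYPES[t]))
    return acls


def evaluate(acl: List[Ace], src: str, dst: str, icmp_type: int) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst and ace.icmp_type in (None, icmp_type):
            return ace.action
    return "deny"


def replay_denies(log_lines: List[str], acl_lines: List[str]) -> List[tuple]:
    """For each 106023 line, re-evaluate the denied flow against acl_lines and
    report (src, dst, icmp_type, verdict), so a proposed ACL fix can be checked."""
    acls = parse_acl(acl_lines)
    out = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if m:
            t = int(m.group("type"))
            verdict = evaluate(acls.get(m.group("acl"), []),
                               m.group("src"), m.group("dst"), t)
            out.append((m.group("src"), m.group("dst"), t, verdict))
    return out


# Constructed: an outside ACL that admits ICMP error messages but forgot echo-reply.
ACL_BEFORE = [
    "access-list outside_access_in extended permit icmp any any unreachable",
    "access-list outside_access_in extended permit icmp any any time-exceeded",
]
# The fix from the thread: add echo-reply, and only echo-reply, to the outside ACL.
ACL_AFTER = ACL_BEFORE + [
    "access-list outside_access_in extended permit icmp any any echo-reply",
]
# Constructed syslog line in the 106023 format shown in the thread.
SAMPLE_LOG = [
    '4 | Aug 24 2006 11:10:50 | 106023: Deny icmp src outside:193.222.224.104 '
    'dst inside:212.203.90.59 (type 0, code 0) by access-group "outside_access_in"',
]

if __name__ == "__main__":
    for acl in (ACL_BEFORE, ACL_AFTER):
        print(replay_denies(SAMPLE_LOG, acl))
```

    Running it shows the echo-reply flow denied under ACL_BEFORE and permitted under ACL_AFTER, while an unsolicited echo (type 8) from the outside stays denied, which is the narrow change the reply above recommends.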

  • Cisco 515E configuration problem

    I made a simple configuration for a Cisco 515E in October this year. A small office uses it for surfing the net.

    Now, they want to set up a web site for themselves. So, I did a static NAT for their web server:

    static (inside,outside) x.x.29.198 192.168.1.1 netmask 255.255.255.255 0 0

    But then, I found a problem. Although I can successfully ping any web site from the internal LAN, I cannot ping the global IP of the web server (x.x.29.198), and I can't ping the external IP address of the firewall (x.x.29.194) either.

    On the other hand, I can ping x.x.29.198 (or 194) from the Internet, and I can ping 192.168.1.1 from the internal LAN. The web service also seems to work fine.

    Can someone tell me how to solve this problem? Thank you.

    Hello

    This isn't a problem, and everything works fine. From the internal LAN, you won't be able to ping the global address of the web server or the PIX outside interface. The PIX/ASA will not allow this.

    Hope that helps.

  • Problems after upgrading Pix 515e from 6.34 to 7.12

    Recently upgraded a PIX 515e from 6.34 to 7.12. Everything seemed to work well, but we are having a problem accessing certain web sites. Basically, we allow all IP traffic from the "inside" network. Log errors are:

    609001: Built local-host outside:199.230.128.100

    106015: Deny TCP (no connection) from djm/1646 to 199.230.128.100/80 flags ACK on interface inside

    609002: Teardown local-host outside:199.230.128.100 duration 0:00:00

    Config is attached...

    We also see these problems on the same platform. We have removed HTTP inspection from the default policy as a temporary workaround:

    policy-map global_policy

     class inspection_default

      no inspect http

    Still looking for a solution...

  • ICMP problem with pix515

    C1 - (in)pix(out) - r1 - internet

    This is all a test network with a computer inside the pix. From this computer I can ping the inside interface of the pix, but from the pix I cannot ping the computer.

    After several tries, I realized that I could solve this problem by changing my inside ip to 192.168.1.250 (after changing the outside) and changing the computer to be on the same subnet. I tried other subnets like 192.168.2.x, 192.168.3.x, 192.168.5.x, 10.10.x.x, but all have the same problem as the original.

    Initial setup:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    enable password <removed> encrypted
    passwd <removed> encrypted
    hostname testpix
    domain-name test.pix
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list pingout permit icmp any any echo-reply
    access-list pingout permit icmp any any time-exceeded
    access-list pingout permit icmp any any unreachable
    pager lines 22
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 192.168.1.250 255.255.255.0
    ip address inside 192.168.0.250 255.255.255.0
    no ip address intf2
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address intf2
    pdm location 192.168.0.1 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group pingout in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.11 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum
    testpix#

    Thanks for the help.

    Are you running a firewall on your computer? Like the Windows XP built-in firewall (SP2)... If it is on and you do not explicitly allow ICMP on the firewall, pinging from the computer to any device will work, but not vice versa.

    HTH

  • PIX 515E failover restart problems

    On Thursday, November 23, we upgraded the PIX cluster from 6.2(2) to 7.1(2) with the default memory (64 MB) in each PIX. The Active PIX then suffered what appeared to be a memory leak (attributed to the ARP Thread process). This continued for a few days, with the result that we force-reloaded the Active PIX every 8 hours to ensure continuity of service. On Monday 27, after a reload, it was noticed that the Active PIX was no longer leaking memory through the ARP Thread process; the same day, we moved the PIX cluster to 128 MB of memory. Then we had active/standby failovers every 2 hours, which seem to be attributed to missed "hello" messages on the failover cable. We then decided to configure LAN failover on the PIX cluster. In the process of enabling this feature, the secondary PIX (which was the current active) crashed.

    Do you have any explanation as to why these events took place?

    Hi Carlton,

    I can tell you that maybe the method you used to upgrade started the chain of problems. I have done migrations of these products and have never run into this before. In general I save the configurations, schedule a service stop, and leave the failover unit working alone while I upgrade the formerly active unit. After the upgrade, I load the configuration I saved before and make the customizations.

    For the unrestricted PIX, 128 MB of memory is really required. For the restricted license, you can use the default of 64 MB.

    After that, you can put the upgraded unit in place of the active one. You then upgrade the failover unit the same way, reconnect it to the active unit already in production, and restart the synchronization.

    For all my clients, it worked.

    I hope this is useful. If so, please rate.

    Kind regards

    Rafael Lanna

  • ASA Site to Site VPN (WITH NAT) ICMP problem

    Hi all!

    I need to PAT traffic from 192.168.1.0/24 (arriving via VPN) that contacts the remote 151.1.1.0/24, through the 192.168.123.9 router in the DMZ (see diagram).

    It works with this configuration, with the exception of ICMP.

    This is the error: Deny inbound icmp src dmz:151.1.1.1 dst outside:192.168.123.229 (type 0, code 0)

    Is there a way to do this?

    Thank you all!

    Marco

    ------------------------------------------------------------------------------------

    ASA Version 8.2(2)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.0 remote-network
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.200.199 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.0.0.2 255.255.255.0
    !
    interface Vlan3
     no forward interface Vlan1
     nameif dmz
     security-level 0
     ip address 192.168.123.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 3
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    object-group network DM_INLINE_NETWORK_1
     network-object 151.1.1.0 255.255.255.0
     network-object 192.168.200.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote-network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 remote-network 255.255.255.0
    access-list VPN_NAT extended permit ip remote-network 255.255.255.0 151.1.1.0 255.255.255.0
    access-list dmz_access_in extended permit icmp any any
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm notifications
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any dmz
    asdm image disk0:/asdm-625.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (dmz) 5 192.168.123.229
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.200.0 255.255.255.0
    nat (outside) 5 access-list VPN_NAT outside
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
    route dmz 151.1.1.0 255.255.255.0 192.168.123.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http remote-network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 10.0.0.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 10.0.0.1 type ipsec-l2l
    tunnel-group 10.0.0.1 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    ------------------------------------------------------------------------------------

    Have a look at the link: you have two ways to allow outgoing ICMP, a proper ACL or ICMP inspection.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
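    The two approaches named in the reply, written out as an added example (this is editor-supplied configuration, not part of the original post or of Cisco's note). It reuses the `outside_access_in`, `global_policy` and `inspection_default` names from the config above; everything else is an assumption about a generic ASA 8.x deployment. Option A replaces the posted `permit icmp any any` line with only the message types an inside host needs to receive as answers to its own probes; Option B enables stateful ICMP inspection instead, so the ASA builds a connection entry for each outbound echo request and admits only the matching reply.

    ```cisco
    ! Option A: stateless ACL on the outside interface.
    ! Narrower than "permit icmp any any": only reply and error types,
    ! never inbound echo (echo requests from the Internet stay blocked by
    ! the implicit deny at the end of the ACL).
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any unreachable
    access-group outside_access_in in interface outside

    ! Option B: stateful ICMP inspection in the default global policy.
    ! The reply is matched to the existing connection created by the
    ! outbound echo request, so no inbound ICMP line is needed in the ACL.
    ! "inspect icmp error" additionally fixes up the NATed addresses that
    ! ICMP error messages (unreachable, time-exceeded) carry in their payload,
    ! which is what makes traceroute through a PAT boundary work.
    policy-map global_policy
     class inspection_default
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    ```

    Option A is the weaker of the two: it lets any outside host deliver unsolicited echo-reply, time-exceeded or unreachable packets to any translated address at any time, because a plain ACL has no notion of which inside host actually sent a request. Option B ties each inbound ICMP message to a live connection and drops the rest, which is why Cisco's note recommends inspection on ASA. Pick one; if both are configured, replies that match an inspected connection never reach the ACL anyway.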
