Rookie of the ASA 5505 - cannot ping remote site or vice versa

Similar Questions

• Configure the ASa 5505 of remote site by using ASDM

  I would like to be able to administer the ASA 5505 from another site, which is connected via a LAN of Ipsec site-to-site.

  How to activate this feature?

  Hello

  You can remotely administer an ASA using the public IP address (via the Internet), or through the tunnel to the private IP address.

  You can reach the private IP address by activating the command:

  management-access inside

  You can access the ASA by IP address private via CLI or GUI.

  Federico.

• SCP behind the ASA 5505 may not help ping an internet address,.

  There must be a problem of ACL configuration.  How to configure the ASA 5505 so that computers

  behind an internet can ping 4.2.2.2 such IP address or www.google.com.

  Thank you

  David

  If you have no ACLs on the external interface, please use the following command to allow ICMP through the ASA.

  fixup protocol icmp.

  So try and ping. Let me know if this helps.

  Also, please give us a little more in detail so that we can understand and help you better

  See you soon,.

  Nash.

• How can I get the engine working in the ASA 5505 Crypto

  I bought a brand new ASA 5505 to connect to the Cisco 3640 and I can not yet set up the tunnel. I have tried to change the set of transformation to just but know luck. I recently put a VPN using DMVPN and Cisco 501 in a site-to-site, but it has been wondering what happens.

  The router (3640 executes code 12.4) seems ok and I don't think I have a problem with the router with Cisco 501 great work.

  This is a laboratory environment.

  This is the function defined on the ASA 5505

  The devices allowed for this platform:

  The maximum physical Interfaces: 8

  VLAN: 3, restricted DMZ

  Internal guests: 10

  Failover: disabled

  VPN - A: enabled

  VPN-3DES-AES: enabled

  Peer VPN: 10

  WebVPN peers: 2

  Double ISP: disabled

  Junction ports VLAN: 0

  AnyConnect for Mobile: disabled

  AnyConnect for Linksys phone: disabled

  Assessment of Advanced endpoint: disabled

  This platform includes a basic license.

  This is a ping from 10.3.4.10 to 10.1.1.1. He said nothing about IPSEC or ISAKMP.

  That's what I get when I do the: show crypto ipsec his

  ASA5505 (config) # show crypto ipsec his

  There is no ipsec security associations

  ASA5505 (config) # show crypto isakmp his

  There is no isakmp sas

  Debug crypto isakmp 10

  entry packets within the icmp 10.3.4.10 8 0 10.1.1.1 detail

  I have worked on it for a week and don't really know if I have a bad ASA5505. Since the normal stuff like browsing the Internet works and I can ping to the outside and inside, I don't know what to think. See attachments.

  "Do what you asked has worked.

  Nice to hear that your problem is solved.

  "My question is can I use the transform-set ESP-3DES-SHA instead of MD5?"

  Of course you can.

  Kind regards.

  Please do not forget to note the useful messages and check "Solved my problem", if the post has solved your problem.

• It takes up to 4 minutes for the player switch between library and Rip, and vice versa.

  I run Media Player 11 on my XP machine with spare 120G on the C: memory and 3G - recently, it takes up to 4 minutes for the player switch between library and Rip, and vice versa. I have re-installed twice but no change. No new software has been installed before this time.

  Hello Absno69,

  Thank you for your message.  You mentioned that there were no new software installed before that happens.  Were there any hardware changes or updates?  If this isn't the case, we will perform a system restore to a point that you know that your system is working effectively.  Click HERE for the system restore instructions.
  Please let us know if it did or did not help to solve your problem.
  See you soon

  Engineer Jason Microsoft Support answers visit our Microsoft answers feedback Forum and let us know what you think.

• cannot ping remote ip on ASA no firewall (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

  some help me

  (Q) ping remote ip unable on ASA is not Firewall not on pc (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

  Note - I can ping PC but not the same subnet ip on ASA2 L3

  PC---> > ASA1 - ASA2<>

  Hi Matt,

  Let me answer your question in two points:

  • You cannot ping an ASA on another interface other than the one where you are connected to the ASA of.

  For example, ASA1 and ASA2 are connected through their interfaces 'outside '. ASA1 (or any other device on the external interface) can not ping/access ASA2 on his (ASA2) within the interface. The only time wherever this can be substituted is a tunnel VPN with the command "access management" configured for other interface, for example management-access inside

  • Traffic ASA1 ping to a remote client behind ASA2 won't over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table that probably this way through its 'outside' interface Except that traffic is allowed with the ASA2 (using the ACL), it will fail.

  We can do on the routers of sourcing our ping to another interface, but it will not work on the SAA.

• ASA 5540 - cannot ping inside the interface

  Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.

  In the ASDM, I see messages like this:

  ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

  This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.

  interface Vlanx

  IP x.x.x.x 255.255.255.0

  IP broadcast directed to 199

  IP accounting output-packets

  IP pim sparse - dense mode

  route IP cache flow

  load-interval 30

  Has anyone experiences the problem like this before? Thanks in advance for any help.

  Can you post the output of the following on the ASA:-

  display the route

  And the output of your base layer diverter: -.

  show ip route<>

  HTH >

• Cisco ASA 5515 - Anyconnect users can connect to ASA, but cannot ping inside the local IP address

  Hello!

  I have a 5515 ASA with the configuration below. I have configure the ASA as remote access with anyconnect VPN server, now my problem is that I can connect but I can not ping.

  ASA Version 9.1 (1)

  !

  ASA host name

  domain xxx.xx

  names of

  local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask

  !

  interface GigabitEthernet0/0

  nameif inside

  security-level 100

  192.168.11.1 IP address 255.255.255.0

  !

  interface GigabitEthernet0/1

  Description Interface_to_VPN

  nameif outside

  security-level 0

  IP 111.222.333.444 255.255.255.240

  !

  interface GigabitEthernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/4

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/5

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  management only

  nameif management

  security-level 100

  192.168.5.1 IP address 255.255.255.0

  !

  passive FTP mode

  DNS server-group DefaultDNS

  www.ww domain name

  permit same-security-traffic intra-interface

  the object of the LAN network

  subnet 192.168.11.0 255.255.255.0

  LAN description

  network of the SSLVPN_POOL object

  255.255.255.0 subnet 192.168.12.0

  VPN_CLIENT_ACL list standard access allowed 192.168.11.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  management of MTU 1500

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 711.bin

  don't allow no asdm history

  ARP timeout 14400

  no permit-nonconnected arp

  NAT (exterior, Interior) static source SSLVPN_POOL SSLVPN_POOL static destination LAN LAN

  Route outside 0.0.0.0 0.0.0.0 111.222.333.443 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  WebVPN

  list of URLS no

  identity of the user by default-domain LOCAL

  the ssh LOCAL console AAA authentication

  AAA authentication http LOCAL console

  LOCAL AAA authorization exec

  Enable http server

  http 192.168.5.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  Crypto ipsec pmtu aging infinite - the security association

  Crypto ca trustpoint ASDM_TrustPoint5

  Terminal registration

  E-mail [email protected] / * /

  name of the object CN = ASA

  address-IP 111.222.333.444

  Configure CRL

  Crypto ca trustpoint ASDM_TrustPoint6

  Terminal registration

  domain name full vpn.domain.com

  E-mail [email protected] / * /

  name of the object CN = vpn.domain.com

  address-IP 111.222.333.444

  pair of keys sslvpn

  Configure CRL

  trustpool crypto ca policy

  string encryption ca ASDM_TrustPoint6 certificates

  Telnet timeout 5

  SSH 192.168.11.0 255.255.255.0 inside

  SSH timeout 30

  Console timeout 0

  No ipv6-vpn-addr-assign aaa

  no local ipv6-vpn-addr-assign

  192.168.5.2 management - dhcpd addresses 192.168.5.254

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  SSL-trust outside ASDM_TrustPoint6 point

  WebVPN

  allow outside

  CSD image disk0:/csd_3.5.2008-k9.pkg

  AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1

  AnyConnect enable

  tunnel-group-list activate

  attributes of Group Policy DfltGrpPolicy

  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client

  internal VPN_CLIENT_POLICY group policy

  VPN_CLIENT_POLICY group policy attributes

  WINS server no

  value of server DNS 192.168.11.198

  VPN - 5 concurrent connections

  VPN-session-timeout 480

  client ssl-VPN-tunnel-Protocol

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list VPN_CLIENT_ACL

  myComp.local value by default-field

  the address value VPN_CLIENT_POOL pools

  WebVPN

  activate AnyConnect ssl dtls

  AnyConnect Dungeon-Installer installed

  AnyConnect ssl keepalive 20

  time to generate a new key 30 AnyConnect ssl

  AnyConnect ssl generate a new method ssl key

  AnyConnect client of dpd-interval 30

  dpd-interval gateway AnyConnect 30

  AnyConnect dtls lzs compression

  AnyConnect modules value vpngina

  value of customization DfltCustomization

  internal IT_POLICY group policy

  IT_POLICY group policy attributes

  WINS server no

  value of server DNS 192.168.11.198

  VPN - connections 3

  VPN-session-timeout 120

  Protocol-tunnel-VPN-client ssl clientless ssl

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list VPN_CLIENT_ACL

  field default value societe.com

  the address value VPN_CLIENT_POOL pools

  WebVPN

  activate AnyConnect ssl dtls

  AnyConnect Dungeon-Installer installed

  AnyConnect ssl keepalive 20

  AnyConnect dtls lzs compression

  value of customization DfltCustomization

  username vpnuser password PA$ encrypted $WORD

  vpnuser username attributes

  VPN-group-policy VPN_CLIENT_POLICY

  type of remote access service

  Username vpnuser2 password PA$ encrypted $W

  username vpnuser2 attributes

  type of remote access service

  username admin password ADMINPA$ $ encrypted privilege 15

  VPN Tunnel-group type remote access

  General-attributes of VPN Tunnel-group

  address VPN_CLIENT_POOL pool

  Group Policy - by default-VPN_CLIENT_POLICY

  VPN Tunnel-group webvpn-attributes

  the aaa authentication certificate

  enable VPN_to_R group-alias

  type tunnel-group IT_PROFILE remote access

  attributes global-tunnel-group IT_PROFILE

  address VPN_CLIENT_POOL pool

  Group Policy - by default-IT_POLICY

  tunnel-group IT_PROFILE webvpn-attributes

  the aaa authentication certificate

  enable IT Group-alias

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  inspect the icmp

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  : end

  Help me please! Thank you!

  Hello

  Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.

  Thank you

  swap

• Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

  Hello

  I have an ASA 5510 with the configuration below. I have configure the ASA as vpn server for remote access with cisco vpn client, now my problem is that I can connect but I can not ping.

  Config

  ciscoasa # sh run

  : Saved

  :

  ASA Version 8.0 (3)

  !

  ciscoasa hostname

  activate the 5QB4svsHoIHxXpF password / encrypted

  names of

  xxx.xxx.xxx.xxx SAP_router_IP_on_SAP name

  xxx.xxx.xxx.xxx ISA_Server_second_external_IP name

  xxx.xxx.xxx.xxx name Mail_Server

  xxx.xxx.xxx.xxx IncomingIP name

  xxx.xxx.xxx.xxx SAP name

  xxx.xxx.xxx.xxx Web server name

  xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold name

  isa_server_outside name 192.168.2.2

  !

  interface Ethernet0/0

  nameif outside

  security-level 0

  address IP IncomingIP 255.255.255.248

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 192.168.2.1 255.255.255.0

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.253 255.255.255.0

  management only

  !

  passwd 123

  passive FTP mode

  clock timezone IS 2

  clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00

  TCP_8081 tcp service object-group

  EQ port 8081 object

  DM_INLINE_TCP_1 tcp service object-group

  EQ port 3389 object

  port-object eq ftp

  port-object eq www

  EQ object of the https port

  EQ smtp port object

  EQ Port pop3 object

  port-object eq 3200

  port-object eq 3300

  port-object eq 3600

  port-object eq 3299

  port-object eq 3390

  EQ port 50000 object

  port-object eq 3396

  port-object eq 3397

  port-object eq 3398

  port-object eq imap4

  EQ port 587 object

  port-object eq 993

  port-object eq 8000

  EQ port 8443 object

  port-object eq telnet

  port-object eq 3901

  purpose of group TCP_8081

  EQ port 1433 object

  port-object eq 3391

  port-object eq 3399

  EQ object of port 8080

  EQ port 3128 object

  port-object eq 3900

  port-object eq 3902

  port-object eq 7777

  port-object eq 3392

  port-object eq 3393

  port-object eq 3394

  Equalizer object port 3395

  port-object eq 92

  port-object eq 91

  port-object eq 3206

  port-object eq 8001

  EQ port 8181 object

  object-port 7778 eq

  port-object eq 8180

  port-object 22222 eq

  port-object eq 11001

  port-object eq 11002

  port-object eq 1555

  port-object eq 2223

  port-object eq 2224

  object-group service RDP - tcp

  EQ port 3389 object

  3901 tcp service object-group

  3901 description

  port-object eq 3901

  object-group service tcp 50000

  50000 description

  EQ port 50000 object

  Enable_Transparent_Tunneling_UDP udp service object-group

  port-object eq 4500

  access-list connection to SAP Note inside_access_in

  inside_access_in to access extended list ip 192.168.2.0 allow 255.255.255.0 host SAP_router_IP_on_SAP

  access-list inside_access_in note outgoing VPN - PPTP

  inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any eq pptp

  access-list inside_access_in note outgoing VPN - GRE

  inside_access_in list extended access allow accord 192.168.2.0 255.255.255.0 any

  Comment from inside_access_in-list of access VPN - GRE

  inside_access_in list extended access will permit a full

  access-list inside_access_in note outgoing VPN - Client IKE

  inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any isakmp eq

  Comment of access outgoing VPN - IPSecNAT - inside_access_in-list T

  inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any eq 4500

  Note to inside_access_in of outgoing DNS list access

  inside_access_in list extended access udp allowed any any eq field

  Note to inside_access_in of outgoing DNS list access

  inside_access_in list extended access permit tcp any any eq field

  Note to inside_access_in to access list carried forward Ports

  inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any DM_INLINE_TCP_1 object-group

  access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 any

  outside_access_in of access allowed any ip an extended list

  outside_access_in list extended access permit tcp any any eq pptp

  outside_access_in list extended access will permit a full

  outside_access_in list extended access allowed grateful if any host Mail_Server

  outside_access_in list extended access permit tcp any host Mail_Server eq pptp

  outside_access_in list extended access allow esp a whole

  outside_access_in ah allowed extended access list a whole

  outside_access_in list extended access udp allowed any any eq isakmp

  outside_access_in list of permitted udp access all all Enable_Transparent_Tunneling_UDP object-group

  list of access allowed standard VPN 192.168.2.0 255.255.255.0

  corp_vpn to access extended list ip 192.168.2.0 allow 255.255.255.0 172.16.1.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  management of MTU 1500

  pool POOL 172.16.1.10 - 172.16.1.20 255.255.255.0 IP mask

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 603.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT-control

  Global (outside) 2 Mail_Server netmask 255.0.0.0

  Global 1 interface (outside)

  Global interface (2 inside)

  NAT (inside) 0-list of access corp_vpn

  NAT (inside) 1 0.0.0.0 0.0.0.0

  static (inside, outside) tcp Mail_Server 8001 8001 ISA_Server_second_external_IP netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server pptp pptp netmask 255.255.255.255 isa_server_outside

  public static tcp (indoor, outdoor) Mail_Server smtp smtp isa_server_outside mask 255.255.255.255 subnet

  static (inside, outside) tcp 587 Mail_Server isa_server_outside 587 netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255

  static (inside, outside) tcp 9443 Mail_Server 9443 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp 3389 3389 netmask 255.255.255.255 isa_server_outside Mail_Server

  static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

  static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp

  static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside

  public static 192.168.2.0 (inside, outside) - corp_vpn access list

  Access-group outside_access_in in interface outside

  inside_access_in access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.2.0 255.255.255.0 inside

  http 192.168.1.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp - esp-md5-hmac transet

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto-map dynamic dynmap 10 set pfs

  Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet

  cryptomap 10 card crypto ipsec-isakmp dynamic dynmap

  cryptomap interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  No encryption isakmp nat-traversal

  Telnet 192.168.2.0 255.255.255.0 inside

  Telnet 192.168.1.0 255.255.255.0 management

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

  dhcpd domain.local domain inside interface

  !

  a basic threat threat detection

  host of statistical threat detection

  Statistics-list of access threat detection

  Management Server TFTP 192.168.1.123.

  internal group mypolicy strategy

  mypolicy group policy attributes

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value VPN

  Pseudo vpdn password 123

  vpdn username attributes

  VPN-group-policy mypolicy

  type of remote access service

  type mypolicy tunnel-group remote access

  tunnel-group mypolicy General attributes

  address-pool

  strategy-group-by default mypolicy

  tunnel-group mypolicy ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the pptp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

  : end

  Thank you very much.

  Hello

  You probably need

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  inspect the icmp error

  Your Tunnel of Split and NAT0 configurations seem to.

  -Jouni

• Site to Site VPN - cannot ping remote subnet

  Hi all.

  I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.

  Any suggestions?

  I'm also an instant learn the ASAs, so I'm not an expert.  I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.

  Thanks in advance.

  5505 lack the command:

  management-access inside

  Federico.

• Inside the server can't ping remote vpn client

  My simple vpn client can accumulate the tunnel vpn with my Office ASA5510 success and my vpn client can ping the internal server. But my internal server cannot ping the remote vpn client. Even the firewall vpn client windows is disable.

  1. in-house server can ping Internet through ASA.

  2 internal server cannot ping vpn client.

  3 Vpn client can ping the internal server.

  Why interal Server ping vpn client? ASA only does support vpn in direction to go?

  Thank you.

  Hello

  Enable inspect ICMP, this should work for you.

  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the icmp
  inspect the icmp error

  inspect the icmp

  

  To configure the ICMP inspection engine, use the command of icmp inspection in class configuration mode. Class configuration mode is accessible from policy map configuration mode.

  inspect the icmp

  HTH

  Sandy

• How can I get voice and data to work with the ASA 5505?

  Here's the issue I'm having.   Can I get a Cisco 7940 to work behind one site to another configured ASA 5505 and I can also get data to work behind it.  However, when I try to create a separate Vlan for voice and data, it does not work.  Our voice VLANs on our remote sites are 172.30 and data are 172.31, when I put the inside interface with 172.31 data will work and when I on it 172.30 voice will work.  I upgraded to a security more license and tried vlan3 created as voice.  I have the data to the top and work but I can't get vlan3 to work.   Any help would be greatly appreciated.  Thank you

  Here is my current config:

  hostname TESTvpn
  activate the password xxxxx

  passwd xxxxx

  username admin password xxxxx privilege 15

  name Corp_LAN 10.0.0.0
  name 192.168.64.0 Corp_Voice
  name 172.31.155.0 TESTvpn

  object-group network SunVoyager
  host of the object-Network 64.70.8.160
  host of the object-Network 64.70.8.242

  the Corp_Networks object-group network
  network-object Corp_LAN 255.0.0.0
  object-network Corp_Voice 255.255.255.0

  interface vlan2
  nameif outside
  security-level 0
  IP address dhcp setroute
  No tap

  interface vlan1
  nameif inside
  security-level 100
  IP 172.31.155.1 255.255.255.0
  No tap

  interface vlan3
  nameif Corp_Voice
  security-level 100
  IP 172.30.155.1 255.255.255.0
  No tap

  output
  interface Ethernet0/0
  switchport access vlan 2
  No tap

  interface Ethernet0/7
  switchport access vlan 3
  No tap

  output

  dhcpd allow inside
  dhcpd address 172.31.155.10 - 172.31.155.30 inside
  dhcpd dns 10.10.10.7 10.10.10.44 interface inside
  dhcpd sun.ins area inside interface
  dhcpd allow inside

  enable Corp_Voice dhcpd
  dhcpd address 172.30.155.10 - 172.30.155.30 Corp_Voice
  dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
  dhcpd interface of sun.ins of the Corp_Voice domain
  enable Corp_Voice dhcpd
  dhcpd option 150 ip 192.168.64.4 192.168.64.3

  Enable logging
  exploitation forest buffer-size 10000
  monitor debug logging
  logging buffered information
  asdm of logging of information

  outside_access_in list extended access allow all unreachable icmp
  outside_access_in list extended access permit icmp any any echo response
  outside_access_in list extended access permit icmp any one time exceed
  access extensive list ip 172.31.155.0 inside_access_in allow 255.255.255.0 any
  inside_access_in list extended access allow icmp 172.31.155.0 255.255.255.0 any
  Access extensive list ip 172.30.155.0 Corp_Voice_access_in allow 255.255.255.0 any
  Corp_Voice_access_in list extended access allow icmp 172.30.155.0 255.255.255.0 any

  VPN access list extended deny ip 172.31.155.0 255.255.255.0 object-group SunVoyager
  extended VPN ip 172.31.155.0 access list allow 255.255.255.0 any

  inside_access_in access to the interface inside group
  Access-group outside_access_in in interface outside
  Access-group Corp_Voice_access_in in the Corp_Voice interface

  Global 1 interface (outside)
  NAT (inside) 0-list of access VPN
  NAT (inside) 1 172.31.155.0 255.255.255.0

  Enable http server
  http 172.31.155.0 255.255.255.0 inside
  http 172.30.155.0 255.255.255.0 Corp_Voice
  http 192.168.64.0 255.255.255.0 Corp_Voice
  http 10.0.0.0 255.0.0.0 inside
  http 65.170.136.64 255.255.255.224 outside
  SSH 10.0.0.0 255.0.0.0 inside
  SSH 172.31.155.0 255.255.255.0 inside
  SSH 65.170.136.64 255.255.255.224 outside
  SSH timeout 20

  management-access inside

  dhcpd outside auto_config

  Crypto ipsec transform-set esp-3des esp-md5-hmac VPN
  crypto map outside_map 1 is the VPN address
  peer set card crypto outside_map 1 66.170.136.65
  card crypto outside_map 1 the value transform-set VPN
  outside_map interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 1
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  lifetime 28800

  tunnel-group 66.170.136.65 type ipsec-l2l
  IPSec-attributes tunnel-group 66.170.136.65
  pre-shared-key xxxxx

  output
  int eth 0/1
  close
  No tap
  int eth 0/2
  close
  No tap
  int eth 0/3
  close
  No tap
  int eth 0/4
  close
  No tap
  int eth 0/5
  close
  No tap
  int eth 0/6
  close
  No tap
  int eth 0/7
  close
  No tap

  Peter,

  Note that access list names are case-sensitive, so you've actually done something different from what I proposed.

  Please do:

  no nat (Corp_Voice) 0-list of access vpn

  No list of vpn access extended permitted ip TESTvpn 255.255.255.0 everything
  IP 172.30.155.0 255.255.255.0 extended vpn access do not allow any list all

  extended VPN ip 172.30.155.0 access list allow 255.255.255.0 any

  NAT (Corp_Voice) 0-list of access VPN

  In the case where you did deliberately, for example to separate the 2 acl: note that acl VPN (upper case) is also used in the encryption card, where you cannot add a second LCD.

  So if you want to separate you, you will need 3 access lists:

  list of access data-vpn ip TESTvpn 255.255.255.0 allow one

  voice-vpn ip 172.30.155.0 access list allow 255.255.255.0 any

  access-list all - vpn ip TESTvpn 255.255.255.0 allow one

  access-list all - vpn ip 172.30.155.0 allow 255.255.255.0 any

  NAT (inside) 0-list of access vpn data

  NAT (Corp_Voice) - access list 0 voice-vpn

  outside_map 1 match address all vpn crypto card

  Don't know if this was also clearly to my previous message, I recommend you to replace the "all" (in each of the ACL lines) to something more specific (i.e. a remote network, or group of objects that contain the remote networks).

  HTH

  Herbert

• ASA 5505 VPN Ping problems

  Hi all

  First of all, I apologize if this is something that I can google. My knowledge of the administration of the network is all self-taught, so if there is a guide that I missed please point me in the right direction, it is often difficult to Google the terms for troubleshooting when your jargon is not the height.

  The main problem is that when ping devices internal when you are connected to the results are very inconsistent.

  Ping 192.168.15.102 with 32 bytes of data:

  Reply from 192.168.15.102: bytes = 32 time = 112ms TTL = 128

  Request timed out.

  Request timed out.

  Request timed out.

  We have implemented an IPSec VPN connection to a remote Cisco ASA 5505. There is no connection problems, connection seems constant, etc. good packages. At this stage, I can only assume I have configuration problems, but I was watching this while if long and pair with my inexperience configuration of these settings I have no idea where to start. My first impressions are that LAN devices I'm ping do not send their response back or the ASA does not know how to route packets back?

  Here is a dump of the configuration:

  Output of the command: "show config".

  : Saved

  : Written by enable_15 to the 12:40:06.114 CDT MON Sep 9 2013

  !

  ASA Version 8.2 (5)

  !

  hostname VPN_Test

  activate the encrypted password of D37rIydCZ/bnf1uj

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  192.168.15.0 - internal network name

  DDNS update method DDNS_Update

  DDNS both

  maximum interval 0 4 0 0

  !

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  Description VLAN internal guests

  nameif inside

  security-level 100

  DDNS update hostname 0.0.0.0

  DDNS update DDNS_Update

  DHCP client updated dns server time

  192.168.15.1 IP address 255.255.255.0

  !

  interface Vlan2

  Description of VLAN external to the internet

  nameif outside

  security-level 0

  address IP xx.xx.xx.xx 255.255.255.248

  !

  passive FTP mode

  clock timezone CST - 6

  clock to summer time recurring CDT

  DNS server-group DefaultDNS

  Server name 216.221.96.37

  Name-Server 8.8.8.8

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  outside_access_in list extended access permit icmp any one

  outside_access_in list extended access deny interface icmp outside interface inside

  access extensive list ip 192.168.15.192 outside_access_in allow 255.255.255.192 all

  Remote_splitTunnelAcl list standard allowed internal-network access 255.255.255.0

  inside_nat0_outbound list extended access allowed internal-network ip, 255.255.255.0 192.168.15.192 255.255.255.192

  Note to inside_access_in to access list blocking Internet traffic

  access extensive list ip 192.168.15.192 inside_access_in allow 255.255.255.192 all

  Note to inside_access_in to access list blocking Internet traffic

  inside_access_in extended access list allow interface ip inside the interface inside

  inside_access_in list of allowed ip extended access all 192.168.15.192 255.255.255.192

  Note to inside_access_in to access list blocking Internet traffic

  access extensive list ip 192.168.15.192 inside_nat0_outbound_1 allow 255.255.255.192 all

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  mask 192.168.15.200 - 192.168.15.250 255.255.255.0 IP local pool VPN_IP_Pool

  inside_access_ipv6_in list of access allowed IPv6 interface ip inside the interface inside

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow any response of echo outdoors

  ICMP allow all outside

  don't allow no asdm history

  ARP timeout 14400

  NAT-control

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

  NAT (inside) 1 192.168.15.192 255.255.255.192

  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group

  inside_access_ipv6_in access to the interface inside group

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  255.255.255.0 inside internal network http

  http yy.yy.yy.yy 255.255.255.255 outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Sysopt connection timewait

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management-access inside

  dhcpd outside auto_config

  !

  dhcpd address 192.168.15.200 - 192.168.15.250 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

  NTP server 192.168.15.101 source inside

  prefer NTP server 192.168.15.100 source inside

  WebVPN

  internal remote group strategy

  Group remote attributes policy

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list Remote_splitTunnelAcl

  username StockUser encrypted password privilege 0 t6a0Nv8HUfWtUdKz

  username StockUser attributes

  Strategy-Group-VPN remote

  tunnel-group type remote access remotely

  tunnel-group remote General attributes

  address pool VPN_IP_Pool

  Group Policy - by default-remote control

  tunnel-group remote ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  inspect the icmp

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3

  Hi Graham,

  My first question is do you have a site to site VPN and VPN remote access client.

  After checking your configuration, I see you don't have any Site to SIte VPN configuration, so I'm assuming you ara facing issue with the VPN client.

  And if I understand you are able to connect VPN client, but you not able to access internal resources properly.

  I recommend tey and make the following changes.

  First remove the following configuration:

  NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

  NAT (inside) 1 192.168.15.192 255.255.255.192

  You don't need the 1st one and I do not understand the reason for the second

  Second, one is your pool IP subnet (192.168.15.200 - 192.168.15.250) and I don't know why you added this NAT.

  If possible change your subnet pool all together because we do not recommend to use th ip POOL that is similar to your local network.

  Try the changes described above and let me know in case if you have any problem.

  Thank you

  Jeet Kumar

• Installation of ASA EasyVPN - cannot ping loopback on router CME

  Hello

  I don't know if it is a problem of firewall or something on my router, so I thought I would start here.  I have an ASA 5505 at home that I use as a client for the purpose of connecting a Cisco IP phone to a CME No. 2851 router EasyVPN.  At the office, I have an ASA 5510, which acts as the EasyVPN server.  The CME router loopback address is 10.1.254.254, and the router's ethernet interfaces are 10.2.100.50 and 10.1.100.1.  The customer EasyVPN receives an address 192.168.100.1 the EasyVPN server.

  In my house, if I connect a computer to my ASA 5505 VPN is based and I can ping all my hosts interns (at the office), and I can ping both interfaces of the router.  If I try to ping the router loopback address I get nothing.   If I start the router and work my way to the EasyVPN (ASA 5510) Server I can ping the loopback address of the router to the power switch and then the ASA5510. I think it's a problem of firewall because of the capture, I install both inside the ASA interfaces:

  If I ping 10.2.100.50 or 10.1.100.1, I see the echo and echo on the ASA5505 responses, and I see them on the ASA5510 - successfully running through the VPN tunnel.

  If I ping 10.1.254.254, I see the echo to the ASA5505 request, but I don't see anything on the ASA5510.

  I checked my nat_exemption on the ASA5510 and I have an entry like this:

  nat_exemption list of allowed ip extended access any 192.168.100.0 255.255.255.128

  I can provide more if necessary configs, but anybody have any ideas where I'm wrong?

  Thanks in advance,

  Brandon

  Brandon,

  I would like to start showing us "crypto ipsec to show its" on your home 5505.

  Then the station we would need:

  --------

  See the establishment of performance-crypto

  See running nat setting

  See the global race

  See the static race

  See the tunnel-group race

  ---------

  Ideally I would allow newspapers on informqtional level on headboard and ASA local.

  Run the ping command and check:

  -------

  Show logg. I have 10.1.254.254

  -------

  We are looking for connections being built or any "deny" messages.

  Marcin

• ASA VPN cannot ping ip local pool

  Hello

  We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...

  Thanks in advance

  Keith

  Hi Keith,

  I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)

  Can you add "same-security-traffic intra-interface permits" and try again?

  Federico.