Setting up a DMZ on ASA 5505
I have a Cisco ASA 5505 on which I am trying to set up a web server in a demilitarized zone. I have the DMZ interface working, but I'm not able to get access to the server connected to the DMZ interface. I have been looking on Google for a week now, but have not found the setup...
I have the following interfaces (not the real IPs)...
WAN - 123.123.100.1
LAN - 192.168.0.1
DMZ - 172.16.8.1 - port 7
Web server - 172.16.8.2, connected on port 7
ASA version 8.2(5)
I'm looking to have access to the web server from the inside via RDP, and to give external clients access over port 80. It must also communicate with a DB server located in another facility through a VPN.
Any help would be appreciated. I've been pulling my hair out on this one.
Thank you
Mike
Generally speaking, inside to DMZ is allowed by default. If you have an access list applied on your inside interface you would need to add an entry for the DMZ address of the RADIUS server on tcp/3389 (RDP).
Incoming outside traffic would need a static NAT and an access list.
Web server to a remote site via VPN would need the DMZ network addresses defined in the access list referenced by the crypto map used by the VPN. You also usually have a NAT exemption for that traffic.
All of these are common use cases for an ASA. If you can share a sanitized version of your running configuration, we may be able to see what's missing.
Tags: Cisco Security
Similar Questions
-
ASA 5505 easy VPN & 3rd / DMZ interface
We have many new and very small remote sites that need to connect via an ASA 5505 using easy VPN. It works without a problem and we have the configuration and the process nailed.
The challenge I received today involves non-standard remote sites, where I need to set up a third interface on an ASA 5505 and allow it to go directly to the Internet and not through the VPN. Configuration of the third interface and assignment and configuration of the ACLs / NAT (PAT) are straightforward.
The challenge I face, and have not been able to find a direct answer to, is whether it is possible to have the easy VPN process let this traffic bypass the tunnel. Currently, the traffic goes down the tunnel, which is not what I want.
I'm afraid I'll have to build conventional site-to-site VPN configurations, which is not a huge problem, except that it breaks all the maintenance/operations methods and processes, and I have to spend time training the support team how to detect the differences. Yes, I can build it if someone else needs the support, which means being different is a problem.
Thank you
What version of the ASA software do you run?
I found this in the configuration guide, which suggests that only the highest security level interface is encrypted over the easy VPN tunnel if you run ASA version 7.2(3) and above:
http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/ezvpn505.html#wp1025408
So, if your DMZ does not have the same security level as your inside interface, DMZ traffic does not pass through the tunnel.
Also, do you have split tunnel configured on the easy VPN server for this easy VPN client group?
-
ASA 5505 DMZ for guest wireless access
Hello
Here is my dilemma:
I'm deploying an Apple Airport Extreme BaseStation with 7 Airport Express "repeaters" throughout my network/building. Apple only allows two wireless networks, public and private. You can only select 192.168.x.x, 172.13.x.x or 10.10.x.x for each subnet. NO VLAN tagging.
It wasn't my decision... Apple CEO has a fever.
So I'm stuck on how to implement this without VLANs. The guest/public subnet needs to be isolated with outside access only, while the private subnet requires access to both.
Any suggestion would be greatly appreciated.
What will the Security Plus license allow me to do?
The Security Plus license allows the use of trunks on the ASA 5505. It also increases the maximum number of configurable VLANs to 20. It allows active/standby failover and increases the number of licensed IPsec VPN tunnels.
The problem with the Base license is that you can have 3 VLANs configured and the 3rd VLAN is a 'restricted' VLAN. This means that you cannot pass traffic to or from the inside VLAN on the 3rd VLAN (or DMZ VLAN if you prefer to call it that). So this DMZ VLAN will only be able to communicate with the internet.
So, if your private wireless network and the local network will be on the same subnet, your public wireless network can be in VLAN 3. If this isn't the case, you will need to get the Security Plus license.
--
Please do not forget to rate and choose a good answer -
Problem setting up a VPN through an ASA 5505
From inside a network secured by an ASA 5505, I can't establish an outbound PPTP VPN. The ASA logs the following:
09-2009 20:50:09 24.13.209.125 %ASA-3-305006: regular translation creation failed for protocol 47 src inside:192.168.132.108 dst outside:xxx.xxx.xxx.125
I looked up the error message online, but for some reason I'm just not understanding what it says. How can I fix it? Let me know if you have any questions... Thank you guys!
British Columbia
Hello
Enable PPTP inspection:
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class inspection_default
pixfirewall(config-pmap-c)# inspect pptp
Go to this link for background info on the use of pptp/gre under various codes.
Regards
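The 305006 message above is easy to spot once, but on a busy box it is worth turning into detection logic. The following is an added example (my code, not the poster's or Cisco's) that parses ASA 305006 syslog lines, picks out the GRE (protocol 47) translation failures that a PPTP client produces behind PAT, and groups them per inside host. The log lines are constructed for the example; the inside address is the one from the thread, the outside addresses are documentation ranges.

```python
import re
from collections import Counter

# %ASA-3-305006 as the ASA emits it: "<kind> translation creation failed for
# <proto> src <if>:<addr>[/port] dst <if>:<addr>[/port]".  TCP/UDP/ICMP are
# named; other protocols appear as "protocol <number>" (47 = GRE).
MSG_305006 = re.compile(
    r"%ASA-3-305006: (?P<kind>[\w ]+?) translation creation failed for "
    r"(?:protocol )?(?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)")

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp", "47": "gre", "50": "esp", "51": "ah"}

# Constructed sample log: two GRE failures for the thread's client, one for
# another client, one TCP 305006 and one unrelated 106023 line.
SAMPLE_LOG = [
    "Sep 09 2009 20:50:09 %ASA-3-305006: regular translation creation failed for protocol 47 "
    "src inside:192.168.132.108 dst outside:203.0.113.125",
    "Sep 09 2009 20:50:11 %ASA-3-305006: regular translation creation failed for protocol 47 "
    "src inside:192.168.132.108 dst outside:203.0.113.125",
    "Sep 09 2009 20:50:12 %ASA-3-305006: regular translation creation failed for tcp "
    "src inside:192.168.132.50/51234 dst outside:198.51.100.7/80",
    "Sep 09 2009 20:50:15 %ASA-3-305006: regular translation creation failed for protocol 47 "
    "src inside:192.168.132.77 dst outside:203.0.113.9",
    "Sep 09 2009 20:50:16 %ASA-4-106023: Deny tcp src outside:198.51.100.7/443 "
    "dst inside:192.168.132.50/51235 by access-group \"outside_in\"",
]


def parse_305006(line):
    """Return the fields of a 305006 line as a dict, or None for other messages."""
    m = MSG_305006.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = PROTO_NAMES.get(rec["proto"], rec["proto"]).lower()
    rec["src"] = rec["src"].split("/")[0]   # drop the /port suffix when present
    rec["dst"] = rec["dst"].split("/")[0]
    return rec


def gre_translation_failures(lines):
    """Count GRE translation failures per (inside host, outside peer)."""
    counts = Counter()
    for line in lines:
        rec = parse_305006(line)
        if rec and rec["proto"] == "gre":
            counts[(rec["src"], rec["dst"])] += 1
    return counts


def pptp_findings(lines):
    """One finding per client whose GRE flows the PAT could not translate.

    GRE carries no port numbers, so plain PAT has nothing to rewrite; the fix
    given in the answer above is `inspect pptp` in global_policy, which lets
    the ASA track the GRE call IDs negotiated on the TCP/1723 control channel.
    """
    return [f"{src} -> {dst}: {n} GRE translation failure(s); check `inspect pptp` in global_policy"
            for (src, dst), n in gre_translation_failures(lines).most_common()]


if __name__ == "__main__":
    for finding in pptp_findings(SAMPLE_LOG):
        print(finding)
```

Feed it `logging trap` output from a syslog collector instead of `SAMPLE_LOG`; a host that keeps appearing in the GRE counts while its TCP/1723 connections succeed is the PPTP-behind-PAT pattern this thread describes.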
-
How can I get the crypto engine working on the ASA 5505
I bought a brand new ASA 5505 to connect to a Cisco 3640 and I still cannot set up the tunnel. I have tried changing the transform set, but no luck. I recently set up a VPN using DMVPN and a Cisco 501 site-to-site, but I have been wondering what is going on.
The router (3640 running 12.4 code) seems OK and I don't think I have a problem with the router since the Cisco 501 works great.
This is a laboratory environment.
This is the feature set on the ASA 5505:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has a Base license.
This is a ping from 10.3.4.10 to 10.1.1.1. It says nothing about IPSEC or ISAKMP.
That's what I get when I do "show crypto ipsec sa":
ASA5505(config)# show crypto ipsec sa
There are no ipsec sas
ASA5505(config)# show crypto isakmp sa
There are no isakmp sas
debug crypto isakmp 10
packet-tracer input inside icmp 10.3.4.10 8 0 10.1.1.1 detail
I have worked on it for a week and don't really know if I have a bad ASA5505. Since the normal stuff like browsing the Internet works and I can ping outside and inside, I don't know what to think. See attachments.
"Doing what you asked has worked."
Nice to hear that your problem is solved.
"My question is, can I use the transform-set ESP-3DES-SHA instead of MD5?"
Of course you can.
Kind regards.
Please do not forget to rate the useful posts and check "Solved my problem" if the post has solved your problem.
-
VPN site-to-site between ASA 5505 and 2911
Hi all
I'm trying to set up a S2S VPN: IP a.a.a.a for the office 2911 router, remote office ASA 5505 8.4(3) with IP b.b.b.b, but no luck.
2911 config:
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2911
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-2.T.bin
boot-end-marker
!
!
security passwords min-length 10
logging buffered 51200 warnings
!
no aaa new-model
!
!
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.22.1 192.168.22.99
ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp excluded-address 192.168.44.1 192.168.44.99
ip dhcp excluded-address 192.168.55.1 192.168.55.99
ip dhcp excluded-address 192.168.10.240 192.168.10.254
ip dhcp excluded-address 192.168.22.240 192.168.22.254
ip dhcp excluded-address 192.168.33.240 192.168.33.254
ip dhcp excluded-address 192.168.44.240 192.168.44.254
ip dhcp excluded-address 192.168.55.240 192.168.55.254
!
ip dhcp pool desktop
 import all
 network 192.168.33.0 255.255.255.0
 default-router 192.168.33.254
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool wi-fi
 import all
 network 192.168.44.0 255.255.255.0
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 default-router 192.168.44.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool DMZ
 import all
 network 192.168.55.0 255.255.255.0
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 default-router 192.168.55.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool voip
 import all
 network 192.168.22.0 255.255.255.0
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 default-router 192.168.22.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool servers
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
!
ip domain name domain
ip name-server 192.168.10.10
ip cef
login block-for 180 attempts 3 within 180
Timeout 10
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3956567439
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3956567439
 revocation-check none
 rsakeypair TP-self-signed-3956567439
!
!
crypto pki certificate chain TP-self-signed-3956567439
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2911/K9 sn
!
!
object-group network FULL_NET
 description full range of the network
 192.168.10.0 255.255.255.0
 192.168.11.0 255.255.255.0
 192.168.22.0 255.255.255.0
 192.168.33.0 255.255.255.0
 192.168.44.0 255.255.255.0
!
object-group network limited
 description network without servers and router
 192.168.22.0 255.255.255.0
 192.168.33.0 255.255.255.0
 192.168.44.0 255.255.255.0
!
vtp version 2
username admin privilege 0 password 7 password
!
redundancy
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
crypto isakmp key admin address b.b.b.b
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set SET esp-aes esp-sha-hmac
!
!
!
crypto map map 10 ipsec-isakmp
 set peer b.b.b.b
 set transform-set SET
 match address 160
!
!
!
!
!
interface Port-channel1
 no ip address
 hold-queue 150 in
!
interface Port-channel1.1
 encapsulation dot1Q 1 native
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.22
 encapsulation dot1Q 22
 ip address 192.168.22.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.33
 encapsulation dot1Q 33
 ip address 192.168.33.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.44
 encapsulation dot1Q 44
 ip address 192.168.44.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.55
 encapsulation dot1Q 55
 ip address 192.168.55.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/2
 description $ES_LAN$
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/0/0
 ip address a.a.a.a 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map map
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload
ip nat inside source static udp a.a.a.a 500 interface GigabitEthernet0/0/0 500
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip access-list extended NAT_INTERNET
 deny   ip object-group FULL_NET 192.168.17.0 0.0.0.255
 deny   ip object-group FULL_NET 192.168.1.0 0.0.0.255
 permit ip object-group FULL_NET any
!
access-list 1 permit 192.168.44.100
access-list 23 permit 192.168.10.7
access-list 23 permit 192.168.44.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
 password 7 password
 login
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end
The ASA config:
: Saved
:
ASA Version 8.4(3)
!
hostname C
domain-name domain
enable password password encrypted
passwd passwd encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 switchport access vlan 100
!
interface Ethernet0/6
 switchport trunk allowed vlan 2,6
 switchport mode trunk
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description INTERNET
 mac-address 1234.5678.0001
 nameif WAN
 security-level 0
 ip address b.b.b.b 255.255.255.248 standby c.c.c.c
 ospf cost 10
!
interface Vlan2
 description OLD-PRIVATE
 mac-address 1234.5678.0102
 nameif OLD-Private
 security-level 100
 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
 ospf cost 10
!
interface Vlan6
 description MANAGEMENT
 mac-address 1234.5678.0106
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
 ospf cost 10
!
interface Vlan100
 description LAN Failover Interface
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
dns domain-lookup WAN
dns server-group DefaultDNS
 name-server 208.67.222.222
 domain-name domain
same-security-traffic permit intra-interface
object network obj-192.168.17.0
 subnet 192.168.17.0 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.9.0
 subnet 192.168.9.0 255.255.255.0
object network obj-192.168.33.0
 subnet 192.168.33.0 255.255.255.0
object network obj-192.168.44.0
 subnet 192.168.44.0 255.255.255.0
object network obj_any
object network obj_any-01
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.17.0_24
 subnet 192.168.17.0 255.255.255.0
object network subnet-00
 subnet 0.0.0.0 0.0.0.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.17.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.33.0 255.255.255.0
 network-object 192.168.44.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.33.0 255.255.255.0
 network-object 192.168.44.0 255.255.255.0
object-group network subnet-17
 network-object 192.168.17.0 255.255.255.0
object-group network subnet-2
 network-object 192.168.2.0 255.255.255.0
object-group network subnet-9
 network-object 192.168.9.0 255.255.255.0
object-group network subnet-10
 network-object 192.168.10.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 52000
logging monitor informational
logging trap informational
logging asdm informational
logging from-address syslog
logging recipient-address admin level errors
logging host OLD-Private 192.168.17.110 format emblem
logging debug-trace
logging permit-hostdown
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.10.0 255.255.255.0 WAN
icmp permit host x.x.x.x WAN
icmp permit 192.168.17.0 255.255.255.0 WAN
icmp permit host c.c.c.c WAN
icmp permit host a.a.a.a WAN
icmp deny any WAN
icmp permit 192.168.10.0 255.255.255.0 OLD-Private
icmp permit 192.168.17.0 255.255.255.0 OLD-Private
icmp permit host a.a.a.a OLD-Private
icmp permit host 192.168.10.0 Management
icmp permit host 192.168.17.138 Management
icmp permit 192.168.1.0 255.255.255.0 Management
icmp permit host 192.168.1.26 Management
icmp permit host a.a.a.a Management
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp
nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
!
object network subnet-00
 nat (OLD-Private,WAN) dynamic interface
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http b.b.b.b 255.255.255.255 WAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Office 2 match address WAN_1_cryptomap
crypto map Office 2 set peer a.a.a.a
crypto map Office interface WAN
crypto map MAP 10 set peer a.a.a.a
crypto map MAP 10 set ikev1 transform-set OFFICE
crypto ikev2 enable WAN
crypto ikev1 enable WAN
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh a.a.a.a 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config OLD-Private
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
group-policy admin internal
group-policy admin attributes
 dns-server value 208.67.222.222 156.154.70.1
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_a.a.a.a internal
group-policy GroupPolicy_a.a.a.a attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl
username admin password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
 address-pool vpnclient
 authorization-server-group LOCAL
 default-group-policy admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
 default-group-policy GroupPolicy_a.a.a.a
tunnel-group a.a.a.a ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool vpnclient
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
smtp-server 192.168.17.10
prompt hostname context
no call-home reporting anonymous
call-home
 contact-email-addr admin
 contact-name admin
 profile CiscoTAC-1
  no active
: end
asdm image disk0:/asdm-647.bin
asdm location c.c.c.c 255.255.255.255 WAN
asdm location 192.168.17.2 255.255.255.255 WAN
asdm location a.a.a.a 255.255.255.255 OLD-Private
no asdm history enable
ASA:
# show crypto ipsec sa
There are no ipsec sas
# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
2911:
#show crypto ipsec sa
interface: GigabitEthernet0/0/0
    Crypto map tag: map, local addr a.a.a.a
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0
     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
Thanks for your time,
Nick
Please add:
crypto map Office 2 set ikev1 transform-set OFFICE
If that does not help, please enable debug crypto ipsec 255 and paste the output here.
HTH. Please rate if it was helpful. A "Correct answer" would also be nice.
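Before phase 2 can be debugged, both sides have to agree on an IKEv1 phase-1 proposal, and both boxes above report no ISAKMP SAs at all. The following is an added example (my code, not the posters' or Cisco's) that pulls the `crypto isakmp policy` (IOS) and `crypto ikev1 policy` (ASA) blocks out of two running-configs, fills in each platform's defaults for attributes a policy leaves unset, and lists the policy pairs that agree on encryption, hash, authentication and DH group. `IOS_2911` and `ASA_5505` are the phase-1 excerpts transcribed from the sanitized configs in this thread; `IOS_FIXED` and `ASA_FIXED` are constructed "after" states. The default tables are the platforms' documented defaults as I know them; treat them as an assumption if your release differs.

```python
import re

# Attribute defaults each platform applies when a policy omits a keyword.
# IOS: des / sha / rsa-sig / group 1 / 86400 s.  ASA IKEv1: 3des / sha /
# pre-share / group 2 / 86400 s.  (Assumed from platform documentation.)
IOS_DEFAULTS = {"encryption": "des", "hash": "sha1", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha1", "authentication": "pre-share",
                "group": "2", "lifetime": "86400"}

POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
# Lifetime is deliberately excluded: the peers settle on the shorter value.
MATCH_KEYS = ("encryption", "hash", "authentication", "group")

# Phase-1 excerpts transcribed from the thread's sanitized configs.
IOS_2911 = """\
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
crypto isakmp key admin address b.b.b.b
"""
ASA_5505 = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
"""
# Constructed "after" state: one policy on each side that agrees.
IOS_FIXED = IOS_2911 + "crypto isakmp policy 5\n encr aes 256\n hash sha\n authentication pre-share\n group 2\n"
ASA_FIXED = ASA_5505 + "crypto ikev1 policy 5\n encryption aes-256\n hash sha\n group 2\n"


def normalize(keyword, value):
    """Map IOS and ASA spellings of one attribute onto a single vocabulary."""
    value = value.strip().lower()
    if keyword in ("encr", "encryption"):
        parts = value.split()                     # IOS "aes 256" vs ASA "aes-256"
        if parts[0] == "aes":
            return "encryption", "aes-" + (parts[1] if len(parts) > 1 else "128")
        return "encryption", parts[0]
    if keyword == "hash":
        return "hash", "sha1" if value == "sha" else value
    if keyword in ("authentication", "group", "lifetime"):
        return keyword, value
    return None


def parse_ike_policies(config, defaults):
    """Return one dict per policy block, defaults filled in, in config order."""
    policies, current = [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = POLICY_RE.match(raw.strip())
        if m:
            current = dict(defaults, number=int(m.group(1)))
            policies.append(current)
            continue
        if current is None or not raw.startswith(" "):
            current = None                        # any top-level command ends the block
            continue
        keyword, _, value = raw.strip().partition(" ")
        pair = normalize(keyword, value)
        if pair:
            current[pair[0]] = pair[1]
    return policies


def matching_pairs(side_a, side_b):
    """(a, b) policy numbers that agree on every negotiated attribute."""
    return [(a["number"], b["number"]) for a in side_a for b in side_b
            if all(a[k] == b[k] for k in MATCH_KEYS)]


def phase1_report(ios_cfg, asa_cfg):
    ios = parse_ike_policies(ios_cfg, IOS_DEFAULTS)
    asa = parse_ike_policies(asa_cfg, ASA_DEFAULTS)
    return {"ios": ios, "asa": asa, "matches": matching_pairs(ios, asa)}


if __name__ == "__main__":
    for label, (a, b) in {"as posted": (IOS_2911, ASA_5505),
                          "corrected": (IOS_FIXED, ASA_FIXED)}.items():
        report = phase1_report(a, b)
        for side in ("ios", "asa"):
            for p in report[side]:
                print(f"{label}: {side} policy {p['number']}: " +
                      " ".join(f"{k}={p[k]}" for k in MATCH_KEYS))
        print(f"{label}: matching policy pairs -> {report['matches'] or 'none'}")
```

On the configs as posted the script reports no matching pair: the router offers aes-256/sha512/pre-share with the IOS default group 1, while the ASA only accepts 3des/sha/group 2 or des/sha/group 1. Adding the missing transform-set to `crypto map Office 2`, as the answer above suggests, fixes phase 2, but phase 1 also has to succeed before `show crypto isakmp sa` will show anything.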
-
How many VLANs does the ASA 5505 Security Plus support
Hello guys. I have an ASA 5505 Security Plus, and I have only 3 VLANs: outside, inside, restricted DMZ.
It works well, but I want to connect my inside to another private network, so please can someone help me out here, or do I have to buy a license?
And how can I activate the license key?
Thank you very much
Here is the explanation, since I have no idea about your topology.
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
Here is an example of the Security Plus license feature set:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
This platform has an ASA 5505 Security Plus license.
Now, an explanation of DMZ Restricted:
- Only 10 hosts in the DMZ and LAN combined may contact the outside interface at any time.
- Only 2 fully functional VLANs (usually inside and outside) are allowed. The 3rd VLAN, usually a DMZ, can only be enabled with the command 'no forward interface vlan n', which prevents connections to one of the other VLANs, usually inside.
Just in case: if you have the Base license then inside-to-DMZ connections are not allowed. If you have Security Plus then there should not be any problem. As you mentioned, if the VLAN IP ranges all belong to the inside, then connecting with outside shouldn't be a problem.
Thank you
Ajay
-
ASA 5505 getting started problem
Hello
New to the firewall:
I set the ASA to factory default using the default configuration. Then I plugged my PC into port 7 and the Comcast modem into port 0, and my PC got the IP address 192.168.1.2. In addition, I configured DHCP to give out the DNS addresses. I changed the address of the outside interface to the static address I was assigned, but still cannot ping the outside interface or Google from the PC. Oh, also, from the firewall itself I can ping the Comcast gateway address but no further.
Where should I start to get this thing working?
Thank you, Pat.
Hello
To be honest, I have not tried it.
I also have an ASA 5505 with the Base license at home, but I have no need for a DMZ in my network so I have not tried.
You can always make an access list for your INSIDE interface and manage traffic with it. It's the most common way at least.
You could basically make the following simple configuration:
access-list INSIDE-IN remark Block traffic from INSIDE to DMZ
access-list INSIDE-IN deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list INSIDE-IN remark Allow other traffic
access-list INSIDE-IN permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
The above specifies the following things:
- INSIDE-IN is the name of the access list
- Remark lines in the list just provide a brief description of the rule below them
- You can insert these remarks (or permit/deny lines) at different positions using 'line' after the name of the access list
- For example 'access-list INSIDE-IN line 1 remark' adds a comment line at the top of the list.
- On the CLI, the line numbers are visible when you issue 'show access-list'. 'show running-config access-list' will not show line numbers
- The deny line stipulates that all TCP/UDP traffic from the INSIDE network to the DMZ network range is denied on entry to the firewall's inside interface
- The permit line allows all traffic from the INSIDE network to any other network range. (Essentially it allows all traffic to the OUTSIDE interface, since all traffic to the DMZ was refused on the previous line of the access list.)
- The access-group line attaches the access list named INSIDE-IN to the inside interface
- The 'in' parameter indicates the direction in which the access list is applied
- In this case it's traffic that enters the inside interface
-Jouni
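The answer above rests on first-match evaluation: the deny line only does its job because it sits above the broad permit. The following is an added example (my code, not Jouni's or Cisco's) that parses ASA `access-list` lines of the form shown, numbers them the way `show access-list` does (remarks count), and evaluates a flow top-down with the interface ACL's implicit deny at the end. `ACL_TEXT` is the answer's own list; `ACL_REVERSED` is a constructed list with the two rules swapped to show what the ordering buys you.

```python
import ipaddress
from dataclasses import dataclass

# Jouni's list, as given in the answer above.
ACL_TEXT = """\
access-list INSIDE-IN remark Block traffic from INSIDE to DMZ
access-list INSIDE-IN deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list INSIDE-IN remark Allow other traffic
access-list INSIDE-IN permit ip 192.168.1.0 255.255.255.0 any
"""
# Constructed: same two rules, wrong order.
ACL_REVERSED = """\
access-list INSIDE-IN permit ip 192.168.1.0 255.255.255.0 any
access-list INSIDE-IN deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""


@dataclass
class Ace:
    line: int            # position as shown by `show access-list`
    action: str          # permit / deny
    proto: str           # ip, tcp, udp, icmp, ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return the ACEs of access-list `name`, skipping remarks but counting them."""
    aces, line_no = [], 0
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 3 or t[:2] != ["access-list", name]:
            continue
        line_no += 1
        idx = 3 if t[2] == "extended" else 2     # show run adds 'extended'
        if t[idx] == "remark":
            continue
        action, proto = t[idx], t[idx + 1]
        src, i = _net(t, idx + 2)
        dst, _ = _net(t, i)
        aces.append(Ace(line_no, action, proto, src, dst))
    return aces


def evaluate(aces, proto, src_ip, dst_ip):
    """First matching ACE decides; an interface ACL ends in an implicit deny.

    Returns (action, line) where line is None for the implicit deny.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, ace.line
    return "deny", None


if __name__ == "__main__":
    flows = [("tcp", "192.168.1.20", "192.168.2.10"),   # inside -> DMZ
             ("tcp", "192.168.1.20", "198.51.100.7"),   # inside -> outside
             ("udp", "10.9.9.9", "198.51.100.7")]       # not an inside source
    for label, text in (("as written", ACL_TEXT), ("reversed", ACL_REVERSED)):
        aces = parse_acl(text, "INSIDE-IN")
        for proto, src, dst in flows:
            print(f"{label}: {proto} {src} -> {dst}: {evaluate(aces, proto, src, dst)}")
```

With the list as written, inside-to-DMZ hits the deny on line 2 and inside-to-outside the permit on line 4; with the rules reversed the DMZ flow is permitted on line 1 and the deny never fires, which is exactly why the `line` keyword matters when you add rules later.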
-
VERY slow Internet connection on SD2008 connected to ASA 5505
I recently bought an SD2008 (2008/11/28) to replace an older Linksys 10/100 switch for my home network. This switch connects to an ASA 5505 to get to the internet. I upgraded since most of my PCs have 10/100/1000 and the new NAS I purchased also connects at 1000, so I wanted more speed internally.
The home network now screams
BUT...
Getting out to the internet has now slowed to a crawl like a "slowski". I used to get 16-18 Mbps using the 10/100 switch. Now I'm lucky to get 1 MB/s download speed.
Any suggestions would be greatly appreciated.
Too bad. I found the answer on a completely different thread that actually worked. I linked the SD2008 to the ASA 5505 with a crossover cable, set the port speed/duplex to AUTO/AUTO, restarted the ASA, and everything was back to normal.
So much for the auto MDI/MDI-X detection...
Hope this helps someone else.
-
Cisco ASA 5505 VPN Site to Site
Hi all
First post on the forums. I have worked with a Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement a site-to-site VPN tunnel. It seems so simple in the many videos I watched on the internet. But when I did it, surprise, it did not work for me... I've removed the tunnels a number of times and tried to recreate them. I use the VPN Wizard in ASDM to create the tunnel. Both ASA 5505s are the same and have the same firmware etc.
I'd appreciate any help that can be directed at this problem please. Slowly losing my mind.
Please see details below:
Both ASDMs are 7.1
IOS
ASA 1
Nadia
:
ASA Version 9.0(1)
!
hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 description Trunk link to SW1
 switchport trunk allowed vlan 1,10,20,30,40
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 92.51.193.158 255.255.255.252
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 nameif servers
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 nameif printers
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan40
 nameif wireless
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
banner login Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
 name-server 83.147.160.2
 name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
 host 192.168.20.21
 description Internal address of the automated report server
object network Report_Server
 host 89.234.126.9
 description Automated reports server
object service RDP
 service tcp destination eq 3389
 description RDP to the server
object network Host_QA_Server
 host 89.234.126.10
 description QA host external address
object network Internal_Host_QA
 host 192.168.20.22
 description Virtual machine host for QA
object network Internal_QA_Web_Server
 host 192.168.20.23
 description Web Server in the QA environment
object network Web_Server_QA_VM
 host 89.234.126.11
 description Web Server in the QA environment
object service SQL_Server
 service tcp destination eq 1433
object network Demo_Server
 host 89.234.126.12
 description Server set up for the product demo
object network Internal_Demo_Server
 host 192.168.20.24
 description Internal IP address of the demo server
object network NETWORK_OBJ_192.168.20.0_24
 subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
 subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0
object service MSSQL
 service tcp destination eq 1434
 description MSSQL port
object network VPN
 subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
object service TS
 service tcp destination eq 4400
object service TS_Return
 service tcp source eq 4400
object network External_QA_3
 host 89.234.126.13
object network Internal_QA_3
 host 192.168.20.25
object network Dev_WebServer
 host 192.168.20.27
object network External_Dev_Web
 host 89.234.126.14
object network CIX_Subnet
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_84.39.233.50
 host 84.39.233.50
object network NETWORK_OBJ_92.51.193.158
 host 92.51.193.158
object network NETWORK_OBJ_192.168.100.0_24
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq ftp
 service-object tcp destination eq netbios-ssn
 service-object tcp destination eq smtp
 service-object object TS
object-group network Payback_Internal
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object object TS
 service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
 service-object object RDP
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
 service-object object MSSQL
 service-object object RDP
 service-object object TS
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_6
 service-object object TS
 service-object object TS_Return
 service-object tcp destination eq www
 service-object tcp destination eq https
access-list outside_access_in remark This rule allows the Internet to the internal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Internal QA host access rule
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to the internal Web server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule allowing access to the demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access to the development Web server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address
logging recipient-address
 level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 84.39.233.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.40.0 255.255.255.0 wireless
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.1
dhcpd auto_config outside
!
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 dns-server value 83.147.160.2 83.147.160.130
 vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
 vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username Éanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Éanna attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username Shane password uYePLcrFadO9pBZx encrypted
username Shane attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username Mark password yruxpddqfyNb.qFn encrypted
username Mark attributes
 service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
 vpn-group-policy Payback_VPN
 service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
 address-pool VPN1
 default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
 default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp error
  inspect icmp
!
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
ASA 2
ASA Version 9.0(1)
!
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 description This port connects to VLAN 100
 switchport access vlan 100
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 100
!
interface Ethernet0/4
 switchport access vlan 100
!
interface Ethernet0/5
 switchport access vlan 100
!
interface Ethernet0/6
 switchport access vlan 100
!
interface Ethernet0/7
 switchport access vlan 100
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 84.39.233.50 255.255.255.240
!
interface Vlan100
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
banner login Welcome to Payback Loyalty - CIX
ftp mode passive
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network CIX-host-1
 host 192.168.100.2
 description This is the VM server host machine
object network External_CIX-host-1
 host 84.39.233.51
 description This is the external IP address of the VM host server
object service RDP
 service tcp source range 1 65535 destination eq 3389
object network Payback_Office
 host 92.51.193.158
object service MSQL
 service tcp destination eq 1433
object network Development_OLTP
 host 192.168.100.10
 description VM for Eiresoft
object network External_Development_OLTP
 host 84.39.233.52
 description This is the external IP address for the Eiresoft virtual machine
object network Eiresoft
 host 146.66.160.70
 description Contractor s/n
object network External_TMC_Web
 host 84.39.233.53
 description Public address for the TMC Web server
object network TMC_Webserver
 host 192.168.100.19
 description Internal address of the TMC Webserver
object network External_TMC_OLTP
 host 84.39.233.54
 description External TMC OLTP IP
object network TMC_OLTP
 host 192.168.100.18
 description Internal TMC OLTP IP address
object network External_OLTP_Failover
 host 84.39.233.55
 description Public IP of the OLTP failover
object network OLTP_Failover
 host 192.168.100.60
 description OLTP failover server
object network servers
 subnet 192.168.20.0 255.255.255.0
object network wired
 subnet 192.168.10.0 255.255.255.0
object network wireless
 subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
 host 137.117.217.29
 description 2nd Eiresoft IP
object network Dev_Test_Webserver
 host 192.168.100.12
 description Internal address of the Dev Test Web Server
object network External_Dev_Test_Webserver
 host 84.39.233.56
 description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object object MSQL
 service-object object RDP
object-group service DM_INLINE_SERVICE_2
 service-object object MSQL
 service-object object RDP
object-group service DM_INLINE_SERVICE_3
 service-object object MSQL
 service-object object RDP
object-group service DM_INLINE_SERVICE_4
 service-object object MSQL
 service-object object RDP
 service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_5
 service-object object MSQL
 service-object object RDP
 service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
 service-object object MSQL
 service-object object RDP
object-group network Payback_Intrernal
 network-object object servers
 network-object object wired
 network-object object wireless
object-group service DM_INLINE_SERVICE_7
 service-object object MSQL
 service-object object RDP
object-group service DM_INLINE_SERVICE_8
 service-object object MSQL
 service-object object RDP
object-group service DM_INLINE_SERVICE_9
 service-object object MSQL
 service-object object RDP
object-group service DM_INLINE_SERVICE_10
 service-object object MSQL
 service-object object RDP
 service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_11
 service-object object RDP
 service-object tcp destination eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1
access-list outside_access_in remark Payback Office to Development OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in remark Eiresoft access
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Payback Office access to TMC OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark Allowing Eiresoft access to the OLTP failover server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
access-list outside_access_in remark Access for the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static CIX-host-1 External_CIX-host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 92.51.193.156 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 92.51.193.158
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES AES192 AES256 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 92.51.193.156 255.255.255.252 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
 vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
 default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: end
Hello
There are some clear problems I see at a quick glance. These are not related to the actual VPN configuration but rather to the NAT configurations.
All your NAT configurations in the CLI format above are configured as Manual NAT / Twice NAT in Section 1. This means that the ASA's NAT configurations have all been added to the same section of the NAT configurations, and the ordering of the NAT rules inside this section is the cause of the problem for the L2L VPN connection, at least for some of the traffic.
Here are a few suggestions on what to change:
ASA1
Minimal changes
object network LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
no nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
What the above does is first of all create 'object's that contain the local LAN and the remote LAN. Then it creates a NAT0 rule and adds it to the top of the NAT rules (number 1). This is essentially at least one of the problems preventing the VPN from working or traffic from crossing it.
Finally, we remove the old rule that ASDM generated. It would do the same thing if it were moved to the top, but I generally find creating 'object's with descriptive names easier on the eyes in the long term.
Other suggestions
These changes are not necessary with regard to the L2L VPN. Here are some suggestions on how to clean up part of the NAT configurations.
object-group network PAT-SOURCE
 description Internal PAT source networks
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
no nat (inside,outside) source dynamic any interface
no nat (wireless,outside) source dynamic any interface
no nat (servers,outside) source dynamic any interface
The above configuration creates an 'object-group' that lists all the internal networks for which you have dynamic PAT configured so far. It then uses the 'object-group' in a single 'nat' command to handle the dynamic PAT for all internal networks (with the exception of the printers, which had none in the first place). Then we remove the old dynamic PAT configurations.
The 'nat' command contains 'after-auto' because it moves this 'nat' configuration to the bottom of the NAT rules. For this reason it is less likely to cause problems in the future.
object network SERVERS
 subnet 192.168.20.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0
nat (servers,outside) 2 source static SERVERS SERVERS destination static VPN-POOL VPN-POOL
no nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
The above configuration is supposed to create a NAT0 configuration for traffic between the server network and the VPN client pool. To my knowledge the old configuration that we remove is not used, because the traffic would have matched the dynamic PAT rule for the servers first, rather than this rule which is later in the NAT configurations, and so it would not be handled.
no nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
It seems to me that the network 192.168.1.0/24 is not configured anywhere in your network. Therefore, the above 'nat' configuration seems useless and can be deleted. If I missed something and it is in use, then of course do not remove it.
ASA2
Minimal changes
object network LAN
 subnet 192.168.100.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
What the above does is first of all create 'object's that contain the local LAN and the remote LAN. Then it creates a NAT0 rule and adds it to the top of the NAT rules (number 1). This is essentially at least one of the problems preventing the VPN from working or traffic from crossing it.
Finally, we remove the old rule that ASDM generated.
Other suggestions
object-group network PAT-SOURCE
 network-object 192.168.100.0 255.255.255.0
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
no nat (inside,outside) source dynamic any interface
The above configuration is supposed to do the same thing as on the other ASA. Although, given that this network contains only a single subnet, it does not clean up the existing 'nat' configurations that much. But the order of the 'nat' configurations is changed to avoid further problems with the NAT order.
no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
It seems to me that the network 192.168.1.0/24 is not configured anywhere in your network. Therefore, the above 'nat' configuration seems useless and can be deleted. If I missed something and it is in use, then of course do not remove it.
I would suggest trying the NAT0 configuration changes related to the L2L VPN first and testing traffic. Once that gets connectivity working, then you could consider changing the other NAT configurations. There are other things that could also be changed regarding the static NAT for the servers, but that is probably better left for another time.
Hope this makes sense and has helped.
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
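The answer above hinges on the order in which the ASA walks its manual NAT rules: Section 1 top-down, then object NAT, then Section 3 ('after-auto'). The Python below is an added illustration, not code from the thread or from Cisco: it parses a few 'object network', 'object-group network' and 'nat' lines, rebuilds the evaluation order (an explicit line number inserts at that position, 'after-auto' moves a rule to Section 3), and reports which rule a given flow would hit. The two config fragments inside it are constructed to mirror the thread (ASDM-style NAT0 below the dynamic PAT, then the cleaned-up layout) and are not the poster's full config; object NAT (Section 2) is deliberately not modelled.

```python
"""Which manual NAT rule does an ASA (8.3+) apply to a flow?  Added example.

The ASA walks Section 1 (manual NAT) top-down, then Section 2 (object NAT,
not modelled here), then Section 3 (manual NAT entered with 'after-auto').
A dynamic PAT rule sitting above the identity (NAT0) rule in Section 1 wins
first, so the L2L traffic is PAT'ed and never enters the tunnel.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) (?:(\d+) )?(after-auto )?source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?"
)


@dataclass
class NatRule:
    text: str
    section: int             # 1 = manual NAT, 3 = manual NAT after-auto
    kind: str                # "static" (the NAT0 rule here) or "dynamic" (PAT)
    real_src: str            # object / object-group name, or "any"
    real_dst: Optional[str]  # None when the rule has no destination clause


def parse_objects(cfg: str) -> dict:
    """Map 'object network' / 'object-group network' names to their networks.
    Handles subnet, host and network-object members (enough for this thread)."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        head = re.match(r"^object(?:-group)? network (\S+)", line)
        if head:
            cur = objs.setdefault(head.group(1), [])
            continue
        if not line.startswith(" "):
            cur = None                      # left the object stanza
            continue
        m = re.match(r"^ (?:subnet|network-object) (\S+) (\S+)$", line)
        if m and cur is not None:
            cur.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        m = re.match(r"^ host (\S+)$", line)
        if m and cur is not None:
            cur.append(ipaddress.ip_network(m.group(1)))
    return objs


def parse_nat(cfg: str) -> list:
    """Return manual NAT rules in the order the ASA evaluates them."""
    section1, section3 = [], []
    for line in cfg.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        pos, after_auto, kind, real_src, real_dst = m.group(3, 4, 5, 6, 8)
        rule = NatRule(line, 3 if after_auto else 1, kind, real_src, real_dst)
        bucket = section3 if after_auto else section1
        if pos:                             # explicit line number: insert there
            bucket.insert(int(pos) - 1, rule)
        else:
            bucket.append(rule)
    return section1 + section3


def _covers(name: str, ip, objs: dict) -> bool:
    return name == "any" or any(ip in net for net in objs.get(name, []))


def first_nat_match(cfg: str, src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """First manual NAT rule matching src -> dst, i.e. the one the ASA applies."""
    objs = parse_objects(cfg)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in parse_nat(cfg):
        if _covers(rule.real_src, src, objs) and (
            rule.real_dst is None or _covers(rule.real_dst, dst, objs)
        ):
            return rule
    return None


# Constructed fragments modelled on the thread (not the poster's actual config).
# ASDM_STYLE: the NAT0 rule ended up *below* the dynamic PAT rule in Section 1.
ASDM_STYLE = """\
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
"""

# CLEANED_UP: NAT0 forced to line 1, PAT moved to Section 3 with after-auto.
CLEANED_UP = """\
object network LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.100.0 255.255.255.0
object-group network PAT-SOURCE
 network-object 192.168.10.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
"""

if __name__ == "__main__":
    for label, cfg in (("ASDM style", ASDM_STYLE), ("cleaned up", CLEANED_UP)):
        hit = first_nat_match(cfg, "192.168.10.5", "192.168.100.7")
        print(f"{label}: L2L flow hits the section {hit.section} {hit.kind} rule")
```

Run it against a sanitized 'show run' to see whether the VPN-bound flow lands on the identity rule or is swallowed by PAT first.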
-
I can't boot my Cisco ASA 5505
Hello,
I am facing a problem with my Cisco ASA 5505 firewall. When I connect my console cable to the firewall, the firewall starts loading and stops at the copyright notice. I can't access the firewall to view the configuration. I also started it in ROMMON but I am facing the same problem. Does anyone have an idea about this problem and can help me?
Please, it's so urgent!
Hello
What version of software is on the ASA and how much memory is on the device?
Thank you
John
-
ASA 5505 VPN established, cannot access the inside network
Hi, I recently got an ASA 5505, and I spent weeks finding a way to set up a VPN on it.
After a few days, I finally found the solution to connect to my ASA with a VPN client, yet I cannot access devices that are connected to the ASA.
Here is my config:
ASA Version 8.2(5)
!
hostname asa01
domain-name kevinasa01.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan5
 no nameif
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name kevinasa01.net
same-security-traffic permit intra-interface
access-list Remote_Kevin_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list nonat-in extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.254.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.254.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.254.0 255.255.255.0
nat (inside) 0 access-list nonat-in
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Remote_Kevin internal
group-policy Remote_Kevin attributes
 dns-server value 192.168.1.12 192.168.1.13
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote_Kevin_splitTunnelAcl
 default-domain value kevinasa01.net
username kevin password mz6JxJib/sQqvsw9 encrypted privilege 0
username kevin attributes
 vpn-group-policy Remote_Kevin
tunnel-group Remote_Kevin type remote-access
tunnel-group Remote_Kevin general-attributes
 address-pool pool
 default-group-policy Remote_Kevin
tunnel-group Remote_Kevin ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2bb1da52d1993eb9b13c2f6dc97c16cd
: end
Thank you
Hello
I read your message quickly on my cell phone. I don't know why you have pasted your config twice. Maybe a typo issue.
I see the nonat acl is the wrong way round. I mean 192.168.254 is your VPN pool and 192.168.1.0 your local LAN.
The acl must be:
access-list nonat-in extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
For nat (inside), you have 2 lines:
nat (inside) 1 192.168.1.0 255.255.255.0 ==> it is redundant, as the one below does the same thing with more networks if there are more on the inside side. You can delete it.
nat (inside) 1 0.0.0.0 0.0.0.0
Why are you doing this nat (outside)?
nat (outside) 1 192.168.254.0 255.255.255.0
These are the first issues that I have seen reading through my mobile. Let's change this and let me know. I'll take a look later with a computer (tonight or tomorrow).
Thank you.
PS: Please do not forget to rate and mark as the correct answer if this solves your problem.
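The direction of the 8.2-style NAT exemption ACL, as the reply above points out, is read from the interface the 'nat (ifc) 0 access-list' command is attached to: source is the LAN behind that interface, destination is the far side. As an added illustration (not the responder's code), this Python parses such a fragment, learns the interface subnets and the 'ip local pool', and reports whether each exemption entry is written from the interface's own side or reversed. The config fragment inside it is constructed from the lines posted in this thread; the ACL name nonat-in is assumed.

```python
import ipaddress
import re


def _network(addr: str, mask: str):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_interfaces(cfg: str) -> dict:
    """nameif -> connected subnet, for interfaces with a static 'ip address A M'."""
    ifaces, name, net = {}, None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = net = None               # new interface stanza
            continue
        if m := re.match(r"^ nameif (\S+)", line):
            name = m.group(1)
        if m := re.match(r"^ ip address (\d[\d.]*) (\d[\d.]*)", line):  # 'dhcp' is skipped
            net = _network(m.group(1), m.group(2))
        if name and net:
            ifaces[name] = net
    return ifaces


def parse_pools(cfg: str) -> list:
    """Networks covered by 'ip local pool NAME A-B mask M'."""
    return [_network(m.group(1), m.group(2)) for m in
            (re.match(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", ln)
             for ln in cfg.splitlines()) if m]


def _operand(toks: list, i: int):
    """Parse one ACL address operand (any | host A | A M); return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    return _network(toks[i], toks[i + 1]), i + 2


def parse_acl(cfg: str, name: str) -> list:
    """(source, destination) network pairs of the 'permit ip' entries in ACL `name`."""
    pairs = []
    for line in cfg.splitlines():
        if m := re.match(rf"^access-list {re.escape(name)} extended permit ip (.+)$", line):
            toks = m.group(1).split()
            src, i = _operand(toks, 0)
            dst, _ = _operand(toks, i)
            pairs.append((src, dst))
    return pairs


def check_nat0(cfg: str) -> list:
    """One (acl, src, dst, verdict) per exemption entry: 'ok', 'reversed' or 'unexpected'."""
    ifaces, pools, out = parse_interfaces(cfg), parse_pools(cfg), []

    def in_pool(net):
        return any(net.subnet_of(p) for p in pools)

    for line in cfg.splitlines():
        m = re.match(r"^nat \((\S+)\) 0 access-list (\S+)", line)
        if not m:
            continue
        ifc, acl = m.groups()
        lan = ifaces.get(ifc)               # subnet behind the interface the nat 0 is on
        for src, dst in parse_acl(cfg, acl):
            if lan and src.subnet_of(lan) and in_pool(dst):
                verdict = "ok"              # local LAN -> VPN pool, as seen from 'inside'
            elif lan and in_pool(src) and dst.subnet_of(lan):
                verdict = "reversed"        # written from the VPN client's side
            else:
                verdict = "unexpected"
            out.append((acl, str(src), str(dst), verdict))
    return out


# Constructed fragment modelled on the thread, not the poster's full config.
POSTED = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
access-list nonat-in extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
nat (inside) 0 access-list nonat-in
"""
# The same fragment with the ACL written from the inside interface's point of view.
FIXED = POSTED.replace(
    "permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0",
)
```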
-
ASA 5505 possibly interfering with/blocking inbound calls to UC560
All,
We have had this problem with the phones whenever we lose connectivity for whatever reason. Here is an example:
We have an ASA 5505 in front of our UC560. The primary ASA lost power (power connector from the main board loose); the backup had an identical config. The layout is the following:
UC560 <---> ASA 5505 <---> Cisco IAD24523 <---> (provider) <--- WAN (3 bonded)
After swapping the ASAs, incoming calls have been spotty. I can see the traffic on the firewall when the calls come in, nothing otherwise. The OS on the devices are:
UC560 - 15.0 XA (1r).
ASA 5505 - 9.0(4)38
Contacted the provider, and after debugging, support found the calls have been timing out with the SIP 408 error.
Likewise with support from Cisco: after debugging, the UC is throwing the SIP 487 disconnect error.
So based on the above, and the only variable being the ASA, I'm fairly certain that it is indeed the ASA. Here is the ASA config (it's pretty long, sorry):
Output of the command: "show run".
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.0(4)38
!
hostname XXXXX-CA
enable password WUGxGkjzJJSPhT9N encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd WUGxGkjzJJSPhT9N encrypted
names
dns-guard
ip local pool XXXXX-Remote 192.168.254.1-192.168.254.25 mask 255.255.255.0
!
interface Ethernet0/0
 description -> Internet
 switchport access vlan 2
!
interface Ethernet0/1
 description -> Inside
 switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 description -> Internet
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.242 255.255.255.240
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
banner exec * W A R N I N G *
banner exec Unauthorized access prohibited. All access is
banner exec monitored, and intruders will be prosecuted
banner exec to the extent of the law.
banner login * W A R N I N G *
banner login Unauthorized access prohibited. All access is
banner login monitored, and intruders will be prosecuted
banner login to the extent of the law.
banner motd ! ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY !
banner motd This is a private computer system.
banner motd Access is permitted only to authorized employees or agents of the
banner motd company.
banner motd The system may be used only for authorized company business.
banner motd Company management approval is required for all access privileges.
banner motd This system is equipped with a security system designed to prevent
banner motd and record unauthorized access attempts.
banner motd
banner motd Unauthorized access or use is a crime under the law.
banner asdm XXXXX Enterprises Inc. $(hostname)
boot system disk0:/asa904-38-k8.bin
boot system disk0:/asa904-29-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
same-security-traffic permit intra-interface
object network obj-voip-network
 subnet 10.1.1.0 255.255.255.0
object network obj-192.168.254.0
 subnet 192.168.254.0 255.255.255.0
 description local address pool
object network obj-cue-network
 subnet 10.1.10.0 255.255.255.0
object network obj-priv-network
 subnet 192.168.10.0 255.255.255.0
object network obj-data-network
 subnet 10.0.1.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 description not used
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 description not used
object network obj-nj-asa-private-network
 subnet 192.168.2.0 255.255.255.0
object network obj-?-asa-private-network
 subnet 192.168.5.0 255.255.255.0
object network obj-?-asa-private-network
 subnet 192.168.6.0 255.255.255.0
object network obj-?-asa-private-network
 subnet 192.168.3.0 255.255.255.0
object network obj-?-asa-priv-networl
 subnet 192.168.4.0 255.255.255.0
object network obj-?-asa-private-network
 subnet 192.168.7.0 255.255.255.0
object network obj-asa-inside-voip-nic
 host 10.1.1.1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj-vpn-nic
 host 192.168.10.20
object network obj-XXXX-asa-private-network
 subnet 192.168.8.0 255.255.255.0
 description XXXX's house
object network obj-?-asa-private-network
 subnet 192.168.9.0 255.255.255.0
object network asa-data-inside-network
 subnet 10.0.1.0 255.255.255.0
object network asa-data-outside-network
 subnet XXX.XXX.XXX.240 255.255.255.240
object network china-education-and-research-network-center
 host 202.194.158.191
 description explicitly blocked in ACL
object network china-unicom-shandong-network
 subnet 60.214.232.0 255.255.255.0
 description explicitly blocked in ACL
object network pbx-cue-inside-nic
 host 10.1.10.2
object network pbx-cue-outside-nic
 host 10.1.10.1
object network telepacific-voip-trunk
 host 64.60.66.250
 description no longer used
object network us-la-mianbaodianying
 host 68.64.168.46
 description explicitly blocked in ACL
object network cue-network
 subnet 10.1.10.0 255.255.255.0
object network data-private-network
 subnet 192.168.10.0 255.255.255.0
object network pbx-data-outside-nic
 host 10.0.1.2
object network pbx-voip-inside-nic
 host 10.1.1.1
object network voip-network
 subnet 10.1.1.0 255.255.255.0
object network vpn-server-nic
 host 192.168.10.20
object network asa-data-outside-nic
 host XXX.XXX.XXX.242
object network asa-voip-ctl-outside-nic
 host XXX.XXX.XXX.244
object network 192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 description not used
object network 192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 description not used
object network nj-asa-priv-netowrk
 subnet 192.168.2.0 255.255.255.0
object network 192.168.254.0
 subnet 192.168.254.0 255.255.255.0
 description local address pool
object network ?-asa-private-network
 subnet 192.168.3.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.4.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.5.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.6.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.7.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.9.0 255.255.255.0
object network XXXX-asa-private-network
 subnet 192.168.8.0 255.255.255.0
object network XXX.XXX.XXX.242
 host XXX.XXX.XXX.242
object service 47
 service tcp source eq 47 destination eq 47
object network dvr
 host 192.168.10.16
object network dvr-nat-tcp8888
 host 192.168.10.16
object network dvr-nat-tcp6036
 host 192.168.10.16
object network dvr-nat-udp6036
 host 192.168.10.16
object service dvr-8888
 service tcp destination eq 8888
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service dvr-6036 tcp-udp
 port-object eq 6036
access-list testout extended permit ip object pbx-data-outside-nic any4 inactive
access-list testout extended permit ip any4 object pbx-data-outside-nic inactive
access-list testout extended permit ip object asa-voip-ctl-outside-nic any4 inactive
access-list testout extended permit ip any4 object asa-voip-ctl-outside-nic inactive
access-list XXXXX-Remote_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0
access-list XXXXX-Remote_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list XXXXX-Remote_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0
access-list XXXXX-Remote_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object voip-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object cue-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object data-private-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object voip-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object cue-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object data-private-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object voip-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object cue-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object data-private-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object voip-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object cue-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object data-private-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object cue-network object XXXX-asa-private-network
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object XXXX-asa-private-network
access-list inside_nat0_outbound extended permit ip object voip-network object XXXX-asa-private-network
access-list inside_nat0_outbound extended permit ip object data-private-network object XXXX-asa-private-network
access-list ezvpn1 standard permit 192.168.10.0 255.255.255.0
access-list ezvpn1 standard permit 10.1.10.0 255.255.255.0
access-list ezvpn1 standard permit 10.0.1.0 255.255.255.0
access-list ezvpn1 standard permit 10.1.1.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.0.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.1.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.2.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.3.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.4.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.5.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.6.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.7.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.8.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.9.0 255.255.255.0
access-list capout extended permit udp object asa-data-outside-nic object telepacific-voip-trunk inactive
access-list capout extended permit udp object telepacific-voip-trunk object asa-data-outside-nic inactive
access-list capture extended permit ip object pbx-cue-outside-nic object nj-asa-priv-netowrk
access-list capture extended permit ip object pbx-cue-inside-nic object nj-asa-priv-netowrk
access-list capture extended permit ip object pbx-cue-outside-nic object ?-asa-private-network
access-list capture extended permit ip object pbx-cue-inside-nic object ?-asa-private-network
access-list capture extended permit ip object nj-asa-priv-netowrk object pbx-cue-outside-nic
access-list capture extended permit ip object nj-asa-priv-netowrk object pbx-cue-inside-nic
access-list capture extended permit ip object ?-asa-private-network object pbx-cue-outside-nic
access-list capture extended permit ip object ?-asa-private-network object pbx-cue-inside-nic
access-list ciscotest extended permit ip object voip-network host 192.168.5.41 inactive
access-list ciscotest extended permit ip host 192.168.5.41 object voip-network inactive
access-list ciscotest extended permit ip object voip-network host 192.168.5.43 inactive
access-list ciscotest extended permit ip host 192.168.5.43 object voip-network inactive
access-list out_in remark remote access attempted
access-list out_in extended deny ip object china-unicom-shandong-network any4
access-list out_in remark remote access attempted
access-list out_in extended deny ip object us-la-mianbaodianying any4
access-list out_in extended deny udp object china-education-and-research-network-center object pbx-voip-inside-nic eq sip
access-list out_in extended permit icmp any4 object vpn-server-nic
access-list out_in extended permit tcp any4 object vpn-server-nic eq pptp
access-list out_in extended permit tcp any4 object vpn-server-nic eq 47
access-list out_in extended permit gre any4 object vpn-server-nic
access-list out_in extended permit icmp any4 object pbx-voip-inside-nic
access-list out_in extended permit udp any4 object pbx-voip-inside-nic eq tftp
access-list out_in extended permit tcp any4 object pbx-voip-inside-nic eq h323
access-list out_in extended permit udp any4 object pbx-voip-inside-nic eq sip
access-list out_in remark outside-to-inside HTTPS access
access-list out_in extended permit tcp any4 object data-private-network eq https
access-list outside_access_in extended permit icmp host 192.168.10.20 any4
access-list outside_access_in extended permit tcp host 192.168.10.20 any4 eq pptp
access-list outside_access_in extended permit object 47 any4 host 192.168.10.20
access-list outside_access_in extended permit gre any4 host 192.168.10.20
access-list outside_access_in extended permit tcp any object dvr object-group dvr-6036
access-list outside_access_in extended permit udp any object dvr object-group dvr-6036
access-list outside_access_in extended permit object dvr-8888 any object dvr
access-list outside_access_in extended permit icmp any4 host 10.1.1.1
access-list outside_access_in extended permit udp host 10.1.1.1 any4 eq tftp
access-list outside_access_in extended permit tcp host 10.1.1.1 any4 eq h323
access-list outside_access_in extended permit udp any4 host 10.1.1.1 eq sip
access-list outside_access_in remark incoming https
access-list outside_access_in extended permit tcp any4 192.168.10.0 255.255.255.0 eq https
pager lines 24
logging enable
logging buffer-size 1048576
logging monitor debugging
logging buffered debugging
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging flash-bufferwrap
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.10.20 4432
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 3 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit host 75.140.0.86 outside
icmp permit any inside
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-private-network obj-private-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-data-network obj-data-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-private-network obj-private-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-data-network obj-data-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
!
object network obj-asa-inside-voip-nic
 nat (inside,outside) static XXX.XXX.XXX.244
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_any-01
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj-vpn-nic
 nat (inside,outside) static XXX.XXX.XXX.254
object network dvr-nat-tcp8888
 nat (inside,outside) static interface service tcp 8888 8888
object network dvr-nat-tcp6036
 nat (inside,outside) static interface service tcp 6036 6036
object network dvr-nat-udp6036
 nat (inside,outside) static interface service udp 6036 6036
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.241 1
route inside 10.1.1.0 255.255.255.0 10.0.1.2 1
route inside 10.1.10.0 255.255.255.252 10.0.1.2 1
route inside 192.168.10.0 255.255.255.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 192.168.254.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server group Authentication&Encryption v3 priv
snmp-server group No_Authentication_No_Encryption v3 noauth
snmp-server host inside 192.168.10.20 community *****
snmp-server location Ontario, CA
snmp-server contact [email protected]
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map myDYN-map 5 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map myMAP 65535 ipsec-isakmp dynamic myDYN-map
crypto ca trustpoint CAP-RTP-001_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_0
 enrollment self
 fqdn none
 subject-name cn="_internal_ctl_phoneproxy_file_SAST_0";ou="STG";o="Cisco Inc."
 keypair _internal_ctl_phoneproxy_file_SAST_0
 crl configure
crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_1
 enrollment self
 fqdn none
 subject-name cn="_internal_ctl_phoneproxy_file_SAST_1";ou="STG";o="Cisco Inc."
 keypair _internal_ctl_phoneproxy_file_SAST_1
 crl configure
crypto ca trustpoint _internal_PP_ctl_phoneproxy_file
 enrollment self
 fqdn none
 subject-name cn="_internal_PP_ctl_phoneproxy_file";ou="STG";o="Cisco Inc."
 keypair _internal_PP_ctl_phoneproxy_file
 crl configure
crypto ca trustpoint Cisco-Mfg-CA
 enrollment terminal
 crl configure
crypto ca trustpoint phoneproxy_trustpoint
 enrollment self
 fqdn XXXXXXXXXX.com
 subject-name CN=XXXXXX-ASA
 keypair phoneproxy_trustpoint
 crl configure
crypto ca trustpool policy
crypto ca certificate chain CAP-RTP-001_trustpoint
 certificate ca 7612f960153d6f9f4e42202032b72356
 quit
crypto ca certificate chain CAP-RTP-002_trustpoint
 certificate ca 353fb24bd70f14a346c1f3a9ac725675
 quit
crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_0
 certificate e1aee24c
 quit
crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_1
 certificate e4aee24c
 quit
crypto ca certificate chain _internal_PP_ctl_phoneproxy_file
 certificate e8aee24c
 quit
crypto ca certificate chain Cisco-Mfg-CA
 certificate ca 6a6967b3000000000003
 quit
crypto ca certificate chain phoneproxy_trustpoint
 certificate 83cbe64c
 quit
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
priority-queue outside
 tx-ring-limit 256
!
tls-proxy maximum-session 24
!
!
tls-proxy tls_proxy
 server trust-point _internal_PP_ctl_phoneproxy_file
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 73.200.75.244
!
media-termination asdm_media_termination
 address XXX.XXX.XXX.245 interface outside
 address 10.0.1.245 interface inside
!
phone-proxy asdm_phone_proxy
 media-termination asdm_media_termination
 tftp-server address 10.1.1.1 interface inside
 tls-proxy tls_proxy
 no disable service-settings
 proxy-server address XXX.XXX.xxx.242 80 interface outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.10.60 source inside
group-policy myGROUP internal
group-policy myGROUP attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn1
 nem enable
group-policy XXXXX/remote internal
group-policy XXXXX/remote attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXXX-Remote_splitTunnelAcl
username fstorm password EICAA5sjaiU.vh05 encrypted privilege 15
username fstorm attributes
 service-type remote-access
username ciscotac password PPfytzRN94JBZlXh encrypted privilege 0
username cisco password omWHH15zt6aLxWSr encrypted privilege 15
username cisco attributes
 service-type remote-access
username XXXXXu8 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu8 attributes
 service-type remote-access
username uniadmin password G72KWXo/GsACJLJ7 encrypted privilege 15
username XXXXXU1 password rmZe1Ee0HeReQn6N encrypted privilege 0
username XXXXXU1 attributes
 vpn-group-policy XXXXX/remote
 service-type remote-access
username XXXXXu3 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu3 attributes
 service-type remote-access
username XXXXXu2 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu2 attributes
 service-type remote-access
username XXXXXu5 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu5 attributes
 service-type remote-access
username XXXXXu4 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu4 attributes
 service-type remote-access
username XXXXXu7 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu7 attributes
 service-type remote-access
username XXXXXu6 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu6 attributes
 service-type remote-access
tunnel-group XXXXX/remote type remote-access
tunnel-group XXXXX/remote general-attributes
 address-pool XXXXX/remote
 default-group-policy XXXXX/remote
tunnel-group XXXXX/remote ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group mytunnel type remote-access
tunnel-group mytunnel general-attributes
 default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map CM-VOICE-SIGNAL
 match dscp af31
class-map outside-phoneproxy
 match port tcp eq 2443
class-map inspection_default
 match default-inspection-traffic
class-map data
 match flow ip destination-address
 match tunnel-group mytunnel
class-map CM-VOICE
 match dscp ef
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
 class class-default
  user-statistics accounting
  flow-export event-type all destination 192.168.10.20
policy-map outside-policy
 class outside-phoneproxy
  inspect skinny phone-proxy asdm_phone_proxy
 class CM-VOICE
  priority
 class CM-VOICE-SIGNAL
  priority
policy-map global-policy
!
service-policy global_policy global
smtp-server 207.46.163.138
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:8bb3014c2a6deba7c80e5f897b3d34cb
: end

If someone could give a clue as to what could be the problem, I would appreciate it.
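Independently of the routing question, the posted config carries a few settings a reviewer would flag: `http 0.0.0.0 0.0.0.0 outside` (ASDM/HTTPS management reachable from any address on the Internet-facing interface), `ssh 0.0.0.0 0.0.0.0 inside`, an SNMPv3 group that allows `noauth`, and DES/3DES/MD5 with DH group 2 in the IKEv1 policies and transform sets. The script below is an added example, not part of the poster's configuration or of any Cisco tool: it lints a sanitized ASA running-config for exactly these patterns. The sample lines are excerpted from the config above (the XXX octets are the poster's own redactions); the "weak" lists and the severities are this example's own assumptions, not anything the thread states.

```python
"""Lint a sanitized ASA running-config for management exposure and weak IKEv1/IPsec
settings. Added example; not part of the posted config or any Cisco tool."""

# Constructed sample: lines excerpted from the sanitized config posted above.
# Everything else in that config (NAT, phone-proxy, users, ...) is out of scope here.
SAMPLE_CONFIG = """\
http server enable
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
snmp-server group Authentication&Encryption v3 priv
snmp-server group No_Authentication_No_Encryption v3 noauth
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Assumed "weak" sets (this example's policy, not the page's): DES/3DES and MD5 are
# deprecated, and DH groups 1/2 (768/1024-bit MODP) are below current minimums.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
MGMT_PROTOCOLS = {"http", "ssh", "telnet"}


def audit(config_text):
    """Return a list of (severity, message) findings for the given config text."""
    findings = []
    policy = None  # name of the 'crypto ikev1 policy' sub-mode we are inside, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            policy = None  # any top-level command leaves the policy sub-mode
        parts = line.split()
        if line.startswith("crypto ikev1 policy "):
            policy = parts[3]
        elif policy and parts[0] in WEAK_IKE and parts[1] in WEAK_IKE[parts[0]]:
            findings.append(("medium", f"ikev1 policy {policy}: {parts[0]} {parts[1]}"))
        elif (parts[0] in MGMT_PROTOCOLS and len(parts) == 4
              and parts[1] == "0.0.0.0" and parts[2] == "0.0.0.0"):
            # 'http|ssh|telnet 0.0.0.0 0.0.0.0 <if>' admits management from any source
            severity = "high" if parts[3] == "outside" else "medium"
            findings.append((severity, f"{parts[0]} management open to any source on {parts[3]}"))
        elif (parts[0] == "snmp-server" and len(parts) >= 5
              and parts[1] == "group" and "noauth" in parts):
            findings.append(("medium", f"SNMPv3 group {parts[2]} allows noauth"))
        elif line.startswith("crypto ipsec ikev1 transform-set "):
            # parts[4] is the set name, parts[5:] the ESP transforms it selects
            weak = sorted(WEAK_ESP.intersection(parts[5:]))
            if weak:
                findings.append(("medium", f"transform-set {parts[4]} uses {', '.join(weak)}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against `show running-config` output saved to a file (feed the file's text to `audit`); the one `high` finding on the sample is the any-source `http` entry on `outside`, which the poster can tighten to the management subnets already listed for `inside`.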
Glad you were able to solve the problem! Also, thank you for taking the time to come back and post the solution here (+5 from me)!
Now, given that your issue is resolved, you should mark the thread as "answered" :)
Thank you for rating helpful posts!
-
ASA 5505 factory reset when it restarts
I have an ASA 5505 that resets to factory defaults whenever it restarts. I write to memory each time, but as soon as the power is cut, or I reload it, it comes back up as "ciscoasa" with the default settings. Anyone know what would cause this?
Thank you
Hello
I wonder if your ASA's configuration register value has been set so that it boots without loading the startup configuration.
Can you check the output of the command 'show version' and copy/paste the line starting with 'Configuration register is...' here.
-Jouni
-
Save the configuration to ASA 5505
Hi all, I have this problem: I save the configuration on the ASA 5505 using 'write memory' or using 'copy run start', but when I unplug the power cord and plug it back in, the ASA comes up with its factory default configuration... so what I do is a 'copy start run' to get the active configuration back...
Why is that? Even though I saved the config to flash... greetings!
You have a bad config register:
Please follow this document:
http://www.Cisco.com/en/us/docs/security/ASA/asa71/configuration/guide/trouble.html#wp1062992
You must set it to the default value 0x1
___
HTH. Please rate this post if it has been helpful. If it solves your problem, please mark this message as "correct answer".
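Both of the "config is gone after a reboot" threads above come down to the same check: the configuration register. The following Python snippet is an added example (not from either answer, and not a Cisco tool) that parses the `Configuration register is ...` line of `show version` output, tests the bit that makes the ASA ignore its startup configuration, and returns the commands needed to put the register back to the default 0x1. It assumes that bit 0x40 is the ignore-startup-config bit (the documented password-recovery procedure sets 0x41 for exactly this reason) and that, after a pending change, the line carries a `(will be 0x... at next reload)` suffix; the sample output is constructed.

```python
"""Decode the configuration register from ASA 'show version' output.
Added example; not from either answer above or from Cisco."""
import re

# Bit 0x40 of the ASA configuration register makes the box ignore the startup
# configuration at boot. Password recovery sets 0x41 and expects you to restore
# the default 0x1 afterwards. (Assumption stated in the lead-in.)
IGNORE_STARTUP_BIT = 0x40
DEFAULT_REGISTER = 0x1

# Constructed sample: only the relevant lines of 'show version' are reproduced.
SHOW_VERSION_SAMPLE = """\
Cisco Adaptive Security Appliance Software Version 9.1(2)
Configuration register is 0x41
"""

# The optional suffix is printed after 'config-register' has been changed but the
# box has not reloaded yet (assumed to match the IOS wording).
_REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def config_register(show_version_text):
    """Return (current, pending) register values; pending is None if unchanged."""
    m = _REGISTER_RE.search(show_version_text)
    if not m:
        raise ValueError("no 'Configuration register is ...' line in output")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def diagnose(show_version_text):
    """Say whether the next boot will load startup-config, and how to fix it if not."""
    current, pending = config_register(show_version_text)
    effective = pending if pending is not None else current
    ignores = bool(effective & IGNORE_STARTUP_BIT)
    return {
        "current": hex(current),
        "next_reload": hex(effective),
        "ignores_startup_config": ignores,
        # 'config-register' takes effect at the next reload; 'write memory' then
        # makes sure the running config is in the startup-config that will be loaded.
        "fix": [f"config-register {hex(DEFAULT_REGISTER)}", "write memory"] if ignores else [],
    }


if __name__ == "__main__":
    print(diagnose(SHOW_VERSION_SAMPLE))
```

Paste the real `show version` output into `diagnose`; a result with `ignores_startup_config` set to `True` is the symptom described in both threads, and the `fix` list is the two commands to run before the next reload.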