https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114499#M395723 <HTML><HEAD></HEAD><BODY><P>So. Keep the external IP I used on the laptop. Connect it to the inside interface. Flush the DNS.</P><P></P><P>Would the one to one translation be:</P><P></P><P>static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255</P><P></P><P>If I were using 1.1.1.1 on that laptop</P><P></P><P>I will also try the backup T1 by routing my traffic to that interface.</P><P></P><P>Message was edited by: Jay Wright</P></BODY></HTML> Tue, 13 Nov 2012 04:39:24 GMT Cybervex3 2012-11-13T04:39:24Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114488#M395705 <P>Running into a bit of a problem.&nbsp; Anytime I try to download a large file through our 5510 the download fails at different points.&nbsp; Cannot download via a download manger at all.&nbsp; I see nothing in the logs which are set to infomational.</P><P></P><P>I can connect my laptop to our internet connection outside the firewall and HTTP and download manager downloads connect and finish just fine.</P><P></P><P>Can someone point me in the right direction before I go through and scrub my config for posting?</P> Tue, 12 Mar 2019 00:22:17 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114488#M395705 Cybervex3 2019-03-12T00:22:17Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114489#M395706 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Do you see any logs when the connection fails? </P><P>Does the large downloads only affect HTTP traffic?</P><P>Can you try FTP traffic? </P><P>Do you have any logs on the Service policy? </P><P>Do you have HTTP inspection turned on? </P><P></P><P></P><P>Mike Rojas </P></BODY></HTML> Tue, 13 Nov 2012 03:11:40 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114489#M395706 Maykol Rojas 2012-11-13T03:11:40Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114490#M395708 <HTML><HEAD></HEAD><BODY><P>I see no logs other than the normal build and teardowns.</P><P></P><P>Seems to affect http and https. I have another user that complains of disconnects while connected to a client using an open source SSL VPN. </P><P></P><P>I will try a large FTP shortly.&nbsp; I have had no complaints of FTP disconnects.</P><P></P><P>I have not added any logs since I inherited this device.</P><P></P><P>I do not have inspection turned on for http or https.</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect pptp </P><P>&nbsp; inspect icmp </P></BODY></HTML> Tue, 13 Nov 2012 03:32:47 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114490#M395708 Cybervex3 2012-11-13T03:32:47Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114491#M395711 <HTML><HEAD></HEAD><BODY><P>Hello, </P><P></P><P>Well this is going to take a bit of deep troubleshooting then. We may need to check captures, MSS settings, MTU settings, try to bypassing TCP inspection and last but not least set the MSS allow just in case. </P><P></P><P>Do they all stop at the same percentage? Are there any filtering services? WCCP, URL filter, Proxy and so on? </P><P></P><P></P><P>Mike</P></BODY></HTML> Tue, 13 Nov 2012 03:41:32 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114491#M395711 Maykol Rojas 2012-11-13T03:41:32Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114492#M395713 <HTML><HEAD></HEAD><BODY><P>The disconnects are very random.&nbsp; Happens mostly during the day.&nbsp; I was trying to download from Symantec today and it stopped at 220mb, 146mb, 25mb, 300mb.&nbsp; I just VPN'd in to work and RDP'd to my laptop and was able to download the same file.&nbsp; It is not just Symantec. I have noticed with MS and external users sending large files to our HTTPS file transfer service.</P><P></P><P>We have no URL filters or proxies.</P><P></P><P>Which are the least disruptive things I can try first?&nbsp; I will start cleaning up my config for posting.</P></BODY></HTML> Tue, 13 Nov 2012 03:54:16 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114492#M395713 Cybervex3 2012-11-13T03:54:16Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114493#M395714 <HTML><HEAD></HEAD><BODY><P>Nothing really, but we have issues with Microsoft downloads, can you try something like downloading an OS image (Ubuntu or something). </P><P></P><P>Also, do you have any servers on another interface that can host files on HTTP so you can upload them there and try to access is right from the next interface instead of going to the cloud (just to rule out ISP issues).</P><P></P><P>Mike</P></BODY></HTML> Tue, 13 Nov 2012 04:07:44 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114493#M395714 Maykol Rojas 2012-11-13T04:07:44Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114494#M395715 <HTML><HEAD></HEAD><BODY><P>Here is my current config.&nbsp; If you notice anything else while looking it over feel free to tell me we're doing it wrong.</P><P></P><P>Result of the command: "sh run"</P><P></P><P></P><P>: Saved</P><P>:</P><P>ASA Version 8.2(1)11 </P><P>!</P><P>hostname ciscoasa</P><P>domain-name company.local</P><P>enable password ***** encrypted</P><P>passwd **** encrypted</P><P>names</P><P>name 1.1.1.107 Sonoma description OLD MAIL SERVER</P><P>name 2.2.2.19 SonomaBullsEye description OLD MAIL SERVER</P><P>name 10.10.2.6 DAYTONA-INT</P><P>name 10.10.2.62 SEBRING-INT</P><P>name 10.10.2.4 AUTHENTICA-INT</P><P>name 10.10.2.11 MIDOHIO-INT</P><P>name 10.10.2.15 PMEUPDATE-INT</P><P>name 10.10.2.25 FILETRANSFER-INT</P><P>name 10.10.2.22 FTP-INT</P><P>name 10.10.2.1 HOMESTEAD-INT</P><P>name 1.1.1.102 DAYTONA-EXT-OUT description CAS Server</P><P>name 1.1.1.109 FILETRANSFER-EXT-OUT description Secure File Transfer</P><P>name 1.1.1.105 FTP-EXT-OUT description FTPS</P><P>name 1.1.1.103 AUTHENTICA-EXT-OUT description Secure PDF</P><P>name 1.1.1.106 OSCODA-EXT-OUT description SQL Testing</P><P>name 1.1.1.104 ALEXSYS123-EXT-OUT description MidOhio</P><P>name 1.1.1.108 PMEUPDATE-EXT-OUT description NC Update server</P><P>name 2.2.2.21 FILETRANSFER-EXT-BAK</P><P>name 2.2.2.133 DAYTONA-EXT-BAK</P><P>name 2.2.2.134 AUTHENTICA-EXT-BAK</P><P>name 2.2.2.18 ALEXSYS-EXT-BAK description MIS</P><P>name 1.1.1.110 CRASHPLAN-EXT-OUT description CrashPlan backup server</P><P>name 68.68.68.17 CORVID-WC</P><P>name 12.12.12.2 KINCEY-NC</P><P>name 10.10.2.34 CRASHPLAN-INT</P><P>!</P><P>interface Ethernet0/0</P><P> nameif backup</P><P> security-level 1</P><P> ip address 2.2.2.131 255.255.255.248 </P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.10.1.1 255.255.0.0 </P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P> nameif outside2</P><P> security-level 0</P><P> no ip address</P><P>!</P><P>interface Ethernet0/3</P><P> nameif outside</P><P> security-level 0</P><P> ip address 1.1.1.98 255.255.255.224 </P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 172.17.0.199 255.255.255.0 </P><P> management-only</P><P>!</P><P>banner motd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; **************************** NOTICE ******************************</P><P>banner motd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *&nbsp;&nbsp;&nbsp; Unauthorized access to this network device is FORBIDDEN!&nbsp;&nbsp;&nbsp; *</P><P>banner motd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *&nbsp; All connection attempts and sessions are logged and AUDITED!&nbsp; *</P><P>banner motd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ******************************************************************</P><P>banner motd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; **************************** NOTICE ******************************</P><P>banner motd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *&nbsp;&nbsp;&nbsp; Unauthorized access to this network device is FORBIDDEN!&nbsp;&nbsp;&nbsp; *</P><P>banner motd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *&nbsp; All connection attempts and sessions are logged and AUDITED!&nbsp; *</P><P>banner motd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ******************************************************************</P><P>boot system disk0:/asa821-11-k8.bin</P><P>ftp mode passive</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>dns domain-lookup inside</P><P>dns domain-lookup outside2</P><P>dns domain-lookup outside</P><P>dns domain-lookup management</P><P>dns server-group DefaultDNS</P><P> name-server HOMESTEAD-INT</P><P> name-server SEBRING-INT</P><P> domain-name pme.local</P><P>same-security-traffic permit intra-interface</P><P>object-group service SQLTEST udp</P><P> description SQLTEST for VES</P><P> port-object eq 1434</P><P>object-group service SQLTEST_TCP tcp</P><P> description SQLTEST For VES</P><P> port-object eq 1433</P><P>object-group service DM_INLINE_TCP_1 tcp</P><P> port-object eq ftp</P><P> port-object eq ftp-data</P><P>object-group service crashplan-4282 tcp</P><P> port-object eq 4282</P><P>access-list nonat extended permit ip any 10.10.11.0 255.255.255.0 </P><P>access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0 </P><P>access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0 </P><P>access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0 </P><P>access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0 </P><P>access-list nonat extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0 </P><P>access-list nonat extended permit ip host 1.1.1.98 10.100.0.0 255.255.0.0 </P><P>access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 </P><P>access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 </P><P>access-list nonat extended permit ip any 10.20.11.0 255.255.255.0 </P><P>access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0 </P><P>access-list nonat extended permit ip 10.21.0.0 255.255.0.0 10.10.0.0 255.255.0.0 </P><P>access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp </P><P>access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https </P><P>access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www </P><P>access-list outside_access_in extended permit tcp any host SonomaBullsEye eq https inactive </P><P>access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq www </P><P>access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq https </P><P>access-list outside_access_in extended permit udp any host 2.2.2.20 eq 1434 </P><P>access-list outside_access_in extended permit tcp any host 2.2.2.20 eq 1433 inactive </P><P>access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq www </P><P>access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq https </P><P>access-list outside_access_in remark HTTP for TeamWeb</P><P>access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq www </P><P>access-list outside_access_in remark HTTPS for TeamWeb</P><P>access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq https </P><P>access-list outside_access_in extended permit icmp host 10.100.0.1 any </P><P>access-list outside_access_in extended deny icmp any any </P><P>access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0 </P><P>access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0 </P><P>access-list Split_Tunnel_List standard permit 10.20.0.0 255.255.0.0 </P><P>access-list Split_Tunnel_List standard permit 10.100.0.0 255.255.0.0 </P><P>access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp </P><P>access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https </P><P>access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www </P><P>access-list outside_access_in_1 extended permit tcp any host Sonoma eq https inactive </P><P>access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www </P><P>access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www </P><P>access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive </P><P>access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https </P><P>access-list outside_access_in_1 remark FTPS</P><P>access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1 </P><P>access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400 </P><P>access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www </P><P>access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https </P><P>access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive </P><P>access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive </P><P>access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www </P><P>access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https </P><P>access-list outside_access_in_1 extended permit tcp any host CRASHPLAN-EXT-OUT object-group crashplan-4282 </P><P>access-list outside_access_in_1 extended deny icmp any any </P><P>access-list inside_access_out extended permit ip any any log </P><P>access-list CORVID-WC_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0 </P><P>access-list CORVID-WC_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0 </P><P>access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 </P><P>access-list KINCEY_CRYPTO extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 </P><P>access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0 </P><P>access-list KINCEY_CRYPTO extended permit ip 10.21.0.0 255.255.0.0 10.10.0.0 255.255.0.0 </P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging asdm-buffer-size 512</P><P>logging trap informational</P><P>logging asdm informational</P><P>logging from-address asa@**COMPANY**.com</P><P>logging recipient-address jwright@**COMPANY**.com level errors</P><P>logging host inside 10.10.2.12</P><P>logging permit-hostdown</P><P>no logging message 302015</P><P>no logging message 302014</P><P>no logging message 302013</P><P>no logging message 302012</P><P>no logging message 302017</P><P>no logging message 302016</P><P>mtu backup 1500</P><P>mtu inside 1500</P><P>mtu outside2 1500</P><P>mtu outside 1500</P><P>mtu management 1500</P><P>ip local pool IPSECVPN2 10.10.11.76-10.10.11.100</P><P>ip local pool SSLVPN 10.10.11.101-10.10.11.200 mask 255.255.0.0</P><P>ip local pool IPSECVPN 10.10.11.25-10.10.11.75</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-623.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (backup) 1 2.2.2.132</P><P>global (outside) 1 1.1.1.99 netmask 255.255.255.224</P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 1 10.10.0.0 255.255.0.0</P><P>static (inside,outside) DAYTONA-EXT-OUT DAYTONA-INT netmask 255.255.255.255 </P><P>static (inside,outside) AUTHENTICA-EXT-OUT AUTHENTICA-INT netmask 255.255.255.255 </P><P>static (inside,outside) ALEXSYS123-EXT-OUT MIDOHIO-INT netmask 255.255.255.255 </P><P>static (inside,outside) PMEUPDATE-EXT-OUT PMEUPDATE-INT netmask 255.255.255.255 </P><P>static (inside,outside) FILETRANSFER-EXT-OUT FILETRANSFER-INT netmask 255.255.255.255 </P><P>static (inside,outside) FTP-EXT-OUT FTP-INT netmask 255.255.255.255 </P><P>static (inside,backup) FILETRANSFER-EXT-BAK FILETRANSFER-INT netmask 255.255.255.255 </P><P>static (inside,backup) DAYTONA-EXT-BAK DAYTONA-INT netmask 255.255.255.255 </P><P>static (inside,backup) AUTHENTICA-EXT-BAK AUTHENTICA-INT netmask 255.255.255.255 </P><P>static (inside,backup) ALEXSYS-EXT-BAK MIDOHIO-INT netmask 255.255.255.255 </P><P>static (inside,outside) CRASHPLAN-EXT-OUT CRASHPLAN-INT netmask 255.255.255.255 </P><P>access-group outside_access_in in interface backup</P><P>access-group inside_access_out in interface inside</P><P>access-group outside_access_in_1 in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 1.1.1.97 1 track 1</P><P>route backup 0.0.0.0 0.0.0.0 2.2.2.129 254</P><P>route backup 62.109.192.0 255.255.240.0 2.2.2.129 1</P><P>route backup 64.68.96.0 255.255.224.0 2.2.2.129 1</P><P>route backup 66.114.160.0 255.255.240.0 2.2.2.129 1</P><P>route backup 66.163.32.0 255.255.240.0 2.2.2.129 1</P><P>route backup 209.197.192.0 255.255.224.0 2.2.2.129 1</P><P>route backup 210.4.192.0 255.255.240.0 2.2.2.129 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 24:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P> webvpn</P><P>&nbsp; http-proxy enable</P><P>aaa-server PMERADIUS protocol radius</P><P>aaa-server PMERADIUS (inside) host HOMESTEAD-INT</P><P> key ******</P><P> radius-common-pw ******</P><P>aaa authentication ssh console LOCAL </P><P>http server enable</P><P>http 10.10.0.0 255.255.0.0 inside</P><P>http 172.17.0.0 255.255.255.0 management</P><P>http redirect backup 80</P><P>http redirect outside 80</P><P>snmp-server location Server Room</P><P>snmp-server contact Jay Wright</P><P>snmp-server community *****</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sla monitor 100</P><P> type echo protocol ipIcmpEcho 216.216.216.216 interface outside</P><P> timeout 3000</P><P> frequency 10</P><P>sla monitor schedule 100 life forever start-time now</P><P>crypto ipsec transform-set PM1 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac </P><P>crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport</P><P>crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec transform-set 50 esp-aes-256 esp-sha-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto ipsec df-bit clear-df outside</P><P>crypto dynamic-map dyn1 1 set pfs group1</P><P>crypto dynamic-map dyn1 1 set transform-set PM1</P><P>crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800</P><P>crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map dyn1 1 set reverse-route</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map cryptomap1 1 ipsec-isakmp dynamic dyn1</P><P>crypto map cryptomap1 interface backup</P><P>crypto map outside_map 20 match address KINCEY_CRYPTO</P><P>crypto map outside_map 20 set peer KINCEY-NC </P><P>crypto map outside_map 20 set transform-set PM1</P><P>crypto map outside_map 30 match address CORVID-WC_CRYPTO</P><P>crypto map outside_map 30 set peer CORVID-WC </P><P>crypto map outside_map 30 set transform-set PM1</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map outside_map interface outside</P><P>crypto ca trustpoint vpn.**COMPANY**.com</P><P> enrollment terminal</P><P> fqdn vpn.**COMPANY**.com</P><P> subject-name CN=vpn.**COMPANY**.com, O=Pratt &amp; Miller Engineering, C=US, St=MI, L=New Hudson</P><P> keypair vpn.**COMPANY**.com</P><P> crl configure</P><P>crypto ca certificate chain vpn.**COMPANY**.com</P><P> certificate ca 0301</P><P>&nbsp;&nbsp;&nbsp; 308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500 </P><P>&nbsp;&nbsp;&nbsp; *********** </P><P>&nbsp;&nbsp;&nbsp; 776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee</P><P>&nbsp; quit</P><P> certificate 041200616c79f4</P><P>&nbsp;&nbsp;&nbsp; 30820577 3082045f a0030201 02020704 1200616c 79f4300d 06092a86 4886f70d </P><P>&nbsp;&nbsp; *********** </P><P>&nbsp;&nbsp;&nbsp; 5c940b2a 0083979e aad3794a 040d54bc ef874aa1 9a12944f b4aeef</P><P>&nbsp; quit</P><P>crypto isakmp identity address </P><P>crypto isakmp enable backup</P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 1</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp nat-traversal 33</P><P>!</P><P>track 1 rtr 100 reachability</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 60</P><P>ssh version 2</P><P>console timeout 0</P><P>management-access inside</P><P>threat-detection basic-threat</P><P>threat-detection statistics port</P><P>threat-detection statistics protocol</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ntp server 64.22.86.210 source backup prefer</P><P>ssl trust-point vpn.**COMPANY**.com outside2</P><P>ssl trust-point vpn.**COMPANY**.com backup</P><P>ssl trust-point vpn.**COMPANY**.com outside</P><P>webvpn</P><P> enable backup</P><P> enable outside2</P><P> enable outside</P><P> svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2</P><P> svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 3</P><P> svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 4</P><P> svc profiles AllowRemoteUsers disk0:/AnyConnectProfile20121003.xml</P><P> svc enable</P><P> internal-password enable</P><P>group-policy DefaultRAGroup internal</P><P>group-policy DefaultRAGroup attributes</P><P> dns-server value 10.10.2.1</P><P> vpn-tunnel-protocol IPSec l2tp-ipsec </P><P> default-domain none</P><P>group-policy DfltGrpPolicy attributes</P><P> dns-server value 10.10.2.1 10.10.2.62</P><P> vpn-idle-timeout 600</P><P> vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value Split_Tunnel_List</P><P> default-domain value pme.local</P><P> webvpn</P><P>&nbsp; url-list value Book1</P><P>&nbsp; svc profiles value AllowRemoteUsers</P><P>&nbsp; svc ask enable default webvpn timeout 10</P><P>group-policy AnyConnect internal</P><P>group-policy AnyConnect attributes</P><P> vpn-tunnel-protocol webvpn</P><P> webvpn</P><P>&nbsp; svc ask enable default webvpn timeout 15</P><P>username **** password **** encrypted privilege 15</P><P>username **** password **** encrypted privilege 15</P><P>username **** password **** encrypted privilege 15</P><P>tunnel-group DefaultL2LGroup ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group DefaultRAGroup general-attributes</P><P> default-group-policy DefaultRAGroup</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group DefaultRAGroup ppp-attributes</P><P> authentication ms-chap-v2</P><P>tunnel-group DefaultWEBVPNGroup general-attributes</P><P> address-pool (backup) IPSECVPN2</P><P> address-pool (outside2) IPSECVPN2</P><P> address-pool (outside) SSLVPN</P><P> address-pool SSLVPN</P><P> authentication-server-group PMERADIUS</P><P>tunnel-group pm_ipsec type remote-access</P><P>tunnel-group pm_ipsec general-attributes</P><P> address-pool IPSECVPN2</P><P>tunnel-group pm_ipsec ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group **COMPANY** type remote-access</P><P>tunnel-group **COMPANY** general-attributes</P><P> address-pool IPSECVPN</P><P>tunnel-group **COMPANY** ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group 2.2.2.20 type ipsec-l2l</P><P>tunnel-group 2.2.2.20 ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group 68.68.68.68 type ipsec-l2l</P><P>tunnel-group 68.68.68.68 ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group 12.12.12.12 type ipsec-l2l</P><P>tunnel-group 12.12.12.12 ipsec-attributes</P><P> pre-shared-key *</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum 1024</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect pptp </P><P>&nbsp; inspect icmp </P><P> class class-default</P><P>!</P><P>service-policy global_policy global</P><P>smtp-server 10.10.2.6</P><P>prompt hostname context </P><P>Cryptochecksum:07619858a9af4b27c5f4104bc3c95018</P><P>: end</P></BODY></HTML> Tue, 13 Nov 2012 04:08:04 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114494#M395715 Cybervex3 2012-11-13T04:08:04Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114495#M395717 <HTML><HEAD></HEAD><BODY><P>You have Backup ISP, have you tried to rollover to the Other one and see if the issue persist? </P><P></P><P>Mike Rojas </P></BODY></HTML> Tue, 13 Nov 2012 04:12:27 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114495#M395717 Maykol Rojas 2012-11-13T04:12:27Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114496#M395718 <HTML><HEAD></HEAD><BODY><P>I am able to give my laptop an external IP and connect between the ISP and the ASA and download without interuption.&nbsp; Our connection is WiMax so that was my first thought.</P></BODY></HTML> Tue, 13 Nov 2012 04:12:42 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114496#M395718 Cybervex3 2012-11-13T04:12:42Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114497#M395720 <HTML><HEAD></HEAD><BODY><P>I have not only because I can connect outside our firewall and download without issue.&nbsp; Also because it is only a T1 and most of our services do not fail over.&nbsp; It just allows for email/webmail and internet access.&nbsp; </P></BODY></HTML> Tue, 13 Nov 2012 04:18:10 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114497#M395720 Cybervex3 2012-11-13T04:18:10Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114498#M395722 <HTML><HEAD></HEAD><BODY><P>Ok, </P><P></P><P>To make that a valid test, grab that IP and the laptop, connect it on the inside, set a one to one translation and do the same download and see if it fails. (Make sure to clear the local host of the laptop)&nbsp; </P><P>Let me know. </P><P></P><P></P><P>Mike</P></BODY></HTML> Tue, 13 Nov 2012 04:19:04 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114498#M395722 Maykol Rojas 2012-11-13T04:19:04Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114499#M395723 <HTML><HEAD></HEAD><BODY><P>So. Keep the external IP I used on the laptop. Connect it to the inside interface. Flush the DNS.</P><P></P><P>Would the one to one translation be:</P><P></P><P>static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255</P><P></P><P>If I were using 1.1.1.1 on that laptop</P><P></P><P>I will also try the backup T1 by routing my traffic to that interface.</P><P></P><P>Message was edited by: Jay Wright</P></BODY></HTML> Tue, 13 Nov 2012 04:39:24 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114499#M395723 Cybervex3 2012-11-13T04:39:24Z https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114500#M395724 <HTML><HEAD></HEAD><BODY><P>Good, </P><P></P><P>Let me know.</P><P></P><P>Mike</P></BODY></HTML> Tue, 13 Nov 2012 13:50:03 GMT https://community.cisco.com/t5/network-security/disconnected-downloads-through-asa5510/m-p/2114500#M395724 Maykol Rojas 2012-11-13T13:50:03Z