topic Re: ASA DMZ no outside access basic config in Network Security

ASA DMZ no outside access basic config

Robert Rummel — Mon, 11 Mar 2019 23:57:37 GMT

Real basic config on a ASA 5505 with 8.4(4)1 code.

Ethernet 0/0 is the WAN outside Internet from a ISP with DHCP configured on the interface along with the default route from the ISP.

Ehternet 0/1 is the Inside LAN inside 192.168.1.2

Ethernet 0/2 is the DMZ ciscovpn which I want to be NATed to the outside 192.168.2.1

LAN works fine and I have full internet access

Ciscovpn interface I have no outside access. I could ping the ASA but I show no xlate for 192.168.2.0

What I'm a missing????

ASA Version 8.4(4)1

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 12

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 12

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan3

no nameif

no security-level

no ip address

interface Vlan12

nameif CISCOVPN

security-level 50

ip address 192.168.2.1 255.255.255.0

boot system disk0:/asa844-1-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name ROB.NET

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network CISCOVPN

subnet 192.168.2.0 255.255.255.0

description Cisco VPN Access

object network INSIDE

subnet 192.168.1.0 255.255.255.0

description INSIDE Network

access-list outside_access_in extended permit icmp any any echo-reply

pager lines 24

logging enable

logging timestamp

logging monitor debugging

logging asdm informational

logging queue 0

mtu inside 1500

mtu outside 1500

mtu CISCOVPN 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

nat (CISCOVPN,outside) source dynamic any interface

nat (inside,outside) after-auto source dynamic INSIDE interface

nat (CISCOVPN,outside) after-auto source dynamic CISCOVPN interface

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 CISCOVPN

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.1.100-192.168.1.150 inside

dhcpd auto_config outside interface inside

dhcpd update dns interface inside

dhcpd option 3 ip 192.168.1.1 interface inside

dhcpd enable inside

dhcpd address 192.168.2.10-192.168.2.13 CISCOVPN

dhcpd auto_config outside interface CISCOVPN

dhcpd update dns interface CISCOVPN

dhcpd enable CISCOVPN

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username robert password Ye1VVaIKAE72Mhl5 encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

Thanks in advance!!

ASA DMZ no outside access basic config

Jennifer Halim — Sat, 22 Sep 2012 08:26:23 GMT

Here is the configuration:

object network CISCOVPN

nat (CISCOVPN,outside) dynamic interface

no nat (CISCOVPN,outside) source dynamic any interface

no nat (CISCOVPN,outside) after-auto source dynamic CISCOVPN interface

Then "clear xlate" after the above changes.

Also assuming that you have dns configured on the host that is connected to the CISCOVPN subnet.

ASA DMZ no outside access basic config

Robert Rummel — Sat, 22 Sep 2012 14:50:02 GMT

Applied the config but still same thing.

on the CISCOVPN I get DHCP address but cant ping anyting from the outside such as 64.65.64.65

Inside lan works fine.

I included IP permit any any for the trace below just to aid in troubleshooting. Below is the trace with the modified configs.

notice the "Drop-reason: (acl-drop) Flow is denied by configured rule"

OB-ASA# packet-tracer input CISCOVPN icmp 192.168.2.13 1 1 1 64.65.64.65 deta$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CISCOVPN_access_in in interface CISCOVPN
access-list CISCOVPN_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacdb7590, priority=13, domain=permit, deny=false
        hits=0, user_data=0xa9a35e90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=CISCOVPN, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac5b96c0, priority=0, domain=inspect-ip-options, deny=true
        hits=479, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=CISCOVPN, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac5b9298, priority=66, domain=inspect-icmp-error, deny=false
        hits=18, user_data=0xac5b88b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
        input_ifc=CISCOVPN, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
object network CISCOVPN
nat (CISCOVPN,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacdb9920, priority=6, domain=nat, deny=false
        hits=4, user_data=0xa86c6688, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.2.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=CISCOVPN, output_ifc=outside

Result:
input-interface: CISCOVPN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ROB-ASA# wr t
: Saved
:
ASA Version 8.4(4)1
!
hostname ROB-ASA
domain-name ROB.NET
enable password 3scBzwPl3/UG7Td6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no nameif
no security-level
no ip address
!
interface Vlan12
nameif CISCOVPN
security-level 50
ip address 192.168.2.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ROB.NET
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CISCOVPN
subnet 192.168.2.0 255.255.255.0
description Cisco VPN Access
object network INSIDE
subnet 192.168.1.0 255.255.255.0
description INSIDE Network
object network CISCOCPN
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit ip any any
access-list CISCOVPN_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging asdm informational
logging queue 0
mtu inside 1500
mtu outside 1500
mtu CISCOVPN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
!
object network CISCOVPN
nat (CISCOVPN,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic INSIDE interface
access-group outside_access_in in interface outside
access-group CISCOVPN_access_in in interface CISCOVPN
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 CISCOVPN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd auto_config outside interface inside
dhcpd update dns interface inside
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.2.10-192.168.2.13 CISCOVPN
dhcpd auto_config outside interface CISCOVPN
dhcpd update dns interface CISCOVPN
dhcpd enable CISCOVPN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username robert password Ye1VVaIKAE72Mhl5 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Re: ASA DMZ no outside access basic config

Faisal Siddiqui — Sun, 23 Sep 2012 04:12:43 GMT

There is a mistake in your packet-tracer command. In packet-tracer for ICMP you enter ‘ ’. As per your packet-tracer command, the inputs are:

Type = 1

Code = 1

This is not equivalent to ICMP echo-request. Hence, will be dropped. You should be entering values such that:

Type = 8

Code = 0

This is equivalent to ICMP echo-request and should pass.

Could you please try to ping 64.65.64.65 from the firewall itself, Since you are doing a PAT with the Firewall outside interface address ?

Re: ASA DMZ no outside access basic config

Robert Rummel — Sun, 23 Sep 2012 06:19:49 GMT

Thanks used Type 8 and Code 0 and packet trace was a succes but still when I connect a client PC to the CISCOVPN port unable to reach outside.

I am able to ping 64.65.64.65 from the ASA and also from the same client when sitting on the inside interface.

Re: ASA DMZ no outside access basic config

Faisal Siddiqui — Sun, 23 Sep 2012 08:52:28 GMT

Please perform the below steps and get the following output in log file

1- Clear local-host 192.168.2.13

2- Clear interface e0/2

3- Clear asp drop

Apply Bidirectional captures on CISCOVPN and outside interface (both ingress and Egress interface)

Take ASP drop Captures, below is how you can get asp captures

capture asp type asp-drop all packet-length 1518 buffer 200000

logging buffered 7

Initiate the traffic and collect the below output

1- sh local-host 192.168.2.13

2- sh interface e0/2

3- sh asp drop

Capture output of both interfaces

sh capture asp | in icmp

sh logging

sh ver

Re: ASA DMZ no outside access basic config

Robert Rummel — Mon, 08 Oct 2012 21:07:55 GMT

Been traveling and finally got a chance to sit down and take a look. Here are the outputs requested.

ROB-ASA# sh local-host 192.168.2.13
Licensed host limit: Unlimited.

Interface CISCOVPN: 3 active, 4 maximum active, 0 denied
Interface outside: 56 active, 1649 maximum active, 0 denied
Interface inside: 7 active, 15 maximum active, 0 denied
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied
ROB-ASA# sh inter
ROB-ASA# sh interface e0/2
Interface Ethernet0/2 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address 0019.0724.b4f3, MTU not set
        IP address unassigned
        165 packets input, 26608 bytes, 0 no buffer
        Received 64 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        106 switch ingress policy drops
        7 packets output, 1288 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops
ROB-ASA# sh asp dro
ROB-ASA# sh asp drop

Frame drop:
Invalid encapsulation (invalid-encap)                                        2
Flow is denied by configured rule (acl-drop)                                19
TCP RST/FIN out of order (tcp-rstfin-ooo)                                    4
Slowpath security checks failed (sp-security-failed)                        50

Last clearing: 20:52:53 UTC Oct 8 2012 by enable_15

Flow drop:

Last clearing: 20:52:53 UTC Oct 8 2012 by enable_15
ROB-ASA# sh cap
ROB-ASA# sh capture as
ROB-ASA# sh capture asp | in icmp
ROB-ASA# sh capture asp | in icmp
ROB-ASA# sh log
ROB-ASA# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: level debugging, 4413383 messages logged
    Buffer logging: level debugging, 4217511 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 3227433 messages logged
nside:192.168.1.165/64626 (70.181.146.81/64626)
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900289 for outside:68.105.29.12/53 to inside:192.168.1.165/51436 duration 0:00:00 bytes 191
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900290 for outside:68.105.29.12/53 to inside:192.168.1.165/53667 duration 0:00:00 bytes 193
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900294 for outside:68.105.29.12/53 to inside:192.168.1.165/55396 duration 0:00:00 bytes 132
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900292 for outside:68.105.29.12/53 to inside:192.168.1.165/64971 duration 0:00:00 bytes 193
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900291 for outside:68.105.29.12/53 to inside:192.168.1.165/65038 duration 0:00:00 bytes 191
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900293 for outside:68.105.29.12/53 to inside:192.168.1.165/59363 duration 0:00:00 bytes 193
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900298 for outside:68.105.29.12/53 to inside:192.168.1.165/64626 duration 0:00:00 bytes 134
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900297 for outside:68.105.29.12/53 to inside:192.168.1.165/49453 duration 0:00:00 bytes 134
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900296 for outside:68.105.29.12/53 to inside:192.168.1.165/59131 duration 0:00:00 bytes 132
Oct 08 2012 21:00:48: %ASA-6-302016: Teardown UDP connection 900295 for outside:68.105.29.12/53 to inside:192.168.1.165/51618 duration 0:00:00 bytes 134
Oct 08 2012 21:00:57: %ASA-7-111009: User 'enable_15' executed cmd: show local-host 192.168.2.13
Oct 08 2012 21:01:10: %ASA-7-111009: User 'enable_15' executed cmd: show interface Ethernet 0/2
Oct 08 2012 21:01:15: %ASA-7-111009: User 'enable_15' executed cmd: show asp drop
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/51436 to outside:70.181.146.81/51436 duration 0:00:30
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/53667 to outside:70.181.146.81/53667 duration 0:00:30
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/55396 to outside:70.181.146.81/55396 duration 0:00:30
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/65038 to outside:70.181.146.81/65038 duration 0:00:30
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/64971 to outside:70.181.146.81/64971 duration 0:00:30
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/59363 to outside:70.181.146.81/59363 duration 0:00:30
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/49453 to outside:70.181.146.81/49453 duration 0:00:30
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/64626 to outside:70.181.146.81/64626 duration 0:00:30
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/51618 to outside:70.181.146.81/51618 duration 0:00:30
Oct 08 2012 21:01:18: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.165/59131 to outside:70.181.146.81/59131 duration 0:00:30
Oct 08 2012 21:01:27: %ASA-6-302016: Teardown UDP connection 900271 for CISCOVPN:0.0.0.0/68 to identity:255.255.255.255/67 duration 0:02:01 bytes 910
Oct 08 2012 21:01:27: %ASA-6-302016: Teardown UDP connection 900272 for CISCOVPN:255.255.255.255/68 to identity:192.168.2.1/67 duration 0:02:01 bytes 866
Oct 08 2012 21:01:31: %ASA-7-609002: Teardown local-host outside:68.105.29.12 duration 0:10:26
Oct 08 2012 21:01:46: %ASA-7-609002: Teardown local-host outside:174.76.228.8 duration 0:10:26
Oct 08 2012 21:01:48: %ASA-7-609002: Teardown local-host outside:174.76.228.35 duration 0:10:26
Oct 08 2012 21:01:49: %ASA-6-302016: Teardown UDP connection 900288 for outside:216.218.192.202/123 to inside:192.168.1.77/123 duration 0:02:01 bytes 96
ROB-ASA# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(9)

Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"

ROB-ASA up 16 days 4 hours

Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 512MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is 0019.0724.b4f9, irq 11
1: Ext: Ethernet0/0         : address is 0019.0724.b4f1, irq 255
2: Ext: Ethernet0/1         : address is 0019.0724.b4f2, irq 255
3: Ext: Ethernet0/2         : address is 0019.0724.b4f3, irq 255
4: Ext: Ethernet0/3         : address is 0019.0724.b4f4, irq 255
5: Ext: Ethernet0/4         : address is 0019.0724.b4f5, irq 255
6: Ext: Ethernet0/5         : address is 0019.0724.b4f6, irq 255
7: Ext: Ethernet0/6         : address is 0019.0724.b4f7, irq 255
8: Ext: Ethernet0/7         : address is 0019.0724.b4f8, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 24             perpetual
Total UC Proxy Sessions           : 24             perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

Serial Number: JMX1047K3AN
Running Permanent Activation Key: 0x651eef6c 0x307def3d 0x2c33297c 0xa65060d0 0x813304a1
Configuration register is 0x1
Configuration last modified by enable_15 at 16:50:28.708 UTC Sun Sep 23 2012
ROB-ASA#