topic Problem with ASA 5505 in Network Security https://community.cisco.com/t5/network-security/problem-with-asa-5505/m-p/1768248#M532250 <HTML><HEAD></HEAD><BODY><P>ASA Version 7.2(4) </P><P>!</P><P>hostname ciscoasa</P><P>domain-name cvnatural.local</P><P>enable password 2KFQnbNIdI.2KYOU encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>name 189.11.**.*** oi234</P><P>name 172.16.0.140 local</P><P>name 189.11.**.*** oi235 description oi235</P><P>dns-guard</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 0</P><P> ip address local 255.255.252.0 </P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address oi234 255.255.255.248 </P><P>!</P><P>interface Vlan13</P><P> shutdown</P><P> nameif inativo</P><P> security-level 0</P><P> no ip address</P><P>!</P><P>interface Vlan23</P><P> shutdown</P><P> no nameif</P><P> security-level 0</P><P> no ip address</P><P>!</P><P>interface Vlan33</P><P> shutdown</P><P> no nameif</P><P> security-level 0</P><P> no ip address</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P> switchport access vlan 23</P><P>!</P><P>interface Ethernet0/2</P><P> switchport access vlan 33</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P> switchport access vlan 13</P><P>!</P><P>interface Ethernet0/5</P><P> switchport access vlan 13</P><P>!</P><P>interface Ethernet0/6</P><P> switchport access vlan 13</P><P>!</P><P>interface Ethernet0/7</P><P> switchport access vlan 13</P><P>!</P><P>banner exec&nbsp; CRV - ACESSO RESTRITO</P><P>banner login&nbsp; CRV - ACESSO RESTRITO</P><P>banner motd&nbsp; CRV - ACESSO RESTRITO</P><P>banner asdm&nbsp; CRV - ACESSO RESTRITO</P><P>ftp mode passive</P><P>clock timezone BRST -3</P><P>clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00</P><P>dns server-group DefaultDNS</P><P> domain-name cvnatural.local</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group protocol TCPUDP</P><P> protocol-object udp</P><P> protocol-object tcp</P><P>object-group service DM_INLINE_TCP_1 tcp</P><P> port-object eq ftp</P><P> port-object eq ftp-data</P><P>object-group service DM_INLINE_TCP_2 tcp</P><P> port-object eq www</P><P> port-object eq https</P><P>access-list CRV_splitTunnelAcl standard permit any </P><P>access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 any </P><P>access-list inside_access_in remark DNS</P><P>access-list inside_access_in remark SMTP</P><P>access-list inside_access_in extended permit udp 172.16.0.0 255.255.252.0 any </P><P>access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any </P><P>access-list inside_access_in extended permit ip 172.16.0.0 255.255.252.0 any </P><P>access-list inside_access_in extended permit ip interface outside 172.16.0.0 255.255.252.0 </P><P>access-list inside_access_in extended permit tcp interface outside 172.16.0.0 255.255.252.0 </P><P>access-list inside_access_in extended permit udp interface outside 172.16.0.0 255.255.252.0 </P><P>access-list outside_access_in extended permit object-group TCPUDP any any eq www </P><P>access-list outside_access_in extended permit tcp any any eq 81 </P><P>access-list outside_access_in extended permit icmp any any </P><P>access-list outside_access_in extended permit tcp any any eq https </P><P>access-list outside_access_in extended permit tcp any any eq domain </P><P>access-list outside_access_in extended permit ip 172.16.0.0 255.255.252.0 interface outside </P><P>access-list outside_access_in extended permit object-group TCPUDP 172.16.0.0 255.255.252.0 interface outside </P><P>access-list crv standard permit any </P><P>access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.252.0 any </P><P>pager lines 24</P><P>logging enable</P><P>logging buffered alerts</P><P>logging trap alerts</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>mtu inativo 1500</P><P>ip local pool CRV 172.16.3.150-172.16.3.160 mask 255.255.252.0</P><P>no failover</P><P>monitor-interface inside</P><P>monitor-interface outside</P><P>monitor-interface inativo</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-524.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 1 172.16.0.0 255.255.252.0</P><P>static (inside,outside) tcp interface www 172.16.0.22 www netmask 255.255.255.255 </P><P>static (inside,outside) tcp interface sip 172.16.0.102 sip netmask 255.255.255.255 </P><P>static (inside,outside) tcp oi235 www 172.16.0.4 www netmask 255.255.255.255 </P><P>access-group inside_access_in in interface inside</P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 189.11.**.*** 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>http server enable</P><P>http 172.16.0.0 255.255.252.0 inside</P><P>http 201.22.57.115 255.255.255.255 outside</P><P>http 200.146.84.147 255.255.255.255 outside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sysopt connection tcpmss 0</P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto dynamic-map outside_dyn_map 20 set pfs </P><P>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5</P><P>crypto map outside_map 1 match address outside_1_cryptomap</P><P>crypto map outside_map 1 set pfs group1</P><P>crypto map outside_map 1 set peer 187.16.33.130 </P><P>crypto map outside_map 1 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map outside_map interface outside</P><P>crypto isakmp enable inside</P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp nat-traversal&nbsp; 20</P><P>crypto isakmp ipsec-over-tcp port 10000 </P><P>vpn-sessiondb max-session-limit 25</P><P>telnet 172.16.0.0 255.255.252.0 inside</P><P>telnet timeout 5</P><P>ssh 172.16.0.0 255.255.252.0 inside</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcpd auto_config outside</P><P>!</P><P></P><P>webvpn</P><P> port 444</P><P> enable inside</P><P>group-policy CRV internal</P><P>group-policy CRV attributes</P><P> dns-server value 172.16.0.253 172.16.0.19</P><P> vpn-tunnel-protocol IPSec l2tp-ipsec webvpn</P><P> group-lock value CRV</P><P> ipsec-udp enable</P><P> ipsec-udp-port 10000</P><P> split-tunnel-policy excludespecified</P><P> split-tunnel-network-list none</P><P> nem enable</P><P>username luis password QYp.GVVJsgLuHoKE encrypted</P><P>username master password Z4lv47kJo.V6M7HB encrypted</P><P>tunnel-group DefaultL2LGroup ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group CRV type ipsec-ra</P><P>tunnel-group CRV general-attributes</P><P> dhcp-server 172.16.0.253</P><P>tunnel-group CRV ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group CRV ppp-attributes</P><P> authentication pap</P><P> authentication ms-chap-v2</P><P> authentication eap-proxy</P><P>tunnel-group 187.16.33.130 type ipsec-l2l</P><P>tunnel-group 187.16.33.130 ipsec-attributes</P><P> pre-shared-key *</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:14b4c4e2494f30db95c157d8727f8279</P><P>: end</P></BODY></HTML> Mon, 29 Aug 2011 13:37:47 GMT eduardodewes 2011-08-29T13:37:47Z Problem with ASA 5505 https://community.cisco.com/t5/network-security/problem-with-asa-5505/m-p/1768247#M532249 <P>Hello, I have an ASA 5505, firmware 7.2 (4). Configured ACLs, NAT, it's all working, but after a while it seems that running crashes, no longer makes the directions of NATs, the logs until they stop working. To resolve, I have to restart the ASA, and everything will work again. Could it be a firmware problem, someone has had a similar problem?</P> Mon, 11 Mar 2019 21:18:07 GMT https://community.cisco.com/t5/network-security/problem-with-asa-5505/m-p/1768247#M532249 eduardodewes 2019-03-11T21:18:07Z Problem with ASA 5505 https://community.cisco.com/t5/network-security/problem-with-asa-5505/m-p/1768248#M532250 <HTML><HEAD></HEAD><BODY><P>ASA Version 7.2(4) </P><P>!</P><P>hostname ciscoasa</P><P>domain-name cvnatural.local</P><P>enable password 2KFQnbNIdI.2KYOU encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>name 189.11.**.*** oi234</P><P>name 172.16.0.140 local</P><P>name 189.11.**.*** oi235 description oi235</P><P>dns-guard</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 0</P><P> ip address local 255.255.252.0 </P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address oi234 255.255.255.248 </P><P>!</P><P>interface Vlan13</P><P> shutdown</P><P> nameif inativo</P><P> security-level 0</P><P> no ip address</P><P>!</P><P>interface Vlan23</P><P> shutdown</P><P> no nameif</P><P> security-level 0</P><P> no ip address</P><P>!</P><P>interface Vlan33</P><P> shutdown</P><P> no nameif</P><P> security-level 0</P><P> no ip address</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P> switchport access vlan 23</P><P>!</P><P>interface Ethernet0/2</P><P> switchport access vlan 33</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P> switchport access vlan 13</P><P>!</P><P>interface Ethernet0/5</P><P> switchport access vlan 13</P><P>!</P><P>interface Ethernet0/6</P><P> switchport access vlan 13</P><P>!</P><P>interface Ethernet0/7</P><P> switchport access vlan 13</P><P>!</P><P>banner exec&nbsp; CRV - ACESSO RESTRITO</P><P>banner login&nbsp; CRV - ACESSO RESTRITO</P><P>banner motd&nbsp; CRV - ACESSO RESTRITO</P><P>banner asdm&nbsp; CRV - ACESSO RESTRITO</P><P>ftp mode passive</P><P>clock timezone BRST -3</P><P>clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00</P><P>dns server-group DefaultDNS</P><P> domain-name cvnatural.local</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group protocol TCPUDP</P><P> protocol-object udp</P><P> protocol-object tcp</P><P>object-group service DM_INLINE_TCP_1 tcp</P><P> port-object eq ftp</P><P> port-object eq ftp-data</P><P>object-group service DM_INLINE_TCP_2 tcp</P><P> port-object eq www</P><P> port-object eq https</P><P>access-list CRV_splitTunnelAcl standard permit any </P><P>access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 any </P><P>access-list inside_access_in remark DNS</P><P>access-list inside_access_in remark SMTP</P><P>access-list inside_access_in extended permit udp 172.16.0.0 255.255.252.0 any </P><P>access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any </P><P>access-list inside_access_in extended permit ip 172.16.0.0 255.255.252.0 any </P><P>access-list inside_access_in extended permit ip interface outside 172.16.0.0 255.255.252.0 </P><P>access-list inside_access_in extended permit tcp interface outside 172.16.0.0 255.255.252.0 </P><P>access-list inside_access_in extended permit udp interface outside 172.16.0.0 255.255.252.0 </P><P>access-list outside_access_in extended permit object-group TCPUDP any any eq www </P><P>access-list outside_access_in extended permit tcp any any eq 81 </P><P>access-list outside_access_in extended permit icmp any any </P><P>access-list outside_access_in extended permit tcp any any eq https </P><P>access-list outside_access_in extended permit tcp any any eq domain </P><P>access-list outside_access_in extended permit ip 172.16.0.0 255.255.252.0 interface outside </P><P>access-list outside_access_in extended permit object-group TCPUDP 172.16.0.0 255.255.252.0 interface outside </P><P>access-list crv standard permit any </P><P>access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.252.0 any </P><P>pager lines 24</P><P>logging enable</P><P>logging buffered alerts</P><P>logging trap alerts</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>mtu inativo 1500</P><P>ip local pool CRV 172.16.3.150-172.16.3.160 mask 255.255.252.0</P><P>no failover</P><P>monitor-interface inside</P><P>monitor-interface outside</P><P>monitor-interface inativo</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-524.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 1 172.16.0.0 255.255.252.0</P><P>static (inside,outside) tcp interface www 172.16.0.22 www netmask 255.255.255.255 </P><P>static (inside,outside) tcp interface sip 172.16.0.102 sip netmask 255.255.255.255 </P><P>static (inside,outside) tcp oi235 www 172.16.0.4 www netmask 255.255.255.255 </P><P>access-group inside_access_in in interface inside</P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 189.11.**.*** 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>http server enable</P><P>http 172.16.0.0 255.255.252.0 inside</P><P>http 201.22.57.115 255.255.255.255 outside</P><P>http 200.146.84.147 255.255.255.255 outside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sysopt connection tcpmss 0</P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto dynamic-map outside_dyn_map 20 set pfs </P><P>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5</P><P>crypto map outside_map 1 match address outside_1_cryptomap</P><P>crypto map outside_map 1 set pfs group1</P><P>crypto map outside_map 1 set peer 187.16.33.130 </P><P>crypto map outside_map 1 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map outside_map interface outside</P><P>crypto isakmp enable inside</P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp nat-traversal&nbsp; 20</P><P>crypto isakmp ipsec-over-tcp port 10000 </P><P>vpn-sessiondb max-session-limit 25</P><P>telnet 172.16.0.0 255.255.252.0 inside</P><P>telnet timeout 5</P><P>ssh 172.16.0.0 255.255.252.0 inside</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcpd auto_config outside</P><P>!</P><P></P><P>webvpn</P><P> port 444</P><P> enable inside</P><P>group-policy CRV internal</P><P>group-policy CRV attributes</P><P> dns-server value 172.16.0.253 172.16.0.19</P><P> vpn-tunnel-protocol IPSec l2tp-ipsec webvpn</P><P> group-lock value CRV</P><P> ipsec-udp enable</P><P> ipsec-udp-port 10000</P><P> split-tunnel-policy excludespecified</P><P> split-tunnel-network-list none</P><P> nem enable</P><P>username luis password QYp.GVVJsgLuHoKE encrypted</P><P>username master password Z4lv47kJo.V6M7HB encrypted</P><P>tunnel-group DefaultL2LGroup ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group CRV type ipsec-ra</P><P>tunnel-group CRV general-attributes</P><P> dhcp-server 172.16.0.253</P><P>tunnel-group CRV ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group CRV ppp-attributes</P><P> authentication pap</P><P> authentication ms-chap-v2</P><P> authentication eap-proxy</P><P>tunnel-group 187.16.33.130 type ipsec-l2l</P><P>tunnel-group 187.16.33.130 ipsec-attributes</P><P> pre-shared-key *</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:14b4c4e2494f30db95c157d8727f8279</P><P>: end</P></BODY></HTML> Mon, 29 Aug 2011 13:37:47 GMT https://community.cisco.com/t5/network-security/problem-with-asa-5505/m-p/1768248#M532250 eduardodewes 2011-08-29T13:37:47Z Problem with ASA 5505 https://community.cisco.com/t5/network-security/problem-with-asa-5505/m-p/1768249#M532251 <HTML><HEAD></HEAD><BODY><P>Hi Eduardo,</P><P></P><P>Whenever the device stops passing traffic, I would suggest you to kindly take captures on the firewall, to check if the request is going through the ASA and if you are able to get any reply back from the ISP device. Because I had a previous experience where in the ISP device was losing the arp entries aftemr every fixed time and the resolution was to create static arp for the ASA on the ISP device.</P><P></P><P>For taking captures:</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-1222">https://supportforums.cisco.com/docs/DOC-1222</A></P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Mon, 29 Aug 2011 18:02:05 GMT https://community.cisco.com/t5/network-security/problem-with-asa-5505/m-p/1768249#M532251 varrao 2011-08-29T18:02:05Z