
Moving from ASA 5505 to 5510 - VLAN Issue

jones-jeremy
Level 1

I am changing out a Cisco 5505 for a 5510; however, I am having issues with the VLANs.

With the 5505 in place everything was working well. Upgraded to a 5510.

The devices behind the FW on the 192.168.x.x network can no longer communicate.

The configs are basically identical up to the interfaces.

The issue is the VLANs; however, I am not sure how to get past it.

ASA 5505 Config

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.X.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.X 255.255.255.252

ASA 5510 Configuration

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address x.x.x.X 255.255.255.252

!

interface Ethernet0/1

no nameif

security-level 100

no ip address

!            

interface Ethernet0/2

no nameif

security-level 100

no ip address

!

interface Ethernet0/3

no nameif

security-level 100

no ip address

!

interface Management0/0

nameif Inside

security-level 100

ip address 192.168.X.1 255.255.255.0

19 Replies

Jouni Forss
VIP Alumni

Hi,

The ASA 5510 ports are basically routed/router ports.

The ASA 5505 behaves more like an L3 switch. You've got Vlan interfaces, and their Vlan IDs are attached to certain ports.

Seems you have no Trunks configured on the ASA5505, so the problem can't be that on the ASA5510 either. Basically you weren't (and aren't) doing any Trunking.

If you are just changing this device, have you made sure to CLEAR ARP on the connected devices? Notice that since you have changed to a completely different device with the same IP addresses but different MAC addresses, the traffic might not work until you have cleared ARP from the connected routers, which might still have ARP entries for the old ASA5505 Vlan interface IPs.

Of course the problem might be something else also.

If the above wasn't the cause of the connection problems, can you please share some more information on what kind of networking devices you have in addition to the firewall, and perhaps even some configurations if possible/needed.

- Jouni

The Firewall connects to Cisco switches (Small Business) and then to servers, no routers.

The servers can all browse the internet.

If ARP was the issue would the servers still be able to browse?

Hi,

Since you've got only switches, there should be no problem with ARP on any networking devices.

Do you have a single network for both servers and normal users? What specifically isn't working at the moment?

Can you perhaps share the 5505 and 5510 configurations (remove any sensitive information)?

- Jouni

Hi,

I'm surprised that these devices can communicate with the internet, as you did this:

interface Management0/0

nameif Inside

security-level 100

ip address 192.168.X.1 255.255.255.0

and the management interface cannot pass data traffic through unless you configure this:

interface Management0/0

no management-only

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

At least the configuration line "management-only" doesn't show in the copy/pasted configuration, unless it's missing from the copied output.

If it's disabled, it shouldn't show up in the configuration at all.

Still, a pretty strange choice for a LAN port even though all the rest of the ports are free for use.

- Jouni

I could change it, but it isn't a management port any more.

See configurations below

ASA 5510 Config

ASA Version 8.2(5)

!

hostname DataCenter

domain-name lexlocal

enable password XXXXX encrypted

passwd hhhhhh encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface Ethernet0/1

no nameif

security-level 100

no ip address

!

interface Ethernet0/2

no nameif

security-level 100

no ip address

!

interface Ethernet0/3

no nameif

security-level 100

no ip address

!

interface Management0/0

nameif Inside

security-level 100

ip address 192.168.x.x 255.255.255.0

!

ftp mode passive

clock timezone EST -5

dns domain-lookup Outside

dns domain-lookup Inside

dns server-group DefaultDNS

domain-name lexlocal

same-security-traffic permit inter-interface

object-group service DM_INLINE_SERVICE_3

service-object tcp eq https

service-object tcp eq telnet

service-object icmp

service-object tcp-udp eq www

service-object udp

service-object ip

object-group service DM_INLINE_SERVICE_5

service-object udp

service-object tcp

service-object tcp-udp eq www

service-object tcp eq www

service-object udp eq www

service-object icmp

object-group service DM_INLINE_SERVICE_8

service-object tcp eq https

service-object tcp-udp eq www

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_4

service-object tcp-udp eq www

service-object tcp eq https

service-object tcp eq smtp

service-object udp eq snmp

service-object ip

service-object icmp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object ip

protocol-object udp

protocol-object tcp

access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0

access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.192

access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0

access-list outside_authentication extended permit object-group DM_INLINE_PROTOCOL_3 any any inactive

access-list inside_access_in extended permit ip any any inactive

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host Jeremy any

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 192.168.x.0 255.255.255.0 any

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.x.0 255.255.255.0 192.168.x.0 255.255.255.0

access-list outside_access_in extended permit ip Barbado-Internal 255.255.255.0 192.168.x.0 255.255.255.0

access-list outside_access_in extended permit ip JA_Office_Internal 255.255.255.0 JA_Office_Internal 255.255.255.0

access-list outside_access_in extended permit ip P.O.S_Office_internal 255.255.255.0 P.O.S_Office_internal 255.255.255.0

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host Jeremy interface Outside inactive

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any interface Outside

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 any interface Outside inactive

access-list outside_1_cryptomap extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0

access-list Outside_3_cryptomap extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0

access-list Outside_cryptomap_1 extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0

access-list Outside_1_cryptomap extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Inside 1500

ip local pool Remote_Users 192.168.x.x-192.168.x.x mask 255.255.255.0

ip local pool VPN_IPs 192.168.x.x-192.168.x.x mask 255.255.255.248

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Inside

no asdm history enable

arp timeout 14400

global (Outside) 1 interface

nat (Inside) 0 access-list inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface Outside

access-group inside_access_in in interface Inside

route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication match outside_authentication Outside LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection timewait

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer b.b.b.b

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer c.c.c.c

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set peer f.f.f.f

crypto map outside_map 3 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set peer l.l.l.l

crypto map Outside_map 1 set transform-set ESP-3DES-SHA

crypto map Outside_map 2 match address Outside_cryptomap_1

crypto map Outside_map 2 set peer u.u.u.u

crypto map Outside_map 2 set transform-set ESP-3DES-SHA

crypto map Outside_map 3 match address Outside_3_cryptomap

crypto map Outside_map 3 set peer e.e.e.e

crypto map Outside_map 3 set transform-set ESP-DES-SHA

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp disconnect-notify

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Outside

ssh 0.0.0.0 0.0.0.0 Inside

ssh timeout 5

console timeout 0

dhcpd dns w.w.w.w w.w.w.w interface Outside

!

dhcpd address 192.168.x.30-192.168.x.50 Inside

dhcpd dns w.w.w.w w.w.w.w interface Inside

dhcpd enable Inside

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

enable Outside

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

vpn-tunnel-protocol svc

default-domain value lexlocal

webvpn

  svc keepalive none

group-policy DefaultRAGroup_1 internal

group-policy DefaultRAGroup_1 attributes

vpn-tunnel-protocol IPSec

default-domain value lexlocal

webvpn

  svc keepalive none

group-policy GroupPolicy2 internal

group-policy GroupPolicy2 attributes

vpn-tunnel-protocol IPSec

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol IPSec

group-policy VPN_Tunnel_Client internal

group-policy VPN_Tunnel_Client attributes

dns-server value 192.168.x.1

vpn-tunnel-protocol IPSec l2tp-ipsec svc

default-domain value lexlocal

username kjkhlj password uhoiujop encrypted

tunnel-group DefaultRAGroup general-attributes

address-pool Remote_Users

address-pool VPN_IPs

default-group-policy DefaultRAGroup_1

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group l.l.l.l type ipsec-l2l

tunnel-group l.l.l.l ipsec-attributes

pre-shared-key *****

tunnel-group VPN_Tunnel_Client type remote-access

tunnel-group VPN_Tunnel_Client general-attributes

address-pool Remote_Users

default-group-policy VPN_Tunnel_Client

tunnel-group VPN_Tunnel_Client ipsec-attributes

pre-shared-key *****

tunnel-group u.u.u.u type ipsec-l2l

tunnel-group u.u.u.u general-attributes

default-group-policy GroupPolicy1

tunnel-group u.u.u.u ipsec-attributes

pre-shared-key *****

tunnel-group e.e.e.e type ipsec-l2l

tunnel-group e.e.e.e ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:1af2ddebd3a11cfaf58509a0fff1e57f

: end

ASA 5505 Config

: Saved

:

ASA Version 8.2(5)

!

hostname Datacenter

domain-name lexlocal

enable password xxxx encrypted

passwd fgssgsd encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.x.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

ftp mode passive

clock timezone EST -5

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name lexlocal

object-group service DM_INLINE_SERVICE_3

service-object tcp eq https

service-object tcp eq telnet

service-object icmp

service-object tcp-udp eq www

service-object udp

object-group service DM_INLINE_SERVICE_5

service-object udp

service-object tcp

service-object tcp-udp eq www

service-object tcp eq www

service-object udp eq www

service-object icmp

object-group service DM_INLINE_SERVICE_8

service-object tcp eq https

service-object tcp-udp eq www

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_4

service-object tcp-udp eq www

service-object tcp eq https

service-object tcp eq smtp

service-object udp eq snmp

service-object ip

service-object icmp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object ip

protocol-object udp

protocol-object tcp

access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0

access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.192

access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0

access-list outside_authentication extended permit object-group DM_INLINE_PROTOCOL_3 any any inactive

access-list inside_access_in extended permit ip any any inactive

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host Jeremy any

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 192.168.x.0 255.255.255.0 any

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.x.0 255.255.255.0 192.168.x.0 255.255.255.0

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host Jeremy interface outside inactive

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any interface outside

access-list outside_access_in extended permit ip Barbado-Internal 255.255.255.0 192.168.x.0 255.255.255.0

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 any interface outside inactive

access-list outside_access_in extended permit ip JA_Office_Internal 255.255.255.0 JA_Office_Internal 255.255.255.0

access-list outside_access_in extended permit ip P.O.S_Office_internal 255.255.255.0 P.O.S_Office_internal 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool Remote_Users 192.168.Y.1-192.168.Y.10 mask 255.255.255.0

ip local pool VPN_IPs 192.168.Y.25-192.168.Y.50 mask 255.255.255.248

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 Y.Y.Y.Y 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication match outside_authentication outside LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection timewait

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer V.V.V.V

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer T.T.T.T

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set peer R.R.R.R

crypto map outside_map 3 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp disconnect-notify

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.x.30-192.168.x.50 inside

dhcpd dns 66.54.116.4 66.54.116.5 interface inside

dhcpd enable inside

!

dhcpd dns 66.54.116.4 66.54.116.5 interface outside

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

enable outside

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

vpn-tunnel-protocol svc

default-domain value lexlocal

webvpn

  svc keepalive none

group-policy DefaultRAGroup_1 internal

group-policy DefaultRAGroup_1 attributes

vpn-tunnel-protocol l2tp-ipsec

default-domain value lexlocal

webvpn

  svc keepalive none

group-policy VPN_Tunnel_Client internal

group-policy VPN_Tunnel_Client attributes

dns-server value 192.168.x.1

vpn-tunnel-protocol IPSec l2tp-ipsec svc

default-domain value lexlocal

username VPN_Connect password 6f7B+J8S2ADfQF4a/CJfvQ== nt-encrypted

username VPN_Connect attributes

service-type nas-prompt

username lexadmin password iFxSRrE9uIWAFjJE encrypted

tunnel-group DefaultRAGroup general-attributes

address-pool Remote_Users

address-pool VPN_IPs

default-group-policy DefaultRAGroup_1

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group V.V.V.V type ipsec-l2l

tunnel-group V.V.V.V ipsec-attributes

pre-shared-key *****

tunnel-group VPN_Tunnel_Client type remote-access

tunnel-group VPN_Tunnel_Client general-attributes

address-pool Remote_Users

default-group-policy VPN_Tunnel_Client

tunnel-group VPN_Tunnel_Client ipsec-attributes

pre-shared-key *****

tunnel-group T.T.T.T type ipsec-l2l

tunnel-group T.T.T.T ipsec-attributes

pre-shared-key *****

tunnel-group R.R.R.R type ipsec-l2l

tunnel-group R.R.R.R ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ff9eb3bcf46f4f6aa169c2d3bf3efeed

: end

Hi,

If my mind is not too rusty, the defaults don't appear in the show run, and the default for a management interface is management-only, so as it appears in your config you haven't got no management-only configured, so it can pass data traffic.

Regards.

Alain

Don't forget to rate helpful posts.

This is not configured as a management interface...

Hi,

I know I'm a stubborn guy. But then how come there is not the keyword "no management-only" under the management interface in the running config?

Regards.

Alain

Don't forget to rate helpful posts.

The "no management-only" command removes the "management-only" line completely.

Hi

The default setting for Management0/0 is that it's set only as a management interface, and that setting shows (which is kind of against the usual Cisco logic on the ASA that default configuration doesn't show).

Defaults: The Management n/n interface, if available for your model, is set to management-only mode by default.

One of our ASA 5585-X Management interface is the following

interface Management0/0

description x

nameif

security-level 100

ip address x.x.x.x 255.255.255.248

management-only

But to the actual problem: for some reason I can't really see any problems with the firewall. (Or I am totally missing something.)

  • ASA has a default route configured
  • ASA has NAT source (nat) and destination (global) configured for normal Internet-bound traffic
    • nat0/NAT exempt doesn't seem to interfere with normal NAT operation, as it hasn't got the destination networks set as "any"
  • The access-lists, even though they look a bit special, seem fine to me.
    • You have created groups for the services through ASDM, and you have also disabled the rule "permit ip any any"

Would really need some clarification on the problem at this point.

  • You said the server can browse the Internet? What isn't working at the moment?
  • Have you checked through real-time ASDM monitoring what happens to the connection attempts that are failing?
  • Since you don't have any LAN routers, you should be able to see every single computer behind the ASA with the "show arp" command. Do you see the IP/MAC of the computer that might not be working in the listing?
    • Also, in the previous configuration you didn't have any Trunks, so I guess you had the switches at pretty much default configuration where every port belongs to Vlan1 (or some other)

You could also try the "packet-tracer" command on the ASA, either through the ASDM GUI or the CLI, and test some connections/services with that and see what rules they are hitting when going through the ASA.

CLI format is

packet-tracer input <interface> <protocol> <source ip> <source port> <destination ip> <destination port>

- Jouni

You are correct about the switches, and I can see the devices with the sh arp command

sh arp

    Outside Y.Y.Y.Y 001a.1039.ed10 8587

    Inside 192.168.X.4 d077.e5gd.87e5 4

    Inside 192.168.X.7 d077.e5gd.8f0f 7

    Inside 192.168.X.16 0035.5d76.2203 345

    Inside 192.168.X.15 0035.5d76.2201 1408

    Inside 192.168.X.31 d087.e4fg.8b10 3088

From the trace the traffic is dropping at an implicit deny rule

3    Dec 13 2012    02:15:23    106014    192.168.x.4         192.168.x.7        Deny inbound icmp src Inside:192.168.x.4 dst  Inside:192.168.x.7 (type 0, code 1)

That seems odd because I have a rule permitting internal traffic

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.x.0 255.255.255.0 192.168.x.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object udp 
 service-object tcp 
 service-object icmp traceroute
 service-object tcp-udp eq echo 
 service-object tcp-udp eq www 
 service-object tcp eq echo 
 service-object tcp eq www 
 service-object tcp eq https 
 service-object udp eq www 
 service-object udp eq snmp

Hi,

The log message is strange in at least 2 ways

  • It doesn't define the blocking ACL name
  • The traffic source and destination are inside the same subnet

Wonder if this is a proxy ARP issue.

Try issuing the command "sysopt noproxyarp Inside"

Then "clear arp" (even though it doesn't really have anything to do with the above one, but still)

Then try the connections again

You could also try adding the command "same-security-traffic permit intra-interface" (you have the other one that looks similar but is "inter")

- Jouni
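As an added example (not from the thread, and not Cisco's code), the script below reads ASA interface blocks in both the 5505 Vlan style and the 5510 routed-port style, then classifies constructed deny lines in the 106014/106023 format quoted above: a deny whose source and destination share one interface and one subnet is the case Jouni describes, where two LAN peers are reaching each other through the firewall. The interface names, addresses and verdict labels are assumptions.

```python
"""Classify ASA deny logs by whether src and dst sit on the same interface.
Two hosts on one flat LAN should talk via the switch; if the ASA sees and
denies their traffic, they resolved each other's IP to the firewall's MAC
(proxy ARP / stale ARP), which is the situation discussed in the thread."""
import ipaddress
import re

# Constructed stand-in for the sanitized 5510 config: Management0/0 carries
# 'Inside' on a /24, Ethernet0/0 a /30 'Outside' (documentation IP ranges).
ASA5510_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Management0/0
 nameif Inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
"""

# Constructed 5505-style snippet: the routed 'inside' lives on a Vlan interface.
ASA5505_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
"""

# Constructed log lines in the 106014 / 106023 formats quoted in the thread.
SAMPLE_LOGS = [
    '%ASA-3-106014: Deny inbound icmp src Inside:192.168.10.4 dst Inside:192.168.10.7 (type 0, code 1)',
    '%ASA-4-106023: Deny tcp src Outside:198.51.100.9/4432 dst Inside:192.168.10.16/445 by access-group "outside_access_in"',
    '%ASA-4-106023: Deny tcp src Inside:192.168.10.4/51000 dst Inside:10.9.9.9/80 by access-group "inside_access_in"',
    '%ASA-3-106014: Deny inbound icmp src Outside:198.51.100.9 dst Outside:203.0.113.2 (type 8, code 0)',
]

DENY_RE = re.compile(
    r"Deny (?:inbound )?(?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)(?:/\d+)?"
    r"\s+dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)(?:/\d+)?"
)

def parse_interfaces(config):
    """Map nameif -> facts for each 'interface ... !' block; handles both the
    5505 (Vlan) and 5510 (routed port) styles since both use nameif/ip address."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"interface": line.split(None, 1)[1], "nameif": None,
                   "ip": None, "network": None, "management_only": False}
        elif cur is None:
            continue
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()[:4]          # ignore any 'standby' suffix
            ifc = ipaddress.ip_interface(f"{ip}/{mask}")
            cur["ip"], cur["network"] = ifc.ip, ifc.network
        elif line == "management-only":               # the explicit line Jouni's 5585-X shows
            cur["management_only"] = True
        elif line == "!":
            if cur["nameif"]:                          # skip blocks with no nameif (5505 switchports)
                ifaces[cur["nameif"]] = cur
            cur = None
    return ifaces

def classify(line, ifaces):
    """Return {proto, src, dst, verdict} for one deny log line, None if not a deny."""
    m = DENY_RE.search(line)
    if not m:
        return None
    sif, dif = m["sif"], m["dif"]
    sip, dip = ipaddress.ip_address(m["sip"]), ipaddress.ip_address(m["dip"])
    ifc = ifaces.get(sif)
    if sif != dif:
        verdict = "cross-interface"      # ordinary deny: look up the named ACL
    elif ifc and dip == ifc["ip"]:
        verdict = "to-firewall"          # aimed at the ASA itself: icmp/ssh/http permit rules, not the ACL
    elif ifc and sip in ifc["network"] and dip in ifc["network"]:
        verdict = "hairpin-same-subnet"  # LAN peers via the ASA: proxy ARP / stale host ARP caches
    else:
        verdict = "hairpin-routed"       # u-turn between subnets: needs intra-interface permit + NAT exemption
    return {"proto": m["proto"], "src": f"{sif}:{sip}", "dst": f"{dif}:{dip}", "verdict": verdict}

def analyze(logs, config=ASA5510_CONFIG):
    """Classify every deny line in `logs` against the interfaces in `config`."""
    ifaces = parse_interfaces(config)
    return [r for r in (classify(l, ifaces) for l in logs) if r]

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOGS):
        print(f"{r['verdict']:20} {r['proto']:5} {r['src']} -> {r['dst']}")
```

Feed it real `show logging` output and the device's own `show running-config interface` text to see which denies are genuine ACL blocks and which are hairpins that no ACL change will fix.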

After I add the "same-security-traffic permit intra-interface" command I get the following in the logs.

The traffic still doesn't pass; it gets dropped by a dynamic NAT rule

%ASA-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]

A protocol (UDP, TCP, or ICMP) failed to create a translation through the ASA. The ASA does not allow packets through that are destined for network or broadcast addresses. The ASA provides this checking for addresses that are explicitly identified with static commands. For inbound traffic, the ASA denies translations for an IP address identified as a network or broadcast address.

The ASA does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT translation. As a result, when the other ICMP message types are dropped, this message is generated.

The ASA uses the global IP address and mask from configured static commands to differentiate regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the ASA does not create a translation for network or broadcast IP addresses with inbound packets.

For example:

static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128

The ASA responds to global address 10.2.2.128 as a network address and to 10.2.2.255 as the broadcast address. Without an existing translation, the ASA denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this message.

When the suspected IP address is a host IP address, configure a separate static command with a host mask in front of the subnet static command (the first match rule for static commands). The following static commands cause the ASA to respond to 10.2.2.128 as a host address:

static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255

static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128

The translation may be created by traffic started from the inside host with the IP address in question. Because the ASA views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static commands must be the same.
