Unable to Access ASA5510

rgaasbeek
Level 1

Hi,

I have been working on figuring out a VPN problem on my company's ASA5510. I was accessing the device via ASDM, SSH using PuTTY, and even initially with a console cable (also using PuTTY) from a computer in the networking closet. All 3 of these access methods worked properly for me.

I believe I may have inadvertently changed something as of Friday using ASDM. I am mostly assuming this because, as of yesterday, I can no longer connect to the device. I actually cannot even communicate with it (ping the interface I normally use to manage it, which I could previously ping). No computer on the same subnet as me is able to ping the interface.

The device is still accepting VPN connections, dishing out DHCP addresses and everything else it normally does, but I really need to be able to gain access to it again. Any suggestions as to where to start? I am thinking to reboot the device when there is some downtime, in the hopes that ASDM doesn't save to startup-config and only to running-config.

Thanks for your time,

Ramai


5 Replies

Jennifer Halim
Cisco Employee

Please share your current running config so we can check if there are any missing lines.

Console should work, as there is no networking or configuration that can prevent the console connection.

I apologize for the very late reply.

Console did work; I must have missed something very obvious last time I tried it.

Here is the running-config:

ciscoasa# sh ru
: Saved
:
ASA Version 8.2(5)
!
hostname *********
enable password 8R*********24 encrypted
passwd c/*********Mi encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 98.***.***.57 255.255.255.192
!
interface Ethernet0/1
 nameif inside1
 security-level 100
 ip address 192.168.1.1 255.255.254.0
!
interface Ethernet0/2
 nameif inside2
 security-level 99
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 nameif inside3
 security-level 98
 ip address 192.168.3.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit tcp any host 98.***.***.57 eq ftp
access-list cap extended permit ip host 192.168.3.2 host 192.168.1.50
access-list cap extended permit ip host 192.168.3.2 host 192.168.1.75
access-list test extended permit ip host 192.168.2.27 host 192.168.1.20
access-list test extended permit ip host 192.168.1.20 host 192.168.2.27
access-list test extended permit ip any host 192.168.1.20
access-list test extended permit ip host 192.168.1.20 any
access-list split standard permit 192.168.0.0 255.255.254.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list split standard permit 192.168.3.0 255.255.255.0
access-list split standard permit 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.254.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip any 192.168.5.0 255.255.255.0
access-list nonat1 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat2 extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list new extended permit ip host 192.168.1.50 host 192.168.2.131
access-list new extended permit ip host 192.168.2.131 host 192.168.1.50
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any any eq ftp
access-list capin extended permit tcp host 192.168.2.131 host 192.168.2.1
access-list capin extended permit tcp host 192.168.2.1 host 192.168.2.131
access-list capin extended permit tcp host 192.168.1.1 host 192.168.1.50
access-list capin extended permit tcp host 192.168.1.50 host 192.168.1.1
access-list capin extended permit tcp any host 98.***.***.57
access-list capin extended permit tcp host 98.***.***.57 any
access-list capin extended permit tcp host 192.168.1.50 host 192.168.2.131
access-list capin extended permit tcp host 192.168.3.2 host 192.168.3.1
access-list capin extended permit tcp host 192.168.3.1 host 192.168.3.2
access-list tcpstatebypass extended permit tcp host 192.168.2.131 host 192.168.1.50
access-list inside1 extended permit ip any any
access-list inside2 extended permit ip any any
pager lines 15
logging enable
logging buffered debugging
logging asdm informational
logging from-address *********@*********.com
logging recipient-address *********@*********.com level critical
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu inside3 1500
mtu management 1500
ip local pool VPNPOOL 192.168.5.1-192.168.5.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside1) 1 interface
global (inside2) 1 interface
nat (inside1) 0 access-list nonat
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list nonat1
nat (inside2) 1 0.0.0.0 0.0.0.0
nat (inside3) 0 access-list nonat2
nat (inside3) 1 0.0.0.0 0.0.0.0
static (inside1,outside) tcp interface ftp 192.168.1.50 ftp netmask 255.255.255.255  dns
static (inside1,inside2) tcp 98.***.***.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside1,inside3) tcp 98.***.***.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside1,inside1) tcp 98.***.***.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside2,inside3) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside3,inside1) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside3,inside2) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside3,inside1) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside3,inside2) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside1,inside3) 192.168.0.0 192.168.0.0 netmask 255.255.254.0
static (inside1,inside2) 192.168.0.0 192.168.0.0 netmask 255.255.254.0
static (inside1,inside1) interface 192.168.5.35 netmask 255.255.255.255
access-group 101 in interface outside
access-group inside1 in interface inside2
access-group inside2 in interface inside3
route outside 0.0.0.0 0.0.0.0 98.***.***.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 0
sysopt noproxyarp inside1
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1 set pfs group1
crypto dynamic-map dynmap 1 set transform-set ESP-3DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-map 65535 ipsec-isakmp dynamic dynmap
crypto map outside-map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside1
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside1
ssh timeout 20
console timeout 0
management-access inside2
dhcpd dns 208.***.***.222 208.***.***.220
!
dhcpd address 192.168.0.1-192.168.0.254 inside1
dhcpd enable inside1
!
dhcpd address 192.168.2.11-192.168.2.254 inside2
dhcpd enable inside2
!
dhcpd address 192.168.3.2-192.168.3.254 inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside1
 enable inside2
 enable inside3
group-policy VPNPOOL internal
group-policy VPNPOOL attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
username R*********n password K2*********E0 encrypted
username c*********r password wZ*********an encrypted
username s*********w password 91*********/3 encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPOOL
 default-group-policy VPNPOOL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group VPNPOOL type remote-access
tunnel-group VPNPOOL general-attributes
 address-pool VPNPOOL
 default-group-policy VPNPOOL
tunnel-group VPNPOOL ipsec-attributes
 pre-shared-key *****
!
class-map tcpstatebypass
 match access-list tcpstatebypass
class-map inspection_default
 match default-inspection-traffic
class-map new
 match access-list new
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class new
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
policy-map tcpstatebypass
 class tcpstatebypass
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ac8cca6aeb421d84c69f7cb2a19758b3
: end

Thank you for your time Jennifer.

-Ramai

Looks like this particular static NAT statement caused the issue:

static (inside1,inside1) interface 192.168.5.35 netmask 255.255.255.255

You can't configure static NAT to the interface, because that will stop all access to the ASA, as you have experienced.

If you want to configure static NAT to the interface, you would need to configure static PAT instead, i.e. specifying the port.
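As an added example (not part of this thread and not Cisco's code), here is a small Python audit that scans a pre-8.3 ASA running-config for `static` statements that map the whole interface address without a port, the form identified above, and prints the static-PAT rewrite suggested above beside each one. The sample config lines are constructed and modelled on the syntax shown in the thread; the protocol and port used for the rewrite (`tcp`/`ftp`) are an assumption, since the right port depends on what the mapping was meant to publish.

```python
import re

# Constructed sample, modelled on the thread's ASA 8.2 "static" syntax.
# Addresses are documentation ranges; only the last line is the problematic form.
SAMPLE_CONFIG = """\
static (inside1,outside) tcp interface ftp 192.168.1.50 ftp netmask 255.255.255.255  dns
static (inside1,inside2) tcp 198.51.100.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside2,inside3) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside1,outside) udp interface 500 192.168.1.60 500 netmask 255.255.255.255
static (inside1,inside1) interface 192.168.5.35 netmask 255.255.255.255
"""

# Pre-8.3 "static" command shapes handled here:
#   static (real_ifc,mapped_ifc) {mapped_ip|interface} real_ip [netmask mask] [...]
#   static (real_ifc,mapped_ifc) {tcp|udp} {mapped_ip|interface} mapped_port real_ip real_port [netmask mask] [...]
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?(?P<mapped_addr>\S+)\s+(?P<rest>.*)$"
)


def parse_static(line):
    """Split one static line into its fields, or return None if it is not a static line."""
    m = STATIC_RE.match(line)
    if not m:
        return None
    return {
        "real": m.group("real").strip(),
        "mapped": m.group("mapped").strip(),
        "proto": m.group("proto"),          # None for the address-only (static NAT) form
        "mapped_addr": m.group("mapped_addr"),
        "rest": m.group("rest").strip(),    # real_ip + netmask/options, or port real_ip port ...
    }


def find_interface_static_nat(config_text):
    """Return the static lines that map the interface address with no protocol/port.

    A port-less static NAT to 'interface' claims the whole interface address for the
    inside host, which is what cut off management access in the thread.
    """
    findings = []
    for line in config_text.splitlines():
        s = parse_static(line)
        if s is None:
            continue
        if s["mapped_addr"] == "interface" and s["proto"] is None:
            findings.append(line.strip())
    return findings


def suggest_pat(line, proto, port):
    """Rewrite a port-less static NAT to 'interface' as static PAT on one port.

    proto/port are supplied by the caller (assumed here; pick what the host actually serves).
    """
    s = parse_static(line)
    if s is None or s["mapped_addr"] != "interface" or s["proto"] is not None:
        raise ValueError("not a port-less static NAT to the interface address")
    tokens = s["rest"].split()
    real_ip = tokens[0]
    tail = " ".join(tokens[1:])  # netmask and any trailing options, kept as written
    return f"static ({s['real']},{s['mapped']}) {proto} interface {port} {real_ip} {port} {tail}".rstrip()


def audit(config_text, proto="tcp", port="ftp"):
    """Pair each offending line with its suggested static-PAT replacement."""
    return [(line, suggest_pat(line, proto, port)) for line in find_interface_static_nat(config_text)]


if __name__ == "__main__":
    for bad, fixed in audit(SAMPLE_CONFIG):
        print("found :", bad)
        print("use   :", fixed)
```

Feed it the output of `show running-config` (saved to a file) in place of `SAMPLE_CONFIG`; lines that already specify `tcp`/`udp` and a port, like the existing FTP forwards in the thread, are left alone.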

I removed the static route and am able to access it again. Thank you once again Jennifer, I really appreciate it.

-Ramai

Excellent, thanks for your update and rating.
