ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX AND FWSM

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar.  Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 14, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

97 Replies

lukeksmith
Level 4

Hi Kureli,

We have a PIX515e running 6.3.5 code. Is there a way to create an IPsec remote access VPN tunnel on this device that will work with an Apple iPad? If so, could you offer a config please? Thanks in advance.

You can certainly configure remote access VPN on this PIX515e, but not with the code that you have running. You need to upgrade.

The PIX515e can run 8.0.4.x code. The last code that was published for the PIX platform is 8.0.4(28).

You can download it here:

http://www.cisco.com/cisco/software/release.html?mdfid=268439594&catid=268438162&softwareid=280786991

Guide to upgrade from 6.x to 8.x: http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1032446

Please make sure you meet the minimum memory requirement for the PIX515e, which is 128 MB.

If you don't have to save the config, you don't have to do the gradual upgrade and can go from 6.x to 8.x.

Here is the guide to configure remote access: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html#wp1042338

The iPad has a built-in IPsec VPN client for remote access.

Good Luck.

-KS

expernet
Level 1

Hi,

We have a 1941 router running IOS 15.

We are attempting to run an Exchange 2010 server behind the firewall. Three problems:

The HTTPS communication stops when the Outlook client is asked for a password; nothing typed will work.

Do I need to add MSRPC to the firewall rule and ACL? Is that all I need to pass certificates and passwords?

I cannot get port 3389 opened for the RDP client; it is not listed in the services and I cannot find a way to add it in the CCP program.

Finally, I am trying to get the SSL VPN to work as an alternative to HTTPS, but I cannot see the internal address of the Exchange server, 192.168.90.31?

Config:


Building configuration...

Current configuration : 31844 bytes
!
! Last configuration change at 13:49:03 PCTime Thu Jan 13 2011 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Pharma1941
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$MqHK$sHlOfLd5iqla9R.3q9P/u0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.90.1 192.168.90.49
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.90.0 255.255.255.0
   dns-server 68.87.75.194 68.87.64.146
   default-router 192.168.90.1
!
!
no ip bootp server
ip domain name pmi.local
ip name-server 68.87.75.194
ip name-server 68.87.64.146
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--1 port udp 3389
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

!
crypto pki trustpoint TP-self-signed-3991814225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3991814225
revocation-check none
rsakeypair TP-self-signed-3991814225
!
!
crypto pki certificate chain TP-self-signed-3991814225
certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33393931 38313432 3235301E 170D3130 30353037 31353438
  30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39393138
  31343232 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B7EB A831883F 4A171AD4 D0296B2F AC296399 5D7725BA 176C4598 A82CEE18
  E455BB76 B88670A2 756F64F2 C0560098 143F663E B77B47DA 35746CBD 562AE8B2
  0E1FCB38 2FAE9F8A 9453351B B0F1827A DA4EF9C9 05B86544 126E7945 72005345
  34529BA3 BF6A431F BD974065 19436FF7 E66C4A75 708FFD37 CF301FC1 06FDDD24
  6BC90203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 14506861 726D6131 3934312E 706D692E 6C6F6361 6C301F06
  03551D23 04183016 8014C79E 0C4E3811 6A4050F1 6F4F9ADD CFA15F0C 47BF301D
  0603551D 0E041604 14C79E0C 4E38116A 4050F16F 4F9ADDCF A15F0C47 BF300D06
  092A8648 86F70D01 01040500 03818100 3174E0D3 1FC3CFCF 339DAE1E 0579F419
  5C7D2457 BCAAEFCB 4019BB3F 0898A18B C843E7B5 89DD0BD9 1ED9B6FB D952866B
  C06E045D BABCB8DE 24CEC759 00EDCCEF C8684EB7 7B5C54BA 5B6B93AD 95E72E51
  61E1D4D7 60508306 ED8026AF 4CA4F4B4 2FBB6E42 1828F439 7EACB673 0BED0640
  094DD697 4E046BEE CE4A8D8F 778C7F62
   quit
license udi pid CISCO1941/K9 sn FTX141781EY
!
!
username admin privilege 15 secret 5 $1$GXaC$AM6xpzg4h/tqtXIp7isLo1
username mshirozian privilege 5 secret 5 $1$37ht$l7f9fcZhmT9j9ZKq9iWB0/
!
redundancy
crypto ctcp port 3390 3391 3392 3393
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 113
class-map type inspect imap match-any ccp-app-imap
match  invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 114
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-5
match access-group name pharma1inter
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-4
match access-group name Pharma2
class-map type inspect match-all CCP_SSLVPN
match access-group name SDM_IP
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1
match access-group name pharma1
class-map type inspect match-any exchange
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol smtp
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-2
match class-map exchange
match access-group name exchange
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 115
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 109
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
match protocol user-protocol--1
match class-map ccp-cls-icmp-access
match protocol microsoft-ds
match protocol ms-sql
match protocol ms-sql-m
match protocol user-protocol--2
match protocol http
match protocol https
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match  file-transfer
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_DMVPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_GRE
match class-map SDM_ESP
class-map type inspect match-all SDM_DMVPN_PT
match access-group 101
match class-map SDM_DMVPN_TRAFFIC
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match  service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match  service any
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match  service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect pop3 match-any ccp-app-pop3
match  invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match  file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any SSL_VPN
match protocol https
match protocol http
class-map type inspect msnmsgr match-any ccp-app-msn
match  service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match  service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect http match-any ccp-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  req-resp protocol-violation
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
match class-map sdm-mgmt-cls-0
match access-group 106
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match  file-transfer
class-map type inspect aol match-any ccp-app-aol
match  service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect http match-any ccp-http-allowparam
match  request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match  file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
  pass
class class-default
  drop
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
  log
  allow
class type inspect edonkey ccp-app-edonkeydownload
  log
  allow
class type inspect fasttrack ccp-app-fasttrack
  log
  allow
class type inspect gnutella ccp-app-gnutella
  log
  allow
class type inspect kazaa2 ccp-app-kazaa2
  log
  allow
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-2
  inspect
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
class type inspect sdm-nat-user-protocol--2-1
  inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-4
  inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-5
  inspect
class class-default
  drop
policy-map type inspect sdm-permit-gre
class type inspect SDM_GRE
  pass
class class-default
  drop log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
  log
  allow
class type inspect msnmsgr ccp-app-msn
  log
  allow
class type inspect ymsgr ccp-app-yahoo
  log
  allow
class type inspect aol ccp-app-aol-otherservices
  log
  reset
class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
  log
  reset
class type inspect http ccp-app-httpmethods
  log
  reset
class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
  inspect
  service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
  inspect
class type inspect CCP-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect ccp-permit
class type inspect SDM_WEBVPN_TRAFFIC
  inspect
class type inspect SSL_VPN
  pass
class type inspect SDM_VPN_PT
  pass
class type inspect SDM_DMVPN_PT
  pass
class type inspect sdm-mgmt-cls-ccp-permit-0
  pass
class class-default
  drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security dmvpn-zone
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-gre1 source in-zone destination dmvpn-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-gre source out-zone destination dmvpn-zone
service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-gre-in1 source dmvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-gre-out source dmvpn-zone destination out-zone
service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-ezvpn-zone-sslvpn-zone source ezvpn-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-dmvpn-zone source sslvpn-zone destination dmvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-ezvpn-zone source sslvpn-zone destination ezvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-dmvpn-zone-sslvpn-zone source dmvpn-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 2152741316 address 173.161.201.13
crypto isakmp key 2152741316 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group Pharmahomes
key 2152741316
dns 207.106.150.1 192.168.90.1
domain pharma.local
pool SDM_POOL_1
max-users 25
netmask 255.255.255.0
!
crypto isakmp client configuration group pharma1
key 2152741316
pool SDM_POOL_1
max-users 25
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group Pharmahomes
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
   match identity group pharma1
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set main esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
!
crypto ipsec profile CiscoCP_Profile2
set security-association idle-time 4200
set transform-set main ESP-3DES-SHA ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile3
set security-association idle-time 14400
set transform-set ESP-3DES-SHA2
set isakmp-profile ciscocp-ike-profile-2
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to173.161.201.13
set peer 173.161.201.13
set transform-set ESP-3DES-SHA1
match address 112
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.80.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
zone-member security dmvpn-zone
ip tcp adjust-mss 1360
no ip split-horizon eigrp 405
delay 1000
shutdown
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
ip address 192.168.90.1 255.255.255.0
ip access-group 107 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/1
description $FW_OUTSIDE$$ES_WAN$
ip address 209.2.0.81 255.255.255.0 secondary
ip address 209.2.0.82 255.255.255.0 secondary
ip address 207.8.129.2 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
!
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/1
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile3
!
!
interface Virtual-Template3
ip unnumbered GigabitEthernet0/0
zone-member security sslvpn-zone
!
!
!
router eigrp 405
network 192.168.80.0
!
ip local pool SDM_POOL_1 192.168.90.150 192.168.90.175
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.90.115 80 207.8.129.2 80 extendable
ip nat inside source static tcp 192.168.90.115 443 207.8.129.2 443 extendable
ip nat inside source static tcp 192.168.90.115 3389 207.8.129.2 3389 extendable
ip nat inside source static tcp 192.168.90.103 80 209.2.0.81 80 extendable
ip nat inside source static tcp 192.168.90.103 443 209.2.0.81 443 extendable
ip nat inside source static tcp 192.168.90.103 3389 209.2.0.81 3389 extendable
ip nat inside source static tcp 192.168.90.31 25 209.2.0.82 25 extendable
ip nat inside source static tcp 192.168.90.31 80 209.2.0.82 80 extendable
ip nat inside source static tcp 192.168.90.31 110 209.2.0.82 110 extendable
ip nat inside source static tcp 192.168.90.31 443 209.2.0.82 443 extendable
ip nat inside source static 192.168.90.31 209.2.0.82
ip route 0.0.0.0 0.0.0.0 207.8.129.1
!
ip access-list extended Pharma2
remark CCP_ACL Category=128
permit ip any host 192.168.90.115
permit ip host 192.168.90.111 any
permit ip any host 192.168.90.111
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended VPN
permit ip any any
permit ip any 192.168.90.0 0.0.0.255
ip access-list extended exchange
remark CCP_ACL Category=128
permit ip any host 192.168.90.31
ip access-list extended pharma1
remark CCP_ACL Category=128
permit ip any host 192.168.90.102
ip access-list extended pharma1inter
remark CCP_ACL Category=128
permit ip any host 192.168.90.103
ip access-list extended rdp
remark CCP_ACL Category=1
remark rdp
permit tcp any eq 3389 host 192.168.90.31 eq 3389
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.90.0 0.0.0.255
access-list 2 permit 173.161.201.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 173.161.201.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host 173.161.201.11
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip 192.168.80.0 0.0.0.255 host 192.168.90.0
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any host 209.2.0.83 eq 443
access-list 103 permit udp host 68.87.64.146 eq domain any
access-list 103 permit udp host 68.87.75.194 eq domain any
access-list 103 permit tcp any host 207.8.129.2 eq 3389
access-list 103 permit tcp any host 209.2.0.81 eq 3389
access-list 103 permit tcp any host 209.2.0.82 eq 3389
access-list 103 permit tcp any host 207.8.129.2 eq 443
access-list 103 permit tcp any host 209.2.0.81 eq 443
access-list 103 permit tcp any host 209.2.0.82 eq 443
access-list 103 permit tcp any host 207.8.129.2 eq www
access-list 103 permit tcp any host 209.2.0.81 eq www
access-list 103 permit tcp any host 209.2.0.82 eq www
access-list 103 permit tcp any host 209.2.0.82 eq smtp
access-list 103 permit tcp any host 209.2.0.82 eq pop3
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.80.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 103 permit udp host 173.161.201.13 host 207.8.129.2 eq non500-isakmp
access-list 103 permit udp host 173.161.201.13 host 207.8.129.2 eq isakmp
access-list 103 permit esp host 173.161.201.13 host 207.8.129.2
access-list 103 permit ahp host 173.161.201.13 host 207.8.129.2
access-list 103 permit tcp 173.161.201.0 0.0.0.255 host 207.8.129.2 eq telnet
access-list 103 permit tcp 173.161.201.0 0.0.0.255 host 207.8.129.2 eq 22
access-list 103 permit tcp 173.161.201.0 0.0.0.255 host 207.8.129.2 eq www
access-list 103 permit tcp 173.161.201.0 0.0.0.255 host 207.8.129.2 eq 443
access-list 103 permit tcp 173.161.201.0 0.0.0.255 host 207.8.129.2 eq cmd
access-list 103 deny   tcp any host 207.8.129.2 eq telnet
access-list 103 deny   tcp any host 207.8.129.2 eq 22
access-list 103 deny   tcp any host 207.8.129.2 eq www
access-list 103 deny   tcp any host 207.8.129.2 eq 443
access-list 103 deny   tcp any host 207.8.129.2 eq cmd
access-list 103 deny   udp any host 207.8.129.2 eq snmp
access-list 103 remark network
access-list 103 permit tcp host 173.161.201.13 any
access-list 103 permit udp host 173.161.201.13 any
access-list 103 permit icmp host 173.161.201.13 any
access-list 103 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip 192.168.90.0 0.0.0.255 any
access-list 104 permit ip 173.161.201.0 0.0.0.255 any
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 permit ip 192.168.90.0 0.0.0.255 any
access-list 105 permit ip 173.161.201.0 0.0.0.255 any
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark CCP_ACL Category=1
access-list 106 permit ip 173.161.201.0 0.0.0.255 host 207.8.129.2
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 remark CCP_ACL Category=1
access-list 107 permit ip any host 192.168.90.1
access-list 107 permit tcp 192.168.90.0 0.0.0.255 host 192.168.90.1 eq telnet
access-list 107 permit tcp 192.168.90.0 0.0.0.255 host 192.168.90.1 eq 22
access-list 107 permit tcp 192.168.90.0 0.0.0.255 host 192.168.90.1 eq www
access-list 107 permit tcp 192.168.90.0 0.0.0.255 host 192.168.90.1 eq 443
access-list 107 permit tcp 192.168.90.0 0.0.0.255 host 192.168.90.1 eq cmd
access-list 107 permit ip any any
access-list 108 remark CCP_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.90.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 109 remark CCP_ACL Category=128
access-list 109 permit ip host 173.161.201.11 any
access-list 109 permit ip host 173.161.201.13 any
access-list 109 permit ip host 173.161.201.12 any
access-list 110 remark CCP_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.80.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 111 remark CCP_ACL Category=2
access-list 111 remark IPSec Rule
access-list 111 deny   ip 192.168.90.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 111 permit ip 192.168.90.0 0.0.0.255 any
access-list 112 remark CCP_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.90.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 113 remark CCP_ACL Category=0
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.80.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 114 remark CCP_ACL Category=0
access-list 114 permit ip any host 192.168.90.111
access-list 115 remark CCP_ACL Category=128
access-list 115 permit ip any host 209.2.0.83
!
no cdp run

!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 111
!
!
!
control-plane
!
!
banner exec ^CCCCCCCC
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CCCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 104 in
logging synchronous
transport input telnet ssh
line vty 5 15
access-class 105 in
logging synchronous
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway VPN_GATEWAY
ip address 209.2.0.83 port 443 
http-redirect port 80
ssl trustpoint TP-self-signed-3991814225
inservice
!
webvpn install svc flash0:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
!
webvpn context VPN
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
!
url-list "OWA"
   heading "Outlook Web Access"
   url-text "OWA" url-value "https://pharmaexch/owa"
!
nbns-list "pharmaexch"
   nbns-server 192.168.90.30 master
!
policy group VPN_POLICY
   functions svc-enabled
   banner "Login Successful"
   hide-url-bar
   filter tunnel VPN
   svc address-pool "SDM_POOL_1"
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc split include 192.168.90.0 255.255.255.0
   svc split include 192.168.80.0 255.255.255.0
   svc dns-server primary 192.168.90.30
   svc dns-server secondary 192.168.80.20
virtual-template 3
default-group-policy VPN_POLICY
gateway VPN_GATEWAY
logging enable
inservice
!
end

Any help is appreciated

Jim Kovalcik

Jim,

You have this nat line for 3389 to go to 192.168.90.115.

ip nat inside source static tcp 192.168.90.115 3389 207.8.129.2 3389 extendable

So long as you have permission allowed for the out to in zone this should work fine. Regarding Exchange 2010 I am not sure what other ports need to be allowed besides 443 for this to work. Have you tried 1-1 NAT? As complex as this config looks, with multiple zone pairs, class-maps and nested class-maps, it is very hard to say just by looking at the config what could be wrong. Pls. open a TAC case so we can enable "ip inspect log drop" and also get the output of "sh policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1 session" to see why packets are dropped and offer a solution.

This ATE event closes today and will be locked, and I doubt we will be able to resolve the problems before EOB today; that is the main reason for suggesting that you open a TAC case.

-Kureli

HUWEIWEI74_2
Level 1

I have a remote access VPN enabled on the ASA outside interface. When I access the firewall's ASDM at the inside interface from a VPN client, I get alerts of "deny IP reverse-path from my inside interface IP to the VPN client IP".

I understand why I get all these alerts. My question is how I can suppress this specific log or check while keeping ip verify reverse-path enabled on the outside interface.

Thanks

I believe you need to add "management-access inside" command, if you need to access the asdm using the inside ip address from the vpn remote access client.

If you have the ip verify reverse-path command, you will see the syslogs. You can issue "no logging message " and not log these messages, but what is the point of that? You need to see these messages so you can tell whether packets are arriving on the wrong interface, right?

-KS

Yes, I already have the "management-access inside" command in place and I can successfully access ASDM using the VPN client. The thing is that every time I use ASDM it will trigger a log of "deny tcp reverse-path from x.x.x.x (inside interface IP) to x.x.x.x (VPN client IP) at outside interface". The log is then sent as a notification by email and fires an incident on MARS. The notification and incident are obviously a false positive, but I cannot just not log this message_no because I still need to be able to monitor IP spoofing on the outside interface.

Can I suppress this log based on specific source IP and destination IP? Or is it possible to make this ASDM traffic subject to the reverse-path check at the inside interface instead of the outside interface, so that the check will not fail in the first place?

Thanks.

There is no way to suppress this message based on your VPN client IP address. You can use the outside IP address to manage the unit. This will not trigger this syslog message, since your client is on the outside and you would access the unit using its outside address.

-KS
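Since the ASA itself cannot suppress this syslog per source/destination pair, the usual alternative is to drop only the known-benign case at the log collector, before it reaches the mail notification or the SIEM, while every other reverse-path failure still goes through. The following is an added example written for this thread, not code from Cisco or from any poster. It assumes the ASA emits the standard message ID 106021 ("Deny protocol reverse path check from source_address to dest_address on interface interface_name"); the inside interface address 192.168.1.1, the VPN pool 10.10.10.0/24 and the sample log lines are constructed placeholders to be replaced with your own values.

```python
import re
from ipaddress import ip_address, ip_network

# Pattern for the ASA reverse-path-check syslog (message ID 106021). Matching with
# search() tolerates a timestamp or hostname prefix added by the syslog relay.
RPF_RE = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check from "
    r"(?P<src>[0-9a-fA-F.:]+) to (?P<dst>[0-9a-fA-F.:]+) on interface (?P<ifc>\S+)"
)

# Constructed values for this example (assumptions, not from the thread):
# the ASA's own inside interface address, the remote-access VPN address pool,
# and the name of the interface where "ip verify reverse-path" is enabled.
INSIDE_IF_IP = ip_address("192.168.1.1")
VPN_POOL = ip_network("10.10.10.0/24")
OUTSIDE_IFC = "outside"

# Constructed sample lines: two benign ASDM-over-VPN replies, one from a host that is
# NOT the inside interface (possible spoofing), one to a destination outside the VPN
# pool, one on a different interface, and one unrelated connection message.
SAMPLE_LOG = [
    "%ASA-1-106021: Deny tcp reverse path check from 192.168.1.1 to 10.10.10.5 on interface outside",
    "%ASA-1-106021: Deny udp reverse path check from 192.168.1.1 to 10.10.10.7 on interface outside",
    "%ASA-1-106021: Deny tcp reverse path check from 192.168.1.50 to 10.10.10.5 on interface outside",
    "%ASA-1-106021: Deny ip reverse path check from 192.168.1.1 to 203.0.113.9 on interface outside",
    "%ASA-1-106021: Deny tcp reverse path check from 192.168.1.1 to 10.10.10.5 on interface inside",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51234 "
    "(203.0.113.9/51234) to inside:192.168.1.20/443 (192.168.1.20/443)",
]


def parse_rpf(line):
    """Return the fields of a 106021 message as a dict, or None if the line is not one."""
    m = RPF_RE.search(line)
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "src": ip_address(m.group("src")),
        "dst": ip_address(m.group("dst")),
        "ifc": m.group("ifc"),
    }


def is_expected_mgmt_rpf(event):
    """True only for the benign case from the thread: the ASA's inside address answering a
    VPN client, which trips the check on the outside interface. Any other source, any
    destination outside the pool, or any other interface is treated as a real alert."""
    return (
        event["ifc"] == OUTSIDE_IFC
        and event["src"] == INSIDE_IF_IP
        and event["dst"] in VPN_POOL
    )


def filter_rpf_events(lines):
    """Split log lines into (kept, suppressed). Only the exact management case is
    suppressed, so reverse-path alerts that may indicate spoofing still reach the SIEM."""
    kept, suppressed = [], []
    for line in lines:
        ev = parse_rpf(line)
        if ev is not None and is_expected_mgmt_rpf(ev):
            suppressed.append(line)
        else:
            kept.append(line)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_rpf_events(SAMPLE_LOG)
    print(f"forwarded {len(kept)} lines, suppressed {len(suppressed)} benign RPF events")
    for line in suppressed:
        print("  suppressed:", line)
```

Run against the constructed sample, the filter suppresses only the two lines whose source is the inside interface address and whose destination is in the VPN pool on the outside interface; the line sourced from 192.168.1.50, the one addressed outside the pool, the one on the inside interface and the unrelated 302013 message are all forwarded unchanged. Keeping the match this narrow is what preserves the spoofing visibility the second poster was worried about losing.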
