12-12-2012 01:56 PM - edited 03-11-2019 05:36 PM
I am changing out a Cisco 5505 for a 5510; however, I am having issues with the VLANs.
With the 5505 in place everything was working well. I upgraded to a 5510, and now
the devices behind the FW on the 192.168.x.x network can no longer communicate.
The configs are basically identical up to the interfaces.
The issue is the VLANs; however, I am not sure how to get past it.
ASA 5505 Config
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.252
ASA 5510 Configuration
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.X 255.255.255.252
!
interface Ethernet0/1
no nameif
security-level 100
no ip address
!
interface Ethernet0/2
no nameif
security-level 100
no ip address
!
interface Ethernet0/3
no nameif
security-level 100
no ip address
!
interface Management0/0
nameif Inside
security-level 100
ip address 192.168.X.1 255.255.255.0
12-12-2012 02:03 PM
Hi,
The ASA 5510 ports are basically routed/router ports.
The ASA 5505 behaves more like an L3 switch. You've got VLAN interfaces, and their VLAN IDs are attached to certain ports.
Seems you have no trunks configured on the ASA5505, so the problem can't be that on the ASA5510 either. Basically you weren't (and aren't) doing any trunking.
If you are just changing this device, have you made sure to CLEAR ARP on the connected devices? Notice that since you have changed to a completely different device with the same IP addresses but different MAC addresses, the traffic might not work until you have cleared ARP from the connected routers, which might still have ARP entries for the old ASA5505 VLAN interface IPs.
Of course the problem might be something else also.
If the above wasn't the cause of the connection problems, can you please share some more information on what kind of networking devices you have in addition to the firewall, and perhaps even some configurations if possible/needed.
- Jouni
12-13-2012 04:22 AM
The firewall connects to Cisco switches (Small Business) and then to servers, no routers.
The servers can all browse the internet.
If ARP was the issue, would the servers still be able to browse?
12-13-2012 04:29 AM
Hi,
Since you've got only switches, there should be no problem with ARP on any networking devices.
Do you have a single network for both servers and normal users? What specifically isn't working at the moment?
Can you perhaps share the 5505 and 5510 configurations (remove any sensitive information)?
- Jouni
12-13-2012 04:33 AM
Hi,
I'm surprised that these devices can communicate with the internet, as you did this:
interface Management0/0
nameif Inside
security-level 100
ip address 192.168.X.1 255.255.255.0
and the management interface cannot pass data traffic through unless you configure this:
interface Management0/0
no management-only
Regards.
Alain
Don't forget to rate helpful posts.
12-13-2012 04:42 AM
Hi,
At least the configuration line "management-only" doesn't show in the copy/pasted configuration, unless it's missing from the copied output.
If it's disabled it shouldn't show up in the configuration at all.
Still, a pretty strange choice for a LAN port even though all the rest of the ports are free for use.
- Jouni
12-13-2012 04:59 AM
I could change it, but it isn't a management port any more.
See configurations below.
ASA 5510 Config
ASA Version 8.2(5)
!
hostname DataCenter
domain-name lexlocal
enable password XXXXX encrypted
passwd hhhhhh encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/1
no nameif
security-level 100
no ip address
!
interface Ethernet0/2
no nameif
security-level 100
no ip address
!
interface Ethernet0/3
no nameif
security-level 100
no ip address
!
interface Management0/0
nameif Inside
security-level 100
ip address 192.168.x.x 255.255.255.0
!
ftp mode passive
clock timezone EST -5
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name lexlocal
same-security-traffic permit inter-interface
object-group service DM_INLINE_SERVICE_3
service-object tcp eq https
service-object tcp eq telnet
service-object icmp
service-object tcp-udp eq www
service-object udp
service-object ip
object-group service DM_INLINE_SERVICE_5
service-object udp
service-object tcp
service-object tcp-udp eq www
service-object tcp eq www
service-object udp eq www
service-object icmp
object-group service DM_INLINE_SERVICE_8
service-object tcp eq https
service-object tcp-udp eq www
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_4
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp eq smtp
service-object udp eq snmp
service-object ip
service-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
access-list outside_authentication extended permit object-group DM_INLINE_PROTOCOL_3 any any inactive
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host Jeremy any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 192.168.x.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.x.0 255.255.255.0 192.168.x.0 255.255.255.0
access-list outside_access_in extended permit ip Barbado-Internal 255.255.255.0 192.168.x.0 255.255.255.0
access-list outside_access_in extended permit ip JA_Office_Internal 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list outside_access_in extended permit ip P.O.S_Office_internal 255.255.255.0 P.O.S_Office_internal 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host Jeremy interface Outside inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any interface Outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 any interface Outside inactive
access-list outside_1_cryptomap extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
access-list Outside_3_cryptomap extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
ip local pool Remote_Users 192.168.x.x-192.168.x.x mask 255.255.255.0
ip local pool VPN_IPs 192.168.x.x-192.168.x.x mask 255.255.255.248
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface Outside
access-group inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication match outside_authentication Outside LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer b.b.b.b
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer c.c.c.c
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer f.f.f.f
crypto map outside_map 3 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer l.l.l.l
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 2 match address Outside_cryptomap_1
crypto map Outside_map 2 set peer u.u.u.u
crypto map Outside_map 2 set transform-set ESP-3DES-SHA
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set peer e.e.e.e
crypto map Outside_map 3 set transform-set ESP-DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcpd dns w.w.w.w w.w.w.w interface Outside
!
dhcpd address 192.168.x.30-192.168.x.50 Inside
dhcpd dns w.w.w.w w.w.w.w interface Inside
dhcpd enable Inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable Outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol svc
default-domain value lexlocal
webvpn
svc keepalive none
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-tunnel-protocol IPSec
default-domain value lexlocal
webvpn
svc keepalive none
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy VPN_Tunnel_Client internal
group-policy VPN_Tunnel_Client attributes
dns-server value 192.168.x.1
vpn-tunnel-protocol IPSec l2tp-ipsec svc
default-domain value lexlocal
username kjkhlj password uhoiujop encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool Remote_Users
address-pool VPN_IPs
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group l.l.l.l type ipsec-l2l
tunnel-group l.l.l.l ipsec-attributes
pre-shared-key *****
tunnel-group VPN_Tunnel_Client type remote-access
tunnel-group VPN_Tunnel_Client general-attributes
address-pool Remote_Users
default-group-policy VPN_Tunnel_Client
tunnel-group VPN_Tunnel_Client ipsec-attributes
pre-shared-key *****
tunnel-group u.u.u.u type ipsec-l2l
tunnel-group u.u.u.u general-attributes
default-group-policy GroupPolicy1
tunnel-group u.u.u.u ipsec-attributes
pre-shared-key *****
tunnel-group e.e.e.e type ipsec-l2l
tunnel-group e.e.e.e ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1af2ddebd3a11cfaf58509a0fff1e57f
: end
ASA 5505 Config
: Saved
:
ASA Version 8.2(5)
!
hostname Datacenter
domain-name lexlocal
enable password xxxx encrypted
passwd fgssgsd encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.x.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
ftp mode passive
clock timezone EST -5
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name lexlocal
object-group service DM_INLINE_SERVICE_3
service-object tcp eq https
service-object tcp eq telnet
service-object icmp
service-object tcp-udp eq www
service-object udp
object-group service DM_INLINE_SERVICE_5
service-object udp
service-object tcp
service-object tcp-udp eq www
service-object tcp eq www
service-object udp eq www
service-object icmp
object-group service DM_INLINE_SERVICE_8
service-object tcp eq https
service-object tcp-udp eq www
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_4
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp eq smtp
service-object udp eq snmp
service-object ip
service-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
access-list outside_authentication extended permit object-group DM_INLINE_PROTOCOL_3 any any inactive
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host Jeremy any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 192.168.x.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.x.0 255.255.255.0 192.168.x.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host Jeremy interface outside inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any interface outside
access-list outside_access_in extended permit ip Barbado-Internal 255.255.255.0 192.168.x.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 any interface outside inactive
access-list outside_access_in extended permit ip JA_Office_Internal 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list outside_access_in extended permit ip P.O.S_Office_internal 255.255.255.0 P.O.S_Office_internal 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.x.0 255.255.255.0 Barbado-Internal 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.x.0 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.x.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Remote_Users 192.168.Y.1-192.168.Y.10 mask 255.255.255.0
ip local pool VPN_IPs 192.168.Y.25-192.168.Y.50 mask 255.255.255.248
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Y.Y.Y.Y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication match outside_authentication outside LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer V.V.V.V
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer T.T.T.T
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer R.R.R.R
crypto map outside_map 3 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.x.30-192.168.x.50 inside
dhcpd dns 66.54.116.4 66.54.116.5 interface inside
dhcpd enable inside
!
dhcpd dns 66.54.116.4 66.54.116.5 interface outside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol svc
default-domain value lexlocal
webvpn
svc keepalive none
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value lexlocal
webvpn
svc keepalive none
group-policy VPN_Tunnel_Client internal
group-policy VPN_Tunnel_Client attributes
dns-server value 192.168.x.1
vpn-tunnel-protocol IPSec l2tp-ipsec svc
default-domain value lexlocal
username VPN_Connect password 6f7B+J8S2ADfQF4a/CJfvQ== nt-encrypted
username VPN_Connect attributes
service-type nas-prompt
username lexadmin password iFxSRrE9uIWAFjJE encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool Remote_Users
address-pool VPN_IPs
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group V.V.V.V type ipsec-l2l
tunnel-group V.V.V.V ipsec-attributes
pre-shared-key *****
tunnel-group VPN_Tunnel_Client type remote-access
tunnel-group VPN_Tunnel_Client general-attributes
address-pool Remote_Users
default-group-policy VPN_Tunnel_Client
tunnel-group VPN_Tunnel_Client ipsec-attributes
pre-shared-key *****
tunnel-group T.T.T.T type ipsec-l2l
tunnel-group T.T.T.T ipsec-attributes
pre-shared-key *****
tunnel-group R.R.R.R type ipsec-l2l
tunnel-group R.R.R.R ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ff9eb3bcf46f4f6aa169c2d3bf3efeed
: end
12-13-2012 05:43 AM
Hi,
If my mind is not too rusty, the defaults don't appear in the show run, and the default for a management interface is management-only, so as it appears in your config you haven't got management-only configured, so it can pass data traffic.
Regards.
Alain
Don't forget to rate helpful posts.
12-13-2012 05:49 AM
This is not configured as a management interface...
12-13-2012 05:53 AM
Hi,
I know I'm a stubborn guy, but then how come the keyword no management-only is not under the management interface in the running config?
Regards.
Alain
Don't forget to rate helpful posts.
12-13-2012 06:00 AM
The "no management-only" command removes the "management-only" line completely.
12-13-2012 06:19 AM
Hi,
The default setting for Management0/0 is that it's set only as a management interface, and that setting shows (which is kind of against the usual Cisco logic on the ASA that default configuration doesn't show).
Defaults: The Management n/n interface, if available for your model, is set to management-only mode by default.
The Management interface on one of our ASA 5585-Xs is the following:
interface Management0/0
description x
nameif
security-level 100
ip address x.x.x.x 255.255.255.248
management-only
But to the actual problem: for some reason I can't really see any problems with the firewall (or I am totally missing something).
Would really need some clarification on the problem at this point.
You could also try the "packet-tracer" command on the ASA, either through the ASDM GUI or the CLI, and test some connections/services with that and see what rules they are hitting when going through the ASA.
CLI format is
packet-tracer input
- Jouni
12-13-2012 07:04 AM
You are correct about the switches, and I can see the devices with the sh arp command
sh arp
Outside Y.Y.Y.Y 001a.1039.ed10 8587
Inside 192.168.X.4 d077.e5gd.87e5 4
Inside 192.168.X.7 d077.e5gd.8f0f 7
Inside 192.168.X.16 0035.5d76.2203 345
Inside 192.168.X.15 0035.5d76.2201 1408
Inside 192.168.X.31 d087.e4fg.8b10 3088
From the trace the traffic is dropping at an implicit deny rule
3 Dec 13 2012 02:15:23 106014 192.168.x.4 192.168.x.7 Deny inbound icmp src Inside:192.168.x.4 dst Inside:192.168.x.7 (type 0, code 1)
That seems odd because I have a rule permitting internal traffic
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.x.0 255.255.255.0 192.168.x.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object icmp traceroute
service-object tcp-udp eq echo
service-object tcp-udp eq www
service-object tcp eq echo
service-object tcp eq www
service-object tcp eq https
service-object udp eq www
service-object udp eq snmp
12-13-2012 07:25 AM
Hi,
The log message is strange in 2 ways at least.
Wonder if this is a proxy ARP issue.
Try issuing the command "sysopt noproxyarp Inside".
Then "clear arp" (even though it doesn't really have anything to do with the above one, but still).
Then try connections again.
You could also try adding the command "same-security-traffic permit intra-interface" (you have the other one that looks similar but is "inter").
- Jouni
12-13-2012 08:12 AM
After I add the "same-security-traffic permit intra-interface" command I get the following in the logs.
The traffic still doesn't pass; it gets dropped by a dynamic NAT rule.
ASA-3-305006: {outbound static|identity|portmap|regular} translation creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]
A protocol (UDP, TCP, or ICMP) failed to create a translation through the ASA. The ASA does not allow packets through that are destined for network or broadcast addresses. The ASA provides this checking for addresses that are explicitly identified with static commands. For inbound traffic, the ASA denies translations for an IP address identified as a network or broadcast address.
The ASA does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT translation. As a result, when the other ICMP message types are dropped, this message is generated.
The ASA uses the global IP address and mask from configured static commands to differentiate regular IP addresses from network or broadcast IP addresses. If the global IP address is a valid network address with a matching network mask, then the ASA does not create a translation for network or broadcast IP addresses with inbound packets.
For example:
static (inside,outside) 10.2.2.128 10.1.1.128 netmask 255.255.255.128
The ASA responds to global address 10.2.2.128 as a network address and to 10.2.2.255 as the broadcast address. Without an existing translation, the ASA denies inbound packets destined for 10.2.2.128 or 10.2.2.255, and logs this message.
When the suspected IP address is a host IP address, configure a separate static command with a host mask in front of the subnet static command (the first match rule for static commands). The following static commands cause the ASA to respond to 10.2.2.128 as a host address:
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.255
static (inside,outside) 10.2.2.128 10.2.2.128 netmask 255.255.255.128
The translation may be created by traffic started from the inside host with the IP address in question. Because the ASA views a network or broadcast IP address as a host IP address with an overlapped subnet static configuration, the network address translation for both static commands must be the same.
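As an added example (not code from the thread, from Cisco, or from the poster), a small Python triage script that parses the two ASA messages quoted above, 106014 and 305006, and flags drops where the source and destination interface are the same, the hairpin pattern that Jouni's proxy-ARP and intra-interface suggestions and the later dynamic-NAT failure are about. The sample log lines are constructed, with 192.168.10.0/24 standing in for the poster's redacted subnet.

```python
"""Triage Cisco ASA drop messages and flag same-interface (hairpin) traffic.
Added example for this thread, not Cisco's or the poster's code. It parses the
two messages quoted in the posts, 106014 (Deny inbound) and 305006 (translation
creation failed), and flags drops whose source and destination share one
interface, the symptom the thread chases. Sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Message ID is "%ASA-3-106014:" in syslog output, or a bare "106014" column
# in ASDM-style exports like the line quoted in the thread.
MSG_ID_RE = re.compile(r"(?:%ASA-\d-)?\b(\d{6})\b")

# 106014: Deny inbound <proto> src <if>:<ip> dst <if>:<ip> [(type N, code M)]
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
)
# 305006: ... translation creation failed for <proto> src <if>:<ip>[/port] dst <if>:<ip>[/port]
XLATE_RE = re.compile(
    r"translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
)

# What to look at per verdict; the thread hit HAIRPIN_DENY first, then HAIRPIN_NAT_FAIL.
VERDICTS = {
    "HAIRPIN_DENY": "same-interface traffic denied: check proxy ARP and intra-interface permit",
    "HAIRPIN_NAT_FAIL": "hairpinned flow matched dynamic NAT: review NAT exemption for inside-to-inside",
    "ACL_DENY": "inbound traffic denied by the interface ACL or the implicit deny",
    "NAT_FAIL": "translation failed: no matching global, or a network/broadcast address",
}

@dataclass
class AsaDrop:
    msg_id: str
    proto: str
    src_if: str
    src: str
    dst_if: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    @property
    def hairpin(self) -> bool:
        """Entered and would leave on the same nameif (names are case-insensitive)."""
        return self.src_if.lower() == self.dst_if.lower()

def parse_drop(line: str) -> Optional[AsaDrop]:
    """Return an AsaDrop for a 106014 or 305006 line, None for any other message."""
    mid = MSG_ID_RE.search(line)
    m = DENY_RE.search(line) or XLATE_RE.search(line)
    if not mid or not m:
        return None
    g = m.groupdict()
    return AsaDrop(mid.group(1), g["proto"].lower(), g["src_if"], g["src"],
                   g["dst_if"], g["dst"],
                   int(g["itype"]) if g["itype"] else None,
                   int(g["icode"]) if g["icode"] else None)

def diagnose(drop: AsaDrop) -> str:
    """Map a parsed drop to a VERDICTS key; same-interface drops get the hairpin verdicts."""
    if drop.msg_id == "106014":
        return "HAIRPIN_DENY" if drop.hairpin else "ACL_DENY"
    if drop.msg_id == "305006":
        return "HAIRPIN_NAT_FAIL" if drop.hairpin else "NAT_FAIL"
    return "OTHER"

def triage(lines):
    """(msg_id, src, dst, verdict) for every recognised drop, in log order."""
    drops = (parse_drop(line) for line in lines)
    return [(d.msg_id, d.src, d.dst, diagnose(d)) for d in drops if d is not None]

# Constructed samples: the first mimics the ASDM-style line in the thread, the rest are syslog format.
SAMPLE_LOGS = [
    "3 Dec 13 2012 02:15:23 106014 192.168.10.4 192.168.10.7 Deny inbound icmp "
    "src Inside:192.168.10.4 dst Inside:192.168.10.7 (type 0, code 1)",
    "%ASA-3-305006: regular translation creation failed for icmp "
    "src Inside:192.168.10.4 dst Inside:192.168.10.7 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src Outside:203.0.113.9 dst Inside:192.168.10.4 (type 8, code 0)",
    "%ASA-6-302013: Built outbound TCP connection 5 for Outside:198.51.100.1/443 (198.51.100.1/443) to Inside:192.168.10.4/51000 (203.0.113.2/51000)",
]
if __name__ == "__main__":
    for msg_id, src, dst, verdict in triage(SAMPLE_LOGS):
        print(f"{msg_id} {src} -> {dst}: {VERDICTS.get(verdict, verdict)}")
```

Feed it `show logging` output or an ASDM export; anything that is not a 106014 or 305006 message is ignored.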