06-27-2012 07:37 AM - edited 03-11-2019 04:23 PM
Hi Guys
I was trying to add an access rule and then a NAT rule. They applied OK, then I lost connection to my ASA 5510.
I can't ping the device IP and I can't connect via console; I can only access it via the management port. I have pasted the running config below and would be grateful for any suggestions.
Many thanks
Max
: Saved
:
ASA Version 8.0(3)
!
hostname TGHQASA1
domain-name technogym.co.uk
enable password 6oq4gHgZ.eEI.Gqo encrypted
names
name 10.104.0.0 insideTGDR description Technogym DR inside net
name 10.103.0.0 insideTGHQ description TG internal net HQ
name 192.168.2.0 VPNClient description VPN Client Network
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 82.244.233.116 255.255.255.240
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif insideTGHQ
security-level 100
ip address 10.103.30.254 255.255.0.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup insideTGHQ
dns server-group DefaultDNS
name-server 10.103.30.1
domain-name technogym.co.uk
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VMware tcp-udp
description VMware Client
port-object eq 443
port-object eq 58876
object-group network net-insidetghq
object-group network site-insidetghq
object-group network net-local
access-list Admin_splitTunnelAcl standard permit insideTGHQ 255.255.0.0
access-list Admin_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list insideTGHQ_nat0_outbound extended permit ip insideTGHQ 255.255.0.0 insideTGDR 255.255.0.0
access-list insideTGHQ_nat0_outbound extended permit ip any 192.168.2.96 255.255.255.240
access-list outside_1_cryptomap extended permit ip insideTGHQ 255.255.0.0 insideTGDR 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu insideTGHQ 1500
mtu management 1500
ip local pool VPNClient 192.168.2.100-192.168.2.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 66.245.75.34 outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (insideTGHQ) 0 access-list insideTGHQ_nat0_outbound
nat (insideTGHQ) 1 insideTGHQ 255.255.0.0
static (insideTGHQ,insideTGHQ) interface 10.103.30.1 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 83.244.233.113 1
route outside insideTGDR 255.255.0.0 10.103.30.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http insideTGHQ 255.255.0.0 insideTGHQ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 66.245.75.34
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet insideTGHQ 255.255.0.0 insideTGHQ
telnet timeout 30
ssh insideTGHQ 255.255.0.0 insideTGHQ
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
webvpn
enable outside
svc enable
group-policy TGHQVPN internal
group-policy TGHQVPN attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
group-policy TGHQVPN_1 internal
group-policy TGHQVPN_1 attributes
dns-server value 10.10.30.1 10.103.30.2
vpn-tunnel-protocol IPSec svc webvpn
webvpn
url-list none
svc ask enable
group-policy Admin internal
group-policy Admin attributes
dns-server value 10.103.30.1 10.103.30.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Admin_splitTunnelAcl
default-domain value technogym.co.uk
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
dns-server value 10.103.30.1 10.103.30.2
vpn-tunnel-protocol IPSec webvpn
group-policy VPN internal
group-policy VPN attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable
username brandon password BPOdN1VKq0yxKcFE encrypted privilege 15
username brandon attributes
vpn-group-policy Admin
memberof Administrators
username trevos password netCwlrh3QiZK/KspknpuQ== nt-encrypted
username fazaln password bwbgtVfQVWWC5KVQ encrypted privilege 0
username fazaln attributes
vpn-group-policy TGHQVPN
username thnmf01 password MBe0MnrJ5N//6xhR encrypted privilege 15
username thnmf01 attributes
vpn-group-policy Admin
memberof Administrators
tunnel-group Admin type remote-access
tunnel-group Admin general-attributes
address-pool VPNClient
default-group-policy Admin
tunnel-group Admin ipsec-attributes
pre-shared-key *
tunnel-group 66.245.75.34 type ipsec-l2l
tunnel-group 66.245.75.34 ipsec-attributes
pre-shared-key *
tunnel-group CiscoVPN type remote-access
tunnel-group CiscoVPN general-attributes
address-pool VPNClient
default-group-policy CiscoVPN
tunnel-group CiscoVPN ipsec-attributes
pre-shared-key *
!
!
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:e076e5a6690c8e2c4381fb5fb350ecb7
: end
asdm image disk0:/asdm-603.bin
asdm location insideTGDR 255.255.0.0 insideTGHQ
no asdm history enable
06-27-2012 02:42 PM
Naheem-
When you say that you lost your connection, what network were you on, and which interface were you trying to connect and ping to? Is this through your split-tunneled VPN or the insideTGHQ interface? (I'm assuming VPN.)
One thing that looks wrong right off the bat is your second route statement. I may be wrong, but I believe that should be a route on your insideTGHQ interface instead of the outside interface.
With a little more info this should be pretty easy to solve.
HTH,
Paul
06-28-2012 02:22 AM
Hi Paul
thank you for your reply.
I lost connection moments after applying a new NAT rule. This was during the write mem stage: ASDM hung for at least 3-4 minutes, timed out and then shut down. The network interface I was connected to was Ethernet 0/3, insideTGHQ (office network), IP 10.103.30.254. After losing connection I tried to ping this interface and also tried to telnet to this IP, all with no success. The site-to-site IPsec tunnel is running fine and was not affected.
I've checked the 2nd route statement and it looks OK. Can you explain?
thanks
Naheem
06-28-2012 05:55 AM
Naheem-
What is bothering me about that second route statement is this: The insideTGDR network is 10.104.0.0/16, and the existing route statement tells the ASA that any traffic destined for that network should go to the outside interface, but the next hop specified in that statement is the ASA insideTGHQ interface address. I am assuming that 10.104.0.0/16 needs to be routed through the inside interface instead, so instead of the following statement:
route outside insideTGDR 255.255.0.0 10.103.30.254 1
it should really be
route insideTGHQ insideTGDR 255.255.0.0 10.103.30.254 1
If I am wrong and this network actually exists on the outside interface, then the next hop needs to be changed to that of the outside interface.
Now, that being said, you lost your connectivity under very odd circumstances. If the NAT statement that you added was to blame, you would have lost your connection the instant that you hit 'enter' on that command, not when you did a write mem.
I would check the route statement again, and also check the status of Eth0/3 to make sure that it is up. Version 8 software on the 5510 allows you to run the first two interfaces (Eth0/0 and Eth0/1) at Gigabit speed, while the last two will only run at 100 Mbps. It is generally a best practice to force your ASA ports to whatever speed and duplex you want, and not allow them to negotiate.
You may also want to upgrade to the latest version of software for the 5510. I would suggest 8.2(5), as in any version after this the command set changes, as does the way that the ASAs perform certain functions, such as NAT. I would suggest you play around with any later version on a lab box for a while to get used to it before putting it in production.
HTH,
Paul
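Editor's note and added example (not from either poster): the commands below are what Paul's reply amounts to when written against the running config Naheem pasted, plus two caveats a practitioner should weigh before pasting them. First, in that config insideTGDR (10.104.0.0/16) is the far end of the site-to-site tunnel (crypto map outside_map 1 matches insideTGHQ to insideTGDR with peer 66.245.75.34), so it is reached through the outside interface and Paul's second alternative applies: keep the route on outside and point it at the outside gateway, or simply let the default route carry it. A next hop of 10.103.30.254 is the ASA's own insideTGHQ address and is not a usable gateway on either interface. Second, the config also carries `static (insideTGHQ,insideTGHQ) interface 10.103.30.1 netmask 255.255.255.255`, which maps the insideTGHQ interface's own address (10.103.30.254) to 10.103.30.1 for traffic arriving on that same interface. If that is the NAT rule added just before the outage, it is a plausible reason that ping and telnet to 10.103.30.254 from the office LAN stopped working while the tunnel stayed up; `show xlate` and `show nat` are where to confirm it. Assumptions: the outside gateway is used exactly as posted (83.244.233.113, even though as pasted it does not fall inside the outside interface's 82.244.233.112/28, so check the real value on the box), 100/full is a guess at the switch port setting, and NEXT_HOP_ROUTER is a placeholder for a router that does not exist in the posted config.

```cisco
! Added example (editor's, not from the thread). Addresses are the ones in
! the posted running config; anything else is an assumption noted inline.
!
! 1. Look before changing anything.
show interface Ethernet0/3          ! line protocol up? negotiated speed/duplex? errors?
show route                          ! is the insideTGDR route installed, and via which interface?
show xlate                          ! is 10.103.30.254 being translated to 10.103.30.1?
show nat                            ! which nat/static lines are active on insideTGHQ?
!
! 2. Fix the insideTGDR route. The next hop must be a host reachable on the
!    egress interface, never the ASA's own address. insideTGDR is the far end
!    of the L2L tunnel (crypto map outside_map 1, peer 66.245.75.34), so it
!    belongs on outside. The default route already covers it; the explicit
!    route only documents intent.
configure terminal
no route outside insideTGDR 255.255.0.0 10.103.30.254 1
route outside insideTGDR 255.255.0.0 83.244.233.113 1
! If insideTGDR were instead behind a router on the 10.103.0.0/16 LAN, Paul's
! first form would apply, with that router (placeholder) as the next hop:
!   route insideTGHQ insideTGDR 255.255.0.0 NEXT_HOP_ROUTER 1
!
! 3. The same-interface static maps the insideTGHQ interface address itself
!    to 10.103.30.1. If it was the NAT rule added before the outage and
!    10.103.30.1 does not need to answer on the firewall's address, remove it
!    so that 10.103.30.254 is the ASA again for hosts on insideTGHQ.
no static (insideTGHQ,insideTGHQ) interface 10.103.30.1 netmask 255.255.255.255
clear xlate                         ! drop the stale translation; this also resets live connections
!
! 4. Pin speed/duplex (Paul's point). 100/full is assumed; it must match the
!    switch port exactly or autonegotiation is traded for a duplex mismatch.
interface Ethernet0/3
 speed 100
 duplex full
 no shutdown
exit
!
! 5. Verify from a host on 10.103.0.0/16 (ping/telnet/ssh to 10.103.30.254)
!    and re-check the table before saving.
show route
show xlate
write memory
```

Apply steps 2 through 4 from the management interface, which is the only path still working, and only save with `write memory` once a host on the office LAN can reach 10.103.30.254 again; until then a reload still returns the box to the saved (working, pre-NAT) startup configuration.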
06-29-2012 01:04 AM
Morning Paul
Many thanks for all your support on this issue.
I will revisit this 2nd route statement today and also the v8 release. Sadly I don't have a lab box, but I'll certainly look at upgrading to the latest software, v8.2(5).
Thank you for your assistance and I'll post any changes that occur.
Regards
Naheem