05-31-2013 06:20 AM - edited 03-11-2019 06:51 PM
05-31-2013 06:30 AM
The 5510 can handle up to 250 VPNs. You find that information in the data sheet:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
05-31-2013 06:37 AM
Please send me the configuration.
05-31-2013 06:45 AM
ACTIVE# sh running-config
: Saved
:
ASA Version 8.2(5)
!
hostname ACTIVE
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description Inside to the Core Switches
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/1
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/2
description public Server - DMZ
duplex full
nameif DMZ
security-level 50
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Ethernet0/3
description outside to the internet via router
duplex full
nameif Outside
security-level 0
ip address 125.209.70.90 255.255.255.248 standby 125.209.70.91
!
interface Management0/0
description LAN/STATE Failover Interface
management-only
!
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250
!
ftp mode passive
clock timezone PST 5
dns domain-lookup DMZ
dns domain-lookup Outside
dns server-group DEFAULT-DNS
name-server 202.142.160.2
name-server 202.141.224.34
dns server-group DefaultDNS
domain-name dhalahore.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DMZ-BLOCKED-LAN-NETWORKS
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list 102 extended permit tcp any any eq www
access-list 102 extended permit tcp any host 125.209.70.90 eq www
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
pager lines 24
logging asdm informational
mtu DMZ 1500
mtu Outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key *****
failover link FAILOVER Management0/0
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (DMZ) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255
access-group DMZ-IN in interface DMZ
access-group 102 in interface Outside
access-group no-nat in interface inside
route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1
route inside 0.0.0.0 0.0.0.0 192.168.11.254 2
route inside 172.16.10.0 255.255.255.0 192.168.11.254 1
route inside 172.16.20.0 255.255.255.0 192.168.11.254 1
route inside 172.16.30.0 255.255.255.0 192.168.11.254 1
route inside 172.16.40.0 255.255.255.0 192.168.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.11.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
Navaz
05-31-2013 07:34 AM
Hi,
First off I would suggest providing us with more information when you ask something (even though you later posted the configuration). There is a very high chance that discussions will get completely ignored when the original post doesn't contain much information about the situation.
I would suggest you enable the graphical user interface called ASDM on the ASA and access the ASA using it.
First you should check the Flash memory which ASDM image you have there with command
dir flash:
Choose the highest number file called asdm-xxx.bin and enable it using
asdm image flash:/asdm-xxx.bin
Where naturally the "xxx" means the number in the file name that you see on the Flash memory.
Then enable the management through the use of "http" command
http
Then connect using a browser to the IP address of the "inside" interface
And install the ASDM. If you are prompted for authentication use your Enable password to login and don't give a username.
It has a VPN Wizard (in the Wizards menu) with which you can easily insert the needed information and the ASDM will generate the configurations for you.
- Jouni
06-02-2013 09:42 PM
ACTIVE# dir flash:
Directory of disk0:/
126 -rwx 15390720 23:58:50 May 08 2012 asa825-k8.bin
127 -rwx 16280544 02:19:18 May 09 2012 asdm-645.bin
3 drwx 4096 05:03:38 Jan 01 2003 log
10 drwx 4096 05:04:06 Jan 01 2003 crypto_archive
11 drwx 4096 05:04:08 Jan 01 2003 coredumpinfo
129 -rwx 12105313 02:01:50 May 09 2012 csd_3.5.841-k9.pkg
130 drwx 4096 02:02:00 May 09 2012 sdesktop
131 -rwx 2857568 02:02:14 May 09 2012 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
132 -rwx 3203909 02:02:34 May 09 2012 anyconnect-win-2.4.1012-k9.pkg
133 -rwx 4832344 02:03:12 May 09 2012 anyconnect-macosx-i386-2.4.1012-k9.pkg
134 -rwx 5209423 02:03:46 May 09 2012 anyconnect-linux-2.4.1012-k9.pkg
135 drwx 4096 08:08:12 May 31 2013 tmp
255320064 bytes total (193347584 bytes free)
And after running the command http 192.168.11.249 255.255.255.0 inside
it gives an error
WARNING: IP address <192.168.11.249> and netmask <255.255.255.0> inconsistent
Navaz
06-02-2013 09:48 PM
and how to install asdm?
Navaz
06-02-2013 11:07 PM
Hi,
You will basically have to make sure you have this configured
asdm image flash:/asdm-645.bin
Then you configure for example
http server enable
http 192.168.11.0 255.255.255.0 inside
Then you could try to open your web browser and insert
It should get you to the screen where you have the option to install the ASDM software from your ASA to your local computer. Later on you can then use the ASDM to get into your ASA.
- Jouni
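An added example, not part of the thread and not Cisco tooling: the warning above appears because 192.168.11.249 has host bits set under the mask 255.255.255.0, while the accepted line uses the network address 192.168.11.0. The Python sketch below applies that check to ASA-style http/telnet/ssh management-access lines and also flags any-source and Telnet rules; the sample lines are constructed from the thread and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: management-access lines in the style of the thread.
SAMPLE_CONFIG = """\
http server enable
http 192.168.11.249 255.255.255.0 inside
http 192.168.11.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.11.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
"""

MGMT_COMMANDS = {"http", "telnet", "ssh"}


def check_mgmt_line(line):
    """Findings for one '<http|telnet|ssh> <addr> <mask> <interface>' line."""
    parts = line.split()
    if len(parts) != 4 or parts[0] not in MGMT_COMMANDS:
        return None  # not an access rule, e.g. 'telnet timeout 5'
    cmd, addr_s, mask_s, ifname = parts
    try:
        addr = ipaddress.IPv4Address(addr_s)
        mask = ipaddress.IPv4Address(mask_s)
    except ipaddress.AddressValueError:
        return None
    findings = []
    # Bits of the address that fall outside the mask must be zero.
    if int(addr) & ~int(mask) & 0xFFFFFFFF:
        network = ipaddress.IPv4Address(int(addr) & int(mask))
        findings.append(
            f"inconsistent address/mask; use {cmd} {network} {mask} {ifname}")
    if int(mask) == 0:
        findings.append("any source address allowed")
    if cmd == "telnet":
        findings.append("telnet is cleartext")
    return findings


def audit(config_text):
    """Map each management-access line that has findings to its findings."""
    results = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        findings = check_mgmt_line(line)
        if findings:
            results[line] = findings
    return results
```
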
06-10-2013 12:34 AM
I can ping 192.168.11.249 but can't access it through the browser.
After this command, VPN is still not working.
Navaz
06-16-2013 09:19 PM
I am still waiting.
Navaz
06-16-2013 11:19 PM
Hi,
None of these commands were meant to configure VPN connections. They were meant to get the ASDM working so you can easily run the VPN configuration wizard that lets you just fill in the information and the ASDM will generate the needed configuration for you.
Have you inserted the configurations I suggested?
There shouldn't really be many things that could go wrong with regards to accessing the ASA through the browser and then installing ASDM on the computer to manage the ASA.
Here is a link to a document here on the CSC which gives help with troubleshooting the ASDM connectivity
https://supportforums.cisco.com/docs/DOC-15016
- Jouni
06-21-2013 12:17 AM
Thanks a lot, and I have another issue regarding IPS.
Thanks
Navaz