Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About GrahamB_SEMC
08-29-2018
Stats
Member since
11-22-2012
16
Posts
0
Helpful
0
Solutions
01-27-2014
01:40 PM
They're BroadCom NetXtreme cards so I believe BroadCom has a provided utility for creating Teams that I'll need to look into. Your answer clears up my suspicions of LACP, Thank you.
... View more
01-27-2014
01:21 PM
We have a server with dual NIC cards I want to configure for redundancy to our 5505 router. Reading online though the router has no support for EtherChannel or LACP. What are my options here for a proper redundant network link? If I configure LACP on the server will the Cisco ASA not know what to do with the packets sent via LACP? Or is there a better configuration option to utilize the NICs for reliability on Windows Server 2008 R2?
... View more
- Tags:
- asa5505
- redundancy
Labels:
Created by
GrahamB_SEMC
in VPN and AnyConnect
in VPN and AnyConnect
10-28-2013
07:09 AM
10-28-2013
07:09 AM
Harry, I appreciate the reply and apologise for taking so long to respond myself. When trying to connect to the service it still fails, I was using the Packet Tracer as a quicker means of testing. However, after further investigation Friday I believe the issue I am having may be with the service itself. It is a specialized device which, after reviewing its routing table has no route for 192.168.16.x addresses. I cannot update this configuration without scheduling a critical downtime hopefully within the next week. Again I appreciate the response but unfortunately my issue might not have to do with the VPN configuration at all!
... View more
Created by
GrahamB_SEMC
in VPN and AnyConnect
in VPN and AnyConnect
10-25-2013
12:46 PM
10-25-2013
12:46 PM
I'm trying to set up a new VPN user/group/policy to replace a flawed old version that used IP addresses from the same pool as the inside VLAN. As of right now I have most things configured but am unable to establish a connection to a service host on the inside VLAN with the new configuration. The old configuration works fine. Other services like RDP are working fine on the new configuration. I *thought* that I had everything configured to use the new IP addresses in ACL lists, NAT Excemptions and the like but must have a conflict or missing rule somewhere I can't spot. Using the packet tracer everything works except when I test 192.168.16.x -> 192.168.15.x on interface outside, it says "IPSEC Spoof Detected" as the reason for dropping packets. When attempting to establish the connection there is no errors, just "Built inbound TCP..." followed by "Teardown TCP... SYN Timeout 00:30" For the record the 192.168.16.100-150 pool is the correct VPN address pool. Once I have it working 100% I'd like to remove the 192.168.15.200-250 pool from the ASDM configuration. My configurations: : Saved : ASA Version 8.2(5) ! hostname SEMC-TEST enable password D37rIydCZ/bnf1uj encrypted passwd 2KFQnbNIdI.2KYOU encrypted names name 192.168.15.0 192.168.15.0 description Internal Network devices ddns update method DDNS_Update ddns both interval maximum 0 4 0 0 ! ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 description VLAN to inside hosts nameif inside security-level 100 ddns update hostname 0.0.0.0 ddns update DDNS_Update dhcp client update dns server both ip address 192.168.15.1 255.255.255.0 ! interface Vlan2 description External VLAN to internet nameif outside security-level 0 ip address xx.xx.xx.xx 255.255.255.248 ! ftp mode passive clock timezone CST -6 clock summer-time CDT recurring dns domain-lookup inside dns server-group DefaultDNS name-server 216.221.96.37 name-server 8.8.8.8 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group service DM_INLINE_TCP_1 tcp port-object eq www port-object eq https access-list outside_access_in extended permit icmp any any access-list outside_access_in extended permit ip 192.168.16.0 255.255.255.0 any access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any access-list outside_access_in extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0 access-list Remote_test_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.15.192 255.255.255.192 access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0 access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any access-list inside_access_in extended permit ip interface inside interface inside access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192 access-list inside_access_in extended permit icmp any any access-list inside_access_in extended permit ip any 192.168.16.0 255.255.255.0 access-list inside_access_in extended permit ip 192.168.16.0 255.255.255.0 any access-list inside_access_in remark Block Internet Traffic access-list inside_access_out extended permit icmp 192.168.15.0 255.255.255.0 any access-list inside_access_out extended permit ip 192.168.15.192 255.255.255.192 any access-list inside_access_out extended permit ip 192.168.15.0 255.255.255.0 192.168.15.192 255.255.255.192 access-list inside_access_out extended permit ip 192.168.16.0 255.255.255.0 any pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool VPN_IP_Alt 192.168.16.100-192.168.16.150 mask 255.255.255.0 ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0 ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside icmp permit any echo-reply inside icmp permit any echo-reply outside icmp permit any outside no asdm history enable arp timeout 14400 nat-control global (inside) 2 interface global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound_2 access-group inside_access_in in interface inside access-group inside_access_ipv6_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.15.0 255.255.255.0 inside http 192.168.16.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd auto_config outside ! dhcpd address 192.168.15.200-192.168.15.250 inside dhcpd enable inside ! no threat-detection basic-threat threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 192.168.15.101 source inside ntp server 192.168.15.100 source inside prefer webvpn group-policy Remote_test_Alt internal group-policy Remote_test_Alt attributes vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value Remote_test_splitTunnelAcl group-policy Remote_test internal group-policy Remote_test attributes vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value Remote_test_splitTunnelAcl username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0 username StockUser attributes vpn-group-policy Remote_test username StockUser2 password t6a0Nv8HUfWtUdKz encrypted privilege 0 username StockUser2 attributes vpn-group-policy Remote_test_Alt tunnel-group Remote_test type remote-access tunnel-group Remote_test general-attributes address-pool VPN_IP_Pool default-group-policy Remote_test tunnel-group Remote_test ipsec-attributes pre-shared-key ***** tunnel-group Remote_test2 type remote-access tunnel-group Remote_test2 general-attributes address-pool VPN_IP_Alt default-group-policy Remote_test_Alt tunnel-group Remote_test2 ipsec-attributes pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp inspect icmp error ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:834543b67beaaa65578d8032d7d272c3 : end
... View more
Labels:
10-10-2013
01:00 PM
Thanks for the reply Rizwan. I made the changes by adding a new Group and VPN user to get a 192.168.16.x IP address and configured the access rules to allow connection. I am able to successfully connect to one of the services but will confirm the other services work after coordinating with a coworker. I'll follow up tomorrow if everything worked.
... View more
10-10-2013
07:55 AM
Hello folks, I've had a lot of trouble trying to resolve this issue, but hoping someone here can enlighten me. I have a remote site that hosts a number of services that we manage remotely with an IPSec VPN connection. When connecting to the site we establish connection fine and can do most actions like RDP and connect to servers for maintenance but one service fails to connect unless I add a NAT exempt rule to the router configuration (ASA 5505). Once this rule is in place the service works, but other services that originally worked stop working. In short, this rule must be in place while doing one task, but then taken out for other tasks. I'm hoping there is some sort of rule or behavior I can add to the ASDM configuration making it so I no longer have to manually add this rule each time I connect. Here's the rule details: access-list outside_nat0_outbound line 1 extended permit ip 192.168.15.192 255.255.255.192 192.168.15.0 255.255.255.0 nat (outside) 0 access-list outside_nat0_outbound outside tcp 0 0 udp 0 When establishing the connection without the rule in place the ASDM syslog shows these warnings: Deny tcp src inside:<inside_host_ip>/61745 dst outside:10.100.32.203/135 by access-group "inside_access_in" [0x0, 0x0] The weird thing is 10.100.32.203 is my host computer's internal IP. Its not even the external IP of the network I'm connecting from. Is it possible the problem stems from the VPN pool using a subset of the inside VLAN's subnet? The inside VLAN is 192.168.15.0/24 and the VPN is 192.168.15.200-250. I'm willing to reconfigure the VPN address pool but need to do it remotely and am not aware how to make this reconfiguration safely without losing my remote access since gaining physical access to the router itself is very difficult currently. If more details are needed I'm happy to provide them.
... View more
Labels:
09-09-2013
01:47 PM
Yes I am able to ping 192.168.15.1 reliably. I'm not extremely familiar with Cisco devices and configuring, how would changing the address pool help resolve this issue?
... View more
09-09-2013
01:21 PM
Hello folks, I posted a discussion earlier detailing my problem which got some help. I applied the user's fix and seemingly had my configuration working so I accepted the answer. However, after disconnecting/reconnecting the VPN I am faced with the same problem again. He had me change some nat rules which, once applied allowed me to connect to RDP. Once disconnecting/reconnecting the original issue occurred again. The Problem: When using IPSec Remote Access VPN configuration I am unable to ping or connect with RDP/VNC protocols. At times I get a single ping response but I can't understand why that would happen if I cannot establish any other connections. Details; - Router is a Cisco ASA 5505 with ASDM 6.4 - Internal VLAN is 192.168.15.0/24, has DHCP enabled - All current internal hosts have static addresses somewhere near 192.168.15.100-120 with 192.168.15.1 configured as a gateway - VPN Users receive a 192.168.15.200-250 address - Cisco VPN Client is used to connect and there are no network connectivity issues between my remote computer and the ASDM application My Configuration: Result of the command: "show config" : Saved : Written by enable_15 at 15:06:09.524 CDT Mon Sep 9 2013 ! ASA Version 8.2(5) ! hostname host enable password D37rIydCZ/bnf1uj encrypted passwd 2KFQnbNIdI.2KYOU encrypted names name 192.168.15.0 inside-network description Internal Network devices ddns update method DDNS_Update ddns both interval maximum 0 4 0 0 ! ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 description VLAN to inside hosts nameif inside security-level 100 ddns update hostname 0.0.0.0 ddns update DDNS_Update dhcp client update dns server both ip address 192.168.15.1 255.255.255.0 ! interface Vlan2 description External VLAN to internet nameif outside security-level 0 ip address xx.xx.xx.xx 255.255.255.248 ! ftp mode passive clock timezone CST -6 clock summer-time CDT recurring dns domain-lookup inside dns server-group DefaultDNS name-server 216.221.96.37 name-server 8.8.8.8 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group service DM_INLINE_TCP_1 tcp port-object eq www port-object eq https access-list outside_access_in extended permit icmp any interface inside access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any access-list Remote_splitTunnelAcl standard permit inside-network 255.255.255.0 access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 192.168.15.192 255.255.255.192 access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any access-list inside_access_in extended permit ip interface inside interface inside access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192 access-list inside_access_in extended permit icmp any any access-list inside_access_out extended permit icmp inside-network 255.255.255.0 any access-list inside_access_out extended permit ip 192.168.15.192 255.255.255.192 any access-list inside_access_out extended permit ip inside-network 255.255.255.0 192.168.15.192 255.255.255.192 pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0 ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside icmp permit any echo-reply inside icmp permit any echo-reply outside icmp permit any outside no asdm history enable arp timeout 14400 nat-control global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 access-group inside_access_in in interface inside access-group inside_access_ipv6_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http inside-network 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd auto_config outside ! dhcpd address 192.168.15.200-192.168.15.250 inside dhcpd enable inside ! no threat-detection basic-threat threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 192.168.15.101 source inside ntp server 192.168.15.100 source inside prefer webvpn group-policy Remote internal group-policy Remote attributes vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value Remote_splitTunnelAcl username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0 username StockUser attributes vpn-group-policy Remote tunnel-group Remote type remote-access tunnel-group Remote general-attributes address-pool VPN_IP_Pool default-group-policy Remote tunnel-group Remote ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:f1351b0e8517ff0725884ef5f6e3abe7
... View more
Labels:
09-09-2013
12:23 PM
Hi Jeet, thanks for the reply I looked into the nat rules you mentioned and had to play around with them but got some positive results. This is what I have remaining on my configuration: nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 Everything seems well. However, if you don't mind can you answer these questions just to help my overall understanding of the ASA and NAT excemption overall? By default the ASA has no network address translations. By adding a dynamic rule to translate any inside packets destined for the outside interface I told the ASA to rewrite the IP address to use the outside interface's address? This leads to requiring a excemption such that packets destined for my VPN pool were being incorrectly translated? I'm doing my best to get my mind wrapped around the Cisco ASDM interface but there are a ton of options to take in. At times its overwhelming to understand these things so if you have any personal resource recommendations I'd be happy to hear them. Thanks again!
... View more
09-09-2013
11:29 AM
Hello everyone, First off, I apologize if this is something that I can google. My knowledge of network administration is all self-taught so if there is a guide to follow that I've missed please point me in the right direction, its often hard to Google terms for troubleshooting when your jargon isn't up to snuff. The chief issue is that when pinging internal devices while connected to the results are very inconsistent. Pinging 192.168.15.102 with 32 bytes of data: Reply from 192.168.15.102: bytes=32 time=112ms TTL=128 Request timed out. Request timed out. Request timed out. We've set up a IPSec VPN connection to a remote Cisco ASA 5505. There are no issues connecting, connection seems constant, packets good etc. At this point I can only assume I have configuration issues but I've been looking at this for so long, and coupled with my inexperience configuring these settings I have no clue where to start. My initial thoughts are that the LAN devices I am pinging are not sending their response back or the ASA doesn't know how to route packets back? Here's a dump of the configuration: Result of the command: "show config" : Saved : Written by enable_15 at 12:40:06.114 CDT Mon Sep 9 2013 ! ASA Version 8.2(5) ! hostname VPN_Test enable password D37rIydCZ/bnf1uj encrypted passwd 2KFQnbNIdI.2KYOU encrypted names name 192.168.15.0 internal-network ddns update method DDNS_Update ddns both interval maximum 0 4 0 0 ! ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 description VLAN to inside hosts nameif inside security-level 100 ddns update hostname 0.0.0.0 ddns update DDNS_Update dhcp client update dns server both ip address 192.168.15.1 255.255.255.0 ! interface Vlan2 description External VLAN to internet nameif outside security-level 0 ip address xx.xx.xx.xx 255.255.255.248 ! ftp mode passive clock timezone CST -6 clock summer-time CDT recurring dns server-group DefaultDNS name-server 216.221.96.37 name-server 8.8.8.8 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group service DM_INLINE_TCP_1 tcp port-object eq www port-object eq https access-list outside_access_in extended permit icmp any any access-list outside_access_in extended deny icmp interface outside interface inside access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any access-list Remote_splitTunnelAcl standard permit internal-network 255.255.255.0 access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.15.192 255.255.255.192 access-list inside_access_in remark Block Internet Traffic access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any access-list inside_access_in remark Block Internet Traffic access-list inside_access_in extended permit ip interface inside interface inside access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192 access-list inside_access_in remark Block Internet Traffic access-list inside_nat0_outbound_1 extended permit ip 192.168.15.192 255.255.255.192 any pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0 ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside icmp permit any echo-reply outside icmp permit any outside no asdm history enable arp timeout 14400 nat-control global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 0 access-list inside_nat0_outbound_1 outside nat (inside) 1 192.168.15.192 255.255.255.192 nat (inside) 1 0.0.0.0 0.0.0.0 access-group inside_access_in in interface inside access-group inside_access_ipv6_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 inside http internal-network 255.255.255.0 inside http yy.yy.yy.yy 255.255.255.255 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart sysopt connection timewait crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd auto_config outside ! dhcpd address 192.168.15.200-192.168.15.250 inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 192.168.15.101 source inside ntp server 192.168.15.100 source inside prefer webvpn group-policy Remote internal group-policy Remote attributes vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value Remote_splitTunnelAcl username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0 username StockUser attributes vpn-group-policy Remote tunnel-group Remote type remote-access tunnel-group Remote general-attributes address-pool VPN_IP_Pool default-group-policy Remote tunnel-group Remote ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3
... View more
Labels:
Created by
GrahamB_SEMC
in Switching
in Switching
11-27-2012
07:58 AM
11-27-2012
07:58 AM
Good timing. I'll take what you've provided and add to what I've learned. Thanks again!
... View more
Created by
GrahamB_SEMC
in Switching
in Switching
11-27-2012
06:56 AM
11-27-2012
06:56 AM
EDIT²: So, turns out my previous inclination from the edit below is true. If I disable DHCP on the inside interface and properly configure my network settings I am able to reach out to the web. I need to configure a couple access rules to allow it but it *does* work once I have this set up. I guess I'll just work with static IPs and work on placing a company policy on IP managment. You've been a big help on helping me get this far joel. ---- EDIT: Found this FAQ: Question—Is it possible to assign a static/permanent IP address to the computer that uses ASA as the DHCP server? Answer—It is not possible using PIX/ASA. [Source] Could this be a sign of what I'm after? ----- To hopefully simplify things I've started over. Here's my setup config pasted into the CLI: --snipped as of edit 2 for bevity-- When I plug into the inside interfaces I'm immediately given address 10.100.34.65 and have access to the web. Checks out. If I open my network adapter settings and say manually set my interface settings to 10.100.34.5/24 I can connect to the router through ADSM and the like but have no external web access. The ASA log in the ADSM has numerous debug lines stating something akin to: UDP Request discarded from 10.100.34.5 to inside 10.100.34.1 ....on some non-standard port like 54955 or the like.
... View more
Created by
GrahamB_SEMC
in Switching
in Switching
11-27-2012
06:07 AM
11-27-2012
06:07 AM
>ip dhcp excluded-address 192.168.12.1 That command gives me errors: that dhcp is not a valid arg to the ip command. I couldn't find something similar digging through `help dhcpd` `help ip` or `help dhcp`. Care to point me in the right direction?
... View more
Created by
GrahamB_SEMC
in Switching
in Switching
11-26-2012
01:07 PM
11-26-2012
01:07 PM
Yes I can access the web on DHCP. The resulting config, above, is from following generic guides online to first configure a DHCP range, getting that to work and then revisiting the configuration in order to add static IP support. Seeing how my computer registers with the IP and the ASA log is sending numerous deny messages I would assume it isn't letting me pick my own IP?
... View more
Created by
GrahamB_SEMC
in Switching
in Switching
11-26-2012
07:07 AM
11-26-2012
07:07 AM
Hi Joel, thanks for the reply. Unfortunately following that guide I am still unable to access the internet from the internal interfaces while I have configured a static IP. Is there some feature of the ASA that prevents users from specifying their IP manually when the vlan is configured for DHCP? From what it seems when I set my own IP on the OS the ASA Log just denies/discards all packets I send regardless of destination. Here is a snip of my running configuration that may help. I am looking right now to just understand how to make these configurations and then cleaning up the rules and making them somewhat sane. interface Vlan1
description VLAN to inside hosts
nameif inside
security-level 100
ip address 10.100.31.1 255.255.255.0
!
access-list outside_access_in extended permit icmp any any
access-list semc_splitTunnelAcl standard permit 10.100.31.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.31.0 255.255.255.0 10.100.31.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.100.31.0 255.255.255.0 10.100.31.0 255.255.255.192
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip interface inside any
access-list ACL_OUT extended permit tcp any any
access-list ANY extended permit ip any any
access-list OUT extended permit ip any any
ip local pool VPN_Pool 10.100.31.220-10.100.31.250 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.100.31.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ANY in interface inside
access-group inside_access_out out interface inside
access-group ACL_OUT in interface outside
access-group OUT out interface outside
dhcpd address 10.100.31.64-10.100.31.95 inside
dhcpd enable inside
... View more
01-27-2014
They're BroadCom NetXtreme cards so I believe BroadCom has a provided
utility for creating Teams tha...
01-27-2014
We have a server with dual NIC cards I want to configure for redundancy
to our 5505 router. Reading ...
10-28-2013
Harry,I appreciate the reply and apologise for taking so long to respond
myself. When trying to conn...
10-25-2013
I'm trying to set up a new VPN user/group/policy to replace a flawed old
version that used IP addres...
10-10-2013
Thanks for the reply Rizwan.I made the changes by adding a new Group and
VPN user to get a 192.168.1...
10-10-2013
Hello folks, I've had a lot of trouble trying to resolve this issue, but
hoping someone here can enl...
09-09-2013
Yes I am able to ping 192.168.15.1 reliably.I'm not extremely familiar
with Cisco devices and config...
09-09-2013
Hello folks,I posted a discussion earlier detailing my problem which got
some help. I applied the us...
09-09-2013
Hi Jeet, thanks for the replyI looked into the nat rules you mentioned
and had to play around with t...
09-09-2013
Hello everyone,First off, I apologize if this is something that I can
google. My knowledge of networ...
Created by
GrahamB_SEMC
in Switching
11-27-2012
11-27-2012
Good timing. I'll take what you've provided and add to what I've
learned. Thanks again!
Created by
GrahamB_SEMC
in Switching
11-27-2012
11-27-2012
EDIT²: So, turns out my previous inclination from the edit below is
true. If I disable DHCP on the i...
Created by
GrahamB_SEMC
in Switching
11-27-2012
11-27-2012
>ip dhcp excluded-address 192.168.12.1That command gives me errors: that
dhcp is not a valid arg to ...
Created by
GrahamB_SEMC
in Switching
11-26-2012
11-26-2012
Yes I can access the web on DHCP. The resulting config, above, is from
following generic guides onli...
Created by
GrahamB_SEMC
in Switching
11-26-2012
11-26-2012
Hi Joel, thanks for the reply.Unfortunately following that guide I am
still unable to access the int...
Public Statistics
| Date Registered | 11-22-2012 08:51 AM |
| Date Last Visited | 08-29-2018 12:01 AM |
| Total Messages Posted | 16 |
