We have a server with dual NIC cards I want to configure for redundancy to our 5505 router. Reading online though the router has no support for EtherChannel or LACP. What are my options here for a proper redundant network link? If I configure LACP on the server will the Cisco ASA not know what to do with the packets sent via LACP? Or is there a better configuration option to utilize the NICs for reliability on Windows Server 2008 R2?
Harry, I appreciate the reply and apologise for taking so long to respond myself. When trying to connect to the service it still fails, I was using the Packet Tracer as a quicker means of testing. However, after further investigation Friday I believe the issue I am having may be with the service itself. It is a specialized device which, after reviewing its routing table has no route for 192.168.16.x addresses. I cannot update this configuration without scheduling a critical downtime hopefully within the next week. Again I appreciate the response but unfortunately my issue might not have to do with the VPN configuration at all!
I'm trying to set up a new VPN user/group/policy to replace a flawed old version that used IP addresses from the same pool as the inside VLAN. As of right now I have most things configured but am unable to establish a connection to a service host on the inside VLAN with the new configuration. The old configuration works fine. Other services like RDP are working fine on the new configuration. I *thought* that I had everything configured to use the new IP addresses in ACL lists, NAT Exemptions and the like but must have a conflict or missing rule somewhere I can't spot. Using the packet tracer everything works except when I test 192.168.16.x -> 192.168.15.x on interface outside, it says "IPSEC Spoof Detected" as the reason for dropping packets. When attempting to establish the connection there are no errors, just "Built inbound TCP..." followed by "Teardown TCP... SYN Timeout 00:30". For the record the 192.168.16.100-150 pool is the correct VPN address pool. Once I have it working 100% I'd like to remove the 192.168.15.200-250 pool from the ASDM configuration.

My configuration:

: Saved
:
ASA Version 8.2(5)
!
hostname SEMC-TEST
enable password D37rIydCZ/bnf1uj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.15.0 192.168.15.0 description Internal Network devices
ddns update method DDNS_Update
 ddns both
 interval maximum 0 4 0 0
!
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description VLAN to inside hosts
 nameif inside
 security-level 100
 ddns update hostname 0.0.0.0
 ddns update DDNS_Update
 dhcp client update dns server both
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
 description External VLAN to internet
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 184.108.40.206
 name-server 220.127.116.11
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip 192.168.16.0 255.255.255.0 any
access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
access-list outside_access_in extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list Remote_test_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.15.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
access-list inside_access_in extended permit ip interface inside interface inside
access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any 192.168.16.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.16.0 255.255.255.0 any
access-list inside_access_in remark Block Internet Traffic
access-list inside_access_out extended permit icmp 192.168.15.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.15.192 255.255.255.192 any
access-list inside_access_out extended permit ip 192.168.15.0 255.255.255.0 192.168.15.192 255.255.255.192
access-list inside_access_out extended permit ip 192.168.16.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Alt 192.168.16.100-192.168.16.150 mask 255.255.255.0
ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any echo-reply outside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_2
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.15.0 255.255.255.0 inside
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.15.200-192.168.15.250 inside
dhcpd enable inside
!
no threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.15.101 source inside
ntp server 192.168.15.100 source inside prefer
webvpn
group-policy Remote_test_Alt internal
group-policy Remote_test_Alt attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote_test_splitTunnelAcl
group-policy Remote_test internal
group-policy Remote_test attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote_test_splitTunnelAcl
username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0
username StockUser attributes
 vpn-group-policy Remote_test
username StockUser2 password t6a0Nv8HUfWtUdKz encrypted privilege 0
username StockUser2 attributes
 vpn-group-policy Remote_test_Alt
tunnel-group Remote_test type remote-access
tunnel-group Remote_test general-attributes
 address-pool VPN_IP_Pool
 default-group-policy Remote_test
tunnel-group Remote_test ipsec-attributes
 pre-shared-key *****
tunnel-group Remote_test2 type remote-access
tunnel-group Remote_test2 general-attributes
 address-pool VPN_IP_Alt
 default-group-policy Remote_test_Alt
tunnel-group Remote_test2 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:834543b67beaaa65578d8032d7d272c3
: end
Thanks for the reply Rizwan. I made the changes by adding a new Group and VPN user to get a 192.168.16.x IP address and configured the access rules to allow connection. I am able to successfully connect to one of the services but will confirm the other services work after coordinating with a coworker. I'll follow up tomorrow if everything worked.
Hello folks, I've had a lot of trouble trying to resolve this issue, but hoping someone here can enlighten me. I have a remote site that hosts a number of services that we manage remotely with an IPSec VPN connection. When connecting to the site we establish connection fine and can do most actions like RDP and connect to servers for maintenance but one service fails to connect unless I add a NAT exempt rule to the router configuration (ASA 5505). Once this rule is in place the service works, but other services that originally worked stop working. In short, this rule must be in place while doing one task, but then taken out for other tasks. I'm hoping there is some sort of rule or behavior I can add to the ASDM configuration making it so I no longer have to manually add this rule each time I connect. Here are the rule details:

access-list outside_nat0_outbound line 1 extended permit ip 192.168.15.192 255.255.255.192 192.168.15.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside tcp 0 0 udp 0

When establishing the connection without the rule in place the ASDM syslog shows these warnings:

Deny tcp src inside:<inside_host_ip>/61745 dst outside:10.100.32.203/135 by access-group "inside_access_in" [0x0, 0x0]

The weird thing is 10.100.32.203 is my host computer's internal IP. It's not even the external IP of the network I'm connecting from. Is it possible the problem stems from the VPN pool using a subset of the inside VLAN's subnet? The inside VLAN is 192.168.15.0/24 and the VPN is 192.168.15.200-250. I'm willing to reconfigure the VPN address pool but need to do it remotely and am not aware how to make this reconfiguration safely without losing my remote access since gaining physical access to the router itself is very difficult currently. If more details are needed I'm happy to provide them.
Hi Jeet, thanks for the reply. I looked into the NAT rules you mentioned and had to play around with them but got some positive results. This is what I have remaining on my configuration:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Everything seems well. However, if you don't mind can you answer these questions just to help my overall understanding of the ASA and NAT exemption overall? By default the ASA has no network address translations. By adding a dynamic rule to translate any inside packets destined for the outside interface I told the ASA to rewrite the IP address to use the outside interface's address? This leads to requiring an exemption such that packets destined for my VPN pool were being incorrectly translated? I'm doing my best to get my mind wrapped around the Cisco ASDM interface but there are a ton of options to take in. At times it's overwhelming to understand these things so if you have any personal resource recommendations I'd be happy to hear them. Thanks again!
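The NAT ordering the two questions above are asking about, as an added Python model written here for illustration (it is not ASA code and not part of the thread): the exemption ACL behind nat (inside) 0 access-list is consulted first, the dynamic rule nat (inside) 1 0.0.0.0 0.0.0.0 paired with global (outside) 1 interface rewrites every other inside source to the outside interface address, and with nat-control set a flow that matches neither rule is dropped. The networks are the thread's 192.168.15.0/24 LAN and the 192.168.16.0/24 range holding the VPN pool; the outside address 203.0.113.10 is a constructed placeholder.

```python
import ipaddress

# Added model of ASA 8.2 NAT decisions, not ASA code: exemption is checked before
# dynamic NAT/PAT, and with nat-control a flow matching neither rule is dropped.

INSIDE_LAN = ipaddress.ip_network("192.168.15.0/24")
VPN_POOL_NET = ipaddress.ip_network("192.168.16.0/24")   # the 192.168.16.100-150 pool lives here
OUTSIDE_IF = ipaddress.ip_address("203.0.113.10")        # constructed placeholder, not the real outside address

# nat (inside) 0 access-list inside_nat0_outbound -> (source, destination) permits
NAT0_ACL = [(INSIDE_LAN, VPN_POOL_NET)]
# nat (inside) 1 0.0.0.0 0.0.0.0 with global (outside) 1 interface -> PAT to the outside address
DYNAMIC_NAT = [(1, ipaddress.ip_network("0.0.0.0/0"))]


def translate(src, dst, nat0_acl=NAT0_ACL, dynamic_nat=DYNAMIC_NAT, nat_control=True):
    """Decide what happens to an inside->outside flow.

    Returns (action, new_source) where action is one of
    'exempt', 'pat', 'drop' or 'none'.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    # 1. NAT exemption: matching flows keep their real source address (identity NAT).
    for s_net, d_net in nat0_acl:
        if src in s_net and dst in d_net:
            return ("exempt", str(src))
    # 2. Dynamic NAT/PAT: the source is rewritten to the outside interface address.
    for _nat_id, s_net in dynamic_nat:
        if src in s_net:
            return ("pat", str(OUTSIDE_IF))
    # 3. No rule matched: nat-control requires a translation, so the packet is dropped.
    return ("drop", None) if nat_control else ("none", str(src))


def demo():
    """The three cases the questions above are about, as (label, result) pairs."""
    return [
        ("LAN host -> VPN client, exemption present",
         translate("192.168.15.10", "192.168.16.120")),
        ("LAN host -> VPN client, exemption removed",
         translate("192.168.15.10", "192.168.16.120", nat0_acl=[])),
        ("LAN host -> Internet",
         translate("192.168.15.10", "198.51.100.7")),
    ]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label}: {result}")
```

The exempt case is the one that matters for the VPN: an inside host's replies to a VPN client keep their real 192.168.15.x source, so they match the split-tunnel selector (192.168.15.0/24 to the pool) and go back through the tunnel; without the exemption the same packets are rewritten to the outside address and leave as ordinary Internet traffic.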
EDIT²: So, turns out my previous inclination from the edit below is true. If I disable DHCP on the inside interface and properly configure my network settings I am able to reach out to the web. I need to configure a couple of access rules to allow it but it *does* work once I have this set up. I guess I'll just work with static IPs and work on placing a company policy on IP management. You've been a big help on helping me get this far Joel.
----
EDIT: Found this FAQ:
Question—Is it possible to assign a static/permanent IP address to the computer that uses ASA as the DHCP server?
Answer—It is not possible using PIX/ASA. [Source]
Could this be a sign of what I'm after?
-----
To hopefully simplify things I've started over. Here's my setup config pasted into the CLI:
--snipped as of edit 2 for brevity--
When I plug into the inside interfaces I'm immediately given address 10.100.34.65 and have access to the web. Checks out. If I open my network adapter settings and, say, manually set my interface settings to 10.100.34.5/24 I can connect to the router through ASDM and the like but have no external web access. The ASA log in ASDM has numerous debug lines stating something akin to:
UDP Request discarded from 10.100.34.5 to inside 10.100.34.1
....on some non-standard port like 54955 or the like.
>ip dhcp excluded-address 192.168.12.1 That command gives me errors: that dhcp is not a valid arg to the ip command. I couldn't find something similar digging through `help dhcpd` `help ip` or `help dhcp`. Care to point me in the right direction?
Yes I can access the web on DHCP. The resulting config, above, is from following generic guides online to first configure a DHCP range, getting that to work and then revisiting the configuration in order to add static IP support. Seeing how my computer registers with the IP and the ASA log is sending numerous deny messages I would assume it isn't letting me pick my own IP?
Hi Joel, thanks for the reply. Unfortunately following that guide I am still unable to access the internet from the internal interfaces while I have configured a static IP. Is there some feature of the ASA that prevents users from specifying their IP manually when the VLAN is configured for DHCP? From what it seems when I set my own IP on the OS the ASA log just denies/discards all packets I send regardless of destination. Here is a snip of my running configuration that may help. I am looking right now to just understand how to make these configurations and then cleaning up the rules and making them somewhat sane.

interface Vlan1
description VLAN to inside hosts
ip address 10.100.31.1 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list semc_splitTunnelAcl standard permit 10.100.31.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.31.0 255.255.255.0 10.100.31.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.100.31.0 255.255.255.0 10.100.31.0 255.255.255.192
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip interface inside any
access-list ACL_OUT extended permit tcp any any
access-list ANY extended permit ip any any
access-list OUT extended permit ip any any
ip local pool VPN_Pool 10.100.31.220-10.100.31.250 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.100.31.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ANY in interface inside
access-group inside_access_out out interface inside
access-group ACL_OUT in interface outside
access-group OUT out interface outside
dhcpd address 10.100.31.64-10.100.31.95 inside
dhcpd enable inside
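An address-plan check, added here as an illustration (not the poster's code and not an ASA feature), covering two questions raised in this thread: the earlier post asks whether a VPN pool carved out of the inside VLAN's subnet causes trouble, and the posts above ask about a manually assigned host address alongside the ASA's DHCP server. It parses the ip address, ip local pool and dhcpd address lines of an ASA 8.2-style configuration and reports a VPN pool overlapping the inside subnet, a DHCP range colliding with a VPN pool, and a static host address that falls inside DHCP space. The sample configuration is constructed from the lines pasted above; the static address 10.100.31.5 is a constructed value in that subnet.

```python
import ipaddress
import re

# Constructed sample built from the address-related lines of the configuration
# pasted above (10.100.31.x). It is input for the checker, not the full config.
SAMPLE_CONFIG = """\
interface Vlan1
description VLAN to inside hosts
ip address 10.100.31.1 255.255.255.0
ip local pool VPN_Pool 10.100.31.220-10.100.31.250 mask 255.255.255.0
dhcpd address 10.100.31.64-10.100.31.95 inside
dhcpd enable inside
"""


def parse_address_plan(config):
    """Pull the inside subnet, 'ip local pool' ranges and 'dhcpd address' ranges
    out of ASA 8.2-style configuration text (sub-commands may or may not be indented)."""
    plan = {"inside": None, "vpn_pools": {}, "dhcp_ranges": {}}
    in_vlan1 = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_vlan1 = (line == "interface Vlan1")
            continue
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m and in_vlan1 and plan["inside"] is None:
            # "addr/netmask" with strict=False yields the subnet the address lives in
            plan["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            continue
        m = re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)(?: mask \S+)?", line)
        if m:
            plan["vpn_pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            continue
        m = re.fullmatch(r"dhcpd address (\S+)-(\S+) (\S+)", line)
        if m:
            plan["dhcp_ranges"][m[3]] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
    return plan


def ranges_overlap(a, b):
    """True when two inclusive (low, high) address ranges share any address."""
    return a[0] <= b[1] and b[0] <= a[1]


def audit_plan(plan, static_host=None):
    """Return findings: VPN pools inside the LAN subnet, DHCP ranges colliding with
    VPN pools, and (optionally) a static host that is off-subnet or in DHCP space."""
    findings = []
    inside = plan["inside"]
    inside_range = (inside[0], inside[-1])   # network address .. broadcast address
    for name, pool in plan["vpn_pools"].items():
        if ranges_overlap(pool, inside_range):
            findings.append(f"vpn pool {name} overlaps inside subnet {inside}")
        for iface, dhcp in plan["dhcp_ranges"].items():
            if ranges_overlap(pool, dhcp):
                findings.append(f"dhcp range on {iface} overlaps vpn pool {name}")
    if static_host is not None:
        host = ipaddress.ip_address(static_host)
        if host not in inside:
            findings.append(f"static host {host} is not in inside subnet {inside}")
        for iface, dhcp in plan["dhcp_ranges"].items():
            if dhcp[0] <= host <= dhcp[1]:
                findings.append(f"static host {host} lies inside the dhcp range on {iface}")
    return findings


if __name__ == "__main__":
    # Constructed static address in the posted subnet, outside the DHCP range
    for finding in audit_plan(parse_address_plan(SAMPLE_CONFIG), static_host="10.100.31.5"):
        print(finding)
```

For the pasted configuration the only finding is that VPN_Pool sits inside 10.100.31.0/24; a static .5 address does not collide with the 64-95 DHCP range, so that particular clash is not what is discarding the traffic. Run against the earlier 192.168.15.x configuration in this thread, the same parser also reports that dhcpd address and VPN_IP_Pool hand out the identical 192.168.15.200-250 range while VPN_IP_Alt (192.168.16.x) is clear of both.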