turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Sheraz.Salim
02-11-2019
Sheraz.Salim
Member since
03-08-2005
Rising star
02-01-2019
11:05 AM
try this and sorry for the late reply ! object-group protocol TCP protocol-object tcp ! object network INSIDE-SERVER03 host 4.3.2.1 nat (inside,outside) static 1.2.3.4 ! access-list OUT-IN exten permit object-group TCP any INSIDE-SERVER03 eq 80 access-list OUT-IN exten permit object-group TCP any INSIDE-SERVER03 eq 443 access-group OUT-IN in interface outside
... View more
02-01-2019
03:33 AM
you are correct. access-list thorman extended permit ip object-group thorman-local object-group thorman-remote access-list thorman extended permit ip any4 object-group thorman-remote the above statement match two rule in one. where ip any4 and object-group thorman. what you can do if you dont want to apply the new rules. do show access-list and check what number is giving from ASA to these ACLs.
... View more
02-01-2019
03:12 AM
can you try this ! access-list thorman2 extended permit ip object-group thorman-local object-group thorman-remote ! crypto map external-vpns 600 match address thorman2 crypto map external-vpns 600 set pfs crypto map external-vpns 600 set peer 135.176.20.84 135.177.156.235 crypto map external-vpns 600 set ikev1 transform-set AES-128-SHA crypto map external-vpns 600 set security-association lifetime seconds 3600 crypto map external-vpns 600 set security-association lifetime kilobytes 4608000 !
... View more
02-01-2019
02:31 AM
in your most recent ASA config you provided i have simplified for us to understand/break them so we could easliy know what is going on. however in you config. i dont see the Thorman config. Note: I also notice you give us the config from your secondary firewall. could be all config are in Active firewall and they not syn to secondary firwall ============================================ ! object-group network Noverton-local network-object 10.99.206.0 255.255.255.0 network-object 192.168.142.0 255.255.255.0 object-group network Noverton-remote network-object 10.20.4.0 255.255.255.0 ! access-list 181.49.11.243_Noverton extended permit ip object-group Noverton-local object-group Noverton-remote ! nat (inside,outside) source static Noverton-local Noverton-local destination static Noverton-remote Noverton-remote ! crypto map external-vpns 320 match address 181.49.11.243_Noverton crypto map external-vpns 320 set peer 181.49.11.243 crypto map external-vpns 320 set ikev1 transform-set ESP-AES-256-SHA crypto map external-vpns 320 set security-association lifetime seconds 28800 crypto map external-vpns 320 set security-association lifetime kilobytes 4608000 ! =============================================================== Now If i go back to your post the first 2 posts you provide some of the config of your firewall. as i already said in post recent i can not find the Thorman and relying on old information we have. here What i found. ! Problematic ------- object-group network thorman-local network-object 10.99.206.0 255.255.255.0 network-object 10.99.240.0 255.255.255.0 network-object 10.99.241.0 255.255.255.0 network-object 10.99.242.0 255.255.255.0 network-object 10.99.243.0 255.255.255.0 network-object 10.1.0.0 255.255.0.0 network-object 10.2.0.0 255.255.0.0 network-object 10.20.3.0 255.255.255.0 network-object 10.20.4.0 255.255.255.0 network-object 10.20.12.0 255.255.255.0 network-object 10.20.5.0 255.255.255.0 ! object-group network thorman-remote network-object 192.168.142.0 255.255.255.0 ! nat (inside,outside) source static thorman-local thorman-local destination static thorman-remote thorman-remot ! access-list incoming-outside extended permit ip object-group thorman-remote object-group Noverton-remote ! crypto map external-vpns 600 match address thorman---PROBLEM I can not find the thorman. where is the access-list for that? crypto map external-vpns 600 set pfs crypto map external-vpns 600 set peer 135.176.20.84 135.177.156.235 crypto map external-vpns 600 set ikev1 transform-set AES-128-SHA crypto map external-vpns 600 set security-association lifetime seconds 3600 crypto map external-vpns 600 set security-association lifetime kilobytes 4608000 !
... View more
01-31-2019
02:11 PM
Each object group has a different number of subnets contained within them. Would this cause a problem with the natting? For instance, thorman-local has 11 subnets whereas thorman-remote has just the 1 - is this ok? This is not an issue. you mind to upload the complete ASA config instead of showing a small part of it. you can remove the real public ip addresses and username or fake it up.
... View more
01-31-2019
11:05 AM
to add what RJI said you need ASA version 9.8 in order to run/config the VTI to consolidate your configuration.
... View more
01-31-2019
10:59 AM
no access-list 81.149.11.243_Noverton extended permit ip any object-group Noverton-remote access-list 81.149.11.243_Noverton extended permit ip object-group Noverton-local object-group Noverton-remote ! crypto map external-vpns 600 match address thorman i can not see the thorman. and why you define twice the 81.149.11.243_Noverton
... View more
01-31-2019
07:15 AM
@LegusolI did noticed that wrong ip address in your packet tracer and i was curious why you doing this. also i was tired too and this also get over looked from me other wise i have mentioned to you. anyway good to hear all sorted.
... View more
Created by
Sheraz.Salim
in Firewalls
in Firewalls
01-31-2019
06:34 AM
01-31-2019
06:34 AM
try this config. I have try to configure the service objects as you requested but this is not possible as we have no source ip address known. service object work with source ip and with destination ip. in our case source ip address is any ip address from the internet and the destination ip address is our group CAM. ! !object-group network CAM network-object host 192.168.5.43 network-object host 192.168.5.44 network-object host 192.168.5.45 ! object-group protocol TCP protocol-object tcp ! nat (inside1,outside) source static CAM interface ! access-list outside_access_in extend permit object-group TCP any object-group CAM eq 81 access-list outside_access_in extend permit object-group TCP any object-group CAM eq 82 access-list outside_access_in extend permit object-group TCP any object-group CAM eq 83 access-list outside_access_in extend permit object-group TCP any object-group CAM eq 84 access-list outside_access_in extend permit object-group TCP any object-group CAM eq 8000 ! access-group outside_access_in in iterface outside
... View more
Created by
Sheraz.Salim
in Firewalls
in Firewalls
01-31-2019
06:12 AM
01-31-2019
06:12 AM
you have to go to the patch 8.2 to 8.4 to 9.x. you need to upgrade the active ASA to software 9.1 and for the passive which you lost control of it you need to console to the cli to check what is happening. i am afraid there is no quick fix for it. for the passive 8.2 to 8.4 than 9.1
... View more
Created by
Sheraz.Salim
in Firewalls
in Firewalls
01-31-2019
03:35 AM
01-31-2019
03:35 AM
for 8.2(5) to 9.1 you need to first upgrade to 8.4(5) first.
... View more
01-31-2019
01:44 AM
check this document. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/quality_of_service_qos_for_firepower_threat_defense.pdf
... View more
01-30-2019
04:18 PM
Router A LAN can ping to Router B LAN and Router B LAN fail to ping Router A LAN. Now here is the question does Router A and Router B are configured with site-to-site vpn configuration and the ASA is in the middle acting as proxy. if so you need to make sure the Router A config (vpn config with ACL mirror) the Router B. if that is not the case than provide us the config of all device to look into this.
... View more
01-30-2019
03:58 PM
We have a server on our internal network using 10.0.0.25. In the case of this one particular server however, we need the external servers to see our traffic residing from 46.181.101.118 (the /28 subnet). So a NAT for inside address 10.0.0.25 to 46.181.101.118. We cannot seem to get this to work. No matter what we add for the NAT the traffic is still seen as coming from 46.181.101.214. We are able to connect into this server from the outside on 46.181.101.118 so it is only how our traffic is seen externally that we are having an issue with. object network REAL host 10.0.0.25 ! object network MAPPED host 46.181.101.214 ! nat (inside,outside) source static REAL MAPPED ! access-list OUT-IN exten permit tcp any object REAL eq 443 access-group OUT-IN in interface outside
... View more
Created by
Sheraz.Salim
in Firewalls
in Firewalls
01-30-2019
03:49 PM
01-30-2019
03:49 PM
I dont see any major hole in your config. if your 10.x.x.x interface is shutdown and if you see a lot of traffic is coming to hit this subnet than that make sense to say that traffic is block because ASA know the interface is shutdown state so it drop the packets configuration looks fine to me.
... View more
Public Statistics
| Date Registered | 03-08-2005 10:42 AM |
| Date Last Visited | 02-11-2019 11:51 PM |
| Total Messages Posted | 758 |
| Total Helpful Votes Received | 473 |
Helpful Votes Given To
.jpg "Hall of Fame Master"){kind=icon}
.jpg "VIP Collaborator"){kind=icon}
