Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Sheraz.Salim
Online
Sheraz.Salim
Member since
03-08-2005
Rising star
903
Posts
763
Helpful
80
Solutions
Recent Badges
Awards
Spotlight Awards Member's Choice, February 2019
1
07-16-2019
12:06 PM
have a look on below link. It more CLI but will achieve your objective. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html#anc17
... View more
Created by
Sheraz.Salim
in Cisco Bug Discussions
in Cisco Bug Discussions
07-08-2019
01:17 AM
07-08-2019
01:17 AM
Hi All. hitting this bug using FMC virtual appliance 6.3.0.1. any idea when it will fixed.
... View more
- Tags:
- FMC BUG CSCvk40714
Labels:
Created by
Sheraz.Salim
in VPN and AnyConnect
in VPN and AnyConnect
06-23-2019
02:05 PM
06-23-2019
02:05 PM
curious have you give this command on the ASA. crypto ikev2 enable outside ! and make sure you have configured your VPN in this way. You dont have to give pre-sharedkey 3 times. see the template for IKEV2 ! asa1(config)#crypto ikev2 policy 1 ! asa1(config-ikev2-policy)#encryption aes ! asa1(config-ikev2-policy)#integrity sha ! asa1(config-ikev2-policy)#group 2 ! asa1(config-ikev2-policy)#prf sha ! asa1(config-ikev2-polocy)#lifetime seconds 86400 ! asa1(config)#crypto ikev2 enable outside ! asa1(config)#crypto ipsec ikev2 ipsec-proposal ikev2-proposal ! asa1(config-ipsec-proposal)#protocol esp encryption aes ! asa1(config-ipsec-proposal)#protocol esp integrity sha-1 ! asa1(config)# access-list ikev2-list extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 ! asa1(config)#tunnel-group 10.10.10.2 type ipsec-l2l ! asa1(config)#tunnel-group 10.10.10.2 ipsec-attributes ! asa1(config-tunnel-ipsec)#ikev2 local-authentication pre-shared-key this_is_a_key ! asa1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key this_is_a_key ! asa1(config)#crypto map ikev2-map 1 match address ikev2-list ! asa1(config)#crypto map ikev2-map 1 set peer 10.10.10.2 ! asa1(config)#crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal ! asa1(config)#crypto map ikev2-map interface outside
... View more
Created by
Sheraz.Salim
in Firewalls
in Firewalls
06-23-2019
01:48 PM
06-23-2019
01:48 PM
you might have many nat rules in place if we suggest you one it could break the other functional nat. from above post i see you want to allow a whole subnet to be access able from outside. curious if you have any spare public ip addresses. as landing/coming from outside to mapping to (if you have a single ip address) your interested subnet is not a good practice. however, you can change the ip addresses if you thing they are sensitive. remember we are here to help. and give you a good advise to make things works where you get stuck :) as you have a dynamic rule in your nat. you need to change this to static. as mentioned earlier by GRANT I wont recommand this to you but unless you do not have any public ip addresses. but here is the config like are ! Object network BlackBelt subnet 192.168.100.0 255.255.255.0 ! nat (inside,outside) 1 source static BlackBelt interface ! access-list outside_in exten permit tcp any subnet 192.168.100.0 255.255.255.0 eq https (or) access-list outside_in exten permit tcp any object BlackBelt eq https ! access-group outside_in in interface outside ! you need to narrow down what protocol in regards to transport layer need to be access from outside to your inside(interested) subnet.
... View more
Created by
Sheraz.Salim
in Firewalls
in Firewalls
06-23-2019
01:17 PM
06-23-2019
01:17 PM
Just make sure you are on 9.7 onward version of the ASA code. As VTI was introduce in 9.7 code here is the link in case you need it in regards to configurations https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf
... View more
Created by
Sheraz.Salim
in VPN and AnyConnect
in VPN and AnyConnect
06-23-2019
01:09 AM
06-23-2019
01:09 AM
In your debug output you see this message REN-ASA5510# no IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE where mean could be a typo error in presharekey between two firewalls. also see the link https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html
... View more
Created by
Sheraz.Salim
in Firewalls
in Firewalls
06-19-2019
02:00 PM
06-19-2019
02:00 PM
kindly please if possible to upload the config in order to help you.
... View more
06-15-2019
11:28 AM
have a read on this doc https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html will clear all your concepts
... View more
06-15-2019
11:27 AM
have a read on this link https://www.geeksforgeeks.org/computer-network-dynamic-nat-on-asa/
... View more
06-15-2019
09:41 AM
let say. object network SRV_WEB host 192.168.70.10 nat (dmz,outside) interface ! access-list OUTSIDE_IN extended permit tcp any host 192.168.70.10 eq 443 access-group OUTSIDE_IN in interface outside ! so on the above in ACL you will always define the RFC 1918 ip address (Private range of your network addresses). and when you do a packet-trace to test remeber you have to give the Public ip address to test the connection for example. packet-tracer input outside tcp 8.8.8.8 12345 1.1.1.1 443 where 1.1.1.1 is your outside ip address of your Firewall which is married to your 192.168.71.10 address. HTH.
... View more
06-15-2019
12:33 AM
let walk though on your configuration ------------------------------------------------ object network Natted_Hosts subnet 200.10.10.0 255.255.255.0 nat (any,outside) static interface access-list inside extended permit ip object natted_Hosts any access-group inside in interface inside access-list outside extended permit ip any object Natted_Hosts ---------------------------------------------------------- first your object Natted_Hosts better use dynamic instead of static as you have a subnet behind outside with /24. access-list inside extended permit ip object natted_Hosts any access-group inside in interface inside this above rule can be seen as a first line of defense, but depends how to play and what protocols you allow or deny. Example now here if the initiator is subnet 200.10.10.0 255.255.255.0 and you want to allow only traffic ssh. you will write it as access-list inside extended permit tcp object natted_Hosts any eq shh access-list inside extended permit deny ip any any access-group inside in interface inside. now the ASA will narrow down the access at inside instead of doing it at outside. this is also classify as good practice to save your ASA cpu. access-list outside extended permit ip any object Natted_Hosts packet coming from outside interface is allow access to Natted_Hosts. in you example (any,outside) with subnet 200.10.10.0 255.255.255.0. will be translated to asa outside ip address.
... View more
06-15-2019
12:16 AM
object network natted_Subnet subnet 10.10.10.0 255.255.255.0 nat (any,outside) static interface long ago i read in cisco documentation nat (any,outside) is not a best practice. would be better if you put tight control on the flow of traffic either from (inside,outside) or (dmz,outside) instead of any,outside. you better do a dynamic PAT, object network natted_Subnet subnet 10.10.10.0 255.255.255.0 nat (any,outside) dynamic interface
... View more
06-14-2019
04:44 PM
hm.. can you try this please. object network DVR-web host 192.168.185.11 ! object service 53429 service tcp source eq 53429 ! object service HTTP service tcp source eq https ! nat (wireless-house,outside) source static DVR-web interface service HTTP 53429 ! packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429 ! if the above even does not work.share the output command "show nat detail"
... View more
06-14-2019
12:46 PM
put these command and display it output of packet tracer. no nat (int_video,outside) source dynamic LAN_Video interface ! object network LAN_Video subnet 192.168.79.0 255.255.255.0 nat (int_video,outside) dynamic interface ! object network DVR-web host 192.168.79.10 nat (int_video,outside) static interface service tcp https 53429 ! access-list outside_access_in extended permit tcp any host 192.168.79.10 eq https ! access-group outside_access_in in interface outside ! packet-tracer input outside tcp 8.8.8.8 12345 X.X.X.X 53429 ! NOTE: X.X.X.X put your firewall outside ip address.
... View more
Public Statistics
| Date Registered | 03-08-2005 10:42 AM |
| Date Last Visited | 07-16-2019 01:07 PM |
| Total Messages Posted | 903 |
| Total Helpful Votes Received | 763 |
Helpful Votes Given To
.jpg "Hall of Fame Master"){kind=icon}
.jpg "VIP Engager"){kind=icon}
Helpful Votes From
Awards
Community Spotlight Award
Member's Choice, February 2019
