Do you have any ideas on this? ... View more

I guess my biggest question is, Why do I need it? Can I set a route on my L3 switch so that the traffic knows where to go? It is just a different IP address space as far as anything is concerned. It is tunneled into my whole network. I guess I just don't understand why a NAT statement.  ... View more

When I remove the NAT statement saying to go from my internal to the VPN IP Pool, I get no more connectivity. I add it back and it works again.  ... View more

I figured out what the problem was. I got a hold of NEC and they said I had to add a command to the switches, because... "The Cisco Switch (or any Cisco Device) is performing an ARP probe which we know to cause many issues but one of which is causing the system to think it has a Duplicate IP Address, hence the Duplicate IP Alarm in the system. Please see http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html on what can be done to resolve this, assuming their IT person wont already know how to disable this. Cisco refers to this I believe as 'IP ARP Probe' and that link should have information on disabling or at least making sure the Cisco devices do not apply this feature to the NEC System IP Addresses." Thanks for the help! I hope that this helps someone else! ... View more

Mr. Doherty, First off, thank you for your quick reply! I have checked the ports and none are showing drops. There are only 2 in the stack and it is running in whatever configuration it is between Port 1 -> 2, Port 2 -> 1. I have the same configuration for 2 of my C2960s's that are next to each other.  3750g's -> 15.0.2-SE9 2960s ->  12.2.55-SE5 ... View more

So then for the last piece would I just do a no nat statement for the dynamic and then re-enter it again and it should put it at the bottom? Sorry for all the questions. I just want to be thorough. Sent from Cisco Technical Support iPhone App ... View more

So then what about my access list? I am sure I have to allow it there right? or does NAT take care of that as well? ... View more

Thank you so much for all your help! I figured it had to do with the NAT statements...it generally is where most of the problems lie. In my config can you tell me exactly where to fix this stuff? I don't want to mess this up any further... do you want the:      object network obj_any      nat (inside,outside) dynamic interface moved down? And if so where does it need to be. Like I said I am a novice and I am sure that is why it is messed up the way it is Thanks again for all your help! nat (inside,outside) source static Inside-all Inside-all destination static MYDOMAIN-Employee MYDOMAIN-Employee no-proxy-arp route-lookup nat (Guest_Wireless,outside) source dynamic obj_any interface ! object network obj_any nat (inside,outside) dynamic interface object network CamServer_HTTPS nat (inside,outside) static interface access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 route inside MYDOMAIN-Old 255.255.254.0 MYDOMAIN-Inside 1 route inside MYDOMAIN_New_IP 255.255.192.0 MYDOMAIN-Inside 1 ... View more

Marius Gunnerud wrote: 1) I currently have a guest network setup from the ASA 5505 giving DHCP  from fa0/3 (on the ASA) and it is just going straight into one of my  cisco 3550's and providing layer 2 only. I can't get it to go to the  vpn.mydomain.com (I have setup this address to go to the outside ip  address of the firewall and it works from everywhere else) to connect to  AnyConnect, and when I ping it, it gives me the outside address that my  firewall is, but it won't connect. I have tried access lists and cannot  figure it out. I am not entirely sure I understand how you are trying to connect to the AnyConnect VPN.  Are you connecting to the VPN from the internet and not able to access the DMZ network?  Or are you trying to connect to the AnyConnect VPN from the DMZ by using the outside interface IP? So basically I have it setup so that my domain network can't talk to my guest network and vice versa as I have my internal network setup with dhcp helper on the switches and a Server 2008 DHCP server on the inside. My outside addresses only get the dhcp from the ASA 5505. The security level on the Guest Network is 10. With anyone else on the outside of my network, they can access the vpn just fine and connect, but from within my network on the guest network, they cannot reach it even though I have checked the box that allows for the vpn on that interface. I am trying to get them to connect to the outside IP address from the guest network and it doesn't reply. I don't know if this is what you were looking for but like I said, I am kind of a novice at this stuff. 2) I have  been wanting to access my camera's web page from outside of my domain,  and I didn't know the best way to do this besides just poking a hole in  the firewall and allowing certain ports open for this one ip address  (the camera server). I thought I had everything correct, but when I try  to check to see if the ports are open from the outside it says they  aren't, and when I try to do the packet trace, it says there is an  access list error. Something about implicit....something or other. The best and most secure way to access your server would be to connect to the VPN and then from there connect to the server.  If you insist on opening up a port from the internet and it is not working, we would need to see your ASA's configuration to troubleshoot further. Here is my config, as I don't really want them to have to connect to the VPN before they connect to the cameras from the outside. A lot of my users are not exactly saavy when it comes to all of this. ASA Version 9.1(3) ! hostname MYDOMAIN-firewall-1 domain-name MYDOMAINNET.local xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names name 10.0.13.1 MYDOMAIN-Inside description MYDOMAIN Inside name 10.0.0.0 MYDOMAIN_New_IP description MYDOMAIN_New name 10.0.0.0 MYDOMAIN-Old description Inside_Old name xxx.xxx.xxx.xx Hunter description Hunter_Wireless name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505 name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests ip local pool MYDOMAIN-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0 ip local pool MYDOMAIN-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 switchport access vlan 3 ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 shutdown ! interface Ethernet0/6 shutdown ! interface Ethernet0/7 shutdown ! interface Vlan1 nameif inside security-level 100 ip address Cisco_ASA_5505 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address xxx.xxx.xxx.xxx 255.255.255.252 ! interface Vlan3 no forward interface Vlan1 nameif Guest_Wireless security-level 10 ip address 192.168.204.1 255.255.255.0 ! boot system disk0:/asa913-k8.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring dns domain-lookup inside dns server-group DefaultDNS name-server 10.0.3.21 domain-name MYDOMAINNET.local object network obj_any subnet 0.0.0.0 0.0.0.0 object network MYDOMIN-Employee subnet 192.168.208.0 255.255.255.0 description MYDOMAIN-Employee object network Guest_Network subnet 192.168.204.0 255.255.255.0 description Guest Wireless object network CamServer_HTTPS host 10.0.10.5 description Uiquiti Cam Server object-group network Inside-all description All Networks network-object MYDOMAIN-Old 255.255.254.0 network-object MYDOMAIN_New_IP 255.255.192.0 network-object host MYDOMAIN-Inside object-group service Cam_Server_TCP tcp description All Open Ports Need for Camera Server port-object eq 1935 port-object eq 7080 port-object eq 7443 object-group service Cam_Server_UDP udp description Cam Server UDP Port port-object eq ntp access-list inside_access_in extended permit ip any4 any4 access-list split-tunnel remark New Address Space access-list split-tunnel standard permit 10.0.0.0 255.255.192.0 access-list split-tunnel remark Old Address Space access-list split-tunnel standard permit 10.0.0.0 255.255.254.0 access-list outside_access_in extended permit tcp any4 object CamServer_HTTPS object-group Cam_Server_TCP pager lines 24 logging enable logging buffered errors logging asdm informational mtu inside 1500 mtu outside 1500 mtu Guest_Wireless 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-714.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (inside,outside) source static Inside-all Inside-all destination static MYDOMAIN-Employee MYDOMAIN-Employee no-proxy-arp route-lookup nat (Guest_Wireless,outside) source dynamic obj_any interface ! object network obj_any nat (inside,outside) dynamic interface object network CamServer_HTTPS nat (inside,outside) static interface access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 route inside MYDOMAIN-Old 255.255.254.0 MYDOMAIN-Inside 1 route inside MYDOMAIN_New_IP 255.255.192.0 MYDOMAIN-Inside 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy action terminate dynamic-access-policy-record "Network Access Policy Allow VPN" description "Must have the Network Access Policy Enabled to get VPN access" aaa-server LDAP_Group protocol ldap aaa-server LDAP_Group (inside) host 10.0.3.21 ldap-base-dn ou=MYDOMAIN,dc=MYDOMAINnet,dc=local ldap-group-base-dn ou=MYDOMAIN,dc=MYDOMAINnet,dc=local ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password ***** ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MYDOMAIN,dc=MYDOMAINNET,dc=local server-type microsoft user-identity default-domain LOCAL aaa authentication ssh console LOCAL http server enable http MYDOMAIN_New_IP 255.255.192.0 inside http redirect outside 80 no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto map Guest_Wireless_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Guest_Wireless_map interface Guest_Wireless crypto ca trustpoint LOCAL-CA-SERVER keypair LOCAL-CA-SERVER no validation-usage no accept-subordinates no id-cert-issuer crl configure crypto ca trustpoint VPN enrollment terminal fqdn vpn.MYDOMAIN.com subject-name CN=vpn.MYDOMAIN.com,OU=IT,O=My place,C=US,St=OR keypair vpn.MYDOMAIN.com crl configure crypto ikev2 enable outside client-services port 443 crypto ikev2 enable Guest_Wireless client-services port 443 crypto ikev2 remote-access trustpoint VPN telnet timeout 5 ssh MYDOMAIN_New_IP 255.255.192.0 inside ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd address 192.168.204.10-192.168.204.254 Guest_Wireless dhcpd dns 8.8.8.8 8.8.4.4 interface Guest_Wireless dhcpd lease 86400 interface Guest_Wireless dhcpd domain MYDOMAIN interface Guest_Wireless dhcpd enable Guest_Wireless ! threat-detection basic-threat threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 dynamic-filter updater-client enable dynamic-filter use-database dynamic-filter enable ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1 ssl trust-point VPN outside ssl trust-point VPN Guest_Wireless webvpn enable outside enable Guest_Wireless anyconnect-essentials anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3 anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 5 anyconnect profiles MYDOMAIN-employee disk0:/MYDOMAIN-employee.xml anyconnect enable tunnel-group-list enable group-policy DfltGrpPolicy attributes dns-server value 10.0.3.21 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel default-domain value MYDOMAINNET.local group-policy MYDOMAIN-Employee internal group-policy MYDOMAIN-Employee attributes wins-server none dns-server value 10.0.3.21 vpn-tunnel-protocol ssl-client default-domain value MYDOMAINNET.local webvpn   anyconnect profiles value MYDOMAIN-employee type user username MYDOMAINadmin password njLcVW6cA/2R64RV encrypted privilege 15 tunnel-group MYDOMAIN-Employee type remote-access tunnel-group MYDOMAIN-Employee general-attributes address-pool MYDOMAIN-Employee-Pool authentication-server-group LDAP_Group LOCAL default-group-policy MYDOMAIN-Employee tunnel-group MYDOMAIN-Employee webvpn-attributes group-alias MYDOMAIN-Employee enable ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny   inspect sunrpc   inspect xdmcp   inspect sip   inspect netbios   inspect tftp   inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:53142f41235815a80f44b50e1205aaa2 : end 3) Another very important piece of this is that I only have one static IP address to  work with. The Firewall takes up 80 and 443, the cameras will need TCP  7443, 7080, and 1935. It will also need UDP 123. Are the cameras located on a seperate subnet than the camera server?  Does traffic flow between the cameras and camera server?  Will need more information on how your network looks and exactly what the problem is with regards to point 3. What license are you running on the ASA?  You will need to have a security plus license to get this to work. The Cameras are located on the same subnet as the camera server. Traffic flows easily between the cameras and the server. Everything internal is great, it is the outside to inside that I don't quite understand. I am running the security plus license with 25 SSL VPN users. ... View more