Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About dvargas@nwfcu.org
Stats
Member since
11-01-2017
10
Posts
0
Helpful
0
Solutions
05-11-2019
12:41 AM
I need assistance with Anyconnect VPN for remote users. Im able to connect to the internal services by creating a NAT Exception "Static". But traffic destine to the internet is getting blocked by phase either 3 or 4 depending on the changes i've made. I've created dynamic NATing from any,outside for the anyconnect traffic and nothing - Also, white listed the subnet on the outside interface and nothing. Cloud -->ASA/Anyconnect ---> DMZ & LAN "this piece works. Cloud --> ASA/Anyconnect cloud/internet <-- | "doesnt work" nat (LAN,OUTSITE) source static NAT_SRX_Anyconnect NAT_SRX_Anyconnect destination static NAT_Anyconnect NAT_Anyconnect nat (DMZ,OUTSITE) source static NAT_SYNO_Anyconnect NAT_SYNO_Anyconnect destination static NAT_Anyconnect NAT_Anyconnect webvpn port 444 enable OUTSITE dtls port 444 group-policy GroupPolicy_Dgonit internal group-policy GroupPolicy_Dgonit attributes banner value Authorized users only vpn-simultaneous-logins 3 vpn-tunnel-protocol ssl-client default-domain value dgonit.com split-tunnel-all-dns enable webvpn anyconnect mtu 1406 Users are able to connect just fine.. but when attemting to go to the internet .... no luck. As of now - i've created a proxy server for them to be able to connect. Any thoughts? packet-tracer input OUTSITE tcp 192.168.102.1 443 8.8.8.8 443 Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 2 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 74.96.178.1 using egress ifc OUTSITE Phase: 3 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.102.1 using egress ifc OUTSITE Phase: 4 Type: ACCESS-LIST Subtype: Result: DROP Config: Implicit Rule Additional Information: Result: input-interface: OUTSITE input-status: up input-line-status: up output-interface: OUTSITE output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule access-list OUTSIDE_access_in extended permit ip object Anyconnect_Subnet any log
... View more
Labels:
Created by
dvargas@nwfcu.o
in Network Security
in Network Security
09-14-2018
08:44 AM
09-14-2018
08:44 AM
I believe I ran into your issue last night. If that happens again double check your service-policy thru CLI
1. Class map "match address"
2. policy-map - apply your class and any other parameters
3. policy-map should be in your service-policy...
If service-policy is gone then you are not inspecting anything and therefore all traffic that is being logged is your NAT traffic... I lost SNMP and Netflow which was a flag of this issue.
... View more
Created by
dvargas@nwfcu.o
in Routing
09-10-2018
05:14 AM
09-10-2018
05:14 AM
NTA shows high bandwidth utilization because the tunnel its self as far as bandwidth is doing 8kbps or 10kbps... if you show your stats with show interfaces tun 0 you can see that the interfa e has a high utilization of 193/255. A bandwidth statement is needed there but I'm not what to put if the physical bandwidth or the actual circuit bandwidth it gets tricky when running two up links with different bandwidth... but that's your answer if you set a different value and no problems please share
... View more
Created by
dvargas@nwfcu.o
in Routing
06-21-2018
08:44 PM
06-21-2018
08:44 PM
Thank you for the info - I did know what my configuration was - Wondering if I could set two next hop one with 100 over other one? Also, missed to mentioned -- if I add ANY as the destination that would include internal traffic as well. we dont want to do that --- i'm assuming your suggested acl would be more like: permit tcp 10.10.10.0 0.0.7.255 0.0.0.0 eq 80, Right?
... View more
Created by
dvargas@nwfcu.o
in Routing
06-21-2018
07:59 PM
06-21-2018
07:59 PM
Hi,
I'm trying to come up with a solution where if traffic that is not being sent to the to proxy and going to port 80 and 443 to send the traffic to the my next-hop which in this is case is my default route.
Example; I have a default route to go to my WAN firewall - However, we do have a GPO to forces the user to send all http https traffic to the proxy but of course there are those tech savy that uses Firefox to bypass the proxy.
We want any traffic from SVI destine to 0.0.0.0 on 80 443 to send that traffic to default gateway..
but what i want in my route map is that if traffic destine to the Defatult gateway let's say 192.168.12.8 is down then to send that matched traffic to another gateway 192.168.200.8
Is that possible to do in a IP match set next-hop route map?
... View more
Labels:
Created by
dvargas@nwfcu.o
in Network Security
01-03-2018
07:39 PM
01-03-2018
07:39 PM
Yes, it appears that my old Verizon router is not properly NATing my traffic from the INSIDE network. After doing dynamic "PAT" NATing on the ASA i was successfully able to reach the internet. Which is a good reason why i got the ASA... to learn it is def' a different beast than the SRX
... View more
Created by
dvargas@nwfcu.o
in Network Security
01-03-2018
07:12 PM
01-03-2018
07:12 PM
Marvin & John. Thank you for your solution but well... not with this particular Verizon router but i have done this setup in the past and has worked as it is. I'm not an expert with NAT but wouldnt/shouldn't that traffic be NAT'ed as well? Are you suggesting that I should run NAT from the ASA on my OUTISDE interface?
... View more
Created by
dvargas@nwfcu.o
in Network Security
01-03-2018
04:36 AM
01-03-2018
04:36 AM
Yes, and it appears that the flow is accepted. I'm wondering if the static route i have in the Verizon router is not being granted. Verizon static route: 192.168.200.0 255.255.255.0 192.168.101.101 From Pc: C:\Users\dgo>ping 192.168.101.1 -S 192.168.200.100 Pinging 192.168.101.1 from 192.168.200.100 with 32 bytes of data: Reply from 192.168.101.1: bytes=32 time=1ms TTL=64 Reply from 192.168.101.1: bytes=32 time<1ms TTL=64 Reply from 192.168.101.1: bytes=32 time<1ms TTL=64 Reply from 192.168.101.1: bytes=32 time<1ms TTL=64 Ping statistics for 192.168.101.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms C:\Users\dgo>ping 8.8.8.8 -S 192.168.200.100 Pinging 8.8.8.8 from 192.168.200.100 with 32 bytes of data: Request timed out. Ping statistics for 8.8.8.8: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss), Control-C ^C From ASA: Packet-tracer provided does go through all Phases and being allowed. What i dont understand is that why may i being able to ping from the host to the gateway but not the internet. Again i'm wondering if the verizon router is not playing nice w/ routing the traffic back but if ping works then it does. the ssm 20 is powered down and dont have any service policy rules in place either...
... View more
Created by
dvargas@nwfcu.o
in Network Security
01-02-2018
08:10 PM
01-02-2018
08:10 PM
I purchased a 5520 with an SSM20. Since day one the configuration "Default" has been blocking traffic from INSIDE to OUTSIDE>. After doing some reasearch i thought that i was getting blocked by the SSM20 but that has been cleared and HW-module module 1 shutdown. So technically nothing should be block the traffic.
For now i have a verizon router with a static route to point the INSIDE Network off of the outside IP address within the ASA. However, I can see that traffic is flowing and being reset but cant figure out what is blocking the traffic.
Can sombody give me a hand... I've been on this for a month now and yet learned a lot with this troublesome ASA.
**Config***
ASAPower# sho run : Saved : : Serial Number: JMX1432L1MR : Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz : ASA Version 9.1(7)11 ! hostname ASAPower domain-name lsvrgs.us enable password hFn6Jz3JWey3cK1i encrypted passwd 2KFQnbNIdI.2KYOU encrypted names dns-guard ! interface GigabitEthernet0/0 description out to verizon nameif OUTSIDE security-level 0 ip address 192.168.101.101 255.255.255.0 ! interface GigabitEthernet0/1 nameif INSIDE security-level 100 ip address 192.168.200.1 255.255.255.0 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif MGMT security-level 100 ip address 192.168.201.1 255.255.255.0 ! banner login *********************************************** banner login *********************************************** banner login *********************************************** banner login *** Authorized users only. Otherwise go away!! *** banner login *********************************************** banner login *********************************************** banner login *********************************************** banner asdm *********************************************** banner asdm *********************************************** banner asdm *********************************************** banner asdm *** Authorized users only. Otherwise go away!! *** banner asdm *********************************************** banner asdm *********************************************** banner asdm *********************************************** boot system disk0:/asa917-11-k8.bin ftp mode passive dns domain-lookup INSIDE dns server-group DefaultDNS name-server 8.8.8.8 domain-name lsvrgs.us same-security-traffic permit inter-interface object network User_Segment_192.168.200.0 subnet 192.168.200.0 255.255.255.0 description User_Segment_192.168.200.0 object network Verizon_Network subnet 192.168.1.0 255.255.255.0 access-list INSIDE_access_in extended permit ip any any access-list INSIDE_access_in extended permit ip 192.168.200.0 255.255.255.0 any inactive access-list INSIDE_access_in extended deny ip any any access-list OUTSIDE_access_in extended permit ip any any pager lines 24 logging enable logging asdm informational mtu OUTSIDE 1500 mtu INSIDE 1500 mtu MGMT 1500 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any INSIDE asdm image disk0:/asdm-762-150.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected access-group OUTSIDE_access_in in interface OUTSIDE access-group INSIDE_access_in in interface INSIDE route OUTSIDE 0.0.0.0 0.0.0.0 192.168.101.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication enable console LOCAL aaa authentication http console LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.200.100 255.255.255.255 INSIDE http 192.168.201.100 255.255.255.255 MGMT no snmp-server location no snmp-server contact crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ssh stricthostkeycheck ssh 192.168.200.100 255.255.255.255 INSIDE ssh 192.168.201.100 255.255.255.255 MGMT ssh timeout 5 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0 management-access MGMT dhcp-client update dns server both threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept username dihegov password hKOfIhD0/o1ygjAI encrypted privilege 15 ! ! prompt hostname context no call-home reporting anonymous Cryptochecksum:2dea02eaf9833fe05f0025f7670eb80e : end ASAPower#
**END***
... View more
Labels:
05-11-2019
I need assistance with Anyconnect VPN for remote users. Im able to
connect to the internal services ...
Created by
dvargas@nwfcu.org
in Network Security
09-14-2018
09-14-2018
I believe I ran into your issue last night. If that happens again double
check your service-policy t...
09-10-2018
NTA shows high bandwidth utilization because the tunnel its self as far
as bandwidth is doing 8kbps ...
Created by
dvargas@nwfcu.org
in Routing
06-21-2018
06-21-2018
Thank you for the info - I did know what my configuration was -
Wondering if I could set two next ho...
Created by
dvargas@nwfcu.org
in Routing
06-21-2018
06-21-2018
Hi, I'm trying to come up with a solution where if traffic that is not
being sent to the to proxy an...
Created by
dvargas@nwfcu.org
in Network Security
01-03-2018
01-03-2018
Yes, it appears that my old Verizon router is not properly NATing my
traffic from the INSIDE network...
Created by
dvargas@nwfcu.org
in Network Security
01-03-2018
01-03-2018
Marvin & John.Thank you for your solution but well... not with this
particular Verizon router but i ...
Created by
dvargas@nwfcu.org
in Network Security
01-03-2018
01-03-2018
Yes, and it appears that the flow is accepted. I'm wondering if the
static route i have in the Veriz...
Created by
dvargas@nwfcu.org
in Network Security
01-02-2018
01-02-2018
I purchased a 5520 with an SSM20. Since day one the configuration
"Default" has been blocking traffi...
Public Statistics
| Date Registered | 11-01-2017 12:44 PM |
| Date Last Visited | 01-15-2020 12:05 AM |
| Total Messages Posted | 10 |
.jpg "Hall of Fame Guru"){kind=icon}
