Cisco Support Community
New Member

ASA route ping but not TCP packets between two internal LANs

I need to connect two internal LANs each of which has ASA as a firewall to outside. One has ASA 5505 with two interfaces and another - ASA 5510 with three interfaces. I managed to pass echo packets from one internal LAN to another, but not the TCP packets. It must be something simple that I missed. Any help will be highly appreciated! Here is the network diagram:

[Attachment: Capture.PNG]

Here is the config from ASA 5510 (I removed obvious settings to save space):

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address YY.YY.YY.YY 255.255.255.224 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.35.1 255.255.255.0 
!
interface Ethernet0/2
 nameif a-02
 security-level 100
 ip address 192.168.30.250 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name latista.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any inactive 
access-list a-02_access_in extended permit ip any any 
access-list a-02_access_in extended permit icmp any any inactive 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any inactive 
access-list inside_access_out extended permit ip any any 
access-list inside_access_out extended permit icmp any any inactive 
access-list inside_nat0_outbound_1 extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0 
access-list a-02_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0 
access-list a-02_nat0_outbound_1 extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu a-02 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (a-02) 0 access-list a-02_nat0_outbound
nat (a-02) 0 access-list a-02_nat0_outbound_1 outside
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group a-02_access_in in interface a-02
!
router rip
 version 1
!
route outside 0.0.0.0 0.0.0.0 205.251.79.33 1
route inside 192.168.30.0 255.255.255.0 192.168.30.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.35.0 255.255.255.0 inside
http 67.208.89.64 255.255.255.224 outside
http 4.26.115.0 255.255.255.240 outside
http 192.168.30.0 255.255.255.0 a-02
http 192.168.20.0 255.255.255.0 a-02
http 96.255.26.199 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect http 
!
service-policy global_policy global

On the other ASA (ASA 5505) I only configured routing and NAT exemption. Here is that portion:

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip NET_COLO_INT 255.255.255.0 192.168.35.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 NET_COLO_INT 255.255.255.0 

route inside 192.168.35.0 255.255.255.0 192.168.30.250 1

Please help!

Accepted Solution

Re: ASA route ping but not TCP packets between two internal LANs

Hello Anatoly,

So the TCP state-bypass did it!

Great to hear everything is working, please mark the question as answered so as you said future users can view the solution of this.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
39 REPLIES

Re: ASA route ping but not TCP packets between two internal LANs

Hello Anatoly,

I would remove these NAT statements and this static route:

no nat (a-02) 0 access-list a-02_nat0_outbound_1 outside

no nat (inside) 0 access-list inside_nat0_outbound_1 outside

no route inside 192.168.30.0 255.255.255.0 192.168.30.250 1

Now please provide the following packet-tracer outputs from the ASA 5510:

packet-tracer input inside tcp 192.168.35.15 1025 192.168.30.47 80

packet-tracer input a-02 tcp 192.168.30.47 1025 192.168.35.15 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA route ping but not TCP packets between two internal LANs

Julio, thank you for answering! Here is the packet-tracer info. I ran the tracers without removing the route and NAT exemptions. I will remove them and post another reply with those results as well...

Result of the command: "packet-tracer input inside tcp 192.168.35.15 1025 192.168.30.47 80"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.30.0    255.255.255.0   a-02

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list inside_nat0_outbound
  match ip inside 192.168.35.0 255.255.255.0 a-02 192.168.30.0 255.255.255.0
    NAT exempt
    translate_hits = 101, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3230, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: a-02
output-status: up
output-line-status: up
Action: allow

---------------------------- here is the second one ----------------------

Result of the command: "packet-tracer input a-02 tcp 192.168.30.47 1025 192.168.35.15 80"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.35.0    255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group a-02_access_in in interface a-02
access-list a-02_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (a-02) 0 access-list a-02_nat0_outbound
  match ip a-02 192.168.30.0 255.255.255.0 inside 192.168.35.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 104
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit ip any any
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3236, packet dispatched to next module

Result:
input-interface: a-02
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Re: ASA route ping but not TCP packets between two internal LANs

Hello,

I will wait for the other post

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA route ping but not TCP packets between two internal LANs

I was not able to remove the route - the ASA gave an error stating "Cannot remove Connected Route". Here are the results of the tracers without the NAT rules:

Result of the command: "packet-tracer input inside tcp 192.168.35.15 1025 192.168.30.47 80"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.30.0    255.255.255.0   a-02

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 192.168.35.0 255.255.255.0 a-02 192.168.30.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3248, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: a-02
output-status: up
output-line-status: up
Action: allow

-------------------- Here is the second one ---------------------

Result of the command: "packet-tracer input a-02 tcp 192.168.30.47 1025 192.168.35.15 80"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.35.0    255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group a-02_access_in in interface a-02
access-list a-02_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip a-02 192.168.30.0 255.255.255.0 inside 192.168.35.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit ip any any
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3250, packet dispatched to next module

Result:
input-interface: a-02
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA route ping but not TCP packets between two internal LANs

Hmm, on the packet tracer everything is fine.

Let's do a capture from the host 192.168.35.2 to the host 192.168.30.2:

access-list capture permit ip host 192.168.35.2 host 192.168.30.2

access-list capture permit ip host 192.168.30.2 host 192.168.35.2

capture capin access-list capture interface inside

capture capa-02 access-list capture interface a-02

Now I want you to generate some TCP traffic between those hosts.

Then please go to a browser on the inside interface and do the following

https://192.168.30.250/capture/capin/pcap

https://192.168.30.250/capture/capa-02/pcap

And please upload to this case the two files you will get.

Regards,

Do rate if it helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA route ping but not TCP packets between two internal LANs

You mentioned that I should use a browser on the "inside" interface (which is the 192.168.35.0 net) - it didn't connect to the firewall. I did it from the a-02 net (192.168.30.0) and it did. Although both files had size 0 (i.e. were empty).

New Member

ASA route ping but not TCP packets between two internal LANs

My bad - I haven't actually put any traffic through! Let me do that real quick...

New Member

Re: ASA route ping but not TCP packets between two internal LANs

No - the size is still 0. I was trying to initiate an RDP connection from both sides (TCP 3389) and also did a PING. The ping went fine, the RDP session timed out. But neither made those pcaps have any data in them.

Re: ASA route ping but not TCP packets between two internal LANs

Hello Anatoly,

If you do a sh capture capin and show capture capa-02 on the ASA, what do you see?

One question: did you send the ping and the RDP request between hosts 192.168.30.2 and 192.168.35.2?

Can I see the capture and ACL configuration for the capture?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA route ping but not TCP packets between two internal LANs

Good point - it was actually NOT between those. I just did it again for these two IPs. Here is the output for both captures:

asa5510# show capture capa-02
14 packets captured
   1: 13:48:29.135704 192.168.35.2 > 192.168.30.2: icmp: echo request
   2: 13:48:29.136070 192.168.30.2 > 192.168.35.2: icmp: echo reply
   3: 13:48:30.132698 192.168.35.2 > 192.168.30.2: icmp: echo request
   4: 13:48:30.132912 192.168.30.2 > 192.168.35.2: icmp: echo reply
   5: 13:48:34.636853 192.168.35.2.4654 > 192.168.30.2.23: S 1810127933:1810127933(0) win 65535
   6: 13:48:37.507893 192.168.35.2.4654 > 192.168.30.2.23: S 1810127933:1810127933(0) win 65535
   7: 13:48:43.523715 192.168.35.2.4654 > 192.168.30.2.23: S 1810127933:1810127933(0) win 65535
   8: 13:49:15.998681 192.168.30.2.54837 > 192.168.35.2.23: S 4043652038:4043652038(0) win 5840
35 0,nop,wscale 7>
   9: 13:49:15.999093 192.168.35.2.23 > 192.168.30.2.54837: R 661765980:661765980(0) ack 4043652039 win 0
  10: 13:49:20.155768 192.168.30.2.39499 > 192.168.35.2.3389: S 824236920:824236920(0) win 5840
74 0,nop,wscale 7>
  11: 13:49:20.156150 192.168.35.2.3389 > 192.168.30.2.39499: S 1344822113:1344822113(0) ack 824236921 win 16384
ale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
  12: 13:49:20.156363 192.168.30.2.39499 > 192.168.35.2.3389: R 2366458597:2366458597(0) win 0
  13: 13:49:22.462607 192.168.35.2.3389 > 192.168.30.2.39499: S 1344822113:1344822113(0) ack 824236921 win 16384
ale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
  14: 13:49:23.154151 192.168.30.2.39499 > 192.168.35.2.3389: S 233265947:233265947(0) win 5840
24 0,nop,wscale 7>
14 packets shown

asa5510# show capture capain
ERROR: Capture does not exist

asa5510# show capture capin
15 packets captured
   1: 13:48:29.135552 192.168.35.2 > 192.168.30.2: icmp: echo request
   2: 13:48:29.136208 192.168.30.2 > 192.168.35.2: icmp: echo reply
   3: 13:48:30.132683 192.168.35.2 > 192.168.30.2: icmp: echo request
   4: 13:48:30.132912 192.168.30.2 > 192.168.35.2: icmp: echo reply
   5: 13:48:34.636655 192.168.35.2.4654 > 192.168.30.2.23: S 581861776:581861776(0) win 65535
   6: 13:48:37.507862 192.168.35.2.4654 > 192.168.30.2.23: S 581861776:581861776(0) win 65535
   7: 13:48:43.523669 192.168.35.2.4654 > 192.168.30.2.23: S 581861776:581861776(0) win 65535
   8: 13:49:15.998895 192.168.30.2.54837 > 192.168.35.2.23: S 964875669:964875669(0) win 5840
0,nop,wscale 7>
   9: 13:49:15.999032 192.168.35.2.23 > 192.168.30.2.54837: R 0:0(0) ack 964875670 win 0
  10: 13:49:20.155967 192.168.30.2.39499 > 192.168.35.2.3389: S 2181402077:2181402077(0) win 5840
4674 0,nop,wscale 7>
  11: 13:49:20.156089 192.168.35.2.3389 > 192.168.30.2.39499: S 290418727:290418727(0) ack 2181402078 win 16384
le 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
  12: 13:49:22.462561 192.168.35.2.3389 > 192.168.30.2.39499: S 290418727:290418727(0) ack 2181402078 win 16384
le 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
  13: 13:49:29.025251 192.168.35.2.3389 > 192.168.30.2.39499: S 290418727:290418727(0) ack 2181402078 win 16384
le 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
  14: 13:50:05.156806 192.168.30.2.39499 > 192.168.35.2.3389: S 1438335957:1438335957(0) win 5840
5924 0,nop,wscale 7>
  15: 13:50:05.156928 192.168.35.2.3389 > 192.168.30.2.39499: S 302100830:302100830(0) ack 1438335958 win 16384
le 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
15 packets shown

New Member

ASA route ping but not TCP packets between two internal LANs

Here is the capture ACL info:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any inactive
access-list a-02_access_in extended permit ip any any
access-list a-02_access_in extended permit icmp any any inactive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any inactive
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any inactive
access-list inside_nat0_outbound_1 extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list a-02_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list a-02_nat0_outbound_1 extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list capture extended permit ip host 192.168.35.2 host 192.168.30.2
access-list capture extended permit ip host 192.168.30.2 host 192.168.35.2
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu a-02 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (a-02) 0 access-list a-02_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group a-02_access_in in interface a-02

ASA route ping but not TCP packets between two internal LANs

Hello Anatoly,

So we are almost done here.

Please provide the following capture:

capture asp type asp-drop all

then provide the output of show capture asp | include 192.168.30.2

then provide the output of show capture asp | include 192.168.35.2

and also :

https://192.168.30.250/capture/capin/pcap

https://192.168.30.250/capture/capa-02/pcap

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: ASA route ping but not TCP packets between two internal LANs

Julio,

Here is the printout from the capture commands in the ASA shell:

asa5510(config)# capture asp type asp-drop all
asa5510(config)# show capture asp | include 192.168.30.2
asa5510(config)# show capture asp | include 192.168.35.2
   1: 14:54:02.191625 192.168.35.2.138 > 192.168.35.255.138:  udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
asa5510(config)#

Files also attached below (pcap from capin and pcap2 is from capa-02)

Thanks!

- Anatoliy

New Member

Re: ASA route ping but not TCP packets between two internal LANs

Here is some more from those two new captures after generating traffic (I was attempting to telnet from 192.168.30.2 to 192.168.35.2 port 3389):

asa5510# show capture asp | include 192.168.30.2
   2: 14:54:15.457495 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
   3: 14:54:31.464957 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
   4: 14:54:32.656948 192.168.30.9.138 > 192.168.30.255.138:  udp 204 Drop-reason: (acl-drop) Flow is denied by configured rule
   5: 14:54:47.477621 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
   6: 14:55:03.493413 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
   7: 14:55:10.272950 192.168.30.25.138 > 192.168.30.255.138:  udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
   8: 14:55:19.515583 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
   9: 14:55:35.512088 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  10: 14:55:51.528994 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  11: 14:56:07.551225 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  12: 14:56:23.561860 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  13: 14:56:23.561997 192.168.30.2.138 > 192.168.30.255.138:  udp 236 Drop-reason: (acl-drop) Flow is denied by configured rule
  14: 14:56:39.564271 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  16: 14:56:50.015349 192.168.30.23.138 > 192.168.30.255.138:  udp 215
  17: 14:56:55.586746 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  18: 14:57:05.585602 192.168.30.2.137 > 192.168.30.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
  19: 14:57:05.585647 192.168.30.2.137 > 192.168.30.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
  20: 14:57:07.585678 192.168.30.2.137 > 192.168.30.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
  21: 14:57:07.585724 192.168.30.2.137 > 192.168.30.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
  22: 14:57:11.593170 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  23: 14:57:27.600081 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  27: 14:57:43.621977 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  28: 14:57:44.483159 192.168.30.7.138 > 192.168.30.255.138:  udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
  29: 14:57:54.962505 192.168.30.19.137 > 192.168.30.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
  30: 14:57:59.533450 192.168.30.14.137 > 192.168.30.255.137:  udp 50
  31: 14:57:59.629087 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  32: 14:58:01.953945 192.168.30.6.137 > 192.168.30.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
  33: 14:58:08.341031 192.168.30.9.138 > 192.168.30.255.138:  udp 201
  34: 14:58:09.391916 192.168.30.11.138 > 192.168.30.255.138:  udp 201
  36: 14:58:15.048200 192.168.30.6.138 > 192.168.30.255.138:  udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
  37: 14:58:15.636365 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  40: 14:58:31.657818 192.168.30.21.138 > 192.168.30.255.138:  udp 209
  43: 14:58:47.664577 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  46: 14:59:03.670650 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  49: 14:59:19.692331 192.168.30.21.138 > 192.168.30.255.138:  udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
  52: 14:59:35.700006 192.168.30.21.138 > 192.168.30.255.138:  udp 209
  53: 14:59:51.707284 192.168.30.21.138 > 192.168.30.255.138:  udp 209
  56: 15:00:07.744712 192.168.30.21.138 > 192.168.30.255.138:  udp 209
  57: 15:00:07.744849 192.168.30.8.138 > 192.168.30.255.138:  udp 236
  59: 15:00:23.750052 192.168.30.21.138 > 192.168.30.255.138:  udp 209
  60: 15:00:39.757285 192.168.30.21.138 > 192.168.30.255.138:  udp 209
  61: 15:00:55.779226 192.168.30.21.138 > 192.168.30.255.138:  udp 209
  62: 15:01:11.779653 192.168.30.21.138 > 192.168.30.255.138:  udp 209
  63: 15:01:14.614149 192.168.30.2.51264 > 192.168.35.2.3389: R 3892349827:3892349827(0) win 0
  64: 15:01:17.612135 192.168.30.2.51264 > 192.168.35.2.3389: S 3356852894:3356852894(0) win 5840
3977 0,nop,wscale 7>
  65: 15:01:17.767736 192.168.30.2.51264 > 192.168.35.2.3389: R 4049166377:4049166377(0) win 0
  66: 15:01:23.612471 192.168.30.2.51264 > 192.168.35.2.3389: S 2757161395:2757161395(0) win 5840
5477 0,nop,wscale 7>
  67: 15:01:24.330457 192.168.30.2.51264 > 192.168.35.2.3389: R 3449474878:3449474878(0) win 0
  68: 15:01:27.792561 192.168.30.21.138 > 192.168.30.255.138:  udp 209
  69: 15:01:35.613219 192.168.30.2.51264 > 192.168.35.2.3389: S 2979565878:2979565878(0) win 5840
8477 0,nop,wscale 7>

asa5510# show capture asp | include 192.168.35.2
   1: 14:54:02.191625 192.168.35.2.138 > 192.168.35.255.138:  udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
  24: 14:57:40.588928 192.168.35.2.137 > 192.168.35.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
  25: 14:57:41.338819 192.168.35.2.137 > 192.168.35.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
  26: 14:57:42.088862 192.168.35.2.137 > 192.168.35.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
  63: 15:01:14.614149 192.168.30.2.51264 > 192.168.35.2.3389: R 3892349827:3892349827(0) win 0
  64: 15:01:17.612135 192.168.30.2.51264 > 192.168.35.2.3389: S 3356852894:3356852894(0) win 5840
3977 0,nop,wscale 7>
  65: 15:01:17.767736 192.168.30.2.51264 > 192.168.35.2.3389: R 4049166377:4049166377(0) win 0
  66: 15:01:23.612471 192.168.30.2.51264 > 192.168.35.2.3389: S 2757161395:2757161395(0) win 5840
5477 0,nop,wscale 7>
  67: 15:01:24.330457 192.168.30.2.51264 > 192.168.35.2.3389: R 3449474878:3449474878(0) win 0
  69: 15:01:35.613219 192.168.30.2.51264 > 192.168.35.2.3389: S 2979565878:2979565878(0) win 5840
8477 0,nop,wscale 7>

Re: ASA route ping but not TCP packets between two internal LANs

Hello,

Based on the ASA ASP capture, we can see that the ASA is only dropping packets on port 209 and 50 UDP between those two hosts, so no packets are being dropped for the RDP or telnet traffic.

Now on the other captures, we can see the host 192.168.30.2 sends a SYN packet, then 192.168.35.2 responds with a SYN ACK, and 192.168.30.2 never responds with the ACK, so the three-way handshake never happens and the connection does not get established; this is regarding the RDP connection.

On the telnet connection, we can see that the host 192.168.30.2 sends a SYN packet, and the host 192.168.35.2 responds with a RST ACK, so the connection gets closed due to this message from 192.168.35.2.

We can see the same packets on both interfaces, so that means the ASA is only traversing the traffic as it should in this case.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
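The per-flow handshake reading Julio does by hand above (SYN with no reply, SYN answered by RST, SYN-ACK answered by RST) can be automated over the plain-text `show capture` lines. The following is an added example, not code from the thread or from Cisco; it assumes the line format quoted in this thread and uses a constructed sample built from those lines plus one hypothetical completed handshake from 192.168.30.3.

```python
import re

# Constructed sample in the format of the "show capture" output quoted in this
# thread. ICMP lines and the wrapped TCP-option tails are kept on purpose so the
# parser has to skip them. The last three lines (host 192.168.30.3) are a
# constructed, hypothetical completed handshake and are not from the thread.
SAMPLE = """\
   1: 13:48:29.135704 192.168.35.2 > 192.168.30.2: icmp: echo request
   2: 13:48:29.136070 192.168.30.2 > 192.168.35.2: icmp: echo reply
   5: 13:48:34.636853 192.168.35.2.4654 > 192.168.30.2.23: S 1810127933:1810127933(0) win 65535
   6: 13:48:37.507893 192.168.35.2.4654 > 192.168.30.2.23: S 1810127933:1810127933(0) win 65535
   7: 13:48:43.523715 192.168.35.2.4654 > 192.168.30.2.23: S 1810127933:1810127933(0) win 65535
   8: 13:49:15.998681 192.168.30.2.54837 > 192.168.35.2.23: S 4043652038:4043652038(0) win 5840
35 0,nop,wscale 7>
   9: 13:49:15.999093 192.168.35.2.23 > 192.168.30.2.54837: R 661765980:661765980(0) ack 4043652039 win 0
  10: 13:49:20.155768 192.168.30.2.39499 > 192.168.35.2.3389: S 824236920:824236920(0) win 5840
  11: 13:49:20.156150 192.168.35.2.3389 > 192.168.30.2.39499: S 1344822113:1344822113(0) ack 824236921 win 16384
  12: 13:49:20.156363 192.168.30.2.39499 > 192.168.35.2.3389: R 2366458597:2366458597(0) win 0
  13: 13:49:22.462607 192.168.35.2.3389 > 192.168.30.2.39499: S 1344822113:1344822113(0) ack 824236921 win 16384
  20: 13:50:00.000000 192.168.30.3.50000 > 192.168.35.2.3389: S 100:100(0) win 5840
  21: 13:50:00.000500 192.168.35.2.3389 > 192.168.30.3.50000: S 200:200(0) ack 101 win 16384
  22: 13:50:00.001000 192.168.30.3.50000 > 192.168.35.2.3389: . ack 201 win 5840
"""

# One TCP packet line: "<n>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <flags> [seq:seq(len)] [ack N] ..."
LINE_RE = re.compile(
    r'^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+'
    r'(?P<flags>[SRPF.]+)'
    r'(?:\s+\d+:\d+\(\d+\))?'          # optional seq:seq(len)
    r'(?:\s+ack\s+(?P<ack>\d+))?'       # optional ack number
)


def parse_tcp_lines(text):
    """Yield (ts, src, sport, dst, dport, flags, has_ack) for each TCP line.
    ICMP lines and wrapped option tails do not match the pattern and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m['ts'], m['src'], int(m['sport']), m['dst'], int(m['dport']),
                   m['flags'], m['ack'] is not None)


def classify(f):
    """Name the handshake outcome recorded in one flow's counters."""
    if f['client_ack']:
        return 'established'
    if f['client_rst'] and f['synack']:
        return 'client-reset-after-synack'   # the RDP symptom in this thread
    if f['server_rst']:
        return 'refused-by-server'           # the telnet-to-port-23 symptom
    if f['synack']:
        return 'handshake-incomplete'
    return 'syn-unanswered'


def analyze_handshakes(text):
    """Group packets into flows (keyed by the side that sent the first SYN) and
    return {"client:port -> server:port": {state, syn, synack, ...}}."""
    flows = {}
    for ts, src, sport, dst, dport, flags, has_ack in parse_tcp_lines(text):
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in flows:
            f, from_client = flows[key], True
        elif rkey in flows:
            f, from_client = flows[rkey], False
        elif 'S' in flags and not has_ack:
            f = flows[key] = dict(syn=0, synack=0, client_ack=False,
                                  client_rst=False, server_rst=False, first=ts)
            from_client = True
        else:
            continue  # mid-stream packet with no SYN seen for it: ignore
        if 'R' in flags:
            f['client_rst' if from_client else 'server_rst'] = True
        elif 'S' in flags and has_ack and not from_client:
            f['synack'] += 1
        elif 'S' in flags and from_client:
            f['syn'] += 1                      # counts SYN retransmits too
        elif has_ack and from_client and f['synack'] and not f['client_rst']:
            f['client_ack'] = True             # third step of the handshake
    return {f"{c}:{cp} -> {s}:{sp}": dict(state=classify(f), **f)
            for (c, cp, s, sp), f in flows.items()}


if __name__ == '__main__':
    for flow, info in analyze_handshakes(SAMPLE).items():
        print(f"{flow:45} {info['state']:28} syn={info['syn']} synack={info['synack']}")
```

Run it against the real `show capture capin` and `show capture capa-02` text from both interfaces: a flow that shows the same state on both captures is being forwarded by the ASA as Julio concludes, and the place to look next is the host or path that emitted the RST.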
New Member

ASA route ping but not TCP packets between two internal LANs

In other words, you are saying that from the ASA standpoint it works. Then what else could be not working? Why can I still not do RDP or SSH between these two networks? Any suggestions?

ASA route ping but not TCP packets between two internal LANs

Hello,

Correct, the ASA is sending the traffic on both interfaces.

Why can you still not do RDP or SSH between these two networks?

Because the hosts are refusing this connection.

You can do a capture on each of the hosts while you send the traffic.

Please install wireshark on both servers and catch the traffic, so then we will see if there is any difference between the traffic capture on the ASA.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: ASA route ping but not TCP packets between two internal LANs

OK. Here are the files. Two first are from ASA (pcap and pcap2 from capin and capa-02) and third one - from Wireshark installed on 192.168.35.2. All three were capturing the same flow which I initiated from 192.168.30.2 by using command "telnet 192.168.35.2 3389".

Re: ASA route ping but not TCP packets between two internal LANs

Hello,

We are missing the capture on the 192.168.30.2!

On these ones I can tell you that there is just a syn and a syn ack. The host 192.168.30.2 is not sending a syn ack. If on the capture on that host we do not see that packet, it will mean the server (30.2) is not working properly, at least on that particular connection, because it is not establishing the connection.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: ASA route ping but not TCP packets between two internal LANs

OK. I am going to use another host instead of 30.2 - it is a Linux computer and it will be a pain to install Wireshark there. I will re-configure the capture on the ASA to use another host in the 30.x network and re-do the whole capturing thing. It will take a few minutes...

New Member

Re: ASA route ping but not TCP packets between two internal LANs

Here we go. I initiated the RDP on 30.3 to 35.2. Traces from both Windows boxes as well as capin and capa-02 (pcap and pcap2). The files from the ASA may have some old traces from 30.2, though...

Re: ASA route ping but not TCP packets between two internal LANs

Hello,

I just needed the one on the 30.x network.

As you can see in Wireshark:

The host sends a SYN packet to the destination and receives a SYN-ACK.

Then it closes the connection with a RST packet (reset); that is why we see another SYN-ACK from the other side, because the host on the other side is waiting for the final ACK.

Then we see another SYN packet, so the connection is going to be built again, until the same thing happens one more time.

The issue is on the host in the 30.x network. Why it is sending the RST packet, and why it is not sending the ACK so the connection gets established, is not an ASA issue.

Regards,

Julio


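The packet sequence Julio reads from the Wireshark capture (SYN, SYN-ACK, RST from the client, a retransmitted SYN-ACK because the server is still waiting for the final ACK, then a fresh SYN) is easy to misread by eye when there are several attempts in one capture. The script below is an added example, not code from the thread or from Cisco: it runs a minimal three-way-handshake state machine over a packet summary and reports, per connection attempt, how the handshake ended and how many SYN-ACK retransmits the server sent. The packet list is constructed to match Julio's description; the addresses follow the thread (30.3 to 35.2 port 3389), and the client ports are invented.

```python
"""Handshake triage over a TCP packet summary (added example; not from the thread).

The sample packets are constructed after Julio's reading of the capture:
SYN, SYN-ACK, RST from the client, a retransmitted SYN-ACK, then a new SYN
from a new client port. Addresses follow the thread; ports are invented.
"""
from dataclasses import dataclass, field

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def pkt(src, sport, dst, dport, *flags):
    return Pkt(src, sport, dst, dport, frozenset(flags))


@dataclass
class Attempt:
    """One connection attempt: everything after one bare SYN from the client."""
    client: tuple
    server: tuple
    state: str = "SYN_SENT"
    synack_retransmits: int = 0
    seen: list = field(default_factory=list)


def track(packets):
    """Group packets per attempt (client ip:port -> server ip:port) and drive a
    minimal handshake state machine: SYN_SENT -> SYN_RECEIVED -> ESTABLISHED,
    or RST_FROM_CLIENT / RST_FROM_SERVER."""
    attempts = {}
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {SYN}:
            # A bare SYN always (re)starts an attempt from the sender's side.
            attempts[fwd] = Attempt(client=(p.src, p.sport), server=(p.dst, p.dport))
            attempts[fwd].seen.append("SYN")
            continue
        if fwd in attempts:
            a, from_client = attempts[fwd], True
        elif rev in attempts:
            a, from_client = attempts[rev], False
        else:
            continue  # mid-stream traffic with no SYN inside the capture window
        if p.flags == {SYN, ACK} and not from_client:
            if a.state == "SYN_SENT":
                a.state = "SYN_RECEIVED"
            else:
                a.synack_retransmits += 1  # server never saw the final ACK
            a.seen.append("SYN-ACK")
        elif RST in p.flags:
            a.state = "RST_FROM_CLIENT" if from_client else "RST_FROM_SERVER"
            a.seen.append("RST")
        elif p.flags == {ACK} and from_client and a.state == "SYN_RECEIVED":
            a.state = "ESTABLISHED"
            a.seen.append("ACK")
    return attempts


def verdict(a):
    if a.state == "ESTABLISHED":
        return "established"
    if a.state == "SYN_SENT":
        return "no SYN-ACK seen"
    if a.state == "SYN_RECEIVED":
        return "SYN-ACK seen, no final ACK"
    who = "client" if a.state == "RST_FROM_CLIENT" else "server"
    if "ACK" in a.seen:
        return f"{who} RST after establishing"
    if "SYN-ACK" in a.seen:
        return f"{who} RST after SYN-ACK"
    return f"{who} RST to SYN"


def analyze(packets):
    """Return {'client:port->server:port': {'verdict': str, 'synack_retransmits': int}}."""
    out = {}
    for a in track(packets).values():
        key = f"{a.client[0]}:{a.client[1]}->{a.server[0]}:{a.server[1]}"
        out[key] = {"verdict": verdict(a), "synack_retransmits": a.synack_retransmits}
    return out


C, S = "192.168.30.3", "192.168.35.2"
SAMPLE = [                              # constructed to match Julio's description
    pkt(C, 53370, S, 3389, SYN),
    pkt(S, 3389, C, 53370, SYN, ACK),
    pkt(C, 53370, S, 3389, RST),
    pkt(S, 3389, C, 53370, SYN, ACK),   # retransmit: server still in SYN-RECEIVED
    pkt(C, 53371, S, 3389, SYN),        # client tries again from a new port
    pkt(S, 3389, C, 53371, SYN, ACK),
    pkt(C, 53371, S, 3389, RST),
]

if __name__ == "__main__":
    for flow, r in analyze(SAMPLE).items():
        print(f"{flow}: {r['verdict']} (SYN-ACK retransmits: {r['synack_retransmits']})")
```

The verdict only says which side gave up and at what point; a "client RST after SYN-ACK" tells you to look at the client host and at the path the SYN-ACK took to reach it, while "server RST to SYN" or "no SYN-ACK seen" point at the server or at filtering in between. To use it on a real capture, feed it the source, ports and flags of each TCP packet from your pcap export in capture order.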
Re: ASA route ping but not TCP packets between two internal LANs

Julio,

Do you think it is the ASA 5505 which governs the 30.x network? It has quite a hairy setup: it manages two site-to-site VPNs as well as an L2TP/IPsec Remote Access VPN. I can attach its setup, but it is quite lengthy. Another point might be the license on that 5505; it says it only supports two interfaces. Do you think it might specifically kill TCP packets for the third network? Here is "show version" from the ASA 5505:

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

asa-colo up 67 days 23 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 0021.a0b4.eecb, irq 11
 1: Ext: Ethernet0/0         : address is 0021.a0b4.eec3, irq 255
 2: Ext: Ethernet0/1         : address is 0021.a0b4.eec4, irq 255
 3: Ext: Ethernet0/2         : address is 0021.a0b4.eec5, irq 255
 4: Ext: Ethernet0/3         : address is 0021.a0b4.eec6, irq 255
 5: Ext: Ethernet0/4         : address is 0021.a0b4.eec7, irq 255
 6: Ext: Ethernet0/5         : address is 0021.a0b4.eec8, irq 255
 7: Ext: Ethernet0/6         : address is 0021.a0b4.eec9, irq 255
 8: Ext: Ethernet0/7         : address is 0021.a0b4.eeca, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 50
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Re: ASA route ping but not TCP packets between two internal LANs

Hello,

What is the default gateway of the server on the 30.x network? I do not think it is the ASA 5505, as we are seeing the packets arriving at the ASA 5510. I do think the problem is on the server, as ICMP is working properly between the two networks.

I mean, we saw the TCP RST being generated on the server; that is all we need to know to be 100% sure it is the server, not any of the ASAs.

As ICMP is working, other protocols are going to work. I do not know why that server is sending that reset, but you could try FTP, SSH, TFTP just to confirm that the connection is okay.

Regards,

Julio


Re: ASA route ping but not TCP packets between two internal LANs

Julio,

I tried SSH and telnet; neither works, with the same result. On the 30.x network's ASA (5505), when I initiate a connection from the 30.3 server, in the ASA 5505 log I see it builds the TCP connection and then almost immediately tears it down (LEELA is the 192.168.30.3 server):

6          Jan 06 2012  20:24:53        302013          LEELA 53370            192.168.35.2 3389   Built inbound TCP connection 19053911 for inside:LEELA/53370 (LEELA/53370) to inside:192.168.35.2/3389 (192.168.35.2/3389)

6          Jan 06 2012  20:24:53        302014          LEELA 53370            192.168.35.2 3389   Teardown TCP connection 19053911 for inside:LEELA/53370 to inside:192.168.35.2/3389 duration 0:00:00 bytes 0 TCP Reset-O

Does this make sense?

The 30.3 server has 192.168.30.1 as its default gateway (which is the "inside" interface of that ASA 5505 in the 30.x network).

- Anatoliy
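The two log entries above carry the whole symptom in one line pair: a 302013 "Built" followed within the same second by a 302014 "Teardown ... duration 0:00:00 bytes 0 TCP Reset-O", with both ends of the connection on the same interface name. On a busy ASA that pattern is buried among thousands of normal connection messages, so the script below is worth keeping around. It is an added example, not code from the thread or from Cisco: it parses the standard %ASA-6-302013/302014 syslog formats, pairs build and teardown by connection ID, and flags connections that were reset with zero bytes in zero seconds, noting whether ingress and egress interface were the same. The log lines are constructed after Anatoliy's two entries plus one healthy connection for contrast; the hostname, the second connection and the outside destination are invented.

```python
"""Triage ASA 302013/302014 connection logs for zero-byte resets.

Added example, not from the thread. The sample log is constructed after the
two entries Anatoliy posted (connection 19053911, LEELA/53370 -> 192.168.35.2/3389,
"duration 0:00:00 bytes 0 TCP Reset-O"), plus a second reset and one healthy
outbound connection. Hostname, extra connection IDs and 203.0.113.10 are invented.
"""
import re
from collections import defaultdict

# %ASA-6-302013: Built inbound TCP connection <id> for <if>:<src>/<port> (<mapped>) to <if>:<dst>/<port> (<mapped>)
BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<iif>[\w-]+):(?P<src>[^/\s]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<oif>[\w-]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) \([^)]*\)"
)
# %ASA-6-302014: Teardown TCP connection <id> for ... duration h:mm:ss bytes <n> <reason>
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for [\w-]+:[^/\s]+/\d+ "
    r"to [\w-]+:[^/\s]+/\d+ duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse(lines):
    """Pair Built/Teardown messages by connection ID into one record each."""
    conns = {}
    for line in lines:
        m = BUILT.search(line)
        if m:
            d = m.groupdict()
            conns[d["id"]] = {
                "direction": d["dir"],
                "src": f'{d["src"]}/{d["sport"]}',
                "dst": f'{d["dst"]}/{d["dport"]}',
                "in_if": d["iif"],
                "out_if": d["oif"],
                # same interface on both ends: the ASA routed the flow back out the way it came
                "hairpin": d["iif"] == d["oif"],
            }
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in conns:
            c = conns[m["id"]]
            c["seconds"] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c["bytes"] = int(m["bytes"])
            c["reason"] = m["reason"].strip()
    return conns


def suspicious(conns):
    """Connections built and reset within the same second that moved no payload:
    the handshake never completed from the ASA's point of view."""
    return {
        cid: c for cid, c in conns.items()
        if c.get("bytes") == 0 and c.get("seconds") == 0 and "Reset" in c.get("reason", "")
    }


def summarize(conns):
    """Count suspicious resets per (source host, destination, path type) so one
    broken client or one broken path stands out from the noise."""
    counts = defaultdict(int)
    for c in suspicious(conns).values():
        path = "hairpin" if c["hairpin"] else "transit"
        counts[(c["src"].split("/")[0], c["dst"], path)] += 1
    return dict(counts)


SAMPLE_LOG = [  # constructed; see module docstring
    "Jan 06 2012 20:24:53 asa-colo %ASA-6-302013: Built inbound TCP connection 19053911 for inside:LEELA/53370 (LEELA/53370) to inside:192.168.35.2/3389 (192.168.35.2/3389)",
    "Jan 06 2012 20:24:53 asa-colo %ASA-6-302014: Teardown TCP connection 19053911 for inside:LEELA/53370 to inside:192.168.35.2/3389 duration 0:00:00 bytes 0 TCP Reset-O",
    "Jan 06 2012 20:24:56 asa-colo %ASA-6-302013: Built inbound TCP connection 19053912 for inside:LEELA/53371 (LEELA/53371) to inside:192.168.35.2/3389 (192.168.35.2/3389)",
    "Jan 06 2012 20:24:56 asa-colo %ASA-6-302014: Teardown TCP connection 19053912 for inside:LEELA/53371 to inside:192.168.35.2/3389 duration 0:00:00 bytes 0 TCP Reset-O",
    "Jan 06 2012 20:25:10 asa-colo %ASA-6-302013: Built outbound TCP connection 19053913 for inside:LEELA/53372 (LEELA/53372) to outside:203.0.113.10/443 (203.0.113.10/443)",
    "Jan 06 2012 20:25:41 asa-colo %ASA-6-302014: Teardown TCP connection 19053913 for inside:LEELA/53372 to outside:203.0.113.10/443 duration 0:00:31 bytes 48213 TCP FINs",
]

if __name__ == "__main__":
    conns = parse(SAMPLE_LOG)
    for cid, c in suspicious(conns).items():
        print(f"conn {cid}: {c['src']} -> {c['dst']} via {c['in_if']}->{c['out_if']} {c['reason']}")
    for (src, dst, path), n in summarize(conns).items():
        print(f"{src} -> {dst}: {n} zero-byte resets ({path})")
```

The "hairpin" flag is purely descriptive: it records that the ASA saw the flow enter and leave on the same named interface, which is exactly what the posted lines show (inside to inside). Whether that is expected depends on the routing design; the count per path type just tells you which flows to go capture next.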

Re: ASA route ping but not TCP packets between two internal LANs

Hello,

Good to know that! That is new info, but the thing is that we still see the reset packet being created on the server, so of course the connection is going to be dropped; the ASA will see the reset and drop the connection because it received a reset packet from the SSH or telnet client.

What if you set the default gateway to be the 5510? Can you do it just as a test?

Julio


Re: ASA route ping but not TCP packets between two internal LANs

Ha! It looks like I solved the problem. I manually added a route on that 30.3 server to send 35.0 traffic to the 30.250 IP and it started working like a charm. Apparently the ASA 5505, even though it had a static route, ignored it and was not routing the packets.

Now another big question: how should I manage that routing? I cannot manually add a static route to all servers in the 30.0 network...

Re: ASA route ping but not TCP packets between two internal LANs

Hello,

Can I see the ASA 5505 configuration? You can take out some information we do not need to make it shorter (VPN, etc.).

Edit: Time to troubleshoot the 5505. I think I know what is happening here.

Regards,

Julio


Re: ASA route ping but not TCP packets between two internal LANs

Here is most of the config (I took out some sensitive lines, mostly object definitions). I hope I didn't take out lines which are relevant to the problem we are trying to solve:

: Saved
:
ASA Version 8.2(2)
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address ASA-COLO 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ASA-COLO_EXT 255.255.255.224
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended deny ip object-group DM_INLINE_NETWORK_25 any
access-list outside_access_in remark trusted services
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group TRUSTED any
access-list outside_access_in remark Just in case
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_9 any
access-list outside_access_in remark Web apps front-end apache
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_TCP_7
access-list outside_access_in remark Extranet and Project Server 2010
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_23 eq www
access-list outside_access_in remark Client Hosting HTTP front-end
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_24 object-group DM_INLINE_TCP_11
access-list outside_access_in remark Incoming Mail (spam-filter)
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_12 eq smtp
access-list outside_access_in remark Incoming Mail (spam-filter)
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_20 eq smtp
access-list outside_access_in remark External DNS
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_13
access-list outside_access_in remark FTP
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_29 object-group DM_INLINE_TCP_12 inactive
access-list outside_access_in remark FTP
access-list outside_access_in extended permit udp any object-group DM_INLINE_NETWORK_30 range 30000 30100 inactive
access-list outside_access_in remark FTP temporary
access-list outside_access_in remark Linux SSH access
access-list outside_access_in extended permit tcp object-group TRUSTED object-group DM_INLINE_NETWORK_18 eq ssh
access-list outside_access_in remark All mail services
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_14 object-group DM_INLINE_TCP_8
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_22 any
access-list outside_access_in extended permit icmp any any
access-list global_access extended permit ip host TISHIN_HOME any
access-list inside_nat0_outbound extended permit ip NET_COLO_INT 255.255.255.0 object-group DM_INLINE_NETWORK_15
access-list inside_nat0_outbound extended permit ip NET_COLO_INT 255.255.255.0 192.168.35.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 NET_COLO_INT 255.255.255.0
access-list outside_cryptomap_1 extended permit ip NET_COLO_INT 255.255.255.0 NET_OFFICE_INT 255.255.255.0
access-list outside_cryptomap_2 extended permit ip NET_COLO_INT 255.255.255.0 NET_OBN_INT 255.255.255.0
access-list outside_cryptomap_3 extended permit ip NET_COLO_INT 255.255.255.0 NET_LT_INT 255.255.255.0
access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_16 NET_COLO_INT 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
pager lines 24
flow-export destination inside NIBBLER 6343
mtu inside 1500
mtu outside 1500
ip local pool l2tp_pool 192.168.30.176-192.168.30.192 mask 255.255.255.224
ip local pool l2tp_pool2 192.168.30.193-192.168.30.209
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 NET_COLO_INT 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) WWWWWWWW WWWWWWWW netmask 255.255.255.255
static (inside,outside) WWWWWWWW2 WWWWWWWW netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
!
router rip
 version 1
!
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route inside 192.168.35.0 255.255.255.0 192.168.30.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host LEELA
 key *****
 radius-common-pw *****
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication http console LOCAL
http server enable
http NET_COLO_INT 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer OB_EXT
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer LT_EXT
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.30.129-192.168.30.163 inside
dhcpd dns NIBBLER LISA interface inside
dhcpd wins NIBBLER LISA interface inside
dhcpd enable inside
!
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server LISA
webvpn
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec svc
 password-storage enable
 re-xauth enable
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
group-policy L2TP_Policy internal
group-policy L2TP_Policy attributes
 wins-server value 192.168.30.14
 dns-server value 192.168.30.14
 vpn-tunnel-protocol l2tp-ipsec
 password-storage enable
 split-tunnel-network-list none
 address-pools value l2tp_pool
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp_pool
 authentication-server-group RADIUS
 default-group-policy L2TP_Policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX ipsec-attributes
 pre-shared-key *****
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX ipsec-attributes
 pre-shared-key *****
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX ipsec-attributes
 pre-shared-key *****
no tunnel-group-map enable peer-ip
!
class-map global-class
 match default-inspection-traffic
class-map type inspect ftp match-all FTP-class-map
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect ftp
  inspect http
!
service-policy global-policy global
smtp-server 192.168.30.23 192.168.30.2
prompt hostname context
service call-home
