Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2853
Views
0
Helpful
8
Replies

ASA5510 TCP Deny no connection and 0 SYN timeout

Go to solution
Brian Beaman
Level 1
Level 1

‎09-04-2014 05:58 AM - edited ‎03-11-2019 09:42 PM

After a recent firewall cleanup we now are failing a PCI Scan from Trustwave. I have created a rule to allow their IP's to come in any port and I am still getting a "Network Service Stopped Responding" on there end while they are going to our Public IP address on port 443. Since I have allowed their IP's to come in any port I'm not sure what the problem is.

 

Here are some logs from the firewall.

Early on in the scan I am seeing a bunch of these for different internal IPs but I can't ping any of them internally so I think they are trying to go to some devices that don't exist anymore.

 

6|Sep 03 2014|15:19:20|302014|64.37.231.144|40312|10.1.20.133|22361|Teardown TCP connection 185611354 for Outside:64.37.231.144/40312 to Inside:10.1.20.133/22361 duration 0:00:30 bytes 0 SYN Timeout

 

About the same time the test fails I see this in the logs. It's them coming to our public IP on port 443 but it keeps getting a TCP deny (No Connection)

 

6Sep 03 201416:03:1530201364.37.231.14452986207.140.152.66443Built inbound TCP connection 185701488 for Outside:64.37.231.144/52986 (64.37.231.144/52986) to identity:207.140.152.66/443 (207.140.152.66/443)
6Sep 03 201416:03:1572500164.37.231.14452986  

Starting SSL handshake with client Outside:64.37.231.144/52986 for TLSv1 session.

6Sep 03 201416:03:1672500264.37.231.14452986  

Device completed SSL handshake with client Outside:64.37.231.144/52986

6Sep 03 201416:03:1672500764.37.231.14452986  SSL session with client Outside:64.37.231.144/52986 terminated.
6Sep 03 201416:03:1630201464.37.231.14452986207.140.152.66443Teardown TCP connection 185701488 for Outside:64.37.231.144/52986 to identity:207.140.152.66/443 duration 0:00:00 bytes 717 TCP Reset-O
4Sep 03 201416:03:1610601564.37.231.14452986207.140.152.66443Deny TCP (no connection) from 64.37.231.144/52986 to 207.140.152.66/443 flags PSH ACK on interface Outside
4Sep 03 201416:03:1610601564.37.231.14452986207.140.152.66443Deny TCP (no connection) from 64.37.231.144/52986 to 207.140.152.66/443 flags FIN ACK on interface Outside
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rvarelac
Level 7
Level 7
In response to Brian Beaman

‎09-04-2014 01:06 PM

Looks like the ASA is not dropping the connection , maybe the server / ISP is cutting off the connection. 

 

I would check that part first , before doing any changes on the ASA.

 

-Randy -

 

 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
rvarelac
Level 7
Level 7

‎09-04-2014 11:07 AM

Hi Bryan ,

 

Looks like the tcp connection is denied on the outside interface . Check your policy for the traffic coming from outside to inside.

 

Can you please share your  configuration to cehck your policies , also you can try the command "sysopt connection timewait" on the ASA and check if the behavior changes,

 

Hope this helps

 

-Randy -

0 Helpful

Go to solution
Brian Beaman
Level 1
Level 1
In response to rvarelac

‎09-04-2014 11:25 AM

Sorry I don't know much about the ASA. I assume you want the Access-list? The rule I made for them is in bold

 

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list splittunnel; 1 elements; name hash: 0x907b5bd
access-list splittunnel line 1 standard permit 10.0.0.0 255.0.0.0 (hitcnt=0) 0x0336c9eb
access-list http-list2; 1 elements; name hash: 0xd06c9445
access-list http-list2 line 1 extended permit tcp any host 160.109.103.49 (hitcnt=4579) 0x34d298fd
access-list Web_filter; 4 elements; name hash: 0x607b0795
access-list Web_filter line 1 remark denys HTTP access to Intranet
access-list Web_filter line 2 extended deny ip host 10.1.21.10 any (hitcnt=0) 0xf6050e57
access-list Web_filter line 3 remark denys HTTP access to Esales
access-list Web_filter line 4 extended deny ip host 10.1.21.34 any (hitcnt=1173) 0xb6b80a52
access-list Web_filter line 5 remark denys Web access to Stanion.com
access-list Web_filter line 6 extended deny ip host 10.1.21.7 any (hitcnt=4745) 0xd13f029b
access-list Web_filter line 7 extended permit ip any any (hitcnt=1194557283) 0xe91822f1
access-list ironport_nat; 1 elements; name hash: 0xb93ecc1d
access-list ironport_nat line 1 extended permit ip object Ironport_Email any (hitcnt=0) 0xabf503fb
  access-list ironport_nat line 1 extended permit ip host 10.1.21.8 any (hitcnt=0) 0xabf503fb
access-list nonat; 3 elements; name hash: 0x13e041bf
access-list nonat line 1 extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0 (hitcnt=0) 0x51aa1a9a
access-list nonat line 2 extended permit ip 10.1.0.0 255.255.0.0 10.1.100.0 255.255.255.0 (hitcnt=0) 0x64e430e9
access-list nonat line 3 extended permit ip 10.0.0.0 255.0.0.0 10.20.0.0 255.255.0.0 (hitcnt=0) 0x9aa0760e
access-list internet_ironport; 2 elements; name hash: 0xda435661
access-list internet_ironport line 1 extended permit ip host 10.1.21.9 any (hitcnt=0) 0xb6bf9d94
access-list internet_ironport line 2 extended permit ip 10.20.0.0 255.255.0.0 any (hitcnt=0) 0x36e2177a
access-list IN; 85 elements; name hash: 0x9f2434aa
access-list IN line 1 extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_3 any 0xbe6e62f4
  access-list IN line 1 extended permit ip 204.13.201.0 255.255.255.0 any (hitcnt=0) 0x91d0f650
  access-list IN line 1 extended permit ip 64.37.231.0 255.255.255.0 any (hitcnt=44587) 0x24912041
access-list IN line 2 extended permit tcp any any eq https (hitcnt=322454) 0x73ce9627
access-list IN line 3 extended permit gre object Public_Corp-Main_Router object Corp-Main_Router (hitcnt=0) 0xf4ff3cf8
  access-list IN line 3 extended permit gre host 207.140.152.78 host 10.1.2.253 (hitcnt=0) 0xf4ff3cf8
access-list IN line 4 extended permit tcp any object SWECOFTP eq ftp (hitcnt=0) 0x50c59ab3
  access-list IN line 4 extended permit tcp any host 10.1.21.62 eq ftp (hitcnt=94) 0x50c59ab3
access-list IN line 5 extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_6 0xe2a3d5b7
  access-list IN line 5 extended permit tcp any host 10.1.20.2 eq smtp (hitcnt=0) 0x7bb9f254
  access-list IN line 5 extended permit tcp any host 10.1.20.2 eq ssh (hitcnt=0) 0x0f6c8f93
  access-list IN line 5 extended permit tcp any host 10.1.21.8 eq smtp (hitcnt=299568) 0x52abd338
  access-list IN line 5 extended permit tcp any host 10.1.21.8 eq ssh (hitcnt=0) 0x3485919c
access-list IN line 6 extended permit tcp any object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_1 0x8b9eb238
  access-list IN line 6 extended permit tcp any host 10.1.21.24 eq www (hitcnt=722) 0xb0e5957b
  access-list IN line 6 extended permit tcp any host 10.1.21.24 eq https (hitcnt=0) 0xcc6cacc0
  access-list IN line 6 extended permit tcp any host 10.1.21.34 eq www (hitcnt=10479) 0xd31dfe76
  access-list IN line 6 extended permit tcp any host 10.1.21.34 eq https (hitcnt=0) 0x2939fa74
  access-list IN line 6 extended permit tcp any host 10.1.21.64 eq www (hitcnt=21909) 0xd0da46a1
  access-list IN line 6 extended permit tcp any host 10.1.21.64 eq https (hitcnt=3) 0xf9224ad7
access-list IN line 7 extended permit tcp object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_5 0x64977d1a
  access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.35 eq ssh (hitcnt=0) 0xdcf294e6
  access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.35 eq telnet (hitcnt=0) 0x3bb1a012
  access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.35 eq 3389 (hitcnt=0) 0x412f51e3
  access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.57 eq ssh (hitcnt=0) 0x59328191
  access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.57 eq telnet (hitcnt=0) 0x70c9e5e0
  access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.57 eq 3389 (hitcnt=0) 0xb383b91d
  access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.35 eq ssh (hitcnt=0) 0xe621ebc3
  access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.35 eq telnet (hitcnt=0) 0x04cbc347
  access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.35 eq 3389 (hitcnt=0) 0x1b956387
  access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.57 eq ssh (hitcnt=0) 0x726ff458
  access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.57 eq telnet (hitcnt=0) 0x109c30be
  access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.57 eq 3389 (hitcnt=23) 0x0137d171
  access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.35 eq ssh (hitcnt=0) 0xf4027db3
  access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.35 eq telnet (hitcnt=0) 0x59df8576
  access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.35 eq 3389 (hitcnt=0) 0x19a30c88
  access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.57 eq ssh (hitcnt=0) 0x20ab6579
  access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.57 eq telnet (hitcnt=0) 0x95cba548
  access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.57 eq 3389 (hitcnt=4) 0xafa35c82
  access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.35 eq ssh (hitcnt=0) 0xfee128cb
  access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.35 eq telnet (hitcnt=0) 0x2de86bf5
  access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.35 eq 3389 (hitcnt=0) 0x7265e777
  access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.57 eq ssh (hitcnt=0) 0xb7d86182
  access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.57 eq telnet (hitcnt=0) 0xc95b6f56
  access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.57 eq 3389 (hitcnt=6) 0x0b13aeba
  access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.35 eq ssh (hitcnt=0) 0x1983ab13
  access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.35 eq telnet (hitcnt=0) 0xbba32c43
  access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.35 eq 3389 (hitcnt=0) 0x3e0d9824
  access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.57 eq ssh (hitcnt=0) 0x59537353
  access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.57 eq telnet (hitcnt=0) 0x4e0c0cb3
  access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.57 eq 3389 (hitcnt=9) 0x77641b36
  access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.35 eq ssh (hitcnt=0) 0xcb6b4ed8
  access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.35 eq telnet (hitcnt=0) 0x539015d5
  access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.35 eq 3389 (hitcnt=0) 0xd4aa4a32
  access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.57 eq ssh (hitcnt=0) 0x2edb1e3c
  access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.57 eq telnet (hitcnt=0) 0xb8d08c18
  access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.57 eq 3389 (hitcnt=0) 0x27b8dff3
  access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.35 eq ssh (hitcnt=0) 0x7d90e69d
  access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.35 eq telnet (hitcnt=0) 0x587f5840
  access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.35 eq 3389 (hitcnt=0) 0x894d6af4
  access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.57 eq ssh (hitcnt=0) 0x64427444
  access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.57 eq telnet (hitcnt=0) 0x0428511a
  access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.57 eq 3389 (hitcnt=0) 0x68c6adac
  access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.35 eq ssh (hitcnt=0) 0x5b5eadce
  access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.35 eq telnet (hitcnt=0) 0x9b1f6ec0
  access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.35 eq 3389 (hitcnt=0) 0x77d58097
  access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.57 eq ssh (hitcnt=0) 0x6001f207
  access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.57 eq telnet (hitcnt=0) 0x79b2c587
  access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.57 eq 3389 (hitcnt=0) 0x8e9d71b8
access-list IN line 8 extended permit tcp object-group DM_INLINE_NETWORK_9 object TSE1 eq 3389 0xedd3c6d8
  access-list IN line 8 extended permit tcp host 116.75.164.101 host 10.1.21.42 eq 3389 (hitcnt=0) 0xda1d3af8
  access-list IN line 8 extended permit tcp host 69.15.189.147 host 10.1.21.42 eq 3389 (hitcnt=0) 0x207ccbf8
access-list IN line 9 extended permit tcp any object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_TCP_10 0xf8839a3b
  access-list IN line 9 extended permit tcp any host 10.1.21.100 eq www (hitcnt=73980) 0xd8756829
  access-list IN line 9 extended permit tcp any host 10.1.21.100 eq https (hitcnt=43714) 0xe1ff17e3
  access-list IN line 9 extended permit tcp any host 10.1.21.101 eq www (hitcnt=558) 0x8883195e
  access-list IN line 9 extended permit tcp any host 10.1.21.101 eq https (hitcnt=40) 0x4665009f
access-list IN line 10 extended permit object-group DM_INLINE_SERVICE_1 host 24.159.99.28 object Infor (hitcnt=0) 0x21f8274b
  access-list IN line 10 extended permit ip host 24.159.99.28 host 10.1.21.15 (hitcnt=0) 0x152a9951
  access-list IN line 10 extended permit tcp host 24.159.99.28 host 10.1.21.15 eq 3389 (hitcnt=0) 0x241955b4
access-list IN line 11 extended permit ip any object-group DM_INLINE_NETWORK_2 0x26b701af
  access-list IN line 11 extended permit ip any host 10.1.21.7 (hitcnt=231906) 0x703f53dc
  access-list IN line 11 extended permit ip any host 10.1.21.6 (hitcnt=226353) 0x538e3514
access-list IN line 12 extended permit object-group DM_INLINE_SERVICE_3 any object-group DM_INLINE_NETWORK_7 0x2185238d
  access-list IN line 12 extended permit tcp any host 10.6.20.2 eq www (hitcnt=302) 0x6b752058
  access-list IN line 12 extended permit tcp any host 10.6.20.3 eq www (hitcnt=171) 0x5676723e
  access-list IN line 12 extended permit tcp any host 10.18.20.2 eq www (hitcnt=332) 0x4e028ace
  access-list IN line 12 extended permit tcp any host 10.3.20.2 eq www (hitcnt=643) 0x140eaec7
  access-list IN line 12 extended permit udp any host 10.6.20.2 eq www (hitcnt=0) 0x5179f1de
  access-list IN line 12 extended permit udp any host 10.6.20.3 eq www (hitcnt=0) 0x92eda56e
  access-list IN line 12 extended permit udp any host 10.18.20.2 eq www (hitcnt=0) 0x4b9c6dfc
  access-list IN line 12 extended permit udp any host 10.3.20.2 eq www (hitcnt=0) 0xe776756d
access-list IN line 13 extended permit tcp object WSUS any object-group DM_INLINE_TCP_4 (hitcnt=0) 0x407a23d4
  access-list IN line 13 extended permit tcp host 10.1.21.65 any eq www (hitcnt=0) 0xb9c45cc1
  access-list IN line 13 extended permit tcp host 10.1.21.65 any eq https (hitcnt=0) 0x5e88e4c5
access-list AnyConnect_Client_Local_Print; 8 elements; name hash: 0xe76ce9d1
access-list AnyConnect_Client_Local_Print line 1 extended deny ip any any (hitcnt=0) 0x08993d53
access-list AnyConnect_Client_Local_Print line 2 extended permit tcp any any eq lpd (hitcnt=0) 0xc2390719
access-list AnyConnect_Client_Local_Print line 3 remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print line 4 extended permit tcp any any eq 631 (hitcnt=0) 0x73a9536a
access-list AnyConnect_Client_Local_Print line 5 remark Windows' printing port
access-list AnyConnect_Client_Local_Print line 6 extended permit tcp any any eq 9100 (hitcnt=0) 0x57c0d3e3
access-list AnyConnect_Client_Local_Print line 7 remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print line 8 extended permit udp any host 224.0.0.251 eq 5353 (hitcnt=0) 0x97c694f8
access-list AnyConnect_Client_Local_Print line 9 remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print line 10 extended permit udp any host 224.0.0.252 eq 5355 (hitcnt=0) 0xa7d3d944
access-list AnyConnect_Client_Local_Print line 11 remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print line 12 extended permit tcp any any eq 137 (hitcnt=0) 0x5f84372c
access-list AnyConnect_Client_Local_Print line 13 extended permit udp any any eq netbios-ns (hitcnt=0) 0xb541e0fb

 

0 Helpful

Go to solution
rvarelac
Level 7
Level 7
In response to Brian Beaman

‎09-04-2014 12:43 PM

Hi Brian , 

 

I mean the "Show run" of the ASA , however can you try this command on your ASA and post the result. 

 

Packet-tracer input outiside 64.37.231.144 52986 207.140.152.66 443 detailed 

 

-Randy- 

0 Helpful

Go to solution
Brian Beaman
Level 1
Level 1
In response to rvarelac

‎09-04-2014 12:52 PM

Here is the output of "Packet-tracer input outside tcp 64.37.231.144 52986 207.140.152.66 443 detailed"  and below that is the show run

 

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad640000, priority=1, domain=permit, deny=false
        hits=4552253758, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   207.140.152.66  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae13a448, priority=119, domain=permit, deny=false
        hits=71322, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
        input_ifc=Outside, output_ifc=identity

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad781d40, priority=8, domain=conn-set, deny=false
        hits=71322, user_data=0xadff1d50, cs_id=0x0, reverse, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=207.140.152.66, mask=255.255.255.255, port=443, dscp=0x0
        input_ifc=Outside, output_ifc=identity

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad644af0, priority=0, domain=inspect-ip-options, deny=true
        hits=183370301, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae297338, priority=18, domain=flow-export, deny=false
        hits=26629132, user_data=0xae39f468, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: TCP-MODULE
Subtype: webvpn
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad697210, priority=13, domain=soft-np-tcp-module, deny=false
        hits=71324, user_data=0xadfee528, cs_id=0x0, reverse, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=207.140.152.66, mask=255.255.255.255, port=443, dscp=0x0
        input_ifc=Outside, output_ifc=identity

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae0cba70, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=19557028, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 186590309, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_mod
snp_fp_adjacency
snp_fp_fragment
snp_fp_drop

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

 

 

 

Show run

 

 

ASA Version 8.4(2)
!
hostname CorpASA
domain-name stanion.com
enable password 33cPxp7pgqfEVuzl encrypted
passwd OWIlx1L56vEezdTg encrypted
no names
dns-guard
!
interface Ethernet0/0
 description Connected to the Internet Router
 nameif Outside
 security-level 0
 ip address 207.140.152.66 255.255.255.192
!
interface Ethernet0/1
 description Connected to Internal LAN
 nameif Inside
 security-level 100
 ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0/2
 description Connected to Internal DMZ network
 nameif dmz
 security-level 50
 ip address 172.16.2.254 255.255.255.0
!
interface Ethernet0/3
 nameif Oustside_Test
 security-level 0
 ip address 192.168.1.2 255.255.0.0
!
interface Management0/0
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 10.1.21.60
 domain-name stanion.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.20.0.0
 subnet 10.20.0.0 255.255.0.0
object network obj-10.1.0.0
 subnet 10.1.0.0 255.255.0.0
object network obj-10.1.100.0
 subnet 10.1.100.0 255.255.255.0
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network CAS1
 host 10.1.21.100
object network obj-10.1.21.100-01
 host 10.1.21.100
object network CAS2
 host 10.1.21.101
object network obj-10.1.21.101-01
 host 10.1.21.101
object network Esales
 host 10.1.21.34
object network Tarantella1
 host 10.1.21.24
object network NS2
 host 10.1.21.6
object network Staging
 host 10.1.21.57
object network TSE1
 host 10.1.21.42
object network Web1
 host 10.1.21.64
object network Unform
 host 10.1.21.20
object network NS1
 host 10.1.21.7
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.1.100.0_24
 subnet 10.1.100.0 255.255.255.0
object network SWECOFTP
 host 10.1.21.62
 description FTP Server
object network Public_SWECOFTP
 host 207.140.152.92
 description Public IP for FTP Server
object network Manhattan_Cameras1
 host 10.6.20.2
object network Public_Manhattan_Cameras
 host 207.140.152.94
object network KC_Cameras
 host 10.18.20.2
 description Cameras for Kansas City
object network Public_KC_Cameras
 host 207.140.152.96
 description Public address Kansas City Cameras
object network WSUS
 host 10.1.21.65
object network Infor
 host 10.1.21.15
object network Public_Infor
 host 207.140.152.76
object network 173.8.235.158
 host 173.8.235.158
object network Manhattan_Cameras2
 host 10.6.20.3
object network Public_Manhattan_Cameras2
 host 207.140.152.97
object network Portal
 host 10.1.21.24
 description Help Desk
object network Public_Portal
 host 207.140.152.85
 description Public HelpDesk
object network test_Internet_gateway
 host 172.16.8.2
object network Corp-Main_Router
 host 10.1.2.253
object network Testsvr
 host 207.140.152.79
object network GB_Cameras
 host 10.3.20.2
object network public_GB_Cameras
 host 207.140.152.98
object network NXT
 host 10.1.21.35
object network Public_Esales
 host 207.140.152.70
object network Public_NXT
 host 207.140.152.68
object network Public_Tarantella
 host 207.140.152.77
object network Public_Unform
 host 207.140.152.83
object network Ironport_Email
 host 10.1.21.8
object network Public_CAS1
 host 207.140.152.69
object network Public_CAS2
 host 207.140.152.95
object network Public_Corp-Main_Router
 host 207.140.152.78
object network Public_NS1
 host 207.140.152.71
object network Public_NS2
 host 207.140.152.73
object network Public_Staging
 host 207.140.152.86
object network Public_TSE1
 host 207.140.152.87
object network Public_Web1
 host 207.140.152.74
object network obj-10.1.21.8
 host 10.1.21.8
object network obj-10.21.8-01
object network obj-10.1.21.8-01
 host 10.1.21.8
object-group service DM_INLINE_SERVICE_3
 service-object tcp destination eq www
 service-object udp destination eq www
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object host 10.1.20.2
 network-object object Ironport_Email
object-group network DM_INLINE_NETWORK_12
 network-object object CAS1
 network-object object CAS2
object-group network DM_INLINE_NETWORK_2
 network-object object NS1
 network-object object NS2
object-group network DM_INLINE_NETWORK_3
 network-object 204.13.201.0 255.255.255.0
 network-object 64.37.231.0 255.255.255.0
object-group service RDP tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp destination eq 3389
object-group network Trustwave
 network-object 204.13.201.0 255.255.255.0
 network-object 64.37.231.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object tcp destination eq ssh
object-group network DM_INLINE_NETWORK_5
 network-object 206.114.9.0 255.255.255.0
 network-object object 173.8.235.158
 network-object host 173.178.135.243
 network-object host 173.178.146.44
 network-object host 173.178.148.247
 network-object host 184.158.74.194
 network-object 207.54.32.0 255.255.255.0
 network-object 65.241.101.0 255.255.255.128
object-group service DM_INLINE_TCP_5 tcp
 port-object eq ssh
 port-object eq telnet
 port-object eq 3389
object-group network DM_INLINE_NETWORK_6
 network-object object NXT
 network-object object Staging
object-group network DM_INLINE_NETWORK_7
 network-object object Manhattan_Cameras1
 network-object object Manhattan_Cameras2
 network-object object KC_Cameras
 network-object object GB_Cameras
object-group network DM_INLINE_NETWORK_8
 network-object object Portal
 network-object object Esales
 network-object object Web1
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_9
 network-object host 116.75.164.101
 network-object host 69.15.189.147
object-group service DM_INLINE_TCP_6 tcp
 port-object eq smtp
 port-object eq ssh
object-group service DM_INLINE_TCP_10 tcp
 port-object eq www
 port-object eq https
access-list splittunnel standard permit 10.0.0.0 255.0.0.0
access-list http-list2 extended permit tcp any host 160.109.103.49
access-list Web_filter remark denys HTTP access to Intranet
access-list Web_filter extended deny ip host 10.1.21.10 any
access-list Web_filter remark denys HTTP access to Esales
access-list Web_filter extended deny ip host 10.1.21.34 any
access-list Web_filter remark denys Web access to Stanion.com
access-list Web_filter extended deny ip host 10.1.21.7 any
access-list Web_filter extended permit ip any any
access-list ironport_nat extended permit ip object Ironport_Email any
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.100.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.20.0.0 255.255.0.0
access-list internet_ironport extended permit ip host 10.1.21.9 any
access-list internet_ironport extended permit ip 10.20.0.0 255.255.0.0 any
access-list IN extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_3 any
access-list IN extended permit tcp any any eq https
access-list IN extended permit gre object Public_Corp-Main_Router object Corp-Main_Router
access-list IN extended permit tcp any object SWECOFTP eq ftp
access-list IN extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_6
access-list IN extended permit tcp any object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_1
access-list IN extended permit tcp object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_5
access-list IN extended permit tcp object-group DM_INLINE_NETWORK_9 object TSE1 eq 3389
access-list IN extended permit tcp any object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_TCP_10
access-list IN extended permit object-group DM_INLINE_SERVICE_1 host 24.159.99.28 object Infor
access-list IN extended permit ip any object-group DM_INLINE_NETWORK_2
access-list IN extended permit object-group DM_INLINE_SERVICE_3 any object-group DM_INLINE_NETWORK_7
access-list IN extended permit tcp object WSUS any object-group DM_INLINE_TCP_4
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
!
tcp-map mss-map
!
pager lines 24
logging enable
logging buffer-size 10000
logging monitor informational
logging buffered notifications
logging trap informational
logging history errors
logging asdm informational
logging host Inside 10.1.21.62
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 305010
no logging message 338303
no logging message 304001
logging message 106015 level warnings
flow-export destination Inside 10.1.21.55 2055
flow-export destination Inside 10.1.21.30 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu Outside 1500
mtu Inside 1500
mtu dmz 1500
mtu Oustside_Test 1500
ip local pool vpn-pool 10.1.100.1-10.1.100.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.20.0.0 obj-10.20.0.0 no-proxy-arp
nat (Inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.1.100.0 obj-10.1.100.0 no-proxy-arp
nat (Inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.20.0.0 obj-10.20.0.0 no-proxy-arp
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_10.1.100.0_24 NETWORK_OBJ_10.1.100.0_24 no-proxy-arp route-lookup
nat (Inside,Outside) source static SWECOFTP Public_SWECOFTP description FTP1
nat (Inside,Outside) source static Manhattan_Cameras2 Public_Manhattan_Cameras2
nat (Inside,Outside) source static Portal Public_Portal
nat (Inside,Outside) source static Manhattan_Cameras1 Public_Manhattan_Cameras
nat (Inside,Outside) source static KC_Cameras Public_KC_Cameras
nat (Inside,Outside) source static Infor Public_Infor
!
object network obj-10.20.0.0
 nat (Outside,Outside) dynamic interface
object network CAS1
 nat (Inside,Outside) static 207.140.152.69 service tcp www www
object network obj-10.1.21.100-01
 nat (Inside,Outside) static 207.140.152.69 service tcp https https
object network CAS2
 nat (Inside,Outside) static 207.140.152.95 service tcp www www
object network obj-10.1.21.101-01
 nat (Inside,Outside) static 207.140.152.95 service tcp https https
object network Esales
 nat (Inside,Outside) static Public_Esales
object network Tarantella1
 nat (Inside,Outside) static Public_Tarantella
object network NS2
 nat (Inside,Outside) static Public_NS2
object network Staging
 nat (Inside,Outside) static Public_Staging
object network TSE1
 nat (Inside,Outside) static Public_TSE1
object network Web1
 nat (Inside,Outside) static Public_Web1
object network Unform
 nat (Inside,Outside) static Public_Unform
object network NS1
 nat (Inside,Outside) static Public_NS1
object network obj_any
 nat (Inside,Outside) dynamic interface
object network SWECOFTP
 nat (Inside,Outside) static Public_SWECOFTP
object network Corp-Main_Router
 nat (Inside,Outside) static Public_Corp-Main_Router
object network GB_Cameras
 nat (Inside,Outside) static public_GB_Cameras
object network NXT
 nat (Inside,Outside) static Public_NXT
object network obj-10.1.21.8
 nat (Inside,Outside) static 207.140.152.69 service tcp smtp smtp
object network obj-10.1.21.8-01
 nat (Inside,Outside) dynamic 207.140.152.69
access-group IN in interface Outside
route Outside 0.0.0.0 0.0.0.0 207.140.152.65 1
route Inside 10.0.0.0 255.0.0.0 10.1.2.253 1
route Inside 70.252.185.124 255.255.255.252 10.1.2.253 1
route Inside 70.252.185.128 255.255.255.252 10.1.2.253 1
route Inside 0.0.0.0 0.0.0.0 10.1.2.253 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record "Deny Access"
 user-message "NO VPN Access"
 action terminate
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol ldap
aaa-server AD (Inside) host 10.1.21.60
 ldap-base-dn DC=sweco,DC=corp
 ldap-group-base-dn DC=sweco,DC=corp
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn CN=ldapuser,CN=users,DC=sweco,DC=corp
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.20.0 255.255.255.0 Inside
http 10.1.21.0 255.255.255.0 Inside
http 10.0.0.0 255.0.0.0 Inside
http 10.20.0.0 255.255.0.0 Outside
snmp-server host Inside 10.1.21.30 community ***** version 2c udp-port 161
snmp-server host Inside 10.1.21.55 community ***** version 2c udp-port 161
snmp-server location Corp
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
sysopt connection timewait
crypto ipsec ikev1 transform-set myset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set mystanion esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map client-vpn 10 set ikev1 transform-set myset
crypto dynamic-map mymap 1 set ikev1 transform-set mystanion ESP-3DES-SHA
crypto dynamic-map mymap 1 set reverse-route
crypto map StanionVPN 10 ipsec-isakmp dynamic client-vpn
crypto map dyn-map 10 ipsec-isakmp dynamic mymap
crypto map dyn-map interface Outside
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable Outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.20.0.0 255.255.0.0 Outside
ssh 10.0.0.0 255.0.0.0 Inside
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp web-cache redirect-list Web_filter
wccp interface Inside web-cache redirect in
ntp server 10.1.254.1 source Inside prefer
webvpn
 enable Outside
 anyconnect-essentials
 anyconnect image disk1:/anyconnect-dart-win-2.5.3055-k9.pkg 1
 anyconnect image disk1:/anyconnect-win-3.1.03103-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy split-tunnel internal
group-policy split-tunnel attributes
 vpn-idle-timeout 30
group-policy GroupPolicy_StanionAny internal
group-policy GroupPolicy_StanionAny attributes
 wins-server value 10.1.21.60
 dns-server value 10.1.21.60 10.1.21.25
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value stanion.com
group-policy clientvpn internal
group-policy clientvpn attributes
 dns-server value 10.1.21.60 10.1.21.25
 vpn-idle-timeout 20
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value Stanion.com
group-policy clientgroup internal
username StanionAny password y9al.Ax396eTnCwt encrypted
username stanion password jzeq0YLBbw50qQPY encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group clientvpn type remote-access
tunnel-group clientvpn general-attributes
 address-pool vpn-pool
 authorization-server-group LOCAL
 default-group-policy clientvpn
tunnel-group clientvpn ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none
tunnel-group split-tunnel type remote-access
tunnel-group split-tunnel general-attributes
 default-group-policy split-tunnel
tunnel-group StanionAny type remote-access
tunnel-group StanionAny general-attributes
 address-pool vpn-pool
 authentication-server-group AD
 default-group-policy GroupPolicy_StanionAny
tunnel-group StanionAny webvpn-attributes
 group-alias StanionAny enable
!
class-map global-class
 match any
class-map Outside-ips-class
 match any
class-map inspection_default
 match default-inspection-traffic
class-map http-map1
 match access-list http-list2
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 ras
  inspect netbios
  inspect rtsp
  inspect icmp error
  inspect icmp
  inspect ftp
  inspect ip-options
 class http-map1
  set connection advanced-options mss-map
 class global-class
  flow-export event-type all destination 10.1.21.30 10.1.21.55
policy-map Outside-IPS-Policy
 description Outside IPS Rule sends traffic to ips for inspection
 class Outside-ips-class
  ips inline fail-open
!
service-policy global_policy global
service-policy Outside-IPS-Policy interface Outside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:22033f54e5f5d2eb77a8f018b1f5443c
: end

 

0 Helpful

Go to solution
rvarelac
Level 7
Level 7
In response to Brian Beaman

‎09-04-2014 01:06 PM

Looks like the ASA is not dropping the connection , maybe the server / ISP is cutting off the connection. 

 

I would check that part first , before doing any changes on the ASA.

 

-Randy -

 

 

0 Helpful

Go to solution
Brian Beaman
Level 1
Level 1
In response to rvarelac

‎09-08-2014 08:12 AM

Is there a command to see what our PAT rule for our general public IP is translating to on the inside so I could find the devices that trustwave is actually talking to?

0 Helpful

Go to solution
rvarelac
Level 7
Level 7
In response to Brian Beaman

‎09-09-2014 09:47 AM

Hi Brian.

 

"Show xlate " is the command your looking for. 

 

Use show xlate | incl (server ip ) to filter the results and see the public/private IP.

 

Hope this helps

 

-Randy- 

0 Helpful

Go to solution
Brian Beaman
Level 1
Level 1
In response to rvarelac

‎09-08-2014 10:08 AM

Never mind I found it. I discovered that DNS had a bad record that was pointing the scan to a device that didn't exist. Thanks for the help!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card