Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Security plus license for ASA5505 (SOLVED)

Hi Y'all,

I have Cisco ASA5505 8.2(5) connected with Cisco 5520 8.2(1) via IPSEC tunnel, I was able to SSH from the inside 5520 to inside IP of the asa5505. but I after I upgrade the license to security plus at 5505 I lost the SSH and ASDM to inside IP of 5505 from the inside network of the 5520. however I still can use SSH and ASDM on outside IP of 5505.

I did a lot of testing to make it work but I couldn't I added SSH 0.0.0.0/0 inside and outside also I added acl on both interfaces. when I did a trace on the outside interface from the private network of 5520 to 5505 inside IP I got IPSEC spoofed

by the way that trace only works with security plus because I try to test on all my other firewalls 8.2(5) it shows nothing

and all my firewalls can accessed from the private network 5520 except the one with the security plus!

Any one face like a such problem.? any idea?

BR

Mike

Everyone's tags (3)
11 REPLIES
Cisco Employee

Security plus licnense for ASA5505

pls share the config

Community Member

Security plus licnense for ASA5505

Here You go, I'm usign ISP2 as a outside because ISP1 we disconnect it

here u go

: Saved
:
ASA Version 8.2(5)
!

names
name X.X.X.X ISP1subnet
name 192.168.13.0 ISP1VPN
name 192.168.14.0 ISP2VPN
name 172.25.13.4 File-Server
name 172.25.3.0 Fibertown_Private
name 208.85.40.0 pandora-subnet
name 208.80.52.0 streamtheworld-subnet
!
interface Ethernet0/0
switchport access vlan 5
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif ISP1
security-level 0
ip address X.X.X.X 255.255.255.192
no pim
!
interface Vlan2
  nameif ISP2
security-level 0
ip address Y.Y.Y.Y 255.255.255.240
no pim
!
interface Vlan3
no forward interface Vlan5
nameif wguest
security-level 90
ip address 192.168.1.1 255.255.255.0
!
interface Vlan5
  nameif inside
security-level 100
ip address 172.25.13.1 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive

dns domain-lookup inside
dns server-group DefaultDNS
name-server File-Server
domain-name ZZZZZZZZZ
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_3
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
access-list DDDDDDDD-vpn-isp1_splitTunnelAcl standard permit 172.25.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.13.0 255.255.255.0 ISP1VPN 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.13.0 255.255.255.0 Fibertown_Private 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.13.0 255.255.255.0 ISP2VPN 255.255.255.128
access-list DDDDDDDD-vpn-isp2_splitTunnelAcl standard permit 172.25.13.0 255.255.255.0
access-list ISP1_access_in remark permit ping over ISP1 network
access-list ISP1_access_in extended permit icmp any ISP1subnet 255.255.255.192 object-group DM_INLINE_ICMP_1
access-list ISP1_access_in remark permit ping over ISP1 network
access-list ISP2_access_in remark permit ping over ISP2 network
access-list ISP2_access_in extended permit icmp any Y.Y.Y.Y 255.255.255.248 object-group DM_INLINE_ICMP_2
access-list ISP2_access_in remark permit ping over ISP2 network
access-list wguest_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list DDDDDDDDD-vpn-isp2_splitTunnelAcl_1 standard permit 172.25.13.0 255.255.255.0
access-list wguest_mpc extended permit ip any any
access-list wguest_access_in extended deny ip any pandora-subnet 255.255.248.0
access-list wguest_access_in extended deny ip any streamtheworld-subnet 255.255.252.0
access-list wguest_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list ISP2_access_in_1 remark permit ping over ISP1 network
access-list ISP2_access_in_1 extended permit icmp any Y.Y.Y.Y 255.255.255.240 object-group DM_INLINE_ICMP_3
access-list ISP2_1_cryptomap extended permit ip 172.25.13.0 255.255.255.0 Fibertown_Private 255.255.255.0
pager lines 24
logging enable
logging monitor warnings
logging trap notifications
logging asdm notifications
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305006
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 172.25.3.53 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu ISP1 1500
mtu wguest 1500
mtu inside 1500
mtu ISP2 1500
ip local pool DDDDDDDDDD-vpn-isp1 192.168.13.10-192.168.13.90 mask 255.255.255.0
ip local pool DDDDDDDDDD-vpn-isp2 192.168.14.10-192.168.14.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat-control
global (ISP1) 1 interface (EVEN I removed this but no success)
global (ISP2) 1 interface
nat (wguest) 1 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.25.13.0 255.255.255.0
access-group ISP1_access_in in interface ISP1
access-group wguest_access_in in interface wguest
access-group ISP2_access_in_1 in interface ISP2
route ISP2 0.0.0.0 0.0.0.0 Y.Y.Y.Y 128 track 102
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host File-Server
key *****
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 ISP1
http 0.0.0.0 0.0.0.0 ISP2
snmp-server host inside 172.25.3.52 community ***** version 2c
snmp-server host inside 172.25.3.53 poll community ***** version 2c
snmp-server location DDDDDDDD
snmp-server contact MR.Uknown
snmp-server community *****
snmp-server enable traps snmp linkup linkdown coldstart
snmp-server enable traps entity config-change
snmp-server enable traps remote-access session-threshold-exceeded
sla monitor 102
type echo protocol ipIcmpEcho 8.8.8.8 interface ISP2
sla monitor schedule 102 life forever start-time now
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ISP2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ISP2_map0 1 match address ISP2_1_cryptomap
crypto map ISP2_map0 1 set pfs group1
crypto map ISP2_map0 1 set peer S.S.S.S
crypto map ISP2_map0 1 set transform-set ESP-3DES-SHA
crypto map ISP2_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ISP2_map0 interface ISP2
crypto isakmp enable ISP1 (Disabled this too)
crypto isakmp enable ISP2
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 102 rtr 102 reachability
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 ISP1
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 ISP2
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config inside
dhcpd option 3 ip 172.25.13.1
!
dhcpd address 192.168.1.10-192.168.1.200 wguest
dhcpd dns S.S.S.S 8.8.8.8 interface wguest
dhcpd option 3 ip 192.168.1.1 interface wguest
dhcpd enable wguest
!
dhcpd address 172.25.13.20-172.25.13.240 inside
dhcpd dns S.S.S.S S.S.S.S interface inside
dhcpd domain ZZZZZZZZZ interface inside
dhcpd option 3 ip 172.25.13.1 interface inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

webvpn
group-policy DDDDDDDDDD-vpn-isp2 internal
group-policy DDDDDDDDDD-vpn-isp2 attributes
dns-server value 172.25.13.4 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DDDDDDDDDD-vpn-isp2_splitTunnelAcl_1
default-domain value ZZZZZZZZZZZZZ
group-policy DDDDDDD-vpn-isp1 internal
group-policy DDDDDDD-vpn-isp1 attributes
dns-server value 172.25.13.4 S.S.S.S
vpn-simultaneous-logins 20
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DDDDDDDDD-vpn-isp1_splitTunnelAcl
default-domain value ZZZZZZZZZZZZZ
tunnel-group DDDDDDD-vpn-isp1 type remote-access
tunnel-group DDDDDDD-vpn-isp1 general-attributes
address-pool DDDDDDD-vpn-isp1
authentication-server-group vpn LOCAL
default-group-policy DDDDDDD-vpn-isp1
password-management
tunnel-group DDDDDDD-vpn-isp1 ipsec-attributes
pre-shared-key *****
tunnel-group DDDDDDD-vpn-isp2 type remote-access
tunnel-group DDDDDDD-vpn-isp2 general-attributes
address-pool DDDDDDD-vpn-isp2
authentication-server-group vpn
default-group-policy DDDDDDD-vpn-isp2
tunnel-group DDDDDDD-vpn-isp2 ipsec-attributes
pre-shared-key *****
tunnel-group S.S.S.S type ipsec-l2l
tunnel-group S.S.S.S ipsec-attributes
pre-shared-key *****
!
class-map wguest-class
description bandwidth limit for Wguest
match access-list wguest_mpc
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all htp
class-map qos
match port tcp eq https
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 4096
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rtsp
  inspect sqlnet
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
  inspect rsh
class global-class
  flow-export event-type all destination 172.25.3.53
policy-map wguest-policy
class wguest-class
  police input 307000 1500
  police output 307000 1500
!
service-policy global_policy global
service-policy wguest-policy interface wguest


Community Member

Security plus licnense for ASA5505

any Idea?

Cisco Employee

Security plus licnense for ASA5505

Can't see why you are not able to SSH to the inside interface if the VPN tunnel is UP.

Can you ping 172.25.13.1 from the remote LAN?

Is the VPN tunnel up?

Can you share the output of:

show cry isa sa

show cry ipsec sa

And can you share the config from the remote ASA.

Community Member

Security plus licnense for ASA5505

Tunnel up and all my tunnels up and running, I can ping 13.1 and everything working as expected except I cant access my firewall via 172.25.13.1. Will share the sh crypt commands when I back to office

Mike

Cisco Employee

Security plus licnense for ASA5505

Pls share config on the other end too, and ensure there is no ACL that might be blocking the SSH/HTTP access.

Security plus licnense for ASA5505

Hello,

Please share the following commands:

-   show asp table socket

- capture asp type asp-drop all circular-buffer

Then try to connect to the ASA on the inside interface across the VPN tunnel and:

share the following output

          -show cap asp

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: Security plus licnense for ASA5505

ok, I can ssh and 443 172.25.13.6 its an AP and I can do anything with the subnet 172.25.13.0 except the .1

here some info below and about the main ASA it has alot of conf and private I can't paste here and I checked it 5 times nothing wrong and the configuration same as other working tunnels.

Protocol  Socket    Local Address               Foreign Address         State

SSL       0002837f  172.25.13.1:443             0.0.0.0:*               LISTEN

TCP       000dcb4f  172.25.13.1:22              0.0.0.0:*               LISTEN

SSL       05e6b4af  Y.Y.48.163:443           0.0.0.0:*               LISTEN

TCP       05ec59cf  Y.Y.48.163:22            0.0.0.0:*               LISTEN

TCP       39f86018  Y.Y.48.163:22            X.X.106.6:53166      ESTAB

I attached two txt files  5520.txt captured the 172.25.3.52 putty client and 172.25.13.1 as you will see there are some packets for netflow and ssh

5505.txt is for droped packet and nothing there. I configured to capture 13.1 and 3.52 on 5505 it return no data either weird or I did somthing wrong

Mike

----------------------------

Community Member

Re: Security plus licnense for ASA5505

Ok, because I have another ISP and this went away today, I did another test. I use the ISP1 on vlan 1 and everything works normally I just creat the tunnel on that ISP and default route on it. but when I switch back to ISP2 with vlan 2 the problem happened, any limitation on vlan with accessing the fw for managment ?

Community Member

Re: Security plus licnense for ASA5505

Finally I fix it,

I run the command no managment-access inside and thats make the ping to the 13.1 stops and no ssh and 443, then I rerun the command again managment-access inside, and that did the trick.

I have no clue what was that and why this happened on ISP2 only and after applying the new licnese.

Thank you folks

Re: Security plus licnense for ASA5505

Hello,

Thank you for let us know the resolution,

Yeah a weird behave of the ASA on this scenario.

Please mark the question as answered so future users having the same issue can learn from your answer.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
2237
Views
0
Helpful
11
Replies
CreatePlease to create content