Sorry, I was under the impression you saw the config I posted. There are only 2 interfaces on the ASA, an inside & an outside. The server & inside devices I am referring to are utilizing inside addresses from the inside interface 10.0.1.0/24. These are the IPs that I can't ping, as well as anything outside on the Internet such as 126.96.36.199
I ran captures on my server & other inside devices, pinging them and telnetting to open ports on these inside devices, while successfully connected with AnyConnect. The captures show no attempts from my AnyConnect IP address pool (10.0.2.0/24) while doing this.
Not to get off path, but I also tried AnyConnecting in from another PC which has AnyConnect client version 3.1 & got mixed results, all bad I should say. When this happened the AnyConnect client gave me an error saying the certificate on the secure gateway is not valid (something to that effect) & from the same PC/client another error saying I need to get on a web browser first & my provider is not online (something to that effect also). I was able to successfully AnyConnect to other ASAs from the same PC/client. Don't know if this helps. Not sure what else to do.
I am able to connect with the AnyConnect client version 4.5 but I'm not able to access anything inside or out. I'm trying to access my switch & server via SSH & RDP but cannot get to or ping anything. What do you think is going on?
After making a successful connection, when I try to ping any LAN resource or telnet to a port on a LAN resource I am not successful. Does the config look right? Does the version of AnyConnect work with my ASA/license? I am certainly not an expert at this, but in my mind this may be a compatibility issue with AnyConnect versions & ASA, or the config is botched. Should I try version 3.x? Here is the ASA info below...
Mario365# sh version

Cisco Adaptive Security Appliance Software Version 9.2(4)
Device Manager Version 5.2(4)

Compiled on Tue 14-Jul-15 22:19 by builders
System image file is "disk0:/asa924-k8.bin"
Config file at boot was "startup-config"

Mario365 up 1 day 21 hours

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
 Boot microcode : CN1000-MC-BOOT-2.00
 SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.06
 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
 Number of accelerators: 1

 0: Int: Internal-Data0/0 : address is c84c.7527.bcfb, irq 11
 1: Ext: Ethernet0/0 : address is c84c.7527.bcf3, irq 255
 2: Ext: Ethernet0/1 : address is c84c.7527.bcf4, irq 255
 3: Ext: Ethernet0/2 : address is c84c.7527.bcf5, irq 255
 4: Ext: Ethernet0/3 : address is c84c.7527.bcf6, irq 255
 5: Ext: Ethernet0/4 : address is c84c.7527.bcf7, irq 255
 6: Ext: Ethernet0/5 : address is c84c.7527.bcf8, irq 255
 7: Ext: Ethernet0/6 : address is c84c.7527.bcf9, irq 255
 8: Ext: Ethernet0/7 : address is c84c.7527.bcfa, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
 10: Int: Not used : irq 255
 11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has a Base license.

Serial Number: JMX1422Z1SF
Running Permanent Activation Key: hid key dont know if it should be seen?
Configuration register is 0x1
Configuration last modified by mmarquez at 00:21:20.398 UTC Wed Mar 14 2018
Here are the outputs you requested. The packet-tracer output shows I can ping from the AnyConnect subnet to the inside subnet. I always try to ping the inside gateway 10.0.1.1 once I establish an AnyConnect connection & never get a reply. As far as I know the inside interface does reply to pings. I am having an inside user try it now. I also try to ping 188.8.131.52 once a connection is established & get no reply. I can ping 184.108.40.206 normally when I am on the inside with a 10.0.1.x address.
I also tried to connect from my work laptop using AnyConnect version 3.1 but I got denied after entering my local login attempt. I assume that version 3.1 is not compatible with the .pkg file I have loaded onto the ASA & that only versions in the 4.x range would work. Is that correct?
Mario365# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
Mario365#
Mario365# packet-tracer input outside icmp 10.0.2.1 8 0 10.0.1.2 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.1.0 255.255.255.0 inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static ANYCONNECT_REMOTENET ANYCONNECT_REMOTENET no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.0.1.2/0 to 10.0.1.2/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd104c00, priority=13, domain=permit, deny=false
 hits=16076, user_data=0xca2b0e80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
 input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static ANYCONNECT_REMOTENET ANYCONNECT_REMOTENET no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.2.1/0 to 10.0.2.1/0
Forward Flow based lookup yields rule:
in id=0xccd0bbb8, priority=6, domain=nat, deny=false
 hits=0, user_data=0xc90b0758, cs_id=0x0, flags=0x0, protocol=0
 src ip/id=10.0.2.0, mask=255.255.255.0, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=outside, output_ifc=inside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbc8cfe0, priority=0, domain=nat-per-session, deny=true
 hits=523671, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc329f08, priority=0, domain=inspect-ip-options, deny=true
 hits=494425, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=outside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc3299a8, priority=66, domain=inspect-icmp-error, deny=false
 hits=111288, user_data=0xcc328fb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
 input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static ANYCONNECT_REMOTENET ANYCONNECT_REMOTENET no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0xccc5ce08, priority=6, domain=nat-reverse, deny=false
 hits=1, user_data=0xccd1df88, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 src ip/id=10.0.2.0, mask=255.255.255.0, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=outside, output_ifc=inside

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 514905, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
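A parser for the packet-tracer format quoted in the post above, added here as an example and not part of the original thread: it splits the output into phases, records the rule each phase matched, pulls the final Action, and names the first phase whose Result is DROP. The two traces are constructed samples (one abbreviated from the post's own output, one derived from it with an ACL deny); the Drop-reason line is the form the ASA prints on a denied trace.

```python
"""Parse Cisco ASA `packet-tracer ... detail` output into phases and a final verdict."""
import re
from dataclasses import dataclass, field
from typing import Optional

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
FINAL_KEYS = {"input-interface": "input_ifc", "output-interface": "output_ifc",
              "Action": "action", "Drop-reason": "drop_reason"}

@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:" (the rule that matched)
    info: list = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    action: str = "unknown"
    input_ifc: str = ""
    output_ifc: str = ""
    drop_reason: Optional[str] = None
    phases: list = field(default_factory=list)

    def blocking_phase(self) -> Optional[Phase]:
        """First phase whose Result is DROP; None when every phase allowed the packet."""
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)

def parse_packet_tracer(text: str) -> Trace:
    trace, cur, section, in_final = Trace(), None, None, False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = PHASE_RE.match(line)
        if m:                                    # "Phase: N" opens a new phase
            cur, section = Phase(int(m.group(1))), None
            trace.phases.append(cur)
        elif line == "Result:":                  # bare header opens the final verdict block
            in_final, cur = True, None
        elif in_final:                           # input-interface / output-interface / Action / Drop-reason
            key, _, val = line.partition(":")
            if key in FINAL_KEYS:
                setattr(trace, FINAL_KEYS[key], val.strip().lower() if key == "Action" else val.strip())
        elif cur is None:                        # command echo before Phase 1
            continue
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None and (m := FIELD_RE.match(line)):
            setattr(cur, {"Type": "ptype", "Subtype": "subtype", "Result": "result"}[m.group(1)], m.group(2))
        elif section:
            getattr(cur, section).append(line)
    return trace

def summarize(text: str) -> str:
    """One-line verdict: allowed, or the phase and reason that stopped the simulated packet."""
    t = parse_packet_tracer(text)
    if t.action == "allow":
        return f"allow {t.input_ifc}->{t.output_ifc} after {len(t.phases)} phases"
    p = t.blocking_phase()
    where = f"phase {p.number} {p.ptype}" if p else "final verdict"
    return f"drop at {where}: {t.drop_reason or 'no reason given'}"

# Constructed sample, abbreviated from the trace in the post above (phases 1 and 3 only).
ALLOW_TRACE = """\
Mario365# packet-tracer input outside icmp 10.0.2.1 8 0 10.0.1.2 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.0.1.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# Constructed counter-example derived from the sample above: the ACL phase denies the packet,
# which is what a trace looks like when the policy, not delivery, is the problem.
DROP_TRACE = (ALLOW_TRACE.replace("permit icmp", "deny icmp")
              .replace("Subtype: log\nResult: ALLOW", "Subtype: log\nResult: DROP")
              .replace("Action: allow", "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule"))
```

An "allow" verdict only says the configured policy would pass the packet; it is the captures on the inside hosts, as the poster ran, that show whether real packets from the pool ever arrive.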
I am trying to configure AnyConnect for an ASA 5505 running version 9.2.4. My goal is to successfully install AnyConnect so that I can log into my network from anywhere in the world. My activation key says that I can have up to 2 AnyConnect Premium peers at the same time. I found a "how to" on the link below & the .pkg file the instructions are showing displays version 2.x.x of AnyConnect for Windows, which leads me to wonder the following...
1) How can I confirm the highest version compatible with the firewall I'm using?
2) Where can I find Cisco documentation for installing AnyConnect the way I want to utilize it?
Here's the non-Cisco website instructions I found on a Google search below. Can someone please point me in the right direction? I'm new to Cisco & the support site.
Would the configuration I showed here work in gaining the same results as I mentioned with the Edgewater device?
That is, when devices on the LAN begin to generate Internet traffic they will not be able to saturate the Internet link, because class-default traffic would be capped at 80% of the overall bandwidth, leaving 20% unutilized. This means if I were to do a speed test directly connected to the ISP modem & got 10Mbps UP & 10Mbps DOWN, then I should get 8Mbps UP & 8Mbps DOWN when I do the same speed test behind the router, on a user's workstation for instance. Would the config I showed get these same results? If not, is it possible to get that effect with Cisco IOS 15.2 on a 1941 router? How does the config I showed actually work in real life?
Just some background info first. I used to install Edgewater routers on the network edge to do traffic shaping both upstream & downstream for voice. The effect of configuring traffic shaping on the Edgewater device, from the perspective of a workstation on the LAN, was that when speed tests were run on the workstation PC both the up & down speed to the Internet would be capped at 80% of the actual bandwidth, leaving 20% up & 20% down unutilized to guarantee bandwidth for voice traffic.
I am looking at some class-map & policy-map configs I got a hold of and most of it makes sense. What does not make sense on the config below is how this Cisco router can achieve the functionality I mentioned above with the Edgewater device.
Also, could someone tell me if the "priority percent 80" statement in the policy map named CL-VOICE_AND_DATA automatically compares & calculates with the "bandwidth" statement on the interface shown below, which is configured as "bandwidth 10000"? I thought the bandwidth statement was only for SNMP polling, or am I wrong?
I don't think there are other parts of the show running-config I am missing that apply to this context.
class-map match-any RATELIMIT_CLASS_1
 match access-group name VSPHERE_REPL_HOSTS
class-map match-any Voice
 match dscp ef
 match ip precedence 5
 match protocol rtp
!
policy-map CL-VOICE_AND_DATA
 class Voice
  priority percent 80
  set ip precedence 5
 class RATELIMIT_CLASS_1
  police rate percent 50 peak-rate percent 60
   conform-action transmit
   exceed-action drop
   violate-action drop
 class class-default
  fair-queue
  random-detect
  set ip precedence 0
  queue-limit 256 packets
policy-map CL-ETH-SHAPING
 class class-default
  shape average 10000000
  service-policy CL-VOICE_AND_DATA

interface GigabitEthernet0/0
 description 10M MPLS
 bandwidth 10000
 ip address 220.127.116.11 255.255.255.252
 duplex full
 speed 100
 service-policy output CL-ETH-SHAPING
Thanks Dennis. Do you perceive any potential pitfalls that could lead to no access? Also, could you explain your testing method: “test this by plugging a laptop in back to back and see if your local password works.”
My company has a multisite environment with all remote sites connecting to an MPLS cloud via point-to-point circuits. Each remote site can only connect to the Internet through our HQ datacenter via BGP & none of the remote sites has direct access to the Internet.
One of our remote sites is relocating & moving into an office with a new circuit/router & although the router & circuit configuration is pretty straightforward, I was told that I should avoid configuring TACACS+ settings until after the circuit is live & I know that I can SSH into the router, because I might have issues logging into the router. This was kind of a buzz kill to me because I currently have the router on my desk connected via a private IP directly connecting to our switch. I can currently SSH into the router using the local username & password with no problem at all even though AAA is properly configured, because my router can't access the TACACS server the way it's configured & it's defaulting to local.
My idea is that I ship the router to the new site the way it's configured below & once the circuit is turned up I should just be able to log in to the router with my TACACS creds & everything is all well and good. The only reason why I question this is because I've never configured AAA on a remote router & I remember hearing the same kind of warning from different people in the past regarding an install like this.
What are some opinions on this situation from people with experience? An office manager at the new site will power up the router & connect it to the circuit. I will not have the luxury of having a tech onsite with a laptop & console cable. Here is my config...
chisalesr2#sh run
Building configuration...

Current configuration : 4673 bytes
!
version 15.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname chisalesr2
!
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.152-3.T.bin
boot-end-marker
!
!
logging buffered 16384 informational
logging console critical
enable secret 5 $1$3nnl$ZpcI/ikt4pouXKnTTi74Q/
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
!
no ipv6 cef
!
!
!
ip dhcp excluded-address 10.222.137.1 10.222.137.30
ip dhcp excluded-address 10.223.137.1 10.223.137.30
!
ip dhcp pool DHCP_Address_LAN_Pool_New
 network 10.222.137.0 255.255.255.0
 dns-server 18.104.22.168 192.168.150.51
 netbios-name-server 22.214.171.124 192.168.150.51
 domain-name arifleet.com
 default-router 10.222.137.1
 lease 30
!
ip dhcp pool DHCP_Address_VoIP_Pool
 network 10.223.137.0 255.255.255.0
 dns-server 126.96.36.199 192.168.150.51
 default-router 10.223.137.1
!
!
no ip domain lookup
ip domain name arifleet.com
ip cef
multilink bundle-name authenticated
!
password encryption aes
!
!
license udi pid CISCO1941/K9 sn FTX161180EN
!
!
username administrator privilege 15 secret 5 $1$hP1C$5bae2E1S.N8Xj5eBYiv1e.
!
!
ip ssh time-out 20
ip ssh version 2
!
class-map match-any Voice
 match dscp ef
 match ip precedence 5
 match protocol rtp
 match access-group 20
!
policy-map CL-VOICE_AND_DATA
 class Voice
  priority percent 80
  set ip precedence 5
 class class-default
  fair-queue
  random-detect
  set ip precedence 0
  queue-limit 256 packets
!
!
!
!
!
interface Loopback0
 ip address 10.220.0.49 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description chisalessw1 p28
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.15
 description VLAN 15 Data
 encapsulation dot1Q 15
 ip address 10.222.137.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description VLAN 20 Voice
 encapsulation dot1Q 20
 ip address 10.223.137.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.222.58.6 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
router bgp 65137
 network 10.220.0.49 mask 255.255.255.255
 network 10.222.137.1 mask 255.255.255.0
 network 10.223.137.1 mask 255.255.255.0
 neighbor 10.222.58.5 remote-as 123
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip tacacs source-interface Loopback0
!
ip access-list standard RemoteUsers
 permit 188.8.131.52
 permit 10.220.112.109
 remark hosts that have access to manage devices remotely
 permit 184.108.40.206
 permit 192.168.210.96
 permit 192.168.210.91
 permit 192.168.210.95
 permit 192.168.116.224 0.0.0.31
 permit 10.222.58.240 0.0.0.15
!
logging facility local4
logging source-interface Loopback0
logging 192.168.201.23
logging 220.127.116.11
logging 192.168.152.36
access-list 20 permit 10.223.137.0 0.0.0.255
access-list 50 permit 18.104.22.168
access-list 50 permit 192.168.152.187
access-list 50 permit 10.220.112.109
!
!
snmp-server community 36crackerDD RO 50
snmp-server location Chicago
snmp-server contact IT-DataCommunications@arifleet.com
snmp-server enable traps entity-sensor threshold
tacacs-server host 192.168.210.26 key 7 15260A2F05096F012627273B41534E
tacacs-server host 192.168.210.27 key 7 012707275A28422A2F585C104B514F
tacacs-server directed-request
!
!
!
control-plane
!
!
banner login ^CC
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device.
All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement.
There is no right to privacy on this device.
^C
!
line con 0
 exec-timeout 5 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class RemoteUsers in
 exec-timeout 20 0
 transport input ssh
line vty 5 15
 access-class RemoteUsers in
 exec-timeout 20 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 22.214.171.124
!
end
Thanks Paul! I disabled STP because I got the following log....
*Mar 1 01:01:00.796: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk GigabitEthernet1/0/3 VLAN1058.
*Mar 1 01:01:00.796: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking GigabitEthernet1/0/3 on VLAN1058. Inconsistent port type.
Adding STP did not work originally, maybe because the new 3750 is connected to another managed switch/port with VLAN 1058 (untagged) & 2058 (tagged), which may have inspired the syslogs above. I added the following to the interface/uplink & have been pinging for over 5 minutes now.
interface GigabitEthernet1/0/3
 switchport access vlan 1058
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1058
Here's my config. I disabled IP routing because I am only trying to give a management IP to the device. I also disabled spanning tree on the upstream switch and can access devices fine from VLAN 1058 with my PC. Again, I can ping the switch & my PC, which is on the same subnet/VLAN, only when I unplug the switch and reconnect it. And at that I get about 10 replies, then it drops. The syslog shows interface VLAN 1058 and Gi1/0/1 up/up, then I can ping, then 10 seconds later the syslog shows them both go down and immediately back up. When they go back up I stop being able to ping the switch. When I first started configuring, the syslog gave me a VTP error for creating VLAN 1058, which I fixed, and spanning tree BPDU errors too, which I also corrected. After those 2 corrections I was then able to ping, but these are the results I'm experiencing now. This is a brand new switch by the way.
Switch#sh run
Building configuration...

Current configuration : 4416 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c3750x-48
system mtu routing 1500
!
!
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-1947457536
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1947457536
 revocation-check none
 rsakeypair TP-self-signed-1947457536
!
!
crypto pki certificate chain TP-self-signed-1947457536
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31393437 34353735 3336301E 170D3933 30333031 30303031
  33345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39343734
  35373533 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100EDD2 157040C8 48803735 703D927F 3C720144 F6B1F0D0 BE615E21 28530DF3
  8DE5632F 033C519B CDAD018F E1381750 FD517C66 0001DF94 AEC67D4F D485D7E4
  1A152131 93BE5501 D675BDB5 FAAB4CF0 5A7D09E4 6A0E17EB B464E9E6 27BF9794
  2A7D47F0 FC2BD158 748237FC EF3F87E4 50389BF4 F5164B3B A024EED1 6AA9F5C2
  BAEB0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07537769 7463682E 301F0603 551D2304 18301680 14F9C064
  58B978E4 60EBD61E 36F04A51 A8271265 63301D06 03551D0E 04160414 F9C06458
  B978E460 EBD61E36 F04A51A8 27126563 300D0609 2A864886 F70D0101 04050003
  8181001A 07BE8845 A5506D48 EEF48BF1 F4AF6EA9 2753C74E 3F0E893B E1896511
  56AB1C0B 931DDBDE 8392C2BF 03C48DE6 7205FF16 FD86F917 89AF1A4E D8457591
  E10BDEA2 9B82B9A3 2D5318BB 37DE5F43 E1419F86 B33FFF1D 670C5AB9 95C450F0
  CFAC75D1 E02C9D2F 0060A605 BCCBF336 61A14E2F 37A73BA0 8F3CE29A DF6AE0CB
  08DFF9
  quit
license boot level ipservices
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1,1058
!
!
!
!
vlan internal allocation policy ascending
!
vlan 1058
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface GigabitEthernet1/0/1
 switchport access vlan 1058
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface Vlan1058
 ip address 10.222.58.5 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
ip default-gateway 10.222.58.1
ip classless
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end
I am connecting a 3750 switch directly to another switch. The switch I am connecting to has VLAN 1058 untagged on all ports and I can access the Internet and ping the default gateway from it. It has no connection issues.
I have configured VLAN 1058 on the 3750, disabled spanning tree on all interfaces/VLANs, shut down VLAN 1, no shut down VLAN 1058/interface & configured an unused IP and the correct default gateway on VLAN 1058.
I can ping it from my PC, but the port and interface VLAN 1058 both go down after about 10 pings.
The syslogs were giving me errors and I adjusted configurations, which allowed me to ping. I also enabled IP routing but that didn't work. I even cleared the ARP cache on the core switch/router. I'm not sure what I'm doing wrong. I'm just trying to get this switch online.
What should the interface status show when troubleshooting a bad T1 serial card with a loopback plug? I had a guy disconnect the T1 cable from the router, plug in the loopback and do a show interface brief, and saw the interface in question (s0/0/0) showing UP/DOWN. I did have the guy unplug everything and when I checked again the same interface was DOWN/DOWN. I expected to see it show UP/UP with the loopback so I could run extended pings, but obviously when an interface is UP/DOWN you cannot ping the interface IP address and expect replies. Why would a serial interface show UP/DOWN with a loopback plug in the serial port? Could the loopback plug be improperly terminated, or does UP/DOWN mean something?
I have 2 ASAs that I set up which I can't ping to the LAN gateways (10.10.10.1 & 10.20.10.1) from either ASA. Both ASAs are directly connected & I set up extended access lists/groups to permit any IP inbound for the inside and the outside interfaces. When I do a show access-list I see the hit counts accrue on the ASA that I am pinging to (pinging to the LAN gateway of the ASA from the other ASA). The hit counts on the outside ACL grow by 5 every time I ping, but I'm not sure if that's because that ACL is blocking the pings or is simply seeing them. I assume hits on a hit count on an ACL that is permitting ip any any is simply showing that traffic that matches that allow rule is being seen by the ACL. In short, do hit counts on a given ACL specifically mean that the ACL is blocking the traffic specified by that ACL? Here is a config for both ASAs & the ACL hit.

access-list Primary_In line 1 extended permit ip any any (hitcnt=5)

Mario-Guitars-2#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname Mario-Guitars-2
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 126.96.36.199 255.255.255.248
!
object network net-local
 subnet 10.10.10.0 255.255.255.0
object network net-remote
 subnet 10.20.10.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 188.8.131.52 1
!
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
access-list Primary_In extended permit ip any any
!
!
access-group Primary_In in interface outside
access-group lan_in in interface inside
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 184.108.40.206
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 encr 3des
 authentication pre-share
 group 2
!
tunnel-group 220.127.116.11 type ipsec-l2l
tunnel-group 18.104.22.168 ipsec-attributes
 ikev1 pre-shared-key g0disg00d
!
Mario-Guitars-2#

____________________________________________________________________________

ciscoasa#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 22.214.171.124 255.255.255.248
!
object network net-local
 subnet 10.20.10.0 255.255.255.0
object network net-remote
 subnet 10.10.10.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1
!
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
access-list Primary_In extended permit ip any any
!
!
access-group Primary_In in interface outside
access-group lan_in in interface inside
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 188.8.131.52
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 encr 3des
 authentication pre-share
 group 2
!
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
 ikev1 pre-shared-key g0disg00d
!
ciscoasa#
Both PCs are able to ping their own gateway. One PC is on VLAN 2, the other on VLAN 3. I also attached the topology. The funny thing is everything was pinging with no access lists/groups, & at some point I restarted GNS3 & it never worked after that. That's when I made this post. I reverted back to the config I ran prior to it breaking, still nothing. The ASA is doing QEMU from my laptop, no VM. I have Windows 10, so I'm not sure if the issue is due to my GNS3 setup or maybe the ASA image itself is corrupt. It seems like I can save everything, and entering commands has been an issue up to this point. Perhaps I'm just another horror story running ASA QEMU on Windows 10. I just don't know. I also pasted a copy of the boot-up output, which I do see errors on.

Mario-Guitar-Shop-HQ# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname Mario-Guitar-Shop-HQ
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 18.104.22.168 255.255.255.248
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface GigabitEthernet1.2
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1.3
 vlan 3
 nameif vlan3
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif wireless
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
access-list VLAN-2-IN extended permit icmp any any echo
access-list VLAN-2-IN extended permit icmp any any echo-reply
access-list VLAN-2-IN extended permit ip any any
access-list VLAN-3-IN extended permit icmp any any echo
access-list VLAN-3-IN extended permit icmp any any echo-reply
access-list VLAN-3-IN extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu vlan2 1500
mtu vlan3 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group VLAN-2-IN in interface vlan2
access-group VLAN-3-IN in interface vlan3
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 7200
!
dhcpd address 10.20.10.11-10.20.10.100 inside
dhcpd dns 10.20.10.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.10-192.168.10.100 wireless
dhcpd dns 192.168.10.1 interface wireless
dhcpd enable wireless
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email firstname.lastname@example.org
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:454258ae9a77bdf6d523f589a3f1a682
: end
Mario-Guitar-Shop-HQ#
____________________________________________________________________________
Initializing cgroup subsys cpu
Linux version 22.214.171.124 (builders@bld-releng-05a) (gcc version 4.3.4 (crosstool-NG-1.5.0) ) #1 PREEMPT Wed Jun 15 17:19:01 MDT 2011
KERNEL supported cpus:
  Intel GenuineIntel
  AMD AuthenticAMD
  NSC Geode by NSC
  Cyrix CyrixInstead
  Centaur CentaurHauls
  Transmeta GenuineTMx86
  Transmeta TransmetaCPU
  UMC UMC UMC UMC
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
 BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
 BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
 BIOS-e820: 0000000000100000 - 000000003ffe0000 (usable)
 BIOS-e820: 000000003ffe0000 - 0000000040000000 (reserved)
 BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
last_pfn = 0x3ffe0 max_arch_pfn = 0x100000
RAMDISK: 3e985000 - 3ffef637
Allocated new RAMDISK: 003a1000 - 01a0b637
Move RAMDISK from 000000003e985000 - 000000003ffef636 to 003a1000 - 01a0b636
615MB HIGHMEM available.
407MB LOWMEM available.
  mapped low ram: 0 - 197fe000
  low ram: 00000000 - 197fe000
  bootmap 00001000 - 00004300
(7 early reservations) ==> bootmem [0000000000 - 00197fe000]
  #0 [0000000000 - 0000001000]   BIOS data page ==> [0000000000 - 0000001000]
  #1 [0000100000 - 000039ed10]    TEXT DATA BSS ==> [0000100000 - 000039ed10]
  #2 [000039f000 - 00003a1000]    INIT_PG_TABLE ==> [000039f000 - 00003a1000]
  #3 [000009fc00 - 0000100000]    BIOS reserved ==> [000009fc00 - 0000100000]
  #4 [0000007000 - 0000008000]          PGTABLE ==> [0000007000 - 0000008000]
  #5 [00003a1000 - 0001a0b637]      NEW RAMDISK ==> [00003a1000 - 0001a0b637]
  #6 [0000001000 - 0000005000]          BOOTMAP ==> [0000001000 - 0000005000]
Zone PFN ranges:
  DMA      0x00000000 -> 0x00001000
  Normal   0x00001000 -> 0x000197fe
  HighMem  0x000197fe -> 0x0003ffe0
Movable zone start PFN for each node
early_node_map active PFN ranges
    0: 0x00000000 -> 0x0000009f
    0: 0x00000100 -> 0x0003ffe0
Allocating PCI resources starting at 50000000 (gap: 40000000:bffc0000)
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 259967
Kernel command line: ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536 ide1=noprobe no-hlt
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
PID hash table entries: 2048 (order: 11, 8192 bytes)
Fast TSC calibration using PIT
Detected 999.979 MHz processor.
Console: colour dummy device 80x25
console [ttyS0] enabled
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
allocated 5242240 bytes of page_cgroup
please try cgroup_disable=memory option if you don't want
Memory: 745612k/1048448k available (1715k kernel code, 301528k reserved, 623k data, 156k init, 630664k highmem)
virtual kernel memory layout:
    fixmap  : 0xfffed000 - 0xfffff000   (  72 kB)
    pkmap   : 0xff800000 - 0xffc00000   (4096 kB)
    vmalloc : 0xf7ffe000 - 0xff7fe000   ( 120 MB)
    lowmem  : 0xde000000 - 0xf77fe000   ( 407 MB)
      .init : 0xde34c000 - 0xde373000   ( 156 kB)
      .data : 0xde2acca6 - 0xde348938   ( 623 kB)
      .text : 0xde100000 - 0xde2acca6   (1715 kB)
Checking if this processor honours the WP bit even in supervisor mode...Ok.
Calibrating delay loop (skipped), value calculated using timer frequency.. 1999.95 BogoMIPS (lpj=999979)
Security Framework initialized
Mount-cache hash table entries: 512
Initializing cgroup subsys cpuacct
Initializing cgroup subsys memory
CPU: L1 I Cache: 64K (64 bytes/line), D cache 64K (64 bytes/line)
CPU: L2 Cache: 512K (64 bytes/line)
Intel machine check architecture supported.
Intel machine check reporting enabled on CPU#0.
CPU: AMD QEMU Virtual CPU version 2.1.0 stepping 03
Checking 'hlt' instruction... disabled
Freeing SMP alternatives: 0k freed
net_namespace: 668 bytes
NET: Registered protocol family 16
PCI: PCI BIOS revision 2.10 entry at 0xfd456, last bus=0
PCI: Using configuration type 1 for base access
bio: create slab <bio-0> at 0
PCI: Probing PCI hardware
pci 0000:00:01.3: quirk: region 0600-063f claimed by PIIX4 ACPI
pci 0000:00:01.3: quirk: region 0700-070f claimed by PIIX4 SMB
pci 0000:00:01.0: PIIX/ICH IRQ router [8086:7000]
NET: Registered protocol family 2
IP route cache hash table entries: 16384 (order: 4, 65536 bytes)
TCP established hash table entries: 65536 (order: 7, 524288 bytes)
TCP bind hash table entries: 65536 (order: 6, 262144 bytes)
TCP: Hash tables configured (established 65536 bind 65536)
TCP reno registered
NET: Registered protocol family 1
Unpacking initramfs... done
Freeing initrd memory: 22953k freed
platform rtc_cmos: registered platform RTC device (no PNP device found)
Machine check exception polling timer started.
highmem bounce pool size: 64 pages
HugeTLB registered 4 MB page size, pre-allocated 0 pages
bigphysarea: Allocated 65536 pages at 0xe0400000.
msgmni has been set to 271
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
pci 0000:00:00.0: Limiting direct PCI/PCI transfers
pci 0000:00:01.0: PIIX3: Enabling Passive Release
pci 0000:00:01.0: Activating ISA DMA hang workarounds
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
loop: module loaded
pcnet32.c:v1.35 21.Apr.2008 email@example.com
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <firstname.lastname@example.org>
Uniform Multi-Platform E-IDE driver
ide_generic: enforcing probing of I/O ports upon user request
ide: forcing hda as a disk (980/16/32)
hda: QEMU HARDDISK, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
ide-gd driver 1.18
hda: max request size: 512KiB
hda: 1048576 sectors (536 MB) w/256KiB Cache, CHS=980/16/32
hda: cache flushes supported
 hda: hda1
TCP cubic registered
NET: Registered protocol family 17
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
802.1Q VLAN Support v1.8 Ben Greear <email@example.com>
All bugs added by David S. Miller <firstname.lastname@example.org>
TIPC: Activated (version 1.6.4 compiled Jun 15 2011 17:18:15)
NET: Registered protocol family 30
TIPC: Started in single node mode
Using IPI Shortcut mode
Freeing unused kernel memory: 156k freed
Write protecting the kernel text: 1716k
Write protecting the kernel read-only data: 504k
Starting kernel event manager...
Loading hardware drivers...
Intel(R) PRO/1000 Network Driver - version 7.3.21-k3-NAPI
Copyright (c) 1999-2006 Intel Corporation.
e1000 0000:00:03.0: found PCI INT A -> IRQ 11
e1000: 0000:00:03.0: e1000_probe: (PCI:33MHz:32-bit) 00:00:ab:28:f5:00
e1000: eth0: e1000_probe: Intel(R) PRO/1000 Network Connection
e1000 0000:00:04.0: found PCI INT A -> IRQ 11
e1000: 0000:00:04.0: e1000_probe: (PCI:33MHz:32-bit) 00:00:ab:cc:5e:01
e1000: eth1: e1000_probe: Intel(R) PRO/1000 Network Connection
e1000 0000:00:05.0: found PCI INT A -> IRQ 10
pci 0000:00:01.3: IRQ routing conflict: have IRQ 9, want IRQ 10
e1000: 0000:00:05.0: e1000_probe: (PCI:33MHz:32-bit) 00:00:ab:7d:2c:02
e1000: eth2: e1000_probe: Intel(R) PRO/1000 Network Connection
e1000 0000:00:06.0: found PCI INT A -> IRQ 10
e1000: 0000:00:06.0: e1000_probe: (PCI:33MHz:32-bit) 00:00:ab:1d:4f:03
e1000: eth3: e1000_probe: Intel(R) PRO/1000 Network Connection
e100: Intel(R) PRO/100 Network Driver, 3.5.23-k6-NAPI
e100: Copyright(c) 1999-2006 Intel Corporation
loaded.
Initializing random number generator... done.
Starting network...
device eth0 entered promiscuous mode
device eth1 entered promiscuous mode
device eth2 entered promiscuous mode
device eth3 entered promiscuous mode
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
e1000: eth2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
e1000: eth3 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 128 files, 100/65499 clusters
dosfsck(/dev/hda1) returned 0
FAT: "posix" option is obsolete, not supported now
TIPC: Started in network mode
TIPC: Own node address <1.1.1>, network identity 1234
TIPC: Enabled bearer <eth:tap0>, discovery domain <1.1.0>, priority 10
msrif: module license 'Cisco Systems, Inc' taints kernel.
msrif module loaded.
Clocksource tsc unstable (delta = 132008317 ns)
Starting Likewise Service Manager
Processor memory 650117120, Reserved memory: 62914560
WARNING: LINA Monitor notification queue not created No such file or directory
IMAGE ERROR: An error occurred when reading the controller type
Total NICs found: 4
secstore_buf_fill: Error reading secure store - buffer 0xddfffb18, size 0x14
key_nv_init: read returned error 1, len 129
L4TM: Unknown ASA Model
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 10             perpetual
Total UC Proxy Sessions           : 10             perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual

This platform has an ASA 5520 VPN Plus license.

Cisco Adaptive Security Appliance Software Version 8.4(2)

_le_open: fd:4, name:eth0
---Device eth0 (fd: 4) opened succesful!
_le_open: fd:8, name:eth1
---Device eth1 (fd: 8) opened succesful!
_le_open: fd:9, name:eth2
---Device eth2 (fd: 9) opened succesful!
_le_open: fd:10, name:eth3
---Device eth3 (fd: 10) opened succesful!

                ****************************** Warning *******************************
  This product contains cryptographic features and is subject to United States and local country laws governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute, or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return the enclosed items immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to email@example.com.
                ******************************* Warning *******************************

Copyright (c) 1996-2011 by Cisco Systems, Inc.

                Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

ERROR: Flash datafile is corrupt. Found magic number 0x0, but expected to find 0x1234567a. Ignoring the rest of the file
Reading from flash...
!!.
Crashinfo is NOT enabled on Full Distribution Environment
*** Output from config line 107, "crashinfo save disable"
Cryptochecksum (unchanged): 454258ae 9a77bdf6 d523f589 a3f1a682
COREDUMP UPDATE: open message queue fail: No such file or directory/2
Type help or '?' for a list of available commands.
Julio, are the access rules you listed usually necessary? Is it hit or miss depending on the ASA version? I am trying to lab this out in GNS3 1.0.3 & had the devices on different VLANs pinging each other without the commands. I restarted the lab & I cannot ping. I copy-pasted the commands & could not get it to work, even closing GNS3 & reopening the program. I know that sometimes ASA 8.4 can be a pain in GNS3, so I'm not sure what the problem is. I checked that the config was saved and everything. I'm starting to lose faith in ASA 8.4/GNS3. The commands you gave seem to make sense to me. They are all permit ingress to each VLAN.
I just sat through a teaching where the instructor gave an example of a security issue & how to resolve it. A server on a LAN behind an ASA had 350 IP addresses attempting to SSH into it overnight (brute-force attack). The instructor then checked the ingress ACL on the WAN interface & he found a Permit Any eq SSH rule in the ACL (which was the problem). His solution was to create a Network Object & he put the 350 addresses into it. He told us it was too cumbersome to add 350 Deny rules, one for each address, in the ACL, which I agreed with. He proceeded to add a Permit rule for one address (126.96.36.199), which is the remote management IP (wouldn't want to block support), & a Deny rule for the Network Object containing the 350 addresses. Here is my issue... 1) Doesn't an ACL have an Implicit Deny at the bottom? If so, wouldn't it be sufficient to just have your allow rule for the remote support IP (188.8.131.52) & nothing else? The Implicit Deny would take care of denying the 350 addresses or any other address not specified with a permit rule, correct? I included a snapshot of the PuTTY session which shows everything I mentioned in this post. I sure could use some help because I am pretty confused about Deny rules in an ACL, being that there is already an Implicit Deny.
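As an added example (mine, not from the post above or from the instructor), here is what the two approaches look like as an ASA 8.3+ outside ACL, written so the difference is visible with packet-tracer. An ASA ACL is evaluated top to bottom, first match wins, and anything unmatched hits the implicit deny at the end, so a deny group only does work while a broader permit sits below it. Every address here is a documentation address I made up: 203.0.113.10 stands in for the support host, 10.0.1.10 is assumed to be the server's inside address, statically translated to 203.0.113.20, and 198.51.100.0/24 stands in for the sources seen brute-forcing overnight. Because post-8.3 ACLs match the real (untranslated) destination, the ACL names 10.0.1.10 while packet-tracer is given the address the packet actually arrives with on the outside interface.

```cisco
! ---- Assumed topology (constructed for this example) ----
object network SRV-SSH
 host 10.0.1.10
 nat (inside,outside) static 203.0.113.20
!
! ---- Variant A: the instructor's shape, a blocklist above a broad permit ----
! Only three of the 350 hosts are shown; the real list is not on the page.
object-group network SSH-BRUTEFORCE-SRC
 network-object host 198.51.100.7
 network-object host 198.51.100.8
 network-object host 198.51.100.9
!
access-list OUTSIDE_IN_A remark first match wins, evaluated top to bottom
access-list OUTSIDE_IN_A extended deny tcp object-group SSH-BRUTEFORCE-SRC host 10.0.1.10 eq ssh
access-list OUTSIDE_IN_A extended permit tcp host 203.0.113.10 host 10.0.1.10 eq ssh
access-list OUTSIDE_IN_A extended permit tcp any host 10.0.1.10 eq ssh
! (implicit deny ip any any at the end; never reached for SSH because of line 3)
!
! ---- Variant B: default deny, no broad permit, so no blocklist is needed ----
access-list OUTSIDE_IN_B remark only the support host is permitted, everything else hits the implicit deny
access-list OUTSIDE_IN_B extended permit tcp host 203.0.113.10 host 10.0.1.10 eq ssh
!
! Apply one of the two to the outside interface (B here).
access-group OUTSIDE_IN_B in interface outside
!
! ---- Verification, exec mode. Three sources: a listed attacker, the support
! ---- host, and a source that is NOT in the group (the 351st attacker).
! packet-tracer input outside tcp 198.51.100.7  40000 203.0.113.20 22
! packet-tracer input outside tcp 203.0.113.10  40000 203.0.113.20 22
! packet-tracer input outside tcp 198.51.100.99 40000 203.0.113.20 22
!
! With OUTSIDE_IN_A applied the three traces end: drop, allow, allow.
! With OUTSIDE_IN_B applied they end:             drop, allow, drop.
!
! show access-list OUTSIDE_IN_B    (hitcnt per line shows which entries are matching)
```

The third trace is the one that matters: with the blocklist shape, any source not yet on the list still reaches the server on 22/tcp, so the list has to be maintained forever. With the default-deny shape the implicit deny covers all 350 addresses and every future one, and the only entry to maintain is the permit for the support host.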
I am trying to get a lab going in GNS3. I created 2 subinterfaces (VLAN 2 & 3) with the intention of running a Cisco switch, having one PC on one VLAN & one PC on the other. I learned that there are no Cisco switches in GNS3 (whatever..). Anyway, I just created two interfaces with IP addresses (LANs) and connected 2 PCs directly to the ASA to fulfill my goals. My problem is I cannot ping from PC1 to PC2. Both PCs can ping their own gateways, and I added the command "same-security-traffic permit intra-interface", which I was led to believe would allow both networks to talk. I know ASA on GNS3 is hit or miss, so I've rebooted/started all devices after writing the commands, which has not worked. Would appreciate some help. Here is my config...

Mario-Guitar-Shop-HQ# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname Mario-Guitar-Shop-HQ
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 184.108.40.206 255.255.255.248
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface GigabitEthernet1.2
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1.3
 vlan 3
 nameif vlan3
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif wireless
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
pager lines 24
mtu outside 1500
mtu inside 1500
mtu vlan2 1500
mtu vlan3 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 7200
!
dhcpd address 10.20.10.11-10.20.10.100 inside
dhcpd dns 10.20.10.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.10-192.168.10.100 wireless
dhcpd dns 192.168.10.1 interface wireless
dhcpd enable wireless
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email firstname.lastname@example.org
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2c391b206dfd8073446c7b05db3d6b73
: end
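An added example, not from any of the posts in this thread, covering the PC1-to-PC2 question in this post, the later one with the VLAN-2-IN/VLAN-3-IN access lists, and the question to Julio: all three configs have vlan2 and vlan3 at security-level 100 and only "same-security-traffic permit intra-interface". On the ASA, intra-interface covers traffic that enters and leaves the same interface (hairpinning); traffic between two different interfaces at the same security level is dropped by default until "same-security-traffic permit inter-interface" is configured, and an ingress ACL does not substitute for that command. The interface addresses below are the ones in the posted config; the two PC addresses (10.0.0.10 and 192.168.1.10) are assumed.

```cisco
! Sub-interfaces as posted: both at security-level 100.
interface GigabitEthernet1.2
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1.3
 vlan 3
 nameif vlan3
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! intra-interface: same interface in and out (hairpin, e.g. VPN client to VPN client).
! inter-interface: different interfaces at the same level (vlan2 <-> vlan3). This is
! the line the posted configs do not have.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
!
! Make ICMP stateful so the echo-reply is matched to the outgoing echo and does not
! have to be separately permitted on the return interface.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Optional ingress ACLs. Once an ACL is applied to an interface, its implicit deny
! replaces the security-level default for everything not listed, so keep them
! scoped rather than "permit ip any any" when you tighten them later.
access-list VLAN-2-IN extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VLAN-3-IN extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-group VLAN-2-IN in interface vlan2
access-group VLAN-3-IN in interface vlan3
!
! ---- Verification, exec mode, before blaming GNS3 or the image ----
! show run same-security-traffic
!     (both lines must be present)
! packet-tracer input vlan2 icmp 10.0.0.10 8 0 192.168.1.10
!     (the last lines must read "Action: allow"; if a phase reports "drop",
!      that phase names what is blocking the flow)
! show interface vlan2 | include packets input
! show interface vlan3 | include packets output
!     (confirm the echo actually enters vlan2 and leaves vlan3)
```

packet-tracer runs the packet through the real routing, ACL and same-security checks without needing the PCs at all, so if it reports "allow" and the PCs still cannot ping, the problem is outside the ASA policy (the GNS3 links, the PC default gateways, or the emulated image, which the boot log in the later post shows complaining about flash and the controller type).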