Cisco Firewall :: ASA 5505 9.0(2) Traceroute Not Working
Apr 16, 2013
There is an issue with traceroute from an ASA 5505 with 9.0(2). Here is the running configuration [code] With this running configuration, from the LAN a traceroute to a public IP is working fine. But once I traceroute from the LAN 192.168.225.x to the corporate networks via the IPSec L2L tunnel, it does not show any hop at all; even the inside interface of the ASA does not show in the traceroute.
View 4 Replies
Oct 15, 2012
We have an ASA 5505 and a 5510 that we are using site-to-site. I need to traceroute from the 5505 to the 5510, from the outside interfaces. I don't want to do this through the site-to-site. I have temporarily added a few ACLs on the outside interfaces:
-access-list outside_in extended permit icmp any any unreachable
-access-list outside_in extended permit icmp any any time-exceeded
-access-list outside_in extended permit icmp any any echo-reply
When I traceroute it only goes one hop. Maybe that's the way it's supposed to be? I need to know all the hops between the outside interface on the 5505 and the outside interface on the 5510.
View 1 Replies
May 17, 2011
My setup is:
Source--- Router 1 ( ip 1.1.1.1) --ACE---router---cloud---customer---router--destination( ip 99.99.99.99).
Traceroute from client to destination shows the following:
traceroute 99.99.99.99
traceroute to 99.99.99.99 (99.99.99.99), 30 hops max, 40 byte packets
1 1.1.1.1 (1.1.1.1) 1.10 ms 1.78 ms
2 99.99.99.99 (99.99.99.99) 1.01 ms 1.97 ms 2.511 ms
3 99.99.99.99 (99.99.99.99) 2.01 ms * 99.99.99.99 (99.99.99.99) 2.330 ms
[code]....
So on this, the destination is 99.99.99.99. The first hop is the default gateway, which is 1.1.1.1. After that, the next step is the Cisco ACE. After that there are several hops to the destination. Looks like for some reason the Cisco ACE is not recording its IP. (For any destination the traceroute result is the same.) ICMP is allowed in the access list and there is also ICMP inspect in my config.
access-list ICMP line 10 extended permit icmp any
class-map type management match-any abc
201 match protocol ssh source-address X.X.0.0 x.x.0.0
class-map match-all ICMP_allow
2 match access-list ICMP
[code]....
The version running on the ACE is A2(3.3).
View 1 Replies
Nov 6, 2011
I have been searching to find out how to allow traceroute from an inside host to an outside IP address. I have found a few articles for IOS versions prior to 8.4 but nothing for 8.4. I can traceroute from the CLI of the 5510 just fine, but from a Windows host on the inside network all I get is "Request timed out".
View 1 Replies
Oct 31, 2011
I've got an annoying problem with my ASA 5520. I have traffic going from the inside interface (security level 100) to the outside interface (security level 0) with a global PAT applied to the outside interface address for all inside traffic, and I can't seem to traceroute through the firewall. The ruleset is simple: basically, allow any IP from inside to outside. The NAT is simple: PAT all traffic, unless exempted, to the IP address of the outside interface. If I do the trace from my internet edge router it works fine, so I know it's not something my uplinks are filtering, but if I do it through the firewall, I get perfect responses until the hop where it hits the firewall interface, then nothing. Is there something I am missing that I need to do to allow traceroute to just work with all the rest of the traffic?
View 2 Replies
Mar 12, 2013
I've read through netpro and found everyone points to this doc.
[url]....
However, that still doesn't allow traceroute through for us. We still see syslogs with denies on random high UDP ports to different Internet destinations.
[code]....
View 2 Replies
Jul 12, 2011
To show up the ASA as a hop in a traceroute, one can use the 'set connection decrement-ttl' feature in a policy map. During my tests I recognized that this behaviour only affects IPv4 traffic.
An IPv6 traceroute still does not show the ASA as a hop. How can I configure the ASA to show up as a hop in an IPv6 traceroute? The ASA is a 5520 with v8.4(1) installed.
View 7 Replies
Jun 2, 2012
I recently acquired a used ASA 5505 and have encountered issues with getting the PoE output on ports 6 & 7 working. These two PoE ports are behaving like all the other ports (100 Mbit, VLAN 1). Per the best I could Google, I made sure all relevant ports are set to "auto" for duplex and link speed. Again, the ports do work for data, just not PoE. The LEDs light up OK.
I've tested four different working devices that can be powered off PoE with it, and all failed to power up using a straight-thru Ethernet cable connected to ports 6 & 7.
Ubiquiti PicoStation M2
MikroTik OmniTik
MikroTik RB450G
MikroTik RB433
What should I do to get PoE working? Is it a defective unit?
: Saved
: Written by enable_15 at 18:56:43.926 CDT Sun Jun 3 2012
!
ASA Version 8.4(4)
[Code].....
View 1 Replies
May 20, 2013
I'm trying to set up my 5505 for SSH but it doesn't seem to work. Console and HTTPS/ASDM are working.
My TeraTerm just gets stuck at the user/password screen. I also tried using PuTTY but it still failed.
ciscoasa# exit
Logoff
Username: admin
[Code].....
View 2 Replies
Jul 2, 2012
When I install my ASA5505 I get the following message: "This platform has a Base license.
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
i2c_write_byte_w_suspend() error, slot = 0x0, device = 0x40, address = 26 byte
count = 1. Reason: I2C_UNPOPULATED_ERROR"
View 5 Replies
Jan 28, 2013
I have 2 internal servers sitting on the inside interface.
Inside network VLAN 1, IP addresses 192.168.0.20 and 192.168.0.22.
I am going to map 192.168.0.20 to the public routable IP address 203.117.124.180 and 192.168.0.22 to the public routable IP address 203.117.124.181.
The purpose is to make those 2 servers, 192.168.0.20 and .22, accessible remotely using the public routable IP addresses.
However, after doing the configuration I am still not able to ping or access the public IP addresses mentioned above. Both my servers are turned on and can be accessed internally. Both servers are also able to access the internet. See below the partial configuration retrieved from show run.
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Antlab) 1 0.0.0.0 0.0.0.0
[Code].....
View 2 Replies
Dec 16, 2011
I'm trying to get a new 5505 installed in our network to replace the 1841 that died over the past few days (memory issues). One of the big pieces of functionality that the old router gave us was the ability to open certain ports to the outside world to let clients see web sites we were working on for them or let employees RDP in to their work machines. I'm having trouble getting that working properly with the new device.
After a lot of trial and error, I finally got some ports working, but only for some IP addresses. In theory, Comcast (our ISP) is routing 13 IP addresses to our device (a.b.c.177 through 189). For historical reasons, the external IP of the device is .178. Only those NAT entries for .177, .178 and .179 are currently working. I've attached the configuration of the ASA, as well as the configuration of the old 1841. As far as I know, Comcast's equipment is doing its job, so I don't have a lot of reason to question that end of it. And it was working with the 1841 in place before its untimely demise.
One note - I am also having trouble getting the VPNs working, so they are a work in progress. That will account for some of the differences in the configs.
View 7 Replies
Jan 28, 2013
I am trying to set up a SLA statement on an ASA 5505 version 8.2(5). When I enter the command "sla monitor schedule 1 life forever start-time now" I get a message stating "%Entry not configured."
View 1 Replies
Apr 1, 2012
I have an ASA 5505 running 8.4(3) at home and I'm banging my head against the wall trying to get the PCTV working from my local ISP. Basically I open a web page for the service and I can stream all the basic TV channels to my PC screen.
I just simply can't get this working through the ASA. I know absolutely nothing about voice/video in networking.
My setup regarding ASA configuration is as follows:
interface Vlan1
description LAN
nameif LAN
security-level 100
ip address 10.0.0.1 255.255.255.0
igmp forward interface WAN
[code....
I can get the PCTV working if I bypass the ASA. I can, for example, get the PCTV working on PC2 if I simply change the port Ethernet0/2 to access VLAN 10. So there's just simply something that I haven't configured on the ASA, or the ASA doesn't support something? I took a capture from my PC2 just as I opened the browser and connected to the PCTV URL (opens our local channel 1 right away). The only thing I can see in the capture at that point is:
- V2 Membership report / Join group 232.1.3.1
- Right after, a remote host from the ISP networks starts sending the stream with the destination port udp/2000 and the destination address 232.1.3.1
What could I check in my configuration? Or is there something that I have simply configured wrong already in the partial configuration shown above?
View 3 Replies
Mar 29, 2012
I have a base 5505 and would like to get AnyConnect working. To do that, would I have to first purchase either an essentials or premium license and then purchase the AnyConnect Mobile license?
View 1 Replies
Apr 24, 2012
I need to allow traceroute traffic through an ASA running version 8.0.2. This traffic is NATted. What configuration is required on the ASA to allow this NATted traceroute traffic? Traffic is coming from inside and going outside. Also, can we capture this traceroute traffic on the ASA using the capture feature?
View 12 Replies
Sep 12, 2012
We all know that MS traceroute and *nix traceroute work a bit differently. *nix works by sending UDP packets with low TTLs to random high UDP ports.
Of course this creates a problem when trying to create an ip6tables rule where I want to allow traceroute. Anyone got something clean that will make this work? This is an example of current drops in my firewall log:
View 1 Replies
May 22, 2013
Here are two traceroutes, both to 82.195.128.132. One results in the name ns1.hosting365.ie and the other in the name mail.hosting365.ie. Why the difference? [code]
View 2 Replies
May 15, 2012
I'm working as a network engineer for a service provider, and we had just gone through a pretty large-scale upgrade throughout our network and service. But not long after the upgrade (or maybe ever since the upgrade; we can't confirm this because we probably missed it due to many other links to be tested), we met a peculiar problem. Everything seems to be running fine most of the time, but there has been some weird 'ghost-like' activity which has been causing inconsistent network disruptions. At times, certain portions of the network can't communicate with other subnets. Most obvious is the problem with a continuous ping and a traceroute run simultaneously. Ping is usually normal, but when a traceroute is attempted, it times out at the same time as tracert fails to obtain the route. Besides, performing a ping from the 2nd closest hop address, 10.250.253.251, which is a Cisco layer 3 switch, also has problems; the results shown are as below:
Type escape sequence to abort
[CODE]
View 1 Replies
Sep 16, 2012
I am encountering an issue with IPv6 traceroute: both from within the LAN and on the Cisco router itself, it is unable to function beyond the WAN interface of my Cisco 1941 router with IOS v15.x.
Below is the IPv6 Access List:
[code]
sequence 410 remark Allow Specific Inbound ICMP Types
permit icmp any 2001:D98:XXXX::/64 1 3
permit icmp any 2001:D98:XXXX::/64 packet-too-big
[Code].....
View 2 Replies
Aug 31, 2010
=> Routing protocol in question: EIGRP.
=> Two equal-metric routes for destination A (through R1 and R2, SVIs on two upstream 6500s).
Traceroute output: is output that alternates between 1.1 => 10.1 => 1.1 normal, granted the two routes are "equal metric routes for the same routing protocol in use", or is that "round robin behavior" indicative of a routing problem?
View 11 Replies
Dec 12, 2011
Why does the SX300 series only display ping and traceroute results in 20 ms intervals (see below)? The example in the CLI manual shows "regular" results. These 20 ms intervals are not useful for troubleshooting. This is version 1.1.0.73 on an SF300-24. [code]
View 2 Replies
May 9, 2012
I configured a VPN on my ASA5505 and it seems to be working just fine if I connect with my iPad or iPhone. But if I use the Cisco VPN Client, I can authenticate but can't get to any of the servers that I can access just fine from my iPad.
I can RDP from my iPad to servers but I can't RDP from my laptop to the same servers.
View 4 Replies
May 6, 2012
I have set up an ASA and everything but IPsec seems to be working. I was able to use the clientless SSL but I need IPsec working. I'm at a loss. The config is a little sloppy and I will be cleaning it up, but I would like to get this working first.
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
[Code].....
View 3 Replies
Sep 26, 2012
I was installing an IIS server for our client and created access rules for the HTTP server and port translations. After that I noticed I lost local LAN access through VPN, both AnyConnect and IPsec VPN. No other changes were made to the ASA than those access rules and NAT changes. I'm trying to find out what is wrong: the VPN connects okay, I can ping the ASA but nothing else on the inside network (for example the DNS server). DNS is not working either. When I ping a local server, I can see it in the log.
View 8 Replies
Sep 7, 2011
How can I actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
View 1 Replies
Apr 24, 2012
We were having a discussion of IOS firewall vs. ASA for smaller clients (less than 50), i.e. using IOS firewall (ZBF or CBAC) versus an ASA 5505/5510. One of the arguments brought up for using IOS firewall on the router is that a router will do an IP SLA failover. I have configured a number of ISRs for this and I know it works well.
View 1 Replies
Feb 19, 2012
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 VLAN in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to set up a second inside interface on the firewall and configure it as failover in case this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? Would it only be a passive/standby interface?
View 1 Replies
Aug 23, 2011
Setting up an ASA 5505 to be used as a firewall between a BT internet router (BTnet service) and a Cisco 3560 LAN switch. BT have presented me with a Cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 GigabitEthernet ports on the back of the router. Port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int Ge0/1 is connected into port int e0/1 of the ASA, but I am unable to get any connection.
View 21 Replies
Feb 27, 2013
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10 Meg Internet circuit with an IPsec VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary: no IPS or VPN, just standard stateful inspection.
View 5 Replies
Sep 11, 2012
I was logged into our ASA 5505 via ASDM-IDM Launcher (everything was working) and when I tried to update a change later on today it was unable to send the request. I tried to ping the device and the request timed out. The internet is still working, the VPN connections are still up. But I cannot connect into it anymore.
View 4 Replies
Dec 16, 2011
We're trying to get a new ASA 5505 put in place on our network after the untimely demise of our 1841 router. One of the functions of the router that we need to get back up and running is a pair of VPNs to employees that we have working from offsite. These are site-to-site VPNs.
They worked with the 1841 in place, so I know that the other end works. I'm just having trouble configuring the ASA to match. I've been through the wizard in ASDM a couple of times, but have yet to have any luck getting it to connect.
Attached are config files for the 1841 (with both VPNs) and the 5505 (with only 1 VPN in place). What may I be missing in order to get this working?
One note - I am having some trouble with my NAT configurations (another post pending), but I think they are close enough that I hope it's not interfering with the VPNs.
If I can get one running, the other has a nearly identical set up, so I should be able to get the second pretty easily.
View 1 Replies
Dec 22, 2011
Trying to set up an ASA 5505 in transparent firewall mode. I cannot set the management IP address:
ciscoasa> enable
Password:
ciscoasa# config term
[Code].....
View 7 Replies