Cisco Firewall :: ASA5505 And Asterisk Remote Softphone Doesn't Work
Jan 5, 2012
I have a problem with mi telephony server. My network topology is very simple. I have an ASA5505 connected to Internet throught an ISP. Behind ASA5505 I have a ToIP Server that operate well inside LAN network. However, when I try to register two or more extensions (Softphones) from Internet, Softphones some times it registers sucessfully, but some times doesn´t work.
The other hand, when softphones outside from LAN get register sucessfully in Asterisk server, is not possible that one of this calling the other one, and Asterisk server detects them as "UNREACHABLE". I don´t know if the problem are all commands of traffic inspect or if the problem is referenced to a particular UC proxy License.
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www access-list 101 deny tcp host 10.0.2.2 any access-list 101 permit tcp any any
route-map proxy-redirect permit 101 match ip address 101 set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
I have a brand new ASA 5505 running version 8.2(5). Got connected with the ASDM and ran the setup wizard and the remote access VPN wizard. I am not able to ping the outside interface from the internet, and my VPN client gets no response when trying to connect.
I am setting up a simple remote IPsec VPN with a ASA 8.4. All I want to do is the remote user can VPN into the ASA, from there, he can browse the outside Web pages in the internet. and we'd like not to use split-tunneling. The outside infterface is 192.168.1.155/24, which is inside our network and this subnet works fine to outside. The pool for vpn is 192.168.0.0./24 (please pay attention to the 3r octet)
I configured and the remote user can vpn in and get an IP from the pool. but it seems that he cannot do anything. he cannot ping anything.I suspected the NATTing that i use. What is configured wrong? What traffic need to be natted and what need not.
======:ASA Version 8.4(2) ! !interface GigabitEthernet0description VPN interfacenameif outsidesecurity-level 0ip address 192.168.1.156 255.255.255.0 !interface GigabitEthernet1description VPN interfacenameif insidesecurity-level 100ip address 192.168.0.1 255.255.255.0 !ftp mode passiveobject network obj-192.168.0.0subnet 192.168.0.0 255.255.255.0object network obj-192.168.1.155host 192.168.1.155access-list EXTERNAL extended permit ip any any access-list EXTERNAL extended permit icmp any any access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 pager lines 24mtu outside 1500mtu inside 1500ip local pool testpool 192.168.0.10-192.168.0.15ip verify reverse-path interface outsideicmp unreachable rate-limit 1 burst-size 1icmp permit any outsideicmp permit any insideno asdm history enablearp timeout
I am very new to Cisco ASA and I am trying many days to implement the design below but still cannot get it done. The situation I am facing is
- a host (e.g. 192.168.5.10) under Inside interface can contact to outside without any problem. - however a host outside (e.g. in VLAN1 or outside this network) cannot contact host under Inside interface. I am using PING test and always get Request Time Out. [code]
I am trying to configure RemoteDesktop on a home lab ASA5505 with IOS 8.4.1 and no matter what I tried, I am unable to remote into a local server behind the firewall. I've searched online and found several threads with solutions online including here at Cisco Support Community forum and have tried them all, but have no success. I'm sure it may be something very simple that I've missed.
I have setup a Remote access VPN on my ASA5505 firewall through the ASDM wizard.I can successfully connect with the Cisco VPN client. My firewall also shows me the VPN session and shows incoming Rx packets. However, Tx packets remain 0, so no traffic is going out. My ASA5505 is configured as router on a stick with 25 different VLAN's. I want to restrict traffic to one specific VLAN using a crypto map.When I issue a ping -t command on my connected Windows box, the firewall log shows me the following message:
"This message indicates that the IPSec fast path processed a packet that triggered IKE, but IKE's policy lookup failed. This error could be timing related. The ACLs that triggered IKE might have been deleted before IKE processed the initiation request. This problem will most likely correct itself." [code] I have really no idea what's going on. I have setup a Remote access VPN countless times but this time it shows me the error as described above.
I have a customer with an ASA5505 where it will not reply to SNMP polls from any source, i have followed the configuration guide [URL].at and tested another ASA in our internal network and i have that working fine on our LAN, here is the snmp and logging sections of the show-run on the ASA, it there anything obvious im missing to make the SNMP work on this device?
snmp-server host outside 203.XX.75.122 community XXXX snmp-server host outside 203.XX.84.196 community XXXX snmp-server host outside 203.XX.86.82 community XXXX snmp-server host outside 82.XX.244.3 community XXX
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I have a network with 3 sites that are on different subnets. Each site has an ASA Right now, I am only able to connect to the ASA that is connected to the subnet I am connected to.I want to be able to connect to the ASA that are on the remote subnets on the address of the inside interface.The sites are connected all together by site-to-site VPN.Is there any way I can achieve that without opening the outside interface directly on the Internet?
I installed a CISCO ASA5505 with 50 user license to my network as the gateway firewall. So ASA is acting as the gaeway router which is connected to a fibre circuit and also it gives DHCP to the network. The strange thing is that except for two computers rest does not have internet. I also have an asterisk phone system which works fine..
I tried everything.... static IP's DHCP, DNS nothing worked. But strange enough two computers works fine and have internet.. but are no special computers. One is Win XP and the other one is Win7. When I troubleshoot the problem in win 7 on one of the computers it says
"The remote device or resource won't accept the connection"
I ve configures an asa 5505 for remote vpn with anyconnect. it works just fíne - from remote i can ping the Clients and Server inside, i can do RDP or Connect via SSH to any machine, map some volumes local and so on but: I can not connect microsoft sql server. It uses port 1433 for the first connect and establishes then a dynamic connection. So i am a Newbie - what rules or configs do i miss?
We have an Asterisk/FreePBX phone system located behind an ASA 5505 device where we are having problems with sip inspection.
We connect to three different phone providers, and things works as expected for 2 of the 3 providers,but for the last one (Draytel) we are having problems with sip inspection.
The key difference about the VoIP provider where we are having problems is that they are using differetn servers for the voice (RTP) traffic than the server we are registered with to establish SIP sessions.
sip inspection is configured with the default out of the box options.The problems we see are this:
1. For ingoing calls sip inspection does not open the required pinhole to allow the traffic to flow through. As a result we can not hear the voice of the calling party, but voice from our side is passed through ok.As a workaround we have added and ACE allowing traffic in the used UDP (RTP) range from this VoIP providers ip addresses to pass through the ASA, and with that in place incoming calls work.
2. Outgoing calls doesn't work because sip inspection doesn't kick in, and as a result of this we forward internal ip addresses in the SIP / SDP body to the VoIP provider. I'm not sure whether this is a consequence of sip inspection not kicking in for this provider, or a result of having added the ACE for an ip ragnge that covers the ip address we register with.
As stated above sip inspection does work as expected for two other providers where all traffic goes through a single server.We actually have had this working with ASA firmware 7.2(4), but as that version intermittently had a problem where sip inspection would stop working (fixable by power off/on or a clear command), then we decided to upgrade.
I am trying to access and ping the inside interface of a ASA5505 from a remote network. From the remote network, I am able to access anything on the local network, but the ASA5505 inside interface.The 2 networks linked by a fiber link which have a transport network on another interface. From the remote network, I am able to ping the transport network interface IP, but I would like to be able to ping the inside interface IP. When I do a packet tracer, I get a deny from an implicit rule.How can I achieve that?
Here are the subnets involved and the ASA5505 config.
Remote network : 10.10.2.0/24 Local network : 10.10.1.0/24 Transport network : 10.10.99.0/24
I have one outside interface with global IP address 1.1.1.1 and two inside.Both inside interfaces restrict and non_restrict have private IP addresses.I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.I can access prohibited URL from restrict interface. What's wrong in my URL filtering?
A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back on vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.
What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authentication against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication is successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly.
I have a server in a network DMZ (IP 192.168.40.43) need to do discovery of other IP address to update the IPAM tool. It should not be done source NAT so I´m trying to use the configuration below with Policy NAT but isn´t working:
It´s following message appears "% PIX-3-305005: No translation group found for icmp dmz8 srv: 192.168.40.43 dst inside: 10.38.36.50 (type 13, code 0)".
I have a ASA 5510. I setup basic configuration to test internet with 2 ISPs. My first line works with out any problem. But my second line doesn't work. Even when i wipe the configuration, and setup only my second isp. Internet doesn't work. Can you tell me if there is anything wrong with this config?
CaaaA01# sh run : Saved : ASA Version 8.3(1) ! hostname CaaaA01 domain-name example.com
I'm trying to setup a L2TP VPN Connection on my ASA 5510 to connect with Android/Windows (Native Clients).I'm using the newest Releases:Cisco Adaptive Security Appliance Software Version 8.3(2) Device Manager Version 6.3(5)
If i try to connect with a Windows 7 Client (NOT behind NAT) I get the Error 691.
I see that Phase 1/2 are working with debug: Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)
Then I see this "Error":
Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated
I don't understand why it doens't work....I tried many templates from the net but nothings works.
I'm trying to build different content security scenarios for a potential deployment of ASA5500-X series firewall with CX module and ran into a trivial problem. A simple access policy has been configured to deny Skype. It's as simple as it sounds. To my surprise I don't see that it is being enforced.I have all my pending changes committed, events are now showing with hits, see attached print screens. Tried to start Skype on my PC with the source shown on the print screen it and don't see any effects of this policy.
As a side note, I know for sure that other type of filtering does work, i.e. I have configured a deny filter for gambling URL category and it seems to work nicely.
since our update of Cisco ASA 5510 (active/standby cluster) from version 8.22 to version 8.24 it isn't possible to transfer files from/to a sftp client. The request just times out. SSH from this client is possible.
what´s going on with an asa540 configure in multiple-context mode. I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
CISCOASA/CONTEXTA# JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
If I try to ping returns the same error:
CISCOASA/CONTEXTA# JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
Following attached the conf of my asa My question is Why I can´t ping or even use snmp ?
I am trying to remove a line in a particular access-list configured in a FWSM module using this command "no access-list <acl> line 19 x x x x" but it doesn't work. See below:
FWSM/xxx03(config)# no access-list ? configure mode commands/options: alert-interval Specify the alert interval for generating syslog message 106001 which alerts that the system has reached a deny
[code]...
How can I remove a line from the access-list without clearing the entire access-list?
I am using ASA5520 with webvpn for file sharing. But recently we just upgraded the OS that accommodate file shared folder from win2003 R2 32bit to windows server 2008 R2 64bit. Now I have a problem with accessing file share by ASA webvpn, it appears error contacting host, we have tested the file shared of webvpn on the other OS windows 2003 and windows 2008, they are working on these OS except win2008 R2. Current the ASA OS version is 8.0(2). And the windows firewall has been disabed.
I have a directly connected server behind the ASA and I can ping the server without a problem.
The VPN client reports packets being encrypted and decrypted
However when I try to RDP to the server the encyrpted packets keep incrementing but the decrypted packets do not.
I am also not seeing any RDP traffic hit the server (verified by ethereal)
I have done a packet tracer and it suceeds but ends with an IP spoof which I believe is correct as it is vpn traffic and not actually being encrypted.
This is the debug from the RDP session, I am confused by a Denied ICMP on line 2 as I am able to ping the server?
%ASA-6-302013: Built inbound TCP connection 88193 for external:172.16.24.4/50984 (172.16.24.4/50984) to internal:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl) %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.146: no matching session
[Code].....
The only logical bit to this is flow closed by inspection? Does this mean the server has not responded?
And the decrypt packets not increasing when trying to RDP Does this mean that I have reached the end of my ASA knowledge on this one!
I am trying to configure dual ISP on my ASA5505.I have everything configured and working when eth0/0 is connected, but when I disconnect it, it doesn't route any traffic.The static route for the primary isp is removed and the static route to the backup isp shows up, but no traffic goes in or out. I should note that I'm doing this as a proof of concept so eth0/0 is connected to a router and eth0/1 is connected to another router. [code]
I have been searching for days trying to find out what could be wrong with the configuration of an ASA5505 running Firmware version 7.2(2). I am trying to set up a hairpin connection between my laptop on the VPN tunnel (192.168.25.12) to access the server across the L2L VPN (192.168.1.10) on the diagram below.
The remote VPN function is working, as I can RDP to the 192.168.25.10 server from my laptop, and the L2L VPN is working since I can RDP from server 192.168.25.10 to server 192.168.1.10. I am trying specifically to run RDP from my laptop without having to log into the .25 network.
I have tried multiple changes to my NAT tables and my ACL configurations to no avail.[code]
We currently have a few 5505s installed at client sites which are connected via s2s ipsec VPN to our datacenter's 5510. We are using Nagios to monitor the local data center and remote client infrastructure (over the VPNs) which has been working well.
We would like to also monitor the remote 5505s using SNMP over the s2s tunnels but it doesn't seem to be working, the connection is timing out. We've configured the remote 5505s with the same snmp statement we used on the 5510 (snmp-server host inside <remote datacenter IP> poll community ***** version 2c) yet the Nagios SNMP check cannot connect to the remote 5505s. We've also tried the command using 'outside' without any luck, not sure how to get SNMP to route over the VPN.
I have a ASA 5505.|I configured it for remote access VPN from cisco VPN client.the ASA receives a public ip address on outside interface via PPPoE.I can connect to public ip of outside interface and address 10.1.1.2 is assigned to my Cisco vpn client.the problem is that I Cannot ping or reach ASA internal IP address 172.16.29.1 in any way when I am in VPN from outside,while I Can ping other hosts on 172.16.29.0/24 when connected in VPN.this is a problem brcause when I am connected in VPN to ASA I Cannot configure it..Then I Wanted to ask if it is possible a configuration which gives addresses from network 172.16.29.0/24 (the same as inside network) to VPN clients instead of another network (10.1.1.0/24) [code]
