Cisco VPN :: Verify NAT On ASA 5510 Working?
Aug 16, 2011
I'm working on setting up a site-to-site VPN connection that requires us to NAT an internal address. Typically, this would be no big deal, but for some reason, it's not working for us. The remote site is reporting that they are seeing the original IP address and not the mapped address coming across. I've monitored the connection and, based on our ASA logs, I too see the unmapped address.
Is there a quick and easy way of verifying that NAT is working? Logs, etc.?
Unfortunately I don't currently have the remote side's configuration, as they are an external business, but I can provide ours: [code]
Based on the above, it sounds as if our configs aren't jibing, which I would think could be caused by the NAT configuration not working, right? I mean, if the VPN appliance on the remote end is expecting a NAT-ed address of 12.131.67.247 and they are receiving 12.10.127.108, that could cause this issue, couldn't it?
View 2 Replies
Feb 24, 2011
I have disabled Unicast RPF on a Cisco ASA 5510 for one specific interface. However, how do I verify that RPF indeed has been disabled on that particular interface? It doesn't show up in the config, nor does it show up when I issue the command "sh int interface".
To disable the RPF feature, I issued the following command: no ip verify reverse-path interface interface_name
View 1 Replies
View Related
Apr 13, 2011
How do I verify on the ASA 5510 that the vpn-idle-timeout is running on the default setting (30 minutes)?
View 3 Replies
View Related
Apr 8, 2011
When you use debug crypto isakmp 127 on the ASA 5510 in order to troubleshoot remote access VPN users, which entry are you looking for in the debug to see if the user entered a wrong password?
View 1 Replies
View Related
Apr 11, 2013
How do I verify if CG-NMS is enabled on an ASA5520? I just need to know if it's enabled/installed to be enabled and used. Cisco Adaptive Security Appliance Software Version 8.0(5)28, Device Manager Version 6.1(5)51.
View 1 Replies
View Related
Feb 12, 2013
I have installed Cisco Prime LMS 4.2 via an OVA image with a Linux kernel. Is there any command or set of commands so that I can verify the installation was done correctly, other than show application?
View 1 Replies
View Related
Dec 25, 2012
I used the wlc 5508 GUI to enable multicast in the CONTROLLER section, AP Multicast mode "Multicast" with a group address 239.1.1.1. Also in the "Multicast" section enabled Global Multicast Mode and IGMP Snooping.
My wired network is using a BSR and PIM sparse-mode all around. My WLC is connected to a core 6513 L3 switch, and on a neighbor L3 switch I can see a shared-tree mroute entry and a source-based entry for the WLC multicast group I created:
sh ip mroute
( *, 239.1.1.1 )
( 192.168.0.1, 239.1.1.1 )
I can't ping 239.1.1.1 though from anywhere, even from the WLC's GUI using the ping tool. I can do an ip igmp join on a loopback and ping from a neighbor device and get a reply.
In the monitor multicast section of the GUI I can see some Layer 2 MGID entries and one in the Layer 3 MGID section, but not for the 239.1.1.1 address. How do I verify my multicast-over-wireless setup is working correctly?
View 6 Replies
View Related
Mar 14, 2012
Is there a way to verify how many licensed features are used, and whether the usage is far from or near the limit?
View 4 Replies
View Related
Feb 16, 2011
Getting this error on the data center 2581 (12.4(24)T) from a GRE/IPsec tunnel; the remote branch is a 2811 running 12.4(25d):
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=
The tunnel has been up and working okay for months; nothing has changed on the config and the key is correct. Traffic is flowing, but remote users are complaining of performance issues. A Wireshark capture shows checksum errors and lots of packet resends. The remote ISP has checked the circuit and says it's clean. The data centre router has quite a few tunnels but only 1 causing this issue. From the head end router:
sh crypto ips sa | b x.x.x.x
current_peer x.x.x.x port 500
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 15129, #pkts encrypt: 15129, #pkts digest: 15129
  #pkts decaps: 13346, #pkts decrypt: 13346, #pkts verify: 13346
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0
  #pkts not decompressed: 0, #pkts decompress failed: 0
  #send errors 1, #recv errors 1992
Can a VPN module go bad like this? I've tried disabling the branch onboard engine and using software but it doesn't work.
View 1 Replies
View Related
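A quick way to put the counters in the post above into perspective is to parse them and compare the inbound drop count with the inbound packet count. This is an added example, not code from the post or from Cisco; the sample text is constructed from the figures quoted above with a documentation-range peer address, and it assumes that inbound packets rejected by the MAC check are the ones counted under "#recv errors".

```python
import re
from typing import Dict

# Constructed sample modelled on the "show crypto ipsec sa" excerpt in the post
# above (peer address replaced with a documentation-range placeholder).
SAMPLE_IPSEC_SA = """\
   current_peer 203.0.113.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15129, #pkts encrypt: 15129, #pkts digest: 15129
    #pkts decaps: 13346, #pkts decrypt: 13346, #pkts verify: 13346
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 1992
"""

# Matches both "#pkts encaps: 15129" and the colon-less "#send errors 1" form.
COUNTER_RE = re.compile(r"#([a-z][a-z .]*?):?\s(\d+)")


def parse_ipsec_sa_counters(text: str) -> Dict[str, int]:
    """Collect every '#name: value' / '#name value' counter in the SA output."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def recv_error_ratio(c: Dict[str, int]) -> float:
    """Fraction of inbound IPsec packets the SA dropped: recv errors over
    decapsulated packets plus recv errors (assumes recv errors is where
    MAC-verify rejects are counted)."""
    dropped = c.get("recv errors", 0)
    total = c.get("pkts decaps", 0) + dropped
    return dropped / total if total else 0.0


def assess(text: str, threshold: float = 0.01) -> Dict[str, object]:
    """Summarise one SA. A wrong key would fail every inbound packet; a
    drop ratio well above zero on an SA whose decrypt and verify counters
    otherwise agree points at packets being damaged on the path instead."""
    c = parse_ipsec_sa_counters(text)
    ratio = recv_error_ratio(c)
    return {
        "recv_error_ratio": ratio,
        "decrypt_verify_consistent": c.get("pkts decrypt") == c.get("pkts verify"),
        "encrypt_digest_consistent": c.get("pkts encrypt") == c.get("pkts digest"),
        "suspect_path_corruption": ratio > threshold and c.get("pkts verify", 0) > 0,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_IPSEC_SA).items():
        print(f"{key}: {value}")
```

On the quoted numbers roughly one inbound packet in eight is being dropped, which is consistent with the retransmissions the poster sees in Wireshark; the ratio, not the raw count, is what to watch across repeated "show crypto ipsec sa" snapshots.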
Apr 23, 2013
What is the correct command to check the hardware of a Nexus 5020? Are show inventory, show diag, etc. used the same, or is there a specific one for these items?
View 2 Replies
View Related
May 24, 2012
Someone at work sent me an e-mail they claim was forwarded. I don't think it was, and I need to know before I ask, because accusing someone of making it look forwarded. I viewed the source code, but I can't tell; it was sent through a Microsoft Exchange server. I think they copied and pasted and changed dates. Is there any way to tell from the source code?
View 2 Replies
View Related
Feb 8, 2011
How do I verify that the router's wireless setup is secured (and encrypted) from the Admin GUI? Which menu should I look at in the Admin GUI?
View 3 Replies
View Related
Sep 14, 2012
I have a Cisco3800 with IOS Version 12.3(14)T2 and I have an HWIC-1GE-SFP module inserted on it.
Is there a command to verify the optical power level of this module inserted in the Cisco 3800 router?
Something similar to the following command that I can execute on a Cisco ASR9K:
show controllers Te0/0/0/1 phy | i Rx
View 4 Replies
View Related
Dec 11, 2012
I am trying to validate an email address through a telnet connection. I followed these steps: "How to Verify an Email Address and Find if it is Real or Fake?" Sadly, when I try the "telnet gmail-smtp-in.l.google.com 25"
View 1 Replies
View Related
Mar 12, 2013
The network gods recently updated our 6500 and upon reboot the FWSM booted to the CF:1 maintenance partition, which caused an immediate outage. On the router, I ran the following command to set the default FWSM boot partition to the configuration one:
Router#boot device module 4 cf:5
However, it appears the "show boot device" command has been replaced with "show bootvar", which doesn't show me which partition the router will boot the FWSM to. Is there a command I can run from the router that will actually confirm the boot partition for the FWSM if the router reloads?
View 1 Replies
View Related
Mar 23, 2012
We got a dark fiber between two sites 30 km away from each other. I need to connect these sites; one acts as the backup DC to the main DC in the main site, using Cisco 4900 switches in the BK-DC and a 6513 in the main site. How can I verify if this fiber operates as L2 and I can extend the server VLANs? Is it via "sh cdp neigh" and "sh vlan br"?
View 2 Replies
View Related
May 9, 2012
I configured MDIX on port gi1/0/7 as mdix auto. It does not show in the running config. Is there any way or command which I can use to verify MDIX on the port?
View 2 Replies
View Related
Jul 1, 2011
I configured an ASA 5510 with IOS version 8.4.2. I configured SSH on the outside and backup interfaces with any/any permission:
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 backup
configured password with command
passwd < Password>
While connecting from outside through PuTTY I am not able to authenticate the password.
After entering the user name as pix it asks for the password. After entering it, it's not authenticating.
I took the output by telnetting to inside after connecting to the firewall from outside and entering the username as pix:
PM-ASA-5510# sh ssh sessions
SID Client IP        Version Mode Encryption Hmac State         Username
1   122.169.252.112  2.0     IN   aes256-cbc sha1 KeysExchanged pix
                             OUT  aes256-cbc sha1 KeysExchanged pix
PM-ASA-5510#
View 5 Replies
View Related
Aug 22, 2012
Our NOC is trying to configure a site to site tunnel to one of our customers. The tunnel is up and operational, however we can't get our NAT rules to match what we want.
We are running ASA version 8.4(3)
The traffic is sourced from 172.16.1.50 (inside1) and destined to 192.168.2.9 (outside); the NAT configuration is posted below:
NOC-ASA5510-01# show run nat
nat (inside1,inside2) source static ng-noc-networks ng-noc-networks destination static ng-inside2-networks ng-inside2-networks
nat (inside1,outside) source static test test-EXT destination static otherside otherside
object network obj_any
nat (inside1,outside) dynamic interface dns
object network servers-noc
nat (inside1,outside) static 192.168.1.68
Here is the output from show nat detail:
NOC-ASA5510-01# show nat detail
Manual NAT Policies (Section 1)
I left off entry 1, but it doesn't have any translated hits either.
2 (inside1) to (outside) source static test test-EXT destination static otherside otherside
translate_hits = 0, untranslate_hits = 624
Source - Origin: 172.16.1.50/32, Translated: 192.168.1.67/32
Destination - Origin:192.168.2.9/32, Translated:192.168.2.9/32
Auto NAT Policies (Section 2)
1 (inside1) to (outside) source static servers-noc 192.168.1.68
translate_hits = 0, untranslate_hits = 187
Source - Origin: 172.16.1.101/32, Translated: 192.168.1.68/32
2 (inside1) to (outside) source dynamic obj_any interface dns
translate_hits = 58417, untranslate_hits = 1511
Source - Origin: 0.0.0.0/0, Translated: 192.168.1.66/29
Here are the network objects:
object network test
host 172.16.1.50
object network test-EXT
host 192.168.1.67
[Code]...
View 2 Replies
View Related
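The first post on this page asks how to verify that NAT is actually being applied, and the post above shows the counters that answer it: the "translate_hits" and "untranslate_hits" columns of "show nat detail". Below is an added example, not code from either post or from Cisco, that parses that output and lists policies which have never translated a packet in the forward direction. The sample text is constructed from the figures quoted above, and the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the "show nat detail" output quoted in the post
# above (the poster omitted Section 1 policy 1, so it is absent here too).
SAMPLE_SHOW_NAT_DETAIL = """\
Manual NAT Policies (Section 1)
2 (inside1) to (outside) source static test test-EXT destination static otherside otherside
    translate_hits = 0, untranslate_hits = 624
    Source - Origin: 172.16.1.50/32, Translated: 192.168.1.67/32
    Destination - Origin: 192.168.2.9/32, Translated: 192.168.2.9/32

Auto NAT Policies (Section 2)
1 (inside1) to (outside) source static servers-noc 192.168.1.68
    translate_hits = 0, untranslate_hits = 187
    Source - Origin: 172.16.1.101/32, Translated: 192.168.1.68/32
2 (inside1) to (outside) source dynamic obj_any interface dns
    translate_hits = 58417, untranslate_hits = 1511
    Source - Origin: 0.0.0.0/0, Translated: 192.168.1.66/29
"""


@dataclass
class NatPolicy:
    section: int                        # 1 = manual, 2 = auto, 3 = manual after auto
    number: int                         # position within the section
    src_if: str
    dst_if: str
    rule: str                           # rest of the policy line, as printed
    translate_hits: int = 0             # forward-direction translations
    untranslate_hits: int = 0           # reverse-direction (untranslate) matches
    src_origin: Optional[str] = None
    src_translated: Optional[str] = None
    dst_origin: Optional[str] = None
    dst_translated: Optional[str] = None


SECTION_RE = re.compile(r"NAT Policies \(Section (\d)\)")
POLICY_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
SRC_RE = re.compile(r"Source - Origin: (\S+), Translated: (\S+)")
DST_RE = re.compile(r"Destination - Origin: (\S+), Translated: (\S+)")


def parse_show_nat_detail(text: str) -> List[NatPolicy]:
    """Turn the text of 'show nat detail' into a list of NatPolicy records."""
    policies: List[NatPolicy] = []
    section = 0
    current: Optional[NatPolicy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.search(line)
        if m:
            section = int(m.group(1))
            current = None
            continue
        m = POLICY_RE.match(line)
        if m:
            current = NatPolicy(section, int(m.group(1)), m.group(2), m.group(3), m.group(4))
            policies.append(current)
            continue
        if current is None:
            continue
        m = HITS_RE.search(line)
        if m:
            current.translate_hits = int(m.group(1))
            current.untranslate_hits = int(m.group(2))
            continue
        m = SRC_RE.search(line)
        if m:
            current.src_origin, current.src_translated = m.group(1), m.group(2)
            continue
        m = DST_RE.search(line)
        if m:
            current.dst_origin, current.dst_translated = m.group(1), m.group(2)
    return policies


def never_translated(policies: List[NatPolicy]) -> List[NatPolicy]:
    """Policies that have never rewritten a packet in the forward direction.
    A static rule showing 0 translate_hits next to a growing untranslate_hits
    is the pattern to look for when the far end reports the original address."""
    return [p for p in policies if p.translate_hits == 0]


def policies_for_host(policies: List[NatPolicy], host: str) -> List[NatPolicy]:
    """Every policy whose source origin is the /32 for this host."""
    return [p for p in policies if p.src_origin == f"{host}/32"]


def report(text: str) -> List[str]:
    """One line per policy with zero translate hits, ready to print."""
    return [f"section {p.section} policy {p.number} ({p.src_if}->{p.dst_if}): "
            f"{p.src_origin} -> {p.src_translated}, translate_hits=0, "
            f"untranslate_hits={p.untranslate_hits}"
            for p in never_translated(parse_show_nat_detail(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_SHOW_NAT_DETAIL):
        print(line)
```

Run against a fresh "show nat detail" before and after a test connection: a policy whose translate_hits does not move while the connection is up is not the one the ASA is applying to that flow, and "packet-tracer" from the same source and destination then shows which rule is.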
Feb 3, 2013
I had installed the Atheros AR5B97 wireless network adapter in Windows 7, but it was not properly installed and the wireless service icon is not displayed in the network profiles. When I checked it in the Device Manager it showed a device status of: "Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)"
View 1 Replies
View Related
Jul 19, 2012
I recently set up a site-to-site VPN between an ASA 5510 and a 1921 router. It was working great all night and this morning. When traffic stopped rolling through for a few hours, the tunnel shut down. I checked the router using Cisco configuration and it tells me the tunnel is up. When I check the ASA it does not show up in the active tunnels. Anyone know what would cause it to drop? And if so, what can I do to avoid it?
View 6 Replies
View Related
Mar 8, 2012
I've got an ASA 5510 running 8.4. I have a host on an inside interface, with a static NAT configured on the ASA. The inbound/return half of the NAT doesn't appear to be working. [code] I run a ping from the host (192.168.100.98) to something on the outside (1.2.3.4). Running captures, I can see the outbound ping leaving, having been NATed OK. I can see the reply coming back in to the outside interface with the correct IP address, but I never get the final NATed packet appearing on the inside interface. The packet just disappears inside the ASA.
View 2 Replies
View Related
Nov 14, 2011
I implemented an ASA5510 with the latest software version. I configured the outside interface, default route, and PAT to the outside interface. I am able to ping and telnet to the inside interface of the ASA, but internet is not working. Did I miss any configuration? I enabled ICMP to outside. I did a ping to the next hop from the ASA, but it is not working.
View 6 Replies
View Related
Jun 8, 2011
I've a Cisco ASA 5510 with Security Appliance Software Version 8.0(2). In this ASA I've many L2L tunnels, and sometimes new tunnels can't connect; the older tunnels are still OK and working. Yesterday this situation occurred again and I tried to clear all IPsec tunnels and reconnect again; none came up. At the time of this situation memory usage was about 78% and CPU was around 5%. I made a reload without changes and the situation returned to normal.
At the time of the failure I collected the output from debug crypto isakmp 255; the output is in the annexed file.
View 1 Replies
View Related
Nov 30, 2011
I have an issue with one particular VPN user. They are using the built-in Windows Vista client to connect to my ASA 5510.
All other users do not have an issue, and I receive the following error at roughly the same time of day when the drop happens. Authentication is done by my AD server, which handles all logins.
[code]...
View 2 Replies
View Related
May 9, 2010
I have the ASA 5510, I just upgraded to Windows 7 and installed the ASDM software. The installation went smoothly but when I launch ASDM all that comes up is the top right of a window, here is a screenshot of what happens.
View 15 Replies
View Related
Feb 5, 2013
I find are steps to turn on SSH access. I have quite a few customers with ASA5510s installed. SSH is set up and working fine on every one. After a period of time, you are no longer able to SSH into the firewall. Using PuTTY, it just sits there on a blank screen without giving an "access denied" message or a login prompt. Rebooting the firewall will solve the issue and SSH access works again. Today, I had a customer with an active/standby configuration where I had to reboot both of them to be able to log in. Most of my customers are on 8.2 software, as most don't want to reconfigure for the new NAT, etc.
I'm sure others have seen this before, since it appears to be occurring on almost every ASA that I have access to. Is there any fix to eliminate this, or is there something that can be run from the ASDM that will grant SSH access again without just doing a reboot?
View 4 Replies
View Related
Nov 19, 2012
Currently I want to add a second LAN (VLAN) in a customer's network. The new network will be for a wireless infrastructure. There is also VPN configured on the ASA: one with L2TP for Windows clients and an IPsec one for Cisco clients. Formerly we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA. Now I want to use Eth0/2 with subinterfaces, so that we will be flexible in the future when deploying more VLANs.
But now, when I turn the first subinterface Eth0/2.2 to no-shut, the VPN connections do not work any more. Building up the VPN connection works, but it seems that the traffic is not tunneled (I checked this, because tracert to an internal address goes to the internet).
Below there is my config; I don't know what's wrong. I think split-tunnel is configured correctly (because it works when I delete Eth0/2.2). TREV is the network of this location. Company1, 2, 3 are remote locations.
: Saved
:
ASA Version 8.2(5)
!
hostname XXXXXXX
domain-name domain.lan
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
[code]....
View 3 Replies
View Related
Sep 24, 2012
We have 2 ASA5510s and 2 ASA5525s. Got a very weird error: up to release 8.4 EIGRP works fine; after upgrading to 8.6 EIGRP stops working. Can't see any neighbors, but the same command from another ASA on the same network but with release 8.4: [code] I want to put the 5525 in production but would like to do it with the latest release; could this be a bug on 8.6?
View 12 Replies
View Related
Jun 2, 2011
We recently upgraded our ASA 5510 active/standby cluster from ASA Version 8.3.2 to 8.4.1(11). Unfortunately the standby ASA is now crashing a few seconds after the configuration is synchronized from the active ASA.
Also, completely disabling HA, bringing the default config to the standby ASA again and activating HA afterwards did not work. I also tried through the wizard provided by ASDM to be sure to have no errors with requirements.
How can I solve this without doing a downgrade back to 8.3.2?
View 4 Replies
View Related
May 9, 2013
I have an ASA 5510 and I am building a site-to-site VPN tunnel; the peer on the other end is a SonicWall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto maps don't match; I have it restricted to specific ports on my end and he has it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is, why would I be able to bring the tunnel up on my end if the crypto maps don't match and he can't bring it up?
View 5 Replies
View Related
Dec 5, 2012
I have an ASA 5510 and I am building a site-to-site VPN tunnel; the peer on the other end is a SonicWall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto maps don't match; I have it restricted to specific ports on my end and he has it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is, why would I be able to bring the tunnel up on my end if the crypto maps don't match and he can't bring it up?
View 1 Replies
View Related
Jun 11, 2013
I have an ASA with an outside ACL that is configured to allow 208.84.248.95 SIP/5060 to 1x.x.x.46. I show no hits. I added an ACL to do a packet capture; it sees the packet coming into the ASA but not going to the Serv Prov interface. I see hits on the vuong ACL but not the production acl_out ACL. What is up?
NOTE: acl_out is the ACL we use to allow outside traffic to enter our network.
FW1(config)# sh access-list | i 1.x.x.46
access-list acl_out line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0xc09a9387 (*NO HITS)
access-list acl_out line 658 extended permit udp host 208.84.248.95 host 1x.x.x.46 eq sip (hitcnt=0) 0x0f327179 (NO HITS)
[code]...
It was tested and verified from the inside network to make sure the server is listening on that port. Below we created an ACL to allow all IP from another test PC to the Server IP 1x.x.x.46. We did a telnet to port 5060 and it showed hits but not on the acl_out ACL.
access-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0x2759fa92
FW1(config)# q
FW1# capture capture1 access-list vuong interface outside
[code]...
Below we applied the same ACL to the ServProv interface to see if traffic was going where it was supposed to, by trying to telnet to the 1x.x.x.46 IP from the 63.x.x.140 IP. Looking below, no traffic appeared on capture2.
FW1# capture capture2 access-list vuong interface ServProv
FW1# sh capture capture2
0 packet captured
0 packet shown
[code]...
Capture 1 above shows the last 3 incoming messages initiated from 63.x.x.140 to 1x.x.x.46! The vuong ACL below shows 3 more hits... nothing on the acl_out ACL???
FW1# sh access-list vuong
access-list vuong; 1 elements; name hash: 0x29df3e90
access-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=6) 0x2759fa92
[code]...
View 1 Replies
View Related