Microsoft
Software
Hardware
Network
Question : Problem: we have a ASA5505 connecting to a ASA5520. the asa5505 drop links and no traffic can pass over the vpn
we have a ASA5505 connecting to a ASA5520. the asa5505 drop links and no traffic can pass over the vpn. Have to log into the asa5505 on external interface and reload it. This then solves the problem. Behine the ASA5502 are three sateliites.
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name domain.com.au
enable password
passwd
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.*.*.8 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address 58.*.*.113 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
speed 10
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone WST 8
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.230.0.1
domain-name domain.com.au
same-security-traffic permit intra-interface
access-list OUTSIDE-ACCESS-IN extended permit tcp any host 58.*.*.113 eq ssh
access-list OUTSIDE-ACCESS-IN extended permit tcp any host 58.*.*.113 eq telnet
access-list nonat extended permit ip 10.250.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip host 192.*.*.8 host 10.230.0.224
access-list nonat extended permit ip host 192.*.*.8 host 10.200.0.21
access-list nonat extended permit ip host 58.*.*.113 host 10.200.0.21
access-list VPNtoDC extended deny ip 192.*.*.0 255.255.255.248 10.202.0.0 255.255.0.0
access-list VPNtoDC extended deny ip 10.250.0.0 255.255.0.0 10.202.0.0 255.255.0.0
access-list VPNtoDC extended permit ip 10.250.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPNtoDC extended permit ip 10.250.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPNtoDC extended permit ip 10.250.3.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPNtoDC extended permit ip 10.250.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list VPNtoDC extended permit ip host 192.*.*.8 host 10.230.0.224
access-list VPNtoDC extended permit ip host 58.*.*.113 host 10.200.0.21
access-list INSIDE-IN extended permit ip any any
access-list OUTSIDE-IN extended permit ip host 203.*.*.74 interface outside
access-list OUTSIDE-IN extended permit tcp host 203.*.*.65 host 58.*.*.113 eq ssh
access-list OUTSIDE-IN extended permit tcp host 218.*.*.186 host 58.*.*.113 eq ssh
access-list OUTSIDE-IN extended deny ip any any log
access-list VPN-TO-202 extended permit ip 10.250.0.0 255.255.0.0 10.202.0.0 255.255.0.0
access-list test extended permit tcp 10.250.3.0 255.255.255.0 any eq domain log
access-list test extended permit udp 10.250.3.0 255.255.255.0 any eq domain log
access-list test extended permit tcp 10.250.3.0 255.255.255.0 any eq 445 log
access-list test extended permit tcp 10.250.3.0 255.255.255.0 any eq netbios-ssn log
access-list test extended permit tcp 10.250.1.0 255.255.255.0 any eq domain log
access-list test extended permit udp 10.250.1.0 255.255.255.0 any eq domain log
access-list test extended permit tcp 10.250.3.0 255.255.255.0 any log
access-list test extended permit udp 10.250.3.0 255.255.255.0 any log
access-list test extended permit ip any any
access-list test1 extended permit tcp any eq 445 10.250.3.0 255.255.255.0 log
access-list test1 extended permit tcp any eq netbios-ssn 10.250.3.0 255.255.255.0 log
access-list test1 extended permit tcp any 10.250.3.0 255.255.255.0 log
access-list test1 extended permit udp any 10.250.3.0 255.255.255.0 log
access-list test1 extended permit ip any any
access-list test2 extended permit ip host 10.220.10.62 host 10.250.1.10
access-list test2 extended permit ip host 10.250.1.10 host 10.220.10.62
access-list test2 extended permit ip host 10.220.10.62 host 10.250.2.10
access-list test2 extended permit ip host 10.250.2.10 host 10.220.10.62
access-list test2 extended permit ip host 10.220.10.62 host 10.250.3.10
access-list test2 extended permit ip host 10.250.3.10 host 10.220.10.62
access-list test2 extended permit ip host 10.250.1.10 host 10.230.0.1
access-list test2 extended permit ip host 10.230.0.1 host 10.250.1.10
access-list test2 extended permit ip host 10.230.0.1 host 10.250.2.10
access-list test2 extended permit ip host 10.250.2.10 host 10.230.0.1
access-list test2 extended permit ip host 10.250.3.10 host 10.230.0.1
access-list test2 extended permit ip host 10.230.0.1 host 10.250.3.10
access-list VPNtoPerthDC extended deny ip 10.250.0.0 255.255.0.0 10.202.0.0 255.255.0.0
access-list VPNtoPerthDC extended permit ip 10.250.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list vpntoPerth extended deny ip 10.250.0.0 255.255.0.0 10.202.0.0 255.255.0.0
access-list vpntoPerth extended permit ip 10.250.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list vpntoPerth extended permit ip 10.250.3.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 32000
logging console emergencies
logging monitor alerts
logging buffered debugging
logging trap debugging
logging asdm notifications
logging host inside 10.250.1.10
logging host outside 10.200.0.21
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
route inside 10.250.1.0 255.255.255.0 192.168.240.1 1
route inside 10.250.2.0 255.255.255.0 192.168.240.1 1
route inside 10.250.3.0 255.255.255.0 192.168.240.1 1
route outside 0.0.0.0 0.0.0.0 58.84.215.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
url-cache dst 1
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strongdes esp-3des esp-md5-hmac
crypto ipsec transform-set strongaes esp-aes-256 esp-sha-hmac
crypto map outside 10 match address VPNtoDC
crypto map outside 10 set peer 203.25.27.74
crypto map outside 10 set transform-set strongdes strongaes
crypto map outside 20 match address VPN-TO-202
crypto map outside 20 set peer 203.*.*.130
crypto map outside 20 set transform-set strongaes
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet 10.250.1.0 255.255.255.0 inside
telnet 203.*.*.74 255.255.255.255 outside
telnet timeout 5
ssh 10.250.1.0 255.255.255.0 inside
ssh 10.230.0.0 255.255.0.0 inside
ssh 10.200.0.0 255.255.0.0 inside
ssh 218.*.*.186 255.255.255.255 outside
ssh 203.*.*.65 255.255.255.255 outside
ssh 203.*.*.74 255.255.255.255 outside
ssh 203.*.*.201 255.255.255.255 outside
ssh 209.*.*.96 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
dhcpd auto_config outside
!
tunnel-group 203.*.*.74 type ipsec-l2l
tunnel-group 203.*.*.74 ipsec-attributes
pre-shared-key *
tunnel-group 203.*.*.130 type ipsec-l2l
tunnel-group 203.*.*.130 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
ciscoasa#
Answer : Problem: we have a ASA5505 connecting to a ASA5520. the asa5505 drop links and no traffic can pass over the vpn
the cause of the problem turned out to be a faulty port on the isp's switch. Our asa was at their data centre, found it by accident, switched ports and all fixed.
Random Solutions
Problem: VPN connection timeout
Problem: Airport Extreme: No IP address from Comcast cable modem
Problem: Two Dell XPS One side to side
Problem: Cisco Aironet Signal Strength Between AP's
Problem: ISCSI Freenas setup
Problem: How to tell which device wireless adapter connected to: Access Point or Router
Problem: VS 2005, Windows Mobile 5, Compact framework 2.0, vb.net open weblink?
Problem: Computer Found New Hardware, but My Computer does not see it.
Problem: ITE IDE On New Motherboard
Problem: Does new macbook / macbook pro support windows xp and vista 64 bit?
