KTN-IT (ASKER) asked:
Lotus Notes VPN problems started when Cisco PIX 506E replaced by ASA 5505

Our company has a site-to-site VPN with our mother company in Japan, primarily for connectivity with the Lotus Notes Domino server there.  The VPN is hosted by a Cisco PIX 515E in Japan, and we were using a Cisco PIX 506E here in the states.
However, about a month ago, I unplugged our PIX 506E to plug it into our new UPS unit, and I couldn't get it to boot back up.  So we purchased a new Cisco ASA 5505 to replace it.
I reloaded the old PIX ver. 6.3 config as best I could into the new ASA Version 7.2 (I obtained the pre-shared key info from Japan), and surprisingly enough, the VPN was re-established!  I can put Japan IP addresses into my Explorer address field and enter the access username and password and then browse files over there.
However, the problem is that our Lotus Notes connectivity is now limited.  Before when we were using our PIX 506E, Lotus Notes users here could connect to all databases, send and receive Lotus mail, and write to the database with no problems.  Now that we are VPN'ed through the ASA 5505 on our end, Lotus Notes users can connect to most - but not all - databases, and can read mail but not send it, and can read from but not write to any databases.
We are using Lotus Notes domino client version 4.6.5a here.  I don't know anything about what Lotus Notes server they are running in Japan.
KTN-IT (ASKER)

Here is our old PIX 506E config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Alohomora encrypted
passwd hocuspocus encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp any any eq pptp
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.1.4.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.1.4.0 255.255.255.0
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside aa.aaa.aa.145 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) aa.aaa.aa.149 192.168.2.10 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 aa.aaa.aa.150 1
route inside 192.168.0.0 255.255.255.0 192.168.2.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set p2policy esp-des esp-md5-hmac
crypto map kawasaki 1 ipsec-isakmp
crypto map kawasaki 1 match address 101
crypto map kawasaki 1 set peer jjj.jjj.jj.240
crypto map kawasaki 1 set transform-set p2policy
crypto map kawasaki interface outside
isakmp enable outside
isakmp key ******** address jjj.jjj.jj.240 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 50
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.100-192.168.2.150 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
KTN-IT (ASKER)

Here is the PIX 515E config in Japan:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 jnx security10
enable password abracadabra encrypted
passwd opensesame encrypted
hostname xx-fw
domain-name intra.xx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 80 permit icmp any any
access-list 80 permit ip any any
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit icmp any any
pager lines 24
logging on
logging trap debugging
logging host inside 192.1.1.251
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu jnx 1500
ip address outside pppoe setroute
ip address inside 192.1.1.253 255.255.255.0
ip address jnx xxx.xxx.xxx.238 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 yyy.yyy.yy.242
global (jnx) 1 xxx.xxx.xxx.241
nat (inside) 0 access-list 101
nat (inside) 1 192.1.1.0 255.255.255.0 0 0
nat (inside) 1 192.1.2.0 255.255.255.0 0 0
nat (inside) 1 192.1.3.0 255.255.255.0 0 0
nat (inside) 1 192.1.4.0 255.255.255.0 0 0
static (inside,outside) yyy.yyy.yy.243 192.1.1.251 netmask 255.255.255.255 0 0
static (inside,jnx) xxx.xxx.xxx.242 192.1.1.251 netmask 255.255.255.255 0 0
access-group 80 in interface inside
conduit permit icmp any any
conduit permit tcp host yyy.yyy.yy.243 eq telnet host bbb.bbb.bb.2
conduit permit tcp host xxx.xxx.xxx.242 eq telnet zzz.zzz.zzz.224 255.255.255.248
conduit permit ip 192.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
conduit permit ip 192.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
conduit permit ip 192.1.3.0 255.255.255.0 192.168.2.0 255.255.255.0
conduit permit ip 192.1.4.0 255.255.255.0 192.168.2.0 255.255.255.0
route jnx ccc.cc.248.0 255.255.255.0 xxx.xxx.xxx.233 1
route inside 192.1.2.0 255.255.255.0 192.1.1.254 1
route inside 192.1.3.0 255.255.255.0 192.1.1.254 1
route inside 192.1.4.0 255.255.255.0 192.1.1.254 1
route jnx eee.ee.eee.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx fff.ff.23.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ggg.ggg.20.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx hhh.hhh.119.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.130.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.131.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.132.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.133.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.134.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.135.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.136.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.137.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.140.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.141.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.142.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.143.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.144.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.145.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.146.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.147.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx xxx.xxx.xxx.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.149.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx zzz.zzz.zzz.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.151.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx iii.iii.110.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.216.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.217.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.218.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.219.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.220.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.221.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.222.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx kkk.kk.160.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx kkk.kk.164.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.224.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.225.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.226.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.228.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.229.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.230.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.231.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx lll.lll.97.0 255.255.255.0 xxx.xxx.xxx.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set test1 esp-des esp-md5-hmac
crypto map kawasaki 1 ipsec-isakmp
crypto map kawasaki 1 match address 101
crypto map kawasaki 1 set peer aa.aaa.aa.145
crypto map kawasaki 1 set transform-set test1
crypto map kawasaki interface outside
isakmp enable outside
isakmp key ******** address aa.aaa.aa.145 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group kawasaki request dialout pppoe
vpdn group kawasaki localname c086111116@xyz.com
vpdn group kawasaki ppp authentication pap
vpdn username c086111116@xyz.com password ********
terminal width 80
KTN-IT (ASKER)

Now here is my new Cisco ASA 5505 config, translated from the old PIX 506E:

ASA Version 7.2(2)
!
terminal width 60
hostname pixfirewall   <--I was trying to impersonate a PIX, but I don't think this matters...
domain-name ciscopix.com
enable password prettyplease encrypted
names
!
interface Vlan100
 nameif outside
 security-level 0
 ip address aa.aaa.aa.145 255.255.255.248
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 100
 switchport protected
!
interface Ethernet0/1
 switchport access vlan 200
 switchport protected
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd abcdefg encrypted
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name ciscopix.com
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.4.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.4.0 255.255.255.0
pager lines 20
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) aa.aaa.aa.149 192.168.2.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 aa.aaa.aa.150 1
route inside 192.168.0.0 255.255.255.0 192.168.2.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:10
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
crypto ipsec transform-set p2policy esp-des esp-md5-hmac
crypto map kawasaki 1 match address 101
crypto map kawasaki 1 set peer jjj.jjj.jj.240
crypto map kawasaki 1 set transform-set p2policy
crypto map kawasaki interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
tunnel-group jjj.jjj.jj.240 type ipsec-l2l
tunnel-group jjj.jjj.jj.240 ipsec-attributes
 pre-shared-key *
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 50
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
!
dhcpd address 192.168.2.100-192.168.2.150 inside
!

!
class-map inspect_default
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sip
  inspect http
  inspect ils
  inspect esmtp
 class class_sip_udp
  inspect sip
!
service-policy global_policy global
prompt hostname context
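Added example, not part of the thread: both peers point their crypto map at access-list 101, so each entry is a proxy identity the two sides must hold in mirrored form. This script parses the ACL 101 lines from the ASA 5505 and PIX 515E configs posted above (embedded as sample input) and lists any entry whose reverse is missing on the far side. It assumes PIX 6.x / ASA 7.x access-list syntax and nothing about the rest of either config.

```python
"""Cross-check two IPsec peers' crypto ACLs for mirror symmetry.
With 'crypto map ... match address 101' each ACE is a proxy identity both
peers must agree on; an entry with no reversed counterpart on the far side
can leave that traffic without a working SA although the tunnel is 'up'.
Input: raw 'access-list' lines as pasted from PIX 6.x or ASA 7.x configs."""
import re
Ace = tuple[str, str, str]  # (protocol, source, destination), single-spaced
# Network operand: 'any', 'host A.B.C.D' or 'NETWORK MASK'.
_NET = r"(?:any|host\s+\S+|\d[\d.]+\s+\d[\d.]+)"
# Accepts PIX 6.x 'permit ip A M B M' and ASA 7.x 'extended permit ...'.
_ACE_RE = re.compile(
    rf"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+(?P<proto>\S+)"
    rf"\s+(?P<src>{_NET})\s+(?P<dst>{_NET})\s*$"
)

def parse_crypto_acl(config: str, name: str) -> set[Ace]:
    """Collect the permit entries of access-list <name> from a config dump."""
    aces: set[Ace] = set()
    for line in config.splitlines():
        m = _ACE_RE.match(line.strip())
        if m and m.group("name") == name:
            proto, src, dst = (" ".join(m.group(g).split()) for g in ("proto", "src", "dst"))
            aces.add((proto, src, dst))
    return aces

def mirrored(ace: Ace) -> Ace:
    """The entry the far side must hold for this one: src and dst swapped."""
    proto, src, dst = ace
    return (proto, dst, src)

def unmirrored(local: set[Ace], remote: set[Ace]) -> tuple[set[Ace], set[Ace]]:
    """Entries on each side whose src/dst swap does not exist on the other."""
    return ({a for a in local if mirrored(a) not in remote},
            {a for a in remote if mirrored(a) not in local})

# Crypto ACL 101 from the ASA 5505 (US) config posted in this thread.
US_ASA = """access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.4.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.4.0 255.255.255.0"""
# Crypto ACL 101 from the PIX 515E (Japan) config posted in this thread.
JP_PIX = """access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit icmp any any"""
if __name__ == "__main__":
    us, jp = parse_crypto_acl(US_ASA, "101"), parse_crypto_acl(JP_PIX, "101")
    for side, aces in zip(("US", "Japan"), unmirrored(us, jp)):
        print(side, "entries without a mirror on the far side:", sorted(aces))
```

On the posted configs every subnet pair is mirrored; only the Japan-side `permit icmp any any` has no counterpart, which is worth knowing when reading SA counts but is unchanged from the PIX 506E days.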
SysExpert
You need to open up 1532 on both routers.

I hope this helps !
KTN-IT (ASKER)

Do you mean port 1352?  Lotus' port?
1. How would I do this?
2. Then why did Lotus connect previously across the PIX 506E - PIX 515E VPN?  (And it still connects right now using the ASA, just for read-only, it seems).

Thanks for your help.
ASKER CERTIFIED SOLUTION
SysExpert
This solution is only available to members.
KTN-IT (ASKER)

Here is the output of show conn (non-port 1352 lines removed):

# show conn
33 in use, 80 most used

TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2099 idle 0:02:27 bytes 1256 flags UIO

TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2085 idle 0:02:52 bytes 41084 flags UIO
TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2084 idle 0:04:06 bytes 40766 flags UIO
TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2083 idle 0:04:43 bytes 14450 flags UIO
TCP out xxx.1.1.10:1352 in xxx.yyy.2.30:2081 idle 0:06:04 bytes 41084 flags UIO

TCP out xxx.1.1.10:1352 in xxx.yyy.2.51:1534 idle 0:07:15 bytes 596288 flags UIO

TCP out xxx.1.1.10:1352 in xxx.yyy.2.31:1282 idle 0:04:45 bytes 692442 flags UIO

Please correct me if I'm wrong, but I believe this shows that I already have traffic across (at least out of) port 1352.
KTN-IT (ASKER)

One of the Japanese Lotus users in my company today gave me a breakdown of what currently can and can't be done in Lotus Notes right now:

He can access all databases except for one.  He can both read and send mail messages, however, he cannot send messages with files attached, nor can he open attachments in messages he has received.  He also cannot request renewal of his security certificate (this needs to be done annually? I'm not very Lotus-savvy).
SOLUTION
This solution is only available to members.
qwaletee

(Note: This is coming from a non-network guy, but I do have some experience working with network guys to resolve these issues.)
I agree that it could be an issue with the Local machine.

Is this affecting the entire Japan Office ?

Have you tried updating to a newer client ?

Can you check the MTU on the client machine ?

See dslreports.com for utilities and tools to test connectivity.

Is it possible that there is an issue between your router configs ?


I hope this helps !
KTN-IT (ASKER)

Thank you all for your comments.

This problem is affecting multiple client machines at our location (all in the same way), and is not affecting anyone Japan-side.  So I do not think it is a problem with the client machines.  I think it is something having to do with this new ASA I'm using, because that is when the problem started.

I'd love to think it may be a hardware problem, and this will just go away if I replace it (I put the ASA under the SmartNet agreement).

The MTU settings on the ASA (as you can see from the configs) are set the same as they were on the original PIX (which, when we were using, we had no Lotus Notes connectivity issues).

I believe the problem lies in some additional security measures put in place by default on the ASA that did not exist on the PIX.

I appreciate the insights about why packets may be fragmenting under certain conditions.  I will look into that.

Thanks all.  Solution still pending, but I'll keep looking into things to see if one of you has led me down the right path.
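Added illustration of the fragmentation point raised above, not from the thread: both configs use the transform-set esp-des esp-md5-hmac in tunnel mode with `mtu outside 1500`, so this computes the ESP encapsulation size, the largest inner packet that crosses without fragmenting, and the TCP MSS that keeps full-size segments under that limit. The cipher and auth tables extend it to the other PIX/ASA transform names; no NAT-T is assumed unless the flag is set.

```python
"""Size of an ESP tunnel-mode packet for the PIX/ASA transform-sets in this
thread, and the largest inner packet that still fits the outside MTU.
Fragmentation of large transfers inside a tunnel is a classic reason why
small reads succeed while big writes or attachments stall."""

OUTER_IP = 20    # outer IPv4 header added by tunnel mode
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)
UDP_NAT_T = 8    # UDP header when NAT traversal encapsulation is active

# transform name -> (cipher block size, IV length) in bytes
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8),
           "esp-aes": (16, 16), "esp-aes-192": (16, 16), "esp-aes-256": (16, 16)}
# transform name -> ICV length in bytes (HMAC-96 truncation used by ESP)
AUTHS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}

def esp_packet_size(inner_len: int, cipher: str, auth: str, nat_t: bool = False) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    block, iv = CIPHERS[cipher]
    # plaintext (inner packet + trailer) is padded up to a cipher block boundary
    padding = (-(inner_len + ESP_TRAILER)) % block
    return (OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HDR + iv
            + inner_len + padding + ESP_TRAILER + AUTHS[auth])

def max_inner_len(outer_mtu: int, cipher: str, auth: str, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulation does not exceed outer_mtu."""
    n = outer_mtu
    while esp_packet_size(n, cipher, auth, nat_t) > outer_mtu:
        n -= 1
    return n

def tcp_mss(outer_mtu: int, cipher: str, auth: str, nat_t: bool = False) -> int:
    """TCP MSS that keeps full-size segments unfragmented: inner MTU - IPv4 - TCP."""
    return max_inner_len(outer_mtu, cipher, auth, nat_t) - 40

if __name__ == "__main__":
    # Both peers in this thread: esp-des esp-md5-hmac, 'mtu outside 1500', no NAT-T.
    for cipher, auth in (("esp-des", "esp-md5-hmac"), ("esp-aes", "esp-sha-hmac")):
        inner = max_inner_len(1500, cipher, auth)
        print(f"{cipher} {auth}: max inner {inner} bytes "
              f"(wire {esp_packet_size(inner, cipher, auth)}), TCP MSS {tcp_mss(1500, cipher, auth)}")
```

Compare the result with any TCP MSS clamp the firewall applies and with what a Notes client actually sends; a payload above the inner limit either fragments at the tunnel or is dropped if DF is set and ICMP needed-fragmentation messages are filtered.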
KTN-IT (ASKER)

Here's something I found out today:

The ASA OS no longer uses the 'conduit' command.  Perhaps the conduit commands on the Japan-side config are causing some strange things to happen...

Like I said, you will need to find a networking guy, since this does not appear to be a Notes issue.

If you explicitly open the 1352 port, the problem may be resolved.

I hope this helps !
SOLUTION
This solution is only available to members.
Forced accept.

Computer101
EE Admin