?
Solved

cisco ASA 5505 - HELP !!!

Posted on 2010-01-07
26
Medium Priority
?
368 Views
Last Modified: 2012-05-08
I can not connect to i just run class-map inspection_default by error, how ca i remove it ?

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.242.107.242 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.239.134.83
 name-server 193.162.153.164
 domain-name default.domain.invalid
dns server-group OPENDNS
 name-server 208.67.222.222
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 800
access-list outside_access_in extended permit tcp any interface outside eq 366
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 5500
access-list outside_access_in extended permit tcp any interface outside eq 1200
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.100 eq ftp
access-list 100 extended permit tcp any host 192.168.1.100 eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.100 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 800 192.168.1.100 800 netmask 255.255.255.255
static (inside,outside) tcp interface 366 192.168.1.100 366 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 5500 192.168.1.100 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 1200 192.168.1.100 1200 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 4282 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.100 domain netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.100 ftp-data netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 193.242.107.1 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
class-map inspection_default
!
prompt hostname context
Cryptochecksum:8ef61b3523fae6ecaa5210e245119a87
: end


0
Comment
Question by:radut
  • 12
  • 12
  • +1
26 Comments
 
LVL 16

Expert Comment

by:btassure
ID: 26204329
go to console and type:
no class-map inspection_default
0
 

Author Comment

by:radut
ID: 26204383
I can still not connect to server.. :(
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204390
Did you save the config? Just reboot the ASA.
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 

Author Comment

by:radut
ID: 26204415
Whaw do i reboot the asa ? I have a Open RDP if i boot then that is gone. I have to be 100% shure that i can connect to the RDP after reboot


here is the new sh run

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.242.107.242 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.239.134.83
 name-server 193.162.153.164
 domain-name default.domain.invalid
dns server-group OPENDNS
 name-server 208.67.222.222
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 800
access-list outside_access_in extended permit tcp any interface outside eq 366
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 5500
access-list outside_access_in extended permit tcp any interface outside eq 1200
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.100 eq ftp
access-list 100 extended permit tcp any host 192.168.1.100 eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.100 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 800 192.168.1.100 800 netmask 255.255.255.255
static (inside,outside) tcp interface 366 192.168.1.100 366 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 5500 192.168.1.100 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 1200 192.168.1.100 1200 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 4282 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.100 domain netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.100 ftp-data netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 193.242.107.1 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:8ef61b3523fae6ecaa5210e245119a87
: end
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204440
If you have not saved the config a reboot will revert back to the startup config before you made changes.
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204454
You could also paste this in:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
!

But that may not account for what you previously had configured for your inspect rules.
0
 

Author Comment

by:radut
ID: 26204463
i do not know how to se what is what, the sh run return the current config og saved config.

Whow do i reboot ?

0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204473
You can do a "sh start" to see what's in there.

Actually, if you do a "sh start" and it has the old config, you can paste your inspect rules into the console from there.
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204477
To reboot, enter "reload". But before you do that, post the output of "sh start".
0
 

Author Comment

by:radut
ID: 26204504
I think that this is the current configuration.

In the GUI i can not se alle the rules i can se in the output by sh run.
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204519
If the output is right in "sh run" do a reload then. If it isn't, paste in the rules I posted above.
0
 

Author Comment

by:radut
ID: 26204520
Here is all ok ?


Result of the command: "sh start"

: Saved
: Written by enable_15 at 08:36:28.583 CEST Wed Nov 18 2009
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.242.107.242 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.239.134.83
 name-server 193.162.153.164
 domain-name default.domain.invalid
dns server-group OPENDNS
 name-server 208.67.222.222
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 800
access-list outside_access_in extended permit tcp any interface outside eq 366
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 5500
access-list outside_access_in extended permit tcp any interface outside eq 1200
access-list outside_access_in extended permit tcp any interface outside eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.100 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 800 192.168.1.100 800 netmask 255.255.255.255
static (inside,outside) tcp interface 366 192.168.1.100 366 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 5500 192.168.1.100 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 1200 192.168.1.100 1200 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 4282 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.100 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 193.242.107.1 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:8ef61b3523fae6ecaa5210e245119a87
0
 

Author Comment

by:radut
ID: 26204531
on the "old config " is security-level 0 on sh start is security-level 100 what is this ?
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204533
Says the config hasn't been written since November 18, so if your time is right, you should be able to reboot and revert back to the old config.
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204547
The security levels look the same on both to me. Reboot it.
0
 

Author Comment

by:radut
ID: 26204577
I can not reboot


Result of the command: "reload"

System config has been modified. Save? [Y]es/[N]o:  


Whau do i send no ?  i tried n .. and N



Result of the command: "N"

N
ERROR: % Incomplete command
0
 

Author Comment

by:radut
ID: 26204592
I think i done it ..  whau long will it take ?
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204593
You can't enter "n"?

0
 

Author Comment

by:radut
ID: 26204619
Now it is all working..

I made all this mess.. becouse i was woring on makeing Passive FTP to work, can you help ?

0
 
LVL 9

Accepted Solution

by:
Vito_Corleone earned 2000 total points
ID: 26204735
I can try. Post your current sh run.
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204745
Should that be in a new question?
0
 

Author Comment

by:radut
ID: 26204830
Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.242.107.242 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.239.134.83
 name-server 193.162.153.164
 domain-name default.domain.invalid
dns server-group OPENDNS
 name-server 208.67.222.222
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 800
access-list outside_access_in extended permit tcp any interface outside eq 366
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 5500
access-list outside_access_in extended permit tcp any interface outside eq 1200
access-list outside_access_in extended permit tcp any interface outside eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.100 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 800 192.168.1.100 800 netmask 255.255.255.255
static (inside,outside) tcp interface 366 192.168.1.100 366 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.100 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 5500 192.168.1.100 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 1200 192.168.1.100 1200 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 4282 netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.1.100 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 193.242.107.1 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:8ef61b3523fae6ecaa5210e245119a87
: end

0
 

Author Comment

by:radut
ID: 26204844
I will make a new question with the passive FTP can you help ?
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26204851
Yep, I'll jump into it as soon as you make it!
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26204865
what do you want?
0
 

Author Comment

by:radut
ID: 26204874
i just made it ..
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question