balinton
Cisco ASA Internal routing issues
Hello,
I am having some issues with routing, I think. Everything seems to be working fine and then all of a sudden my connection drops and I can't hit the internet. After a while the connection reconnects and I am back online. After looking on the ASA I see the below message. I have the ASA handing out two DNS servers, my internal server 192.168.1.5 and itself 192.168.1.1. Please let me know if anything looks wrong or where to look.
Make sure that a DNS server is configured and reachable by the adaptive security appliance. If the problem persists, contact the Cisco TAC.
Thanks,
Brandon
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq www
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any
pager lines 24
logging enable
logging trap errors
logging asdm informational
logging host inside 192.168.1.5 format emblem
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
ip local pool SSL_Pool 172.16.253.1-172.16.253.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) 192.168.1.5 176.0.0.0 netmask 255.255.255.255
static (inside,inside) 192.168.1.5 176.0.0.0 netmask 255.255.255.255
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsIAS protocol radius
aaa-server WindowsIAS (inside) host 192.168.1.8
key *****
radius-common-pw *****
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 176.0.0.0 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.1 192.168.1.5
dhcpd domain INKBAL.COM
dhcpd auto_config outside
dhcpd update dns both override
!
dhcpd address 192.168.1.6-192.168.1.35 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 8443
enable outside
dtls port 8443
csd image disk0:/securedesktop_asa_3_2_1_103.pkg.zip
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
vpn-tunnel-protocol svc webvpn
webvpn
svc ask enable
group-policy SSL-Users internal
group-policy SSL-Users attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list value Webmail
svc ask enable
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
dns-server value 192.168.1.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
split-dns value DOMAIN.COM
username test password xxxxxxxxxxxxxxxxx encrypted privilege 0
username test attributes
vpn-group-policy SSL_Policy
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool SSL_Pool
default-group-policy SSL-Users
tunnel-group SSLVPN webvpn-attributes
group-alias Anyconnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3049b4c5d535ebe072c0feb6f6481ce3
: end
ASKER
Hmmm... Didn't think about that as an issue. Thought that for redundancy I could use the ASA in case my DNS server went down. Guess I need to stand up a second DNS server.
If you don't have a secondary internal DNS server you can do one of the following:
1. Just use the primary internal DNS server.
2. Set up a secondary internal DNS server and use that as the secondary DNS server.
3. Use an external public DNS server as the secondary DNS server, such as 4.2.2.2.
Also, when you lose connectivity, have you confirmed that the ASA is still accessible? Can you ping the upstream IP from the ASA? Can you log into the DSL modem at the time the event happens and confirm that the DSL is still connected?
ASKER
OK, so I have been traveling and have not had a chance to get back to this thread... I made the changes and am using an external DNS server, and internet browsing seems to be better, but connections still drop and it seems to be coming from the ASA. My modem has a perfect connection and does not drop on its own. I thought it could have been the DHCP lease time because it was so short, but that didn't do it either. Does anyone have any suggestions? This is killing me. Latest running config is below.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq www
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any
pager lines 24
logging enable
logging trap errors
logging asdm informational
logging host inside 192.168.1.5 format emblem
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
ip local pool SSL_Pool 172.16.253.1-172.16.253.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
static (inside,inside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsIAS protocol radius
aaa-server WindowsIAS (inside) host 192.168.1.8
key *****
radius-common-pw *****
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.5 64.129.67.101
dhcpd lease 604800
dhcpd domain DOMAIN.COM
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.1.6-192.168.1.35 inside
dhcpd dns 192.168.1.5 64.129.67.101 interface inside
dhcpd lease 604800 interface inside
dhcpd domain DOMAIN.COM interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 8443
enable outside
dtls port 8443
csd image disk0:/securedesktop_asa_3_2_1_103.pkg.zip
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
vpn-tunnel-protocol svc webvpn
webvpn
svc ask enable
group-policy SSL-Users internal
group-policy SSL-Users attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list value Webmail
svc ask enable
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
dns-server value 192.168.1.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
split-dns value INKBAL.COM
username user password xxxxxxxxxxxxx encrypted privilege 0
username user attributes
vpn-group-policy SSL_Policy
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool SSL_Pool
default-group-policy SSL-Users
tunnel-group SSLVPN webvpn-attributes
group-alias Anyconnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:adfs;ldkfjas;dlkfasdfasdfS
: end
You need to remove these lines....
static (inside,outside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
static (inside,inside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
Probably not part of the problem, but you can also remove these entries:
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
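The three things this thread ends up fixing (the ASA handing out its own inside address as a DNS server, the one-to-one static NAT lines whose mapped address is 0.0.0.0 or whose source and destination interface are the same, and per-interface dhcpd lines that only repeat the global ones) are all visible in a pasted "show running-config". The script below is an added example, not anything posted in the thread or part of the ASA software: it parses a constructed excerpt of the config above, reports those lines with the reason, prints the matching "no ..." removal commands (standard ASA/IOS convention: re-enter a config line prefixed with "no" in configure terminal mode), and checks whether any statically addressed host sits inside a dhcpd pool, which is the one real source of an address conflict a DHCP-serving firewall can cause. The duplicate-dhcpd check is a generalisation of the answer's last point: it flags any per-interface dhcpd line that has an identical global twin, not just the two named here. Function names and the sample config text are assumptions of this example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the thread's ASA 8.2(2) running-config: the inside interface,
# the static NAT lines the answer says to remove, and the per-interface dhcpd duplicates.
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
static (inside,outside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
static (inside,inside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
dhcpd dns 192.168.1.1 192.168.1.5
dhcpd address 192.168.1.6-192.168.1.35 inside
dhcpd auto_config outside
dhcpd update dns both
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd enable inside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One-to-one static NAT: "static (real_if,mapped_if) real_ip mapped_ip netmask ..."
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (" + IPV4 + r") (" + IPV4 + r") netmask")
POOL_RE = re.compile(r"^dhcpd address (" + IPV4 + r")-(" + IPV4 + r") (\w+)")


def config_lines(config_text: str) -> List[str]:
    """Split a pasted running-config into trimmed, non-empty lines, dropping ':' and '!' separators."""
    stripped = (l.strip() for l in config_text.splitlines())
    return [l for l in stripped if l and not l.startswith((":", "!"))]


def interface_ips(config_text: str) -> Dict[str, str]:
    """Map each nameif to its statically configured IPv4 address (DHCP-addressed interfaces are skipped)."""
    ips: Dict[str, str] = {}
    current = None
    for line in config_lines(config_text):
        if line.startswith("interface "):
            current = None                      # new interface block, nameif not yet seen
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            m = re.match(r"ip address (" + IPV4 + ") ", line)
            if m:
                ips[current] = m.group(1)
    return ips


def find_issues(config_text: str) -> List[Tuple[str, str]]:
    """Return (config line, reason) pairs for the problems discussed in the thread."""
    lines = config_lines(config_text)
    own_ips = set(interface_ips(config_text).values())
    issues: List[Tuple[str, str]] = []
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, _real_ip, mapped_ip = m.groups()
            if mapped_ip == "0.0.0.0":
                issues.append((line, "one-to-one static NAT to 0.0.0.0: the ASA will proxy-ARP and NAT the host to a meaningless address"))
            elif real_if == mapped_if:
                issues.append((line, "static NAT between the same interface: no useful effect, only stale proxy-ARP for the host"))
            continue
        if line.startswith("dhcpd dns "):
            handed_out = set(line.split()[2:]) & own_ips
            if handed_out:
                issues.append((line, f"ASA interface address {sorted(handed_out)} handed out as a DNS server; hand out the internal DNS server only"))
        # Generalisation of the answer's last point: a per-interface dhcpd line that
        # merely repeats the global setting is redundant and can be removed.
        if line.startswith("dhcpd ") and " interface " in line:
            global_twin = line.split(" interface ")[0]
            if global_twin in lines:
                issues.append((line, f"duplicates the global setting '{global_twin}'"))
    return issues


def removal_commands(issues: List[Tuple[str, str]]) -> List[str]:
    """ASA/IOS convention: a config line is removed by re-entering it prefixed with 'no'."""
    return ["no " + line for line, _ in issues]


def pool_overlaps(config_text: str, static_hosts: List[str]) -> List[str]:
    """Statically addressed hosts that fall inside a dhcpd address pool (a genuine conflict source)."""
    pools = []
    for line in config_lines(config_text):
        m = POOL_RE.match(line)
        if m:
            pools.append((ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))))
    return [h for h in static_hosts if any(lo <= ipaddress.IPv4Address(h) <= hi for lo, hi in pools)]


if __name__ == "__main__":
    issues = find_issues(SAMPLE_CONFIG)
    for line, reason in issues:
        print(f"{line}\n    -> {reason}")
    print("\nCLI to remove them (enter in 'configure terminal' mode):")
    print("\n".join(removal_commands(issues)))
    print("\nStatic hosts inside the DHCP pool:", pool_overlaps(SAMPLE_CONFIG, ["192.168.1.5"]))
```

Run against the constructed excerpt it reports five lines: the two static NAT entries, the dhcpd dns line that includes 192.168.1.1, and the two per-interface dhcpd duplicates, while the port-forwarding static lines (which carry "tcp interface" rather than a mapped address) are left alone. The pool check returns nothing for 192.168.1.5 because the pool starts at .6, which matches the later observation in the thread that the config itself does not explain the server's address conflict.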
ASKER
Thanks irmoore, how would I remove these entries using the CLI? I hate the GUI, it's more confusing than anything...
Also what do these lines do?
0.0.0.0 = My outside interface
static (inside,outside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
static (inside,inside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
ASKER
Thank you irmoore, I just added that change and the below is the latest running config. Also, not sure if these changes will fix this or not, but I have the ASA handing out DHCP and my server has a static IP of 192.168.1.5. When I reboot the server it gets an IP conflict, but this address is outside of the pool so no one should get this address. Do you see anything that could cause that?
Again thank you for your genius...
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq www
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any
pager lines 24
logging enable
logging trap errors
logging asdm informational
logging host inside 192.168.1.5 format emblem
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
ip local pool SSL_Pool 172.16.253.1-172.16.253.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsIAS protocol radius
aaa-server WindowsIAS (inside) host 192.168.1.8
key *****
radius-common-pw *****
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http x.x.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.5 64.129.67.101
dhcpd lease 604800
dhcpd domain DOMAIN.COM
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.1.6-192.168.1.35 inside
dhcpd dns 192.168.1.5 64.129.67.101 interface inside
dhcpd lease 604800 interface inside
dhcpd domain DOMAIN.COM interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
port 8443
enable outside
dtls port 8443
csd image disk0:/securedesktop_asa_3_2_1_103.pkg.zip
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
vpn-tunnel-protocol svc webvpn
webvpn
svc ask enable
group-policy SSL-Users internal
group-policy SSL-Users attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list value Webmail
svc ask enable
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
dns-server value 192.168.1.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
split-dns value DOMAIN.COM
username user password XXXXXXXXXX encrypted privilege 0
username user attributes
vpn-group-policy SSL_Policy
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool SSL_Pool
default-group-policy SSL-Users
tunnel-group SSLVPN webvpn-attributes
group-alias Anyconnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0c11ecf9f3439928481e4b3adcb25da5
: end
This looks much better.
I don't see anything that would cause an IP address conflict with the server.
Clear the ARP cache on the ASA. It will proxy-ARP for the .5 address because of the static NATs that you had.
asa# clear arp
ASKER
Thank you irmoore, I will mark this complete and monitor to see if this continues to happen, and will open a new question if needed.
Thanks,
Brandon
Do NOT hand out the ASA itself as a DNS server. It should be your internal DNS server only.