Solved

Upgraded ASA image breaks FTP for Verizon wireless

Posted on 2013-01-08
438 Views
Last Modified: 2013-01-22
Upgraded the ASA version from 7.1.2 to 8.0.2 on an ASA 5510; now clients using Verizon wireless can connect but will not pass traffic. The clients are using a Pantech UML290 USB modem with a Cradlepoint router.
Prior to the ASA upgrade there was no problem.
Question by:holcom86
4 Comments
 
LVL 5

Expert Comment

by:Leeeee
ID: 38755341
Can you post your config? Please sanitize any sensitive information.

Author Comment

by:holcom86
ID: 38755599
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.248
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 140.140.0.106 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service 4500 udp
 port-object range 4500 4500
object-group service 500 udp
 port-object range isakmp isakmp
access-list csc-acl remark Exclude CSC module traffic from being scanned
access-list csc-acl extended deny ip host 140.140.1.2 any
access-list csc-acl remark Scan Web & Mail traffic
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended deny tcp any any eq https
access-list csc-acl-ftp extended permit tcp any any eq ftp
access-list LAN_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 140.140.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 140.140.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 140.140.0.0 255.255.0.0 192.168.34.0 255.255.255.0
access-list Local_Lan_access standard permit host 0.0.0.0
access-list Local_behind_ASA standard permit 140.140.0.0 255.255.0.0
access-list VPN2_splitTunnelAcl standard permit 140.140.0.0 255.255.0.0
access-list VPN_splitTunnelAcl standard permit 140.140.0.0 255.255.0.0
access-list Outside_cryptomap_20_5 extended permit ip 140.140.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list acl_in extended permit ip any host XXX.XXX.XXX.XXX
access-list Outside_cryptomap_40_1 extended permit ip 140.140.0.0 255.255.0.0 192.168.34.0 255.255.255.0
pager lines 24
logging enable
logging list vpnlogins level notifications class vpn
logging buffered emergencies
logging asdm informational
logging mail vpnlogins
logging recipient-address ADMIN@MAIL.com level errors
mtu Outside 1500
mtu LAN 1500
mtu management 1500
ip local pool vpn2 192.168.100.50-192.168.100.60 mask 255.255.255.0
ip local pool vpn 192.168.100.1-192.168.100.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 10 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 192.0.2.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface LAN
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map LAN_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_cryptomap_20_5
crypto map Outside_map 20 set peer XXX.XXX.XXX.XXX
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 40 match address Outside_cryptomap_40_1
crypto map Outside_map 40 set peer XXX.XXX.XXX.XXX
crypto map Outside_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map LAN_map interface LAN
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 3600
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
telnet 140.140.0.0 255.255.0.0 LAN
telnet 192.168.1.0 255.255.255.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
class-map csc-class
 match access-list csc-acl
class-map csc-ftp-class
 match access-list csc-acl-ftp
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
 class csc-ftp-class
  csc fail-open
policy-map csc-in
 class csc-class
  csc fail-open
policy-map map
!
service-policy global_policy global
service-policy csc-in interface Outside
group-policy DfltGrpPolicy attributes
 wins-server value 140.140.0.30
 dns-server value 140.140.0.30
 vpn-simultaneous-logins 30
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 split-dns value domainname.com
 user-authentication-idle-timeout none
 webvpn
  svc dpd-interval client none
  svc dpd-interval gateway none
group-policy VPN2 internal
group-policy VPN2 attributes
 dns-server value 140.140.0.30 140.140.0.30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN2_splitTunnelAcl
group-policy VPN-1 internal
group-policy VPN-1 attributes
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
group-policy VPN internal
group-policy VPN attributes
 wins-server value 140.140.0.30
 dns-server value 140.140.0.30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 split-dns value domainname.com
username USERJ password 0QqiE0yYPs9Sy3pt encrypted
username USERJ attributes
 vpn-framed-ip-address 192.168.100.20 255.255.255.0
username vendor password mGV5uRtaT8C/2vdA encrypted
username vendor attributes
 vpn-group-policy DfltGrpPolicy
 vpn-framed-ip-address 192.168.100.25 255.255.255.0
username USERG password qpe7PG23jd1Nd8Xa encrypted
username USERG attributes
 vpn-group-policy DfltGrpPolicy
 vpn-framed-ip-address 192.168.100.21 255.255.255.0
username location13 password MetL/YTmEZB0zkCb encrypted
username location13 attributes
 vpn-framed-ip-address 192.168.100.13 255.255.255.0
username location12 password MetL/YTmEZB0zkCb encrypted
username location12 attributes
 vpn-framed-ip-address 192.168.100.14 255.255.255.0
username location32 password MetL/YTmEZB0zkCb encrypted
username location11 password MetL/YTmEZB0zkCb encrypted
username location11 attributes
 vpn-framed-ip-address 192.168.100.9 255.255.255.0
username location1 password MetL/YTmEZB0zkCb encrypted
username location1 attributes
 vpn-framed-ip-address 192.168.100.1 255.255.255.0
username location30 password MetL/YTmEZB0zkCb encrypted
username location30 attributes
 vpn-framed-ip-address 192.168.100.15 255.255.255.0
username location10 password MetL/YTmEZB0zkCb encrypted
username location10 attributes
 vpn-framed-ip-address 192.168.100.3 255.255.255.0
username location27 password MetL/YTmEZB0zkCb encrypted
username location27 attributes
 vpn-framed-ip-address 192.168.100.2 255.255.255.0
username location16 password Bjc.vk0rgpqMbxth encrypted
username location16 attributes
 vpn-framed-ip-address 192.168.100.7 255.255.255.0
username location26 password MetL/YTmEZB0zkCb encrypted
username location26 attributes
 vpn-framed-ip-address 192.168.100.8 255.255.255.0
username location15 password MetL/YTmEZB0zkCb encrypted
username location15 attributes
 vpn-framed-ip-address 192.168.100.11 255.255.255.0
username location25 password MetL/YTmEZB0zkCb encrypted
username location25 attributes
 vpn-framed-ip-address 192.168.100.6 255.255.255.0
username location5 password MetL/YTmEZB0zkCb encrypted
username location24 password MetL/YTmEZB0zkCb encrypted
username location24 attributes
 vpn-framed-ip-address 192.168.100.5 255.255.255.0
username location4 password MetL/YTmEZB0zkCb encrypted
username location29 password MetL/YTmEZB0zkCb encrypted
username location29 attributes
 vpn-framed-ip-address 192.168.100.10 255.255.255.0
username location9 password MetL/YTmEZB0zkCb encrypted
username location18 password MetL/YTmEZB0zkCb encrypted
username location18 attributes
 vpn-framed-ip-address 192.168.100.4 255.255.255.0
username location28 password MetL/YTmEZB0zkCb encrypted
username location28 attributes
 vpn-framed-ip-address 192.168.100.12 255.255.255.0
username USERMN password RPllg519ay1mJLPI encrypted
username USERMN attributes
 vpn-framed-ip-address 192.168.100.24 255.255.255.0
username USERMW password wFtXFcvlsGxOP3tj encrypted
username USERMW attributes
 vpn-group-policy DfltGrpPolicy
 vpn-framed-ip-address 192.168.100.26 255.255.255.0
username cmstest password MCgX1kLXyNqDf7dR encrypted
username cmstest attributes
 vpn-framed-ip-address 192.168.100.22 255.255.255.0
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool vpn
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
tunnel-group VPN2 type remote-access
tunnel-group VPN2 general-attributes
 address-pool vpn
 default-group-policy VPN2
tunnel-group VPN2 ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:9cdfca94c5bce04bb865923e760632e8
: end
asdm image disk0:/asdm-711.bin
asdm location 140.140.0.30 255.255.255.255 LAN
no asdm history enable

Accepted Solution

by:
holcom86 earned 0 total points
ID: 38787873
Resolved the issue. In the new version there is a setting in the IKE parameters, "enable IPsec over NAT-T", which upon upgrade was set to the default of no. It should be set to allow.

Thanks
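The accepted answer points at the `no crypto isakmp nat-traversal` line in the posted config: with NAT-T off, remote-access clients behind a NAT (the carrier NAT in front of the Cradlepoint here) finish IKE but their ESP never gets through, which matches "can connect but will not pass traffic". The script below is an added example, not code from the thread: it audits an ASA 8.0-style config excerpt (constructed from the posted one, with a documentation peer address) for that regression and prints the CLI equivalent of the ASDM fix, `crypto isakmp nat-traversal 20`; the function names are my own.

```python
"""Audit an ASA 8.0-style running-config for the NAT-T regression
described in this thread. Added example, not from the original post;
the config excerpt is constructed from the posted config and the
function names are my own."""
import re

# Constructed excerpt of the author's config (peer IP is a documentation address).
SAMPLE_CONFIG = """\
ASA Version 8.0(2)
crypto isakmp enable Outside
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
tunnel-group VPN type remote-access
tunnel-group VPN2 type remote-access
tunnel-group 203.0.113.5 type ipsec-l2l
"""

def nat_traversal_enabled(config):
    """True/False for an explicit NAT-T line, None if the config says nothing."""
    for line in config.splitlines():
        if line.startswith("no crypto isakmp nat-traversal"):
            return False
        if line.startswith("crypto isakmp nat-traversal"):
            return True
    return None

def remote_access_groups(config):
    """Names of tunnel-groups that terminate remote-access (client) VPNs."""
    pat = re.compile(r"^tunnel-group (\S+) type remote-access$")
    return [m.group(1) for m in map(pat.match, config.splitlines()) if m]

def audit(config):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    nat_t = nat_traversal_enabled(config)
    groups = remote_access_groups(config)
    if nat_t is not True and groups:
        state = "disabled" if nat_t is False else "not set"
        # ASA CLI form: 'crypto isakmp nat-traversal <keepalive-seconds>', 20 is the usual value.
        findings.append(
            f"NAT-T {state} with remote-access tunnel-groups {groups}: clients "
            "behind NAT (carrier NAT, Cradlepoint) complete IKE but ESP is dropped. "
            "Fix: 'crypto isakmp nat-traversal 20'.")
    if "crypto isakmp ipsec-over-tcp" in config and nat_t is not True:
        findings.append(
            "IPsec-over-TCP is enabled but only helps clients configured for it; "
            "it is not a substitute for NAT-T on UDP/4500.")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```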

Author Closing Comment

by:holcom86
ID: 38804782
Resolved issue.