Eric Greene
asked on
Single host traffic only allowed through ASA--strange.
I have a strange problem. My ASA 5505 has a 10-user license. I have, at most, seven devices on this side (the remote side) that would be communicating across the L2L VPN I have established with our main building. When I do a show conn count I see 139 connections. That baffles me. I'm not a router jockey or Cisco IOS guy, so I'm struggling. Are some of those connections likely to be coming from the main building to here? Either way, here is the real problem.
There are two people who have computers in this office. The first one to establish an internet connection is the only one to be able to use it from that point forward. Once one of them shuts down, or logs off, then the other machine is able to get out to the internet or across the tunnel. Otherwise, it's one-at-a-time for the PCs. I have no idea what's happening. Can anyone help me out? There is definitely traffic going both ways.
Below is the output for sho ver.
Cisco Adaptive Security Appliance Software Version 9.1(6)
Device Manager Version 7.5(2)
Compiled on Fri 27-Feb-15 13:50 by builders
System image file is "disk0:/asa916-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 4 days 17 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2_05
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 0081.c45e.ff72, irq 11
1: Ext: Ethernet0/0 : address is 0081.c45e.ff6a, irq 255
2: Ext: Ethernet0/1 : address is 0081.c45e.ff6b, irq 255
3: Ext: Ethernet0/2 : address is 0081.c45e.ff6c, irq 255
4: Ext: Ethernet0/3 : address is 0081.c45e.ff6d, irq 255
5: Ext: Ethernet0/4 : address is 0081.c45e.ff6e, irq 255
6: Ext: Ethernet0/5 : address is 0081.c45e.ff6f, irq 255
7: Ext: Ethernet0/6 : address is 0081.c45e.ff70, irq 255
8: Ext: Ethernet0/7 : address is 0081.c45e.ff71, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: XXXXXXXXXXX
Running Permanent Activation Key: XXXXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX
Configuration register is 0x1
Configuration last modified by enable_15 at 13:19:47.259 UTC Fri Nov 25 2016
sho cryp ipsec sa
interface: outside
Crypto map tag: CRYPTOMAP, seq num: 10, local addr: 74.xxx.xxx.xxx
access-list LIBRARY extended permit ip 172.16.128.0 255.255.255.0 172.16.0.0 255.255.252.0
local ident (addr/mask/prot/port): (172.16.128.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.252.0/0/0)
current_peer: 12.xxx.xxx.xxx
#pkts encaps: 54866, #pkts encrypt: 54866, #pkts digest: 54866
#pkts decaps: 72740, #pkts decrypt: 72740, #pkts verify: 72740
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 54866, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 74.xxx.xxx.xxx/0, remote crypto endpt.: 12.xxx.xxx.xxx/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 902BD566
current inbound spi : 10E582CB
inbound esp sas:
spi: 0x10E582CB (283476683)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: CRYPTOMAP
sa timing: remaining key lifetime (kB/sec): (4353537/11312)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x902BD566 (2418791782)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: CRYPTOMAP
sa timing: remaining key lifetime (kB/sec): (4371809/11312)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
sho cryp ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 12.xxx.xxx.xxx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Here is the config:
: Saved
:
: Serial Number: XXXXXXX
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_15 at 07:02:06.570 UTC Wed Nov 30 2016
!
ASA Version 9.1(6)
!
hostname MYASA
enable password EUfKAz4sNC/DZq4. encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool RAPOOL 172.16.129.1-172.16.129.10 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.128.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 74.xxx.xxx.xxx 255.255.255.252
!
ftp mode passive
object network INSIDENET
subnet 172.16.128.0 255.255.255.0
object network REMOTENET
subnet 172.16.128.0 255.255.255.0
object network MAINNET
subnet 172.16.0.0 255.255.252.0
access-list MAIN extended permit ip object REMOTENET object MAINNET
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static REMOTENET REMOTENET destination static MAINNET MAINNET no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic INSIDENET interface
route outside 0.0.0.0 0.0.0.0 74.xxx.xxx.yyy 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TRANSFORMSET esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 65535 set ikev1 transform-set TRANSFORMSET
crypto dynamic-map dynmap 65535 set reverse-route
crypto map CRYPTOMAP 10 match address MAIN
crypto map CRYPTOMAP 10 set peer 12.xxx.xxx.xxx
crypto map CRYPTOMAP 10 set ikev1 transform-set TRANSFORMSET
crypto map CRYPTOMAP 10 set reverse-route
crypto map CRYPTOMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYPTOMAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6exxxxxxxxxxxxxxxxxxxxxxd491
<MASKED KEY>
quit
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.128.0 255.255.255.0 inside
ssh 172.16.0.0 255.255.252.0 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 172.16.3.254 172.16.3.241
dhcpd domain mydomain.lan
!
dhcpd address 172.16.128.33-172.16.128.64 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username anotheradmin password xxxxxxxxxxxxxx encrypted
username adminuser password xxxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group 12.xxx.xxx.xxx type ipsec-l2l
tunnel-group 12.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key 3f1Ix@pqzl
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
These 2 PCs don't have the same IP address, do they?
ASKER
Pete,
Thank you again! I had somewhere around 136 listed, but I don't have NEAR that many devices on that end of the tunnel. Is it counting connections coming across the tunnel from the other side? If so, I'm upgrading to unlimited.
When someone can't get on, issue a 'show conn' command and see how many connections you have (not how many people); count the source IPs.
P
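Pete's advice is to count distinct source IPs rather than raw connections. The following Python helper is an added example, not something posted in the thread, that does that over constructed 'show conn' lines; the 172.16.128.0/24 inside subnet and the "Inside Hosts : 10" limit come from the asker's config and show version output, and the sample lines are made up to mimic the ASA 9.x format.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the asker's config and "show version" output above.
INSIDE_NET = ipaddress.ip_network("172.16.128.0/24")  # interface Vlan1 "inside"
INSIDE_HOST_LICENSE = 10                               # "Inside Hosts : 10 perpetual"

# One "show conn" entry: proto ifc addr[:port] ifc addr[:port], idle ..., bytes ..., flags ...
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<if1>\S+)\s+(?P<a1>[\d.]+)(?::\d+)?\s+"
    r"(?P<if2>\S+)\s+(?P<a2>[\d.]+)(?::\d+)?"
)

# Constructed sample (not captured from the asker's box): internet traffic, traffic
# across the tunnel, and one connection opened from the main building towards here.
SAMPLE_SHOW_CONN = """\
139 in use, 212 most used
TCP outside 203.0.113.10:443 inside 172.16.128.35:51020, idle 0:00:05, bytes 8120, flags UIO
TCP outside 203.0.113.10:443 inside 172.16.128.35:51021, idle 0:00:01, bytes 2210, flags UIO
UDP outside 172.16.3.254:53 inside 172.16.128.35:60011, idle 0:00:09, bytes 140, flags -
TCP outside 172.16.3.254:445 inside 172.16.128.36:49812, idle 0:01:12, bytes 90431, flags UIO
TCP outside 172.16.2.10:52110 inside 172.16.128.40:445, idle 0:00:30, bytes 1200, flags UIOB
ICMP outside 172.16.2.10:0 inside 172.16.128.40:1, idle 0:00:01, bytes 56
"""

def inside_hosts(show_conn_text):
    """Map each inside-interface IP to the number of connections it owns."""
    hosts = Counter()
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skips the "N in use, M most used" summary line
        # The inside host may sit on either side, depending on which end opened it.
        for ifc, addr in ((m["if1"], m["a1"]), (m["if2"], m["a2"])):
            if ifc == "inside" and ipaddress.ip_address(addr) in INSIDE_NET:
                hosts[addr] += 1
    return hosts

def license_report(show_conn_text, limit=INSIDE_HOST_LICENSE):
    """Distinct inside hosts (the figure the Inside Hosts license is about) vs. connections."""
    hosts = inside_hosts(show_conn_text)
    return {
        "connections": sum(hosts.values()),
        "hosts": len(hosts),
        "over_limit": len(hosts) > limit,
    }

if __name__ == "__main__":
    print(license_report(SAMPLE_SHOW_CONN))  # 6 connections but only 3 licensed hosts
```

Paste real 'show conn' output in place of the sample to see whether the inside host count, not the connection count, is what approaches the limit of 10.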