Marco Lisi
asked on
Cisco ASA 5506-X Setup with Static IP (outside)
Hi,
Hope somebody could help us with this issue..
We recently purchased a 5506-X firewall to add to our existing network. We work in a shared office environment and the IT department provided us with a Static IP for (outside) configuration of the firewall. In order to have access to the internet in our network environment we must authorize devices by MAC address. I have tested the outside IP on my laptop and was able to connect to the internet from the uplink provided to me.
We have followed all the steps necessary to set up the 5506-X firewall but cannot seem to get internet access. Also, we have allowed the MAC address of each interface on the 5506-X to have access to the network.
Maybe we missed something and someone could help guide us in the right direction. We followed the instructions here but still no luck.
Below is the show configuration log...
Saved
:
: Serial Number: JAD22310EK4
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 18:30:29.659 UTC Tue Jun 11 2019
!
ASA Version 9.8(2)
!
hostname AI-Firewall
enable password $sha512$5000$oN0ERX19wEcf1sA20aNprA==$h4DD3XDf1aAxawHyqyjPYQ== pbkdf2
names
ip local pool AI-Pool 10.222.222.100-10.222.222.120 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 67.71.213.166 255.255.255.252
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
nameif AI-LAN
security-level 100
ip address 10.222.222.253 255.255.255.0
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.222.222.96_27
subnet 10.222.222.96 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside_1 1500
mtu AI-LAN 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server local protocol radius
aaa-server local (AI-LAN) host 10.222.222.254
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d30930699ff
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 67.71.213.129 67.71.213.130
dhcpd auto_config outside
!
dhcpd address 10.222.222.50-10.222.222.99 AI-LAN
dhcpd dns 67.71.213.129 67.71.213.130 interface AI-LAN
dhcpd auto_config outside interface AI-LAN
dhcpd enable AI-LAN
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_AI-VPN internal
group-policy GroupPolicy_AI-VPN attributes
wins-server none
dns-server value 67.71.213.129 67.71.213.130
default-domain value automotiveintelligence.ca
dynamic-access-policy-record DfltAccessPolicy
username Richard password $sha512$5000$6+WopOeqRaAWlf88HCUCTA==$3permKSaLBhz8MJpnRhhag== pbkdf2 privilege 15
username Marco password $sha512$5000$EZkJNn2tN9pW6OQzO6pJxA==$xCPyJtFRi5juHuTpT9RRgQ== pbkdf2 privilege 15
username Andrei password $sha512$5000$OE+tkbdiUp3HC9b+ILpckg==$MCFnz0q2W4ajO9TeM3vJIw== pbkdf2 privilege 15
tunnel-group AI-VPN type remote-access
tunnel-group AI-VPN general-attributes
address-pool AI-Pool
default-group-policy GroupPolicy_AI-VPN
tunnel-group AI-VPN webvpn-attributes
group-alias AI-VPN enable
tunnel-group AI-VPN ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous
Cryptochecksum:0bf5cd32a715716e44ed4d3595f428ba
I'm not a whiz at using the CLI, but it appears that you've not set up the Gateway address. That's a very easy thing to overlook.
Hi,
you have forgotten the static route for the WAN default gateway
Should be something like Route 0.0.0.0 0.0.0.0 67.71.213.1
Like it or not, if you are going to use any Cisco gear you need to be familiar with troubleshooting commands and understand the command console; otherwise, you'd get lost in the mist.
Add the static route and you should be good to go.
The command should be
route outside 0.0.0.0 0.0.0.0 67.71.213.1 1
On an ASA you need to specify the interface name.
A word of advice though, I'd remove that horrible BVI interface setup that comes default on the 5506-X, I've worked on ASA/PIX for 20 years and I struggle with it!
To change it to work like a 'proper' Cisco ASA see the following link;
Remove Cisco ASA 5506-X: Bridged BVI Interface
ASKER
Hi.
Thank you for your suggestions.
Unfortunately, after adding this route, there is still no internet access.
Maybe I am missing something else....?
Have you checked if all your interfaces are Up/UP?
ASKER
Yes, they are.
I wonder if the network itself that I am connected to is blocking my access to internet.
But I registered the MAC addresses of my interfaces so there should be no problem there.
From the screenshot attached, we can see that there is no outside traffic.
image_2019_06_12T13_36_57_736Z.png
Are you sure you have the right IP address and static route? cause I made up the last number.
ASKER
The last number I put the gateway provided to me, 67.71.213.165
When I connected with the same setting with my laptop directly, there was traffic, but not through firewall.
From your firewall can you ping 67.71.213.165?
ASKER
No, Success rate is 0
ASKER
These are the settings provided to me:
Vlan ID: 85
Public IPs: 67.71.213.166
Local Network: 67.71.213.164/30
Netmask: 255.255.255.252
Gateway IP: 67.71.213.165
DNS1: 67.71.213.129
DNS2: 67.71.213.130
Your hardware device does not support L2 meaning it does not support VLANS but instead L3.
Here are some tips for you to check.
1- Make sure the cable from the modem to the ASA is connected to your WAN-specific port.
2- If you cannot reach your IP address from your ISP provider that means you don't have connectivity.
3- Are you using an ISP or sharing IP?
ASKER
1. Yes
3. I am not sure, I think it is from ISP but I am not sure.
Send me your configuration once more to review it.
ASKER
Result of the command: "show configuration"
: Saved
:
: Serial Number: JAD22310EK4
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 13:46:13.218 UTC Wed Jun 12 2019
!
ASA Version 9.8(2)
!
hostname AI-Firewall
enable password $sha512$5000$oN0ERX19wEcf1sA20aNprA==$h4DD3XDf1aAxawHyqyjPYQ== pbkdf2
names
ip local pool AI-Pool 10.222.222.100-10.222.222.120 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 67.71.213.166 255.255.255.252
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
nameif AI-LAN
security-level 100
ip address 10.222.222.253 255.255.255.0
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.222.222.96_27
subnet 10.222.222.96 255.255.255.224
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside_1 1500
mtu AI-LAN 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (AI-LAN,outside) source static any any destination static NETWORK_OBJ_10.222.222.96_27 NETWORK_OBJ_10.222.222.96_27 no-proxy-arp route-lookup
!
object network obj_any
nat (inside_1,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.71.213.165 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server local protocol radius
aaa-server local (AI-LAN) host 10.222.222.254
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d30930699ff
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 67.71.213.129 67.71.213.130
dhcpd auto_config outside
!
dhcpd address 10.222.222.50-10.222.222.99 AI-LAN
dhcpd auto_config outside interface AI-LAN
dhcpd enable AI-LAN
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_AI-VPN internal
group-policy GroupPolicy_AI-VPN attributes
wins-server none
dns-server value 67.71.213.129 67.71.213.130
default-domain value automotiveintelligence.ca
dynamic-access-policy-record DfltAccessPolicy
username Richard password $sha512$5000$6+WopOeqRaAWl f88HCUCTA= =$3permKSa LBhz8MJpnR hhag== pbkdf2 privilege 15
username Marco password $sha512$5000$EZkJNn2tN9pW6 OQzO6pJxA= =$xCPyJtFR i5juHuTpT9 RRgQ== pbkdf2 privilege 15
username Andrei password $sha512$5000$OE+tkbdiUp3HC 9b+ILpckg= =$MCFnz0q2 W4ajO9TeM3 vJIw== pbkdf2 privilege 15
tunnel-group AI-VPN type remote-access
tunnel-group AI-VPN general-attributes
address-pool AI-Pool
default-group-policy GroupPolicy_AI-VPN
tunnel-group AI-VPN webvpn-attributes
group-alias AI-VPN enable
tunnel-group AI-VPN ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous
Cryptochecksum:89b970366632e6a4f33957381afd59bc
: Saved
:
: Serial Number: JAD22310EK4
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 13:46:13.218 UTC Wed Jun 12 2019
!
ASA Version 9.8(2)
!
hostname AI-Firewall
enable password $sha512$5000$oN0ERX19wEcf1
names
ip local pool AI-Pool 10.222.222.100-10.222.222.
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 67.71.213.166 255.255.255.252
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
nameif AI-LAN
security-level 100
ip address 10.222.222.253 255.255.255.0
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.222.222.96_
subnet 10.222.222.96 255.255.255.224
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside_1 1500
mtu AI-LAN 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (AI-LAN,outside) source static any any destination static NETWORK_OBJ_10.222.222.96_
!
object network obj_any
nat (inside_1,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.71.213.165 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server local protocol radius
aaa-server local (AI-LAN) host 10.222.222.254
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d3093
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 67.71.213.129 67.71.213.130
dhcpd auto_config outside
!
dhcpd address 10.222.222.50-10.222.222.9
dhcpd auto_config outside interface AI-LAN
dhcpd enable AI-LAN
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_AI-VPN internal
group-policy GroupPolicy_AI-VPN attributes
wins-server none
dns-server value 67.71.213.129 67.71.213.130
default-domain value automotiveintelligence.ca
dynamic-access-policy-reco
username Richard password $sha512$5000$6+WopOeqRaAWl
username Marco password $sha512$5000$EZkJNn2tN9pW6
username Andrei password $sha512$5000$OE+tkbdiUp3HC
tunnel-group AI-VPN type remote-access
tunnel-group AI-VPN general-attributes
address-pool AI-Pool
default-group-policy GroupPolicy_AI-VPN
tunnel-group AI-VPN webvpn-attributes
group-alias AI-VPN enable
tunnel-group AI-VPN ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous
Cryptochecksum:89b97036663
Everything looks good. Who gave you that VLAN ID tagging? Tell them your device is not using VLAN tagging; you're using L3 routing.
So each end should be L3-L3.
It works on your computer because your computer's tagging gets torn off after it arrives.
Call your other end and tell them that.
ASKER
Thank you, I will try that.
ASKER
They gave me that because I am connected through their switch.
ASKER
Their switch is also CISCO. We asked for a public IP and that is the info they gave us.
Tell them you cannot use tagging; configure the switch as L3.
You need to use the native VLAN, so it won't send tagging to your device.
ASKER
Is there a way we can make the firewall to use tagging?
Hey dude,
Sorry for my late response, I had so much work the past few days. You can't do tagging on that device.
He needs to configure the switch to route L3 IP addresses.
The ASA 5506-X has VLAN tagging removed.
If the provider can provide a native VLAN to you, so you don't need to tag on your interface, this should also be fine.
Might be able to do some tagging with:
interface GigabitEthernet1/1
no shut
!
interface GigabitEthernet1/1.85
nameif outside
vlan 85
security-level 0
ip address 67.71.213.166 255.255.255.252
!
I think this is correct, but it might be that the 5506-X has removed VLAN support.
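The thread turns on whether frames arrive at the ASA's outside port carrying an 802.1Q tag. As an added example (not part of any post in the thread), this Python sketch parses raw Ethernet frame bytes, such as those exported from a capture on the uplink, and reports any VLAN tags; the sample frames and MAC addresses are constructed, and VLAN 85 is taken from the configuration suggested above.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad outer (QinQ) tag

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype) for a raw Ethernet frame.

    vlan_ids is empty for an untagged frame, which is what a routed
    physical interface without subinterfaces expects to receive.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    vlan_ids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # The tag is TPID (2 bytes) + TCI (2 bytes); the real EtherType follows.
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlan_ids, ethertype

def build_frame(vlan_id=None):
    """Build a constructed ARP-sized frame, optionally with one 802.1Q tag."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # constructed, locally administered MAC
    tag = b"" if vlan_id is None else struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return dst + src + tag + struct.pack("!H", 0x0806) + b"\x00" * 28

def uplink_verdict(frame: bytes) -> str:
    """Summarise how the frame was delivered: 'untagged' or 'tagged:<ids>'."""
    vlan_ids, _ = parse_vlan_tags(frame)
    if not vlan_ids:
        return "untagged"
    return "tagged:" + ",".join(str(v) for v in vlan_ids)

if __name__ == "__main__":
    samples = (("access or native-VLAN port", build_frame()),
               ("trunk port", build_frame(85)))
    for label, frame in samples:
        print(label, "->", uplink_verdict(frame))
```

An "untagged" result matches an `ip address` placed directly on the physical interface; a "tagged:85" result means the interface needs a matching `vlan 85` subinterface or the switch port has to deliver that VLAN untagged.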