How to Faultfind on Interface 2


rangerman

Technical User
Apr 7, 2004
33
GB
I am quite new to the ASA, and I have a company that has a VPN tunnel coming into a server in the DMZ on a sub-interface, i.e. 0.2.400.

They are having issues RDPing to it.

I have looked on the net for "how to faultfind", but there are so many commands and I am not sure if I am using the right tools.

packet-tracer, show logging, etc., but

how do I view traffic trying to come into the DMZ interface from the external IP address? Command line or ASDM.

I hope this makes sense to somebody out there!!!

Thanks a lot, guys. I will view older posts, as maybe some will have the answer.



 
Do you have logging enabled on your ASA? Post a scrubbed config and we can take a look at it.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for the reply.

When I start up ASDM it has logging coming up:
Internal buffer - severity debugging
email - alerts
ASDM - severity emergencies
syslog - critical

thanks
 
Can you post a scrubbed config? Do a sh run and replace your public IP addresses with xxx.xxx.xxx.xxx or something fictitious.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 

I have stripped out a lot, as there was a lot of crap in there. I changed some IP addresses as well, so I hope you can make sense of it. I will have a read through the doc that the other guy sent. Cheers


name 195.153.131.100 AX description AX

I am having an issue with the above IP and name gaining access to this SAP RTR in the DMZ.

I hope I have not scrubbed it up too much!!!


Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname
domain-name test
enable password
passwd encrypted
names
name *.*.*.* ASA-01 description Primary Firewall
name *.*.*.* ASA-01-Secondary description Secondary Firewall
name *.*.*.* Testt
name *.*.*.* SAP_RTR
name *.*.*.* SAP_DE2
name 195.153.131.14 AX-Support description AX Support
name 173.30.30.254 SAP_RTR_DMZ
name 195.153.131.100 AX description AX
name 80.170.175.4 SAPRTR_DMZ description SAP_ROUTER
name 191.39.131.34 SAP_DE
name 195.153.131.254 AX_OUTSIDE description AX outside
!
interface Ethernet0/0
description **OUTSIDE Link to PUB_01 F0/2**
speed 100
duplex full
nameif outside
security-level 0
ip address ASA-01 *.*.*.* standby ASA-01-Secondary
ospf cost 10
!
interface Ethernet0/1
description **INSIDE Link to CPT F0/4**
speed 100
duplex full
nameif inside
security-level 100
ip address *.*.*.* 255.255.255.0 standby *.*.*.*
ospf cost 10
!
interface Ethernet0/2
description **DMZ Link to CPT F0/10**
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/2.300
vlan 300
nameif DMZ
security-level 50
ip address 173.30.30.1 255.255.255.0 standby 173.30.30.2
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description LAN/STATE Failover Interface
speed 100
duplex full
!
banner login
banner motd **************************************************
banner motd ** **
banner motd ** Authorised users only **
banner motd **************************************************
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server *.*.*.*
name-server *.*.*.*
domain-name uk
same-security-traffic permit intra-interface

object-group service AXAccess tcp
description AX Access to SAP
port-object eq 3200
port-object eq lpd
port-object eq www
port-object eq 3600
port-object eq https
port-object eq 3300
port-object eq 9100
port-object eq 3299
port-object eq 8000
port-object eq 3389

object-group network AX-ACCESS
description AX-NETWORK-ACCESS
network-object host *.*.*
network-object host SAP_RTR_DMZ


object-group service SAPAccess-Outside tcp
description Access to SAP RTR from Outside
port-object eq 3200
port-object eq 3298
port-object eq 3299
port-object eq 1023
port-object eq telnet
port-object eq 3389


object-group network network
description network Access
network-object host *.*.*.*


object-group network SAP_RTR_ACCESS
description SAP Router Access
network-object host SAP_DE
network-object host AX_OUTSIDE

access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark Allow SAP in Germany to Access our SAPRTR
access-list outside_access_in extended permit tcp object-group SAP_RTR_ACCESS host SAP_RTR object-group SAPAccess
access-list outside_access_in remark Allow SAP in Germany to Access our SAPRTR
access-list outside_access_in extended permit tcp object-group SAP_RTR_ACCESS host SAP_RTR_DMZ object-group SAPAccess
access-list outside_access_in remark Allow Teleworker on TCP ports
access-list dmz_access_in extended permit tcp host SAP_RTR_DMZ host SAP_DE object-group SAPAccess
access-list dmz_access_in remark Permit AX to acces the SAP Router
access-list dmz_access_in extended permit ip host SAP_RTR_DMZ host AX
access-list dmz_access_in remark Allows SAPRTRDMZ to SAP Internal servers
access-list dmz_access_in extended permit icmp any any echo inactive
access-list dmz_access_in extended permit icmp any any echo-reply inactive
access-list inside_nat0_outbound remark NAT Rule for VPN Address Pool
access-list inside_nat0_outbound extended permit ip any *.*.*.* 255.255.255.0
access-list inside_nat0_outbound extended permit ip any *.*.*.* 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.240.255.0 255.255.255.0 host AX
access-list inside_nat0_outbound extended permit ip object-group Networks host AX
access-list inside_nat0_outbound remark DMZ Sap RTR to AX
access-list inside_nat0_outbound extended permit ip host SAP_RTR_DMZ host AX
access-list inside_nat0_outbound remark AX to SAP RTR
access-list inside_nat0_outbound extended permit ip host AX host SAP_RTR_DMZ
access-list inside_nat0_outbound extended permit ip *.*.* 255.255.255.0 *.*.* 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group disney_Networks 217.240.95.0 255.255.255.0
access-list inside_nat0_outbound remark Allow SAP internal servers to SAP Router in DMZ
access-list inside_nat0_outbound extended permit ip object-group Sap-Access-Servers host SAP_RTR_DMZ
access-list inside_nat0_outbound remark Allow SAP internal servers to SAP Router in DMZ
access-list outside_60_cryptomap extended permit ip 10.240.255.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list inside_access_in remark Allow ICMP
access-list inside_access_in extended permit icmp object-group disney_Networks any
access-list inside_access_in extended permit tcp object-group disney_Networks any eq 3389
access-list inside_access_in remark Allow network team direct access to DMZ
access-list inside_access_in extended permit ip object-group network any
access-list inside_access_in remark Temp Rule
access-list inside_access_in extended permit ip host *.*.*.* any inactive
access-list inside_access_in extended deny *.*.*.* 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_80_cryptomap extended permit ip 173.17.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_100_cryptomap extended permit ip 10.254.255.0 255.255.255.0 host *.*.*.*
access-list outside_180_cryptomap_1 extended permit ip 10.240.255.0 255.255.255.0 host AX
access-list outside_180_cryptomap_1 extended permit ip object-group AX-ACCESS host AX
access-list outside_cryptomap_60 extended permit ip 10.240.255.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list NAC-default extended permit udp any any eq 21862
access-list NAC-default extended permit udp any eq 21862 any
access-list outside_cryptomap_65535.20 extended permit ip any any
access-list capture extended permit ip host 213.161.72.200 host CPT-COL-ASA-01
access-list 101 extended permit icmp host ASA-01 host
access-list 101 extended permit icmp host *.*.*.* host ASA-01
access-list 101 extended permit icmp host CPT-COL-ASA-01 host *.*.*.*
access-list 101 extended permit icmp host 213.161.72.200 host ASA-01
access-list capout extended permit icmp any host *.*.*.*
access-list capout extended permit icmp host *.*.*.* any
access-list capout extended permit icmp any any
access-list captout extended permit ip any any
access-list captout extended permit ip host *.*.*.* any
access-list #ACSACL#-IP-AIS-4799d1d7 extended permit ip any host *.*.*.*
access-list #ACSACL#-IP-AIS-479a1c2e extended permit ip any host 10.10.102.3
access-list DMZ_access_out extended permit ip object-group *.*.*.* object-group *.*.*.*
access-list DMZ_access_out extended permit ip host *.*.*.* object-group *.*.*.*
access-list DMZ_access_out remark Allow Selected users to access test
access-list DMZ_access_out extended permit ip object-group network host *.*.*.*
access-list DMZ_access_out remark Allow network team group to access SAPRTRDMZ
access-list DMZ_access_out extended permit ip object-group network host SAP_RTR_DMZ
access-list DMZ_access_out remark Allow SAP germany to access SAPRTRDMZ
access-list DMZ_access_out extended permit tcp host SAP_DE host SAP_RTR_DMZ object-group SAPAccess
access-list DMZ_access_out remark Allow SAP germany to access SAPRTRDMZ
access-list DMZ_access_out extended permit tcp object-group Sap-Access-Servers host SAP_RTR_DMZ object-group SAPAccess
access-list DMZ_access_out remark Allow AX access to the SAP Router Via VPN Tunnel
access-list DMZ_access_out extended permit ip host AX host SAP_RTR_DMZ
access-list DMZ_access_out remark Allow AX access to the SAP Router Via VPN Tunnel
access-list DMZ_access_out extended permit ip host AX_OUTSIDE host SAP_RTR_DMZ
access-list DMZ_access_out extended permit icmp any any echo inactive
access-list DMZ_access_out extended permit icmp any any echo-reply inactive

no pager
logging enable
logging timestamp
logging buffer-size 1048576
logging asdm-buffer-size 512
logging monitor critical
logging buffered debugging
logging trap critical
logging asdm emergencies
logging mail alerts
logging from-address *.*.*.*
logging recipient-address *.*.*.* level emergencies
logging host inside *.*.*.*
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu DMZ2 1500
ip local pool *.*.*.* *.*.*.*-*.*.*.* mask 255.255.255.0
ip verify reverse-path interface outside
ip audit name InfoPolicy info action alarm
ip audit name AttackPolicy attack action alarm
ip audit interface outside InfoPolicy
ip audit interface outside AttackPolicy
ip audit interface inside InfoPolicy
ip audit interface inside AttackPolicy
failover
failover lan unit secondary
failover lan interface LAN_Failover Management0/0
failover key *****
failover replication http
failover link LAN_Failover Management0/0
failover interface ip LAN_Failover *.*.*.* 255.255.255.252 standby *.*.*.*
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
no monitor-interface DMZ2
icmp unreachable rate-limit 10 burst-size 5
icmp permit any outside
icmp permit any inside
icmp permit host *.*.*.* DMZ
icmp permit host *.*.*.* DMZ2
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface domain 10.*.*.* domain netmask 255.255.255.255
static (DMZ,outside) SAP_RTR SAP_RTR_DMZ netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACAS+ protocol tacacs+
reactivation-mode timed
aaa-server TACAS+ (inside) host *.*.*.*
key *.*.*.*
aaa-server TACAS+ (inside) host *.*.*.*
key *.*.*.*
aaa-server RADIUS_ACS protocol radius
reactivation-mode timed
aaa-server RADIUS_ACS (inside) host *.*.*.*
key *.*.*.*
aaa-server RADIUS_ACS (inside) host *.*.*.*
key *.*.*.*
aaa-server AD protocol nt
reactivation-mode timed
aaa-server AD (inside) host *.*.*.*
nt-auth-domain-controller dc
aaa-server AD (inside) host *.*.*.*
nt-auth-domain-controller dc
eou clientless password *.*.*.*
aaa authentication http console TACAS+ LOCAL
aaa authentication serial console TACAS+ LOCAL
aaa authentication telnet console TACAS+ LOCAL
aaa authentication enable console TACAS+ LOCAL
aaa authentication ssh console TACAS+ LOCAL
aaa accounting telnet console TACAS+
aaa accounting enable console TACAS+
http server enable
no snmp-server location
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 120 set peer 195.171.88.226
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 180 match address outside_180_cryptomap_1
crypto map outside_map 180 set pfs
crypto map outside_map 180 set peer AX_OUTSIDE
crypto map outside_map 180 set transform-set ESP-3DES-MD5
crypto map outside_map 180 set security-association lifetime seconds 86400
crypto map outside_map 200 match address outside_200_cryptomap_1
crypto map outside_map 200 set pfs
crypto map outside_map 340 set transform-set ESP-3DES-SHA
crypto map outside_map 340 set security-association lifetime seconds 86400
crypto map outside_map 360 match address outside_360_cryptomap
crypto map outside_map 360 set pfs

crypto map outside_map interface outside
crypto ca trustpoint webconnect.disney.co.uk
enrollment self
fqdn webconnect.disney.co.uk
subject-name CN=web.disney.co.uk
keypair Webconnect
crl configure
crypto ca certificate chain webconnect.disney.co.uk
certificate 31

quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp nat-traversal 40
telnet 10.*.*.* 255.255.255.255 inside
telnet 10.*.*.* 255.255.255.0 inside
telnet 10.*.*.* 255.255.255.0 inside
telnet 192.*.*.* 255.255.255.248 inside
telnet 10.*.*.* 255.255.255.255 inside
telnet timeout 60
ssh
ssh timeout 5
console timeout 10
management-access inside

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point web.disney.co.uk outside
webvpn
enable outside
default-idle-timeout 900
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
customization DfltCustomization
title text WEBCONNECT SERVICE
password-prompt text PASSCODE:
login-title text disney WEBCONNECT SERVICE
login-message text Please enter your Secure ID username and passcode. NOTE: By logging in to this service you are accepting disney's Computer, Internet and E-mail Usage Policy.
logo file disk0:/logoportal2.jpg
customization SSLVPN
logo file disk0:/logoportal2.jpg
application-access hide-details enable
customization customization1
customization customization2

java-trustpoint webconnect.disney.co.uk
group-policy sslvpn internal
group-policy sslvpn attributes
webvpn
customization value SSLVPN
group-policy CRADMINS external server-group RADIUS_ACS password
group-policy disney_users internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value *.*.* *.*.*
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac enable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions file-access file-entry file-browsing port-forward filter citrix
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list value ADMINS
customization value customization1
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy VPN-Clientbased-Users internal
group-policy VPN-Clientbased-Users attributes
dns-server value *.*.*.*
vpn-tunnel-protocol IPSec
default-domain value UK.CRUK.NET
nac enable
nac-sq-period 300
nac-reval-period 18000
nac-default-acl value NAC-default
client-firewall none
group-policy VPN_TUNNELS internal
group-policy VPN_TUNNELS attributes
dns-server value *.*.*
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
vpn-nac-exempt none
username

tunnel-group DefaultL2LGroup general-attributes
default-group-policy VPN_TUNNELS
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
default-group-policy VPN_TUNNELS
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp ikev1-user-authentication none
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool disney
authentication-server-group RADIUS_ACS
accounting-server-group RADIUS_ACS
default-group-policy CRADMINS
tunnel-group DefaultWEBVPNGroup webvpn-attributes
hic-fail-group-policy CRADMINS
group-alias CRADMINS enable
group-alias SSLVPN enable
tunnel-group VPN-Clientbased-Users type ipsec-ra
tunnel-group VPN-Clientbased-Users general-attributes
address-pool disney
authentication-server-group RADIUS_ACS LOCAL
accounting-server-group RADIUS_ACS
default-group-policy VPN-Clientbased-Users

tunnel-group 195.153.131.254 type ipsec-l2l
tunnel-group 195.153.131.254 general-attributes
default-group-policy VPN_TUNNELS
tunnel-group 195.153.131.254 ipsec-attributes
pre-shared-key *

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
class class-default
set connection decrement-ttl
!
service-policy global_policy global
smtp-server 10.10.10.10
prompt hostname context
Cryptochecksum:334f849d2870683e2e55eddfc4a6aa7c
: end
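The original question, how to see what the external host is sending toward the DMZ interface, is not answered anywhere in the thread. As an added example that is not part of the thread and not taken from the poster's device: with `logging buffered debugging` already set in the posted config, `show logging | include 195.153.131.100` dumps every syslog that mentions the AX host, and the script below parses that output offline, keeps only the packets from AX toward the DMZ nameif, and tells you which message ids occurred and what each one means for an RDP session that never arrives. The sample lines are constructed in the documented ASA syslog format using the names from the posted config (AX = 195.153.131.100, SAP_RTR_DMZ = 173.30.30.254, nameif DMZ on Ethernet0/2.300); the message-id meanings are paraphrased from the Cisco ASA syslog reference and are an assumption about what a 7.2(4) box emits. Useful on-box companions, all standard ASA 7.2 commands: `packet-tracer input outside tcp 195.153.131.100 49152 173.30.30.254 3389 detailed` walks the ACL, NAT and route lookups for one synthetic packet; `access-list cap_ax extended permit ip host 195.153.131.100 any` followed by `capture dmz interface DMZ access-list cap_ax` and `show capture dmz` shows whether anything from AX actually leaves the DMZ interface; `show crypto isakmp sa` and `show crypto ipsec sa peer 195.153.131.254` show whether the tunnel from AX_OUTSIDE is up and carrying packets in both directions.

```python
"""Sift 'show logging' output from a Cisco ASA for packets from one external
host toward a DMZ interface and say why each was dropped or passed.
Added example, not from the thread or the poster's device; SAMPLE is
constructed in the documented ASA syslog format using the names from the
posted config (AX = 195.153.131.100, SAP_RTR_DMZ = 173.30.30.254, nameif DMZ)."""
import re
from collections import Counter

# Message ids that usually explain a flow that "never arrives". Short
# paraphrases of the Cisco ASA syslog reference (assumption: these are the
# ids a 7.2 box emits for these events).
MEANING = {
    "106023": "dropped by the interface ACL (check access-group on that interface)",
    "106015": "packet with no matching connection (asymmetric path or stale state)",
    "305005": "no NAT rule matched while nat-control is on (needs static or nat 0)",
    "305006": "translation could not be built (NAT rule mismatch)",
    "302013": "TCP connection built: the ASA passed it, look at the host",
    "302014": "TCP connection torn down (reason at end of message)",
}

HDR = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)")
# "outside:195.153.131.100/49152" or a bare "195.153.131.100/49152"
ENDPOINT = re.compile(r"(?:(\w+):)?(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
PROTO = re.compile(r"\b(tcp|udp|icmp)\b", re.I)
RX_IFC = re.compile(r"on interface (\w+)")


def parse_line(line):
    """One syslog line -> dict of src/dst endpoints, or None if it is not a
    two-endpoint ASA message."""
    m = HDR.search(line)
    if not m:
        return None
    sev, msg_id, body = m.groups()
    eps = ENDPOINT.findall(body)
    if len(eps) < 2:
        return None
    src, dst = eps[0], eps[1]
    # 302013 prints "ifc:a/p (a/p) to ifc:b/q (b/q)": the real destination is
    # the third endpoint; the bracketed ones are the NAT-side addresses.
    if msg_id == "302013" and len(eps) >= 4:
        dst = eps[2]
    rx = RX_IFC.search(body)            # 106015 names only the receiving ifc
    proto = PROTO.search(body)
    return {
        "severity": int(sev), "id": msg_id,
        "proto": proto.group(1).lower() if proto else "?",
        "src_ifc": src[0] or (rx.group(1) if rx else "?"),
        "src": src[1], "sport": int(src[2]),
        "dst_ifc": dst[0] or "?", "dst": dst[1], "dport": int(dst[2]),
        "meaning": MEANING.get(msg_id, "see the ASA syslog reference"),
    }


def flows(lines, src_ip=None, dst_ip=None, dst_ifc=None):
    """Parsed records matching every filter given. Filtering on dst_ifc works
    because the ASA logs the nameif (DMZ), not Ethernet0/2.300."""
    out = []
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if src_ip and r["src"] != src_ip:
            continue
        if dst_ip and r["dst"] != dst_ip:
            continue
        if dst_ifc and r["dst_ifc"] != dst_ifc:
            continue
        out.append(r)
    return out


def summarize(records):
    """(id, count, meaning) per message id, most severe first, then most
    frequent. ASA severity 1 is the worst, so ascending order is wanted."""
    counts = Counter(r["id"] for r in records)
    sev = {r["id"]: r["severity"] for r in records}
    rows = [(i, n, MEANING.get(i, "see the ASA syslog reference"))
            for i, n in counts.items()]
    return sorted(rows, key=lambda t: (sev[t[0]], -t[1]))


# Constructed sample of buffered logging; timestamps as with 'logging timestamp'.
SAMPLE = """\
Apr 07 2004 10:15:01: %ASA-4-106023: Deny tcp src outside:195.153.131.100/49152 dst DMZ:173.30.30.254/3389 by access-group "outside_access_in" [0x0, 0x0]
Apr 07 2004 10:15:04: %ASA-4-106023: Deny tcp src outside:195.153.131.100/49153 dst DMZ:173.30.30.254/3389 by access-group "outside_access_in" [0x0, 0x0]
Apr 07 2004 10:15:09: %ASA-3-305005: No translation group found for tcp src outside:195.153.131.100/49154 dst DMZ:173.30.30.254/3389
Apr 07 2004 10:15:20: %ASA-6-302013: Built inbound TCP connection 88441 for outside:191.39.131.34/3050 (191.39.131.34/3050) to DMZ:173.30.30.254/3299 (173.30.30.254/3299)
Apr 07 2004 10:16:02: %ASA-6-106015: Deny TCP (no connection) from 173.30.30.254/3389 to 195.153.131.100/49155 flags SYN ACK on interface DMZ
Apr 07 2004 10:16:30: %ASA-6-302014: Teardown TCP connection 88441 for outside:191.39.131.34/3050 to DMZ:173.30.30.254/3299 duration 0:01:10 bytes 5120 TCP FINs
"""

if __name__ == "__main__":
    hits = flows(SAMPLE.splitlines(), src_ip="195.153.131.100", dst_ifc="DMZ")
    for msg_id, n, why in summarize(hits):
        print(f"{msg_id} x{n}: {why}")
```

Paste the real `show logging` output in place of SAMPLE, or pipe it in via `sys.stdin`, and filter on the AX address and the DMZ nameif. A 106023 from `outside_access_in` means the interface ACL is the culprit; a 305005 means the packet cleared the ACL but no NAT rule covered it (the posted config has `nat-control` on, so the `nat (inside) 0` exemption and the `static (DMZ,outside)` entry are the places to look); a 302013 means the ASA passed the SYN and the fault is on the server or on the return path, which the 106015 "no connection" message from the DMZ side would confirm. An empty result means nothing from AX is reaching the firewall at all, which points at the tunnel rather than the rules.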