Glocap
cisco asa
Looking at my ASA log I have tons of 710003 errors. The source IP is an external IP and the destination IP is the outside address of my ASA. This is the only error that is happening on the ASA and it causes an internet drop for our internal users.
What can I do to prevent this?
TCP Access denied by ACL from xxxx.xxxx.xxxx.xxx to primary isp :xxxx.xxxx.xxxx.xxx/443
Is the source IP constant? Is the destination port constant (443)? It looks like a possible DDoS attack as referenced by aarie.
However, it appears that there may already be an ACL in place denying the traffic which is why it is showing up as access denied.
If it is a constant source IP then try doing a whois.
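The two questions above (is the source constant, is the destination port constant) are answered fastest by aggregating the 710003 lines rather than reading them one by one. The script below is an added example, not code from the thread or from Cisco: it parses ASA syslog message 710003 (which the ASA logs when a connection to a service on one of its own interfaces is refused) in both the raw syslog form and the trimmed form pasted in the question, then counts distinct sources, destination services and interfaces. The log lines are constructed with documentation addresses; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample log (RFC 5737 addresses), not the poster's real log.
# One non-710003 line is included to show that it is ignored.
SAMPLE_LOG = """\
%ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51234 to PrimaryISP:203.0.113.10/443
%ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51235 to PrimaryISP:203.0.113.10/443
%ASA-3-710003: TCP access denied by ACL from 192.0.2.44/40001 to PrimaryISP:203.0.113.10/443
%ASA-3-710003: TCP access denied by ACL from 192.0.2.45/40002 to PrimaryISP:203.0.113.10/80
%ASA-6-302013: Built outbound TCP connection 12345 for PrimaryISP:192.0.2.99/443 (192.0.2.99/443) to inside3:192.168.3.50/50000 (203.0.113.10/50000)
%ASA-3-710003: UDP access denied by ACL from 192.0.2.46/5060 to PrimaryISP:203.0.113.10/161
"""

# Matches "%ASA-3-710003: TCP access denied by ACL from SRC/SPORT to IFACE:DST/PORT"
# and the looser copy-pasted form "TCP Access denied by ACL from SRC to iface :DST/PORT".
LINE_RE = re.compile(
    r"(?:710003:\s+)?(?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)(?:/(?P<sport>\d+))? to "
    r"(?P<iface>[^:]+?)\s*:\s*(?P<dst>[\d.]+)/(?P<dport>\w+)",
    re.IGNORECASE,
)


def parse_710003(line):
    """Return the fields of one 710003 line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["iface"] = event["iface"].strip()
    return event


def summarize(log_text, top=5):
    """Aggregate all 710003 events in log_text and flag single-source / single-service patterns."""
    events = [e for e in (parse_710003(l) for l in log_text.splitlines()) if e]
    sources = Counter(e["src"] for e in events)
    services = Counter((e["proto"].upper(), e["dport"]) for e in events)
    ifaces = Counter(e["iface"] for e in events)
    return {
        "events": len(events),
        "distinct_sources": len(sources),
        "top_sources": sources.most_common(top),
        "services": services.most_common(),
        "interfaces": ifaces.most_common(),
        # A single source is a candidate for a whois lookup and a targeted block;
        # many sources hitting one service points at a scan or flood instead.
        "single_source": len(sources) == 1,
        "single_service": len(services) == 1,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['events']} denied attempts from {summary['distinct_sources']} sources")
    print("top sources:", summary["top_sources"])
    print("services:", summary["services"])
    print("interfaces:", summary["interfaces"])
```

To run it on a real log, read the file into a string and pass it to summarize(); a high count of distinct sources with one destination service is the pattern pony10us is asking about, while a single repeating source is the case where a whois lookup is worthwhile.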
ASKER
It is different IP addresses every time.
Can you let me know the commands for creating an ACL rule denying the traffic and how to rate limit this?
Are you running any type of secure web server? Port 443 is used for SSL connections to a web server. If you are not running one then you can put in a rule like this:
deny tcp any any eq 443
Or if you want to be more specific you can use the IP address of the ASA as the destination:
deny tcp any xxx.xxx.xxx.xxx eq 443
ASKER
Hi pony10us, I can run the below commands for the Cisco ASA external interface:
deny tcp any xxx.xxx.xxx.xxx eq 443
deny tcp any xxx.xxx.xxx.xxx eq 80
But will it block my internet completely, as port 80 will be blocked too?
I have been having drops on both 80 and 443:
TCP Access denied by ACL from xxxx.xxxx.xxxx.xxx to primary isp :xxxx.xxxx.xxxx.xxx/80
TCP Access denied by ACL from xxxx.xxxx.xxxx.xxx to primary isp :xxxx.xxxx.xxxx.xxx/443
Those commands will block all incoming traffic to the address of the ASA on both port 80 and 443. Since it is an ASA then I would expect that you don't want the web interface open to the outside world anyway.
ASKER
OK thanks, I will enter the deny commands on the ASA and see how it goes.
What is the command in case I need to undo the changes?
To remove a command you would re-enter it and put a no in front:
no deny tcp any xxx.xxx.xxx.xxx eq 443
no deny tcp any xxx.xxx.xxx.xxx eq 80
ASKER
Thanks pony10us, I am writing down the current config of the ASA; let me know if you think any other changes are required.
69.74.205.226 is the external interface IP of the firewall.
Please find below the config:
username admin attributes
vpn-group-policy glocap.com
username zoia@glocap.com password iarvwww40jwB3oBf encrypted privilege 0
username zoia@glocap.com attributes
vpn-group-policy glocap.com
username ctoffice password 3qpNN8u1sMkwQV2t encrypted
username ctoffice attributes
vpn-group-policy glocap.com
vpn-simultaneous-logins 3
webvpn
svc ask enable default svc
username enable_16 password sj2wkcWtN4dIfBl6 encrypted privilege 15
username song password ggyYwwJ2UNJMYF5L encrypted privilege 0
username song attributes
vpn-group-policy glocap.com
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
dhcp-server 192.168.3.4
tunnel-group DefaultWEBVPNGroup ipsec-attributes
pre-shared-key *
tunnel-group glocap.com type remote-access
tunnel-group glocap.com general-attributes
address-pool VPN_Pool
default-group-policy glocap.com
tunnel-group glocap.com ipsec-attributes
pre-shared-key *
tunnel-group 74.211.164.194 type ipsec-l2l
tunnel-group 74.211.164.194 ipsec-attributes
pre-shared-key *
tunnel-group 24.43.165.42 type ipsec-l2l
tunnel-group 24.43.165.42 ipsec-attributes
pre-shared-key *
tunnel-group 70.99.142.162 type ipsec-l2l
tunnel-group 70.99.142.162 ipsec-attributes
pre-shared-key *
tunnel-group 173.247.204.74 type ipsec-l2l
tunnel-group 173.247.204.74 ipsec-attributes
pre-shared-key *
tunnel-group 99.115.135.225 type ipsec-l2l
tunnel-group 99.115.135.225 ipsec-attributes
pre-shared-key *
tunnel-group 108.66.222.161 type ipsec-l2l
tunnel-group 108.66.222.161 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ipsec-pass-thru
inspect icmp
!
service-policy global_policy global
smtp-server 192.168.3.10
prompt hostname context
Cryptochecksum:e8314d9e5e85d6bceed47bb2bfd117e5
: end
asdm image disk0:/asdm-623.bin
asdm location Sharepoint 255.255.255.255 inside
asdm location A-69.74.205.229 255.255.255.255 inside
asdm location A-69.74.205.228 255.255.255.255 inside
asdm location A-69.74.205.231 255.255.255.255 inside
asdm location A-64.52.247.50 255.255.255.255 inside
asdm location TKO 255.255.255.255 inside
asdm location A-69.74.205.234 255.255.255.255 inside
asdm location A-69.74.205.235 255.255.255.255 inside
asdm location Google1 255.255.240.0 inside
asdm location Google2 255.255.252.0 inside
asdm location Google3 255.255.240.0 inside
asdm location Postini 255.255.252.0 inside
asdm location LA_Office 255.255.255.0 inside
asdm location SEAOffice 255.255.255.0 inside
asdm location NYEX1 255.255.255.255 inside
asdm location A-69.74.205.230 255.255.255.255 inside
asdm location A-192.168.3.15 255.255.255.255 inside
asdm location Kia_RDP_INT 255.255.255.255 inside
asdm location A-108.66.222.161 255.255.255.255 inside
asdm location Nick 255.255.255.255 inside
asdm location A-69.74.205.236 255.255.255.255 inside
asdm location A-69.74.205.237 255.255.255.255 inside
asdm location A-69.74.205.238 255.255.255.255 inside
asdm location ANALYZER 255.255.255.255 inside
asdm location 96.56.6.165 255.255.255.255 inside
asdm location SK 255.255.255.255 inside
no asdm history enable
ASKER
Sorry, I had an incomplete config in the previous message. Please find below:
: Saved
:
ASA Version 8.0(5)
!
hostname fw-glocap
domain-name glocap.com
enable password 0e53SZdxezxawxDG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 64.52.247.47 Sharepoint description Sharepoint
name 69.74.205.229 A-69.74.205.229 description Exchange
name 69.74.205.228 A-69.74.205.228 description Adam
name 69.74.205.231 A-69.74.205.231 description Archive
name 69.74.205.227 TKO description TKO
name 69.74.205.234 A-69.74.205.234 description Sharepoint
name 64.18.0.0 Google1
name 74.125.148.0 Google2
name 207.126.144.0 Google3
name 74.125.244.0 Postini
name 192.168.11.0 LA_Office description LA Office
name 192.168.12.0 SEAOffice
name 192.168.3.10 NYEX1 description NYEX1
name 64.52.247.50 A-64.52.247.50 description WSUS
name 69.74.205.235 A-69.74.205.235 description KIA
name 69.74.205.230 A-69.74.205.230 description WSUS-PrimaryISP
name 192.168.3.15 A-192.168.3.15 description Archive
name 192.168.3.210 Kia_RDP_INT
name 192.168.3.19 WSUS description WSUS
name 108.66.222.161 A-108.66.222.161 description LA WAN AT&T
name 69.74.205.236 A-69.74.205.236 description Nick
name 192.168.3.194 Nick description Nick
name 69.74.205.237 A-69.74.205.237 description SK
name 69.74.205.238 A-69.74.205.238 description SonicWALL Analyzer
name 192.168.3.9 ANALYZER description SonicWALL Analyzer
name 192.168.3.115 SK description SK
name 192.168.10.0 SFLan description SF Lan
dns-guard
!
interface Ethernet0/0
nameif BackupISP
security-level 0
ip address 64.52.247.34 255.255.255.224
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 100
no ip address
ospf cost 10
!
interface Ethernet0/1.3
vlan 3
nameif inside3
security-level 90
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/1.20
vlan 20
nameif inside20
security-level 20
ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/1.30
vlan 30
nameif inside30
security-level 30
ip address 192.168.30.254 255.255.255.0
!
interface Ethernet0/1.40
vlan 40
nameif inside40
security-level 40
ip address 192.168.40.254 255.255.255.0
!
interface Ethernet0/1.50
vlan 50
nameif inside50
security-level 50
ip address 192.168.50.254 255.255.255.0
!
interface Ethernet0/1.60
vlan 60
nameif inside60
security-level 60
ip address 192.168.60.254 255.255.255.0
!
interface Ethernet0/1.70
vlan 70
nameif inside70
security-level 70
ip address 192.168.70.254 255.255.255.0
!
interface Ethernet0/1.80
vlan 80
nameif Inside80
security-level 80
ip address 192.168.80.254 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif PrimaryISP
security-level 0
ip address 69.74.205.226 255.255.255.240
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description LAN/STATE Failover Interface
speed 100
duplex full
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup BackupISP
dns domain-lookup inside3
dns domain-lookup inside70
dns server-group DefaultDNS
name-server 8.8.4.4
domain-name glocap.com
object-group service trusted-tcp tcp
port-object eq telnet
port-object eq 3389
port-object eq https
port-object eq 5101
port-object eq 5023
port-object eq pcanywhere-data
port-object eq www
port-object eq ssh
port-object eq smtp
port-object range 6720 6740
port-object range 5900 5901
port-object range 3668 3669
port-object range ftp-data telnet
port-object eq 2222
port-object eq 5022
port-object eq 6677
object-group service trusted-udp udp
port-object eq pcanywhere-status
object-group service TKO tcp
description Accounting Server
port-object eq 9505
port-object eq 9506
port-object eq 8080
port-object eq www
port-object eq https
port-object eq ssh
object-group service Timbuktu
service-object tcp-udp eq 407
service-object tcp range 1417 1420
object-group service VNC tcp
port-object eq 5500
port-object eq 5800
port-object eq 5900
object-group service SSL tcp
description SMTP
port-object eq 587
port-object eq 993
object-group network ExchangeServers
network-object host 192.168.3.4
network-object host 192.168.3.5
network-object host 192.168.3.8
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service n-mon
description MessageLabs Monitoring
service-object udp eq snmp
service-object udp eq snmptrap
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
object-group network ML-001
network-object 117.120.16.0 255.255.248.0
network-object 193.109.254.0 255.255.254.0
network-object 194.106.220.0 255.255.254.0
network-object 195.245.230.0 255.255.254.0
network-object 216.82.240.0 255.255.240.0
network-object 67.219.240.0 255.255.240.0
network-object 85.158.136.0 255.255.248.0
network-object 95.131.104.0 255.255.248.0
object-group network DM_INLINE_NETWORK_3
network-object host 96.56.6.162
network-object host 96.56.6.163
network-object host 96.56.6.165
object-group service UDP_4500 udp
port-object eq 4500
object-group service Secure_POP3 tcp
port-object eq 995
object-group network DM_INLINE_NETWORK_1
network-object host 96.56.6.162
network-object host 96.56.6.163
network-object host 96.56.6.165
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service KMS tcp
description KMS
port-object eq 1688
object-group service DM_INLINE_TCP_1 tcp
group-object RDP
port-object eq https
group-object KMS
access-list outside_access_in extended deny icmp any any log errors inactive
access-list outside_access_in remark Pop Access for testjobs@glocap.com (Mark Z.)
access-list outside_access_in extended permit tcp 70.89.67.24 255.255.255.248 host 64.52.247.35 eq pop3 inactive
access-list outside_access_in remark Pop Access for testjobs@glocap.com (Mark Z.)
access-list outside_access_in extended permit tcp 207.7.135.0 255.255.255.0 host 64.52.247.35 eq pop3 inactive
access-list outside_access_in extended deny tcp any any eq pop3 log errors
access-list outside_access_in remark Adam Zoia RDP Access
access-list outside_access_in extended permit tcp any host 64.52.247.40 object-group RDP
access-list outside_access_in remark Exchange RDP access
access-list outside_access_in extended permit tcp any host 64.52.247.35 object-group RDP
access-list outside_access_in extended deny tcp any any object-group RDP log errors
access-list outside_access_in remark Exchange
access-list outside_access_in extended permit tcp Postini 255.255.252.0 host 64.52.247.35 eq smtp
access-list outside_access_in remark TKO Server - New Rule. Note: Check Linux IP Tables when change occurs.
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 64.52.247.60 eq ssh
access-list outside_access_in remark TKO Server
access-list outside_access_in extended permit tcp any host 64.52.247.60 object-group TKO
access-list outside_access_in extended permit tcp any any eq www inactive
access-list outside_access_in remark OWA/Activesync
access-list outside_access_in extended permit tcp any host 64.52.247.35 eq https
access-list outside_access_in remark Archive
access-list outside_access_in extended permit tcp any host 64.52.247.41 eq https
access-list outside_access_in remark Sharepoint access
access-list outside_access_in extended permit tcp any host Sharepoint eq www
access-list outside_access_in remark FTP
access-list outside_access_in extended permit tcp any host A-64.52.247.50 eq ftp inactive
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit tcp any host 64.52.247.35 eq 995 inactive
access-list outside_access_in extended permit icmp any any time-exceeded inactive
access-list outside_access_in extended permit icmp any any unreachable inactive
access-list outside_access_in extended permit icmp any any echo inactive
access-list outside_access_in extended permit icmp any any echo-reply inactive
access-list glocap.com_SplitTunnelACL remark LAN
access-list glocap.com_SplitTunnelACL standard permit 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0 inactive
access-list inside_nat0_outbound extended permit icmp any any inactive
access-list test extended permit ip host 64.52.247.34 host 64.52.247.33 inactive
access-list test extended permit ip host 64.52.247.33 host 64.52.247.34 inactive
access-list test extended permit ip host 64.52.247.34 any inactive
access-list test extended permit ip any host 64.52.247.34 inactive
access-list inside_access_in remark allow exchange server outbound
access-list inside_access_in extended permit tcp object-group ExchangeServers any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp 192.168.3.0 255.255.255.0 any
access-list inside_access_in remark blocking spam traffic on port 25
access-list inside_access_in extended deny tcp any any eq smtp log errors inactive
access-list inside_access_in extended deny tcp any any object-group RDP log errors inactive
access-list inside_access_in extended permit icmp any any
access-list capin extended permit tcp host 192.168.3.182 any eq www inactive
access-list capin extended permit tcp any eq www host 192.168.3.182 inactive
access-list capout extended permit tcp host 64.52.247.34 host 68.142.121.167 eq www inactive
access-list capout extended permit tcp host 68.142.121.167 eq www host 64.52.247.34 inactive
access-list backup_access_in extended deny tcp any any eq pop3 log errors
access-list backup_access_in remark Exchange
access-list backup_access_in extended permit tcp Postini 255.255.252.0 host A-69.74.205.229 eq smtp
access-list backup_access_in remark OWA/Activesync - Backup ISP
access-list backup_access_in extended permit tcp any host A-69.74.205.229 eq https
access-list backup_access_in remark Adam Zoia RDP Access - Backup ISP
access-list backup_access_in extended permit tcp any host A-69.74.205.228 object-group RDP
access-list backup_access_in remark Archive
access-list backup_access_in extended permit tcp any host A-69.74.205.231 object-group DM_INLINE_TCP_1
access-list backup_access_in remark Exchange RDP Access - Backup ISP
access-list backup_access_in extended permit tcp any host A-69.74.205.229 object-group RDP
access-list backup_access_in remark Communication with SonicWALL Analyzer
access-list backup_access_in extended permit udp any host A-69.74.205.238 eq syslog
access-list backup_access_in extended deny tcp any any object-group RDP log errors inactive
access-list backup_access_in remark TKO
access-list backup_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host TKO eq ssh
access-list backup_access_in remark TKO
access-list backup_access_in extended permit tcp any host TKO object-group TKO
access-list backup_access_in extended permit tcp any host A-69.74.205.235 eq ftp inactive
access-list backup_access_in remark Sharepoint
access-list backup_access_in extended permit object-group TCPUDP any host A-69.74.205.234 eq www
access-list backup_access_in extended permit icmp any any time-exceeded inactive
access-list backup_access_in extended permit icmp any any unreachable inactive
access-list backup_access_in extended permit icmp any any echo inactive
access-list backup_access_in extended permit icmp any any echo-reply inactive
access-list backup_access_in extended deny icmp any any log errors inactive
access-list backup_access_in extended permit tcp any host A-69.74.205.235 object-group RDP
access-list backup_access_in remark Nick RDP ACCESS
access-list backup_access_in extended permit tcp any host A-69.74.205.236 object-group RDP
access-list backup_access_in extended permit tcp any host A-69.74.205.237 object-group RDP
access-list nonatvpn extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonatvpn extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0
access-list nonatvpn extended permit ip 192.168.3.0 255.255.255.0 LA_Office 255.255.255.0
access-list nonatvpn extended permit ip 192.168.3.0 255.255.255.0 SEAOffice 255.255.255.0
access-list capt1 extended permit esp host 192.168.4.10 192.168.3.0 255.255.255.0 inactive
access-list inside3_cryptomap extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0
access-list inside3_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 LA_Office 255.255.255.0
access-list inside3_cryptomap_2 extended permit ip 192.168.3.0 255.255.255.0 SEAOffice 255.255.255.0
access-list inside3_cryptomap_3 extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0
access-list inside3_cryptomap_4 extended permit ip 192.168.3.0 255.255.255.0 SFLan 255.255.255.0
access-list inside3_cryptomap_5 extended permit ip 192.168.3.0 255.255.255.0 LA_Office 255.255.255.0
pager lines 24
logging enable
logging standby
logging buffer-size 100000
logging asdm-buffer-size 512
logging buffered critical
logging trap debugging
logging asdm warnings
logging mail critical
logging from-address alerts@glocap.com
logging recipient-address katial@glocap.com level critical
logging host inside 192.168.3.189
mtu BackupISP 1500
mtu inside 1500
mtu inside3 1500
mtu inside20 1500
mtu inside30 1500
mtu inside40 1500
mtu inside50 1500
mtu inside60 1500
mtu inside70 1500
mtu Inside80 1500
mtu PrimaryISP 1500
ip local pool VPN_Pool 192.168.4.10-192.168.4.200 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface inside3
no failover
failover lan unit secondary
failover lan interface xover Management0/0
failover key *****
failover replication http
failover link xover Management0/0
failover interface ip xover 192.168.10.1 255.255.255.252 standby 192.168.10.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (BackupISP) 101 interface
global (PrimaryISP) 101 interface
nat (inside3) 0 access-list nonatvpn
nat (inside3) 101 0.0.0.0 0.0.0.0
nat (inside20) 101 0.0.0.0 0.0.0.0
nat (inside30) 101 0.0.0.0 0.0.0.0
nat (inside40) 101 0.0.0.0 0.0.0.0
nat (inside50) 101 0.0.0.0 0.0.0.0
nat (inside60) 101 0.0.0.0 0.0.0.0
nat (inside70) 101 0.0.0.0 0.0.0.0
nat (Inside80) 101 0.0.0.0 0.0.0.0
static (inside3,BackupISP) Sharepoint 192.168.3.33 netmask 255.255.255.255
static (inside3,BackupISP) 64.52.247.35 NYEX1 netmask 255.255.255.255
static (inside3,BackupISP) 64.52.247.40 192.168.3.89 netmask 255.255.255.255
static (inside3,BackupISP) 64.52.247.60 192.168.3.12 netmask 255.255.255.255
static (inside3,BackupISP) 64.52.247.41 A-192.168.3.15 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.229 NYEX1 netmask 255.255.255.255
static (inside3,PrimaryISP) TKO 192.168.3.12 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.228 192.168.3.89 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.234 192.168.3.33 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.230 WSUS netmask 255.255.255.255
static (inside3,BackupISP) A-64.52.247.50 WSUS netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.231 A-192.168.3.15 netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.235 Kia_RDP_INT netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.236 Nick netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.237 SK netmask 255.255.255.255
static (inside3,PrimaryISP) A-69.74.205.238 ANALYZER netmask 255.255.255.255
access-group outside_access_in in interface BackupISP
access-group inside_access_in in interface inside3
access-group backup_access_in in interface PrimaryISP
route PrimaryISP 0.0.0.0 0.0.0.0 69.74.205.225 1 track 1
route BackupISP 0.0.0.0 0.0.0.0 64.52.247.33 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ECI protocol tacacs+
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.3.0 255.255.255.0 inside3
http NYEX1 255.255.255.255 inside3
http 192.168.3.20 255.255.255.255 inside3
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server listen-port 1610
sla monitor 123
type echo protocol ipIcmpEcho 167.206.7.4 interface PrimaryISP
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface BackupISP
crypto map outside_map interface PrimaryISP
crypto map inside3_map 1 match address inside3_cryptomap
crypto map inside3_map 1 set peer 173.247.204.74
crypto map inside3_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 2 match address inside3_cryptomap_1
crypto map inside3_map 2 set peer 24.43.165.42
crypto map inside3_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 3 match address inside3_cryptomap_2
crypto map inside3_map 3 set peer 70.99.142.162
crypto map inside3_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 4 match address inside3_cryptomap_3
crypto map inside3_map 4 set peer 204.16.153.114
crypto map inside3_map 4 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 5 match address inside3_cryptomap_4
crypto map inside3_map 5 set peer 99.115.135.225
crypto map inside3_map 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 6 match address inside3_cryptomap_5
crypto map inside3_map 6 set peer A-108.66.222.161
crypto map inside3_map 6 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside3_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside3_map interface inside3
crypto isakmp enable BackupISP
crypto isakmp enable inside3
crypto isakmp enable PrimaryISP
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
!
track 1 rtr 123 reachability
no vpn-addr-assign dhcp
telnet 192.168.3.182 255.255.255.255 inside3
telnet SK 255.255.255.255 inside3
telnet 192.168.3.99 255.255.255.255 inside3
telnet timeout 25
ssh SK 255.255.255.255 inside3
ssh 192.168.3.130 255.255.255.255 inside3
ssh timeout 10
console timeout 0
management-access inside3
dhcpd dns 8.8.4.4 4.2.2.2
!
dhcpd address 192.168.70.100-192.168.70.150 inside70
dhcpd lease 86400 interface inside70
dhcpd option 4 ascii time.nist.gov interface inside70
dhcpd enable inside70
!
vpn load-balancing
interface lbprivate inside3
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address SFLan 255.255.255.0
threat-detection scanning-threat shun except ip-address LA_Office 255.255.255.0
threat-detection scanning-threat shun except ip-address SEAOffice 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.3.113 255.255.255.255
threat-detection scanning-threat shun except ip-address 216.82.249.179 255.255.255.255
threat-detection scanning-threat shun except ip-address 216.82.249.211 255.255.255.255
threat-detection scanning-threat shun except ip-address 216.82.254.179 255.255.255.255
threat-detection scanning-threat shun except ip-address 64.52.247.35 255.255.255.255
threat-detection scanning-threat shun except object-group ML-001
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 198.123.30.132 source BackupISP prefer
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy glocap.com internal
group-policy glocap.com attributes
dns-server value 192.168.3.4 192.168.3.18
vpn-tunnel-protocol IPSec svc webvpn
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value glocap.com_SplitTunnelACL
default-domain value glocap.com
username carpio password biwpDBSydzum/WPZ encrypted
username carpio attributes
vpn-group-policy glocap.com
username Korb@glocap.com password z7mx4J4vEABRf.2W encrypted privilege 0
username Korb@glocap.com attributes
vpn-group-policy glocap.com
username franklin password OdnbIuf5/H3mdqnF encrypted
username franklin attributes
vpn-group-policy glocap.com
username admin password RhT7Oa3luNGYGwKl encrypted privilege 15
username admin attributes
vpn-group-policy glocap.com
username zoia@glocap.com password iarvwww40jwB3oBf encrypted privilege 0
username zoia@glocap.com attributes
vpn-group-policy glocap.com
username ctoffice password 3qpNN8u1sMkwQV2t encrypted
username ctoffice attributes
vpn-group-policy glocap.com
vpn-simultaneous-logins 3
webvpn
svc ask enable default svc
username enable_16 password sj2wkcWtN4dIfBl6 encrypted privilege 15
username song password ggyYwwJ2UNJMYF5L encrypted privilege 0
username song attributes
vpn-group-policy glocap.com
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_Pool
dhcp-server 192.168.3.4
tunnel-group DefaultWEBVPNGroup ipsec-attributes
pre-shared-key *
tunnel-group glocap.com type remote-access
tunnel-group glocap.com general-attributes
address-pool VPN_Pool
default-group-policy glocap.com
tunnel-group glocap.com ipsec-attributes
pre-shared-key *
tunnel-group 74.211.164.194 type ipsec-l2l
tunnel-group 74.211.164.194 ipsec-attributes
pre-shared-key *
tunnel-group 24.43.165.42 type ipsec-l2l
tunnel-group 24.43.165.42 ipsec-attributes
pre-shared-key *
tunnel-group 70.99.142.162 type ipsec-l2l
tunnel-group 70.99.142.162 ipsec-attributes
pre-shared-key *
tunnel-group 173.247.204.74 type ipsec-l2l
tunnel-group 173.247.204.74 ipsec-attributes
pre-shared-key *
tunnel-group 99.115.135.225 type ipsec-l2l
tunnel-group 99.115.135.225 ipsec-attributes
pre-shared-key *
tunnel-group 108.66.222.161 type ipsec-l2l
tunnel-group 108.66.222.161 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ipsec-pass-thru
inspect icmp
!
service-policy global_policy global
smtp-server 192.168.3.10
prompt hostname context
Cryptochecksum:e8314d9e5e85d6bceed47bb2bfd117e5
: end
asdm image disk0:/asdm-623.bin
asdm location Sharepoint 255.255.255.255 inside
asdm location A-69.74.205.229 255.255.255.255 inside
asdm location A-69.74.205.228 255.255.255.255 inside
asdm location A-69.74.205.231 255.255.255.255 inside
asdm location A-64.52.247.50 255.255.255.255 inside
asdm location TKO 255.255.255.255 inside
asdm location A-69.74.205.234 255.255.255.255 inside
asdm location A-69.74.205.235 255.255.255.255 inside
asdm location Google1 255.255.240.0 inside
asdm location Google2 255.255.252.0 inside
asdm location Google3 255.255.240.0 inside
asdm location Postini 255.255.252.0 inside
asdm location LA_Office 255.255.255.0 inside
asdm location SEAOffice 255.255.255.0 inside
asdm location NYEX1 255.255.255.255 inside
asdm location A-69.74.205.230 255.255.255.255 inside
asdm location A-192.168.3.15 255.255.255.255 inside
asdm location Kia_RDP_INT 255.255.255.255 inside
asdm location A-108.66.222.161 255.255.255.255 inside
asdm location Nick 255.255.255.255 inside
asdm location A-69.74.205.236 255.255.255.255 inside
asdm location A-69.74.205.237 255.255.255.255 inside
asdm location A-69.74.205.238 255.255.255.255 inside
asdm location ANALYZER 255.255.255.255 inside
asdm location 96.56.6.165 255.255.255.255 inside
asdm location SK 255.255.255.255 inside
no asdm history enable
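The %ASA-3-710003 message ("TCP access denied by ACL from src to interface:dst/port") is logged when a host tries to open a session to a service running on the ASA itself and no management-access statement permits it; the `telnet`, `ssh` and `http` lines in the posted config are that permission list, while the ACLs bound with `access-group` govern traffic through the box. The following Python is an added example, not code from the thread: it parses a constructed excerpt of the config above (trimmed to the `name`, `nameif`, `ip address`, `access-group`, `http`, `ssh` and `telnet` statements) and answers, per interface and service, which sources may reach the ASA's own address. On this config the answer for tcp/443 on both ISP interfaces is nobody, so every outside connection to 443 is refused and logged.

```python
"""Who is allowed to-the-box on each ASA interface?

Added example (not code from the thread). CONFIG is a constructed excerpt
of the config posted above. 'telnet'/'ssh'/'http' lines permit management
sessions to an interface address; 'access-group' binds the interface ACL
for traffic *through* the box.
"""
import ipaddress
import re
from collections import defaultdict

CONFIG = """\
names
name 192.168.3.115 SK description SK
name 192.168.3.10 NYEX1 description NYEX1
interface Ethernet0/0
 nameif BackupISP
 ip address 64.52.247.34 255.255.255.224
interface Ethernet0/1.3
 nameif inside3
 ip address 192.168.3.254 255.255.255.0
interface Ethernet0/2
 nameif PrimaryISP
 ip address 69.74.205.226 255.255.255.240
access-group outside_access_in in interface BackupISP
access-group inside_access_in in interface inside3
access-group backup_access_in in interface PrimaryISP
http server enable
http 192.168.3.0 255.255.255.0 inside3
http NYEX1 255.255.255.255 inside3
telnet 192.168.3.182 255.255.255.255 inside3
telnet SK 255.255.255.255 inside3
telnet timeout 25
ssh SK 255.255.255.255 inside3
ssh 192.168.3.130 255.255.255.255 inside3
ssh timeout 10
"""

# Port each management service listens on (ASDM/HTTPS is what answers on 443).
MGMT_PORTS = {"telnet": 23, "ssh": 22, "http": 443}

NAME_RE = re.compile(r"name (\S+) (\S+)")
NAMEIF_RE = re.compile(r"nameif (\S+)")
IPADDR_RE = re.compile(r"ip address (\S+) (\S+)")
ACCESS_GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")
# Exactly three tokens after the keyword, so 'http server enable' and
# 'ssh timeout 10' do not match.
MGMT_RE = re.compile(r"(telnet|ssh|http) (\S+) (\S+) (\S+)$")


def parse(config):
    """Collect name aliases, interface addresses, ACL bindings and
    management-access networks from a running config."""
    names, interfaces, access_groups = {}, {}, {}
    mgmt = defaultdict(list)          # (service, interface) -> [ip_network]
    current = None                    # nameif of the interface being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m[2]] = m[1]
        elif m := NAMEIF_RE.match(line):
            current = m[1]
            interfaces[current] = None
        elif (m := IPADDR_RE.match(line)) and current:
            interfaces[current] = m[1]
        elif m := ACCESS_GROUP_RE.match(line):
            access_groups[m[2]] = m[1]
        elif m := MGMT_RE.match(line):
            service, host, mask, iface = m.groups()
            host = names.get(host, host)          # expand 'name' aliases
            net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
            mgmt[(service, iface)].append(net)
    return {"names": names, "interfaces": interfaces,
            "access_groups": access_groups, "mgmt": dict(mgmt)}


def to_the_box_sources(cfg, iface, service):
    """Networks permitted to open `service` sessions to the ASA on `iface`."""
    return cfg["mgmt"].get((service, iface), [])


def is_permitted(cfg, iface, service, src):
    """True if `src` may reach `service` on the ASA's `iface` address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in to_the_box_sources(cfg, iface, service))


def report(cfg):
    """One line per interface and service: who gets in, and which ACL
    handles the through-the-box traffic on that interface."""
    lines = []
    for iface, addr in cfg["interfaces"].items():
        acl = cfg["access_groups"].get(iface, "<none>")
        for service, port in MGMT_PORTS.items():
            nets = to_the_box_sources(cfg, iface, service)
            who = ", ".join(str(n) for n in nets) or "nobody"
            lines.append(f"{iface} {addr} tcp/{port} ({service}): {who}; "
                         f"through-the-box ACL: {acl}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse(CONFIG))))
```

Run it against the full config rather than the excerpt and the same functions apply; the point of the report is that an outside source hitting 443 on PrimaryISP or BackupISP is not in any `http` line, so the refusal (and the 710003 entry) is the expected result regardless of what the interface ACL says.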
Right off hand I don't see anything.
ASKER
Thanks, so I will make the changes that you suggested for the external interface.
Just out of curiosity, do your users by any chance also try to use the AnyConnect client (e.g. from their mobile phones/tablets) to connect to the ASA? Even though your config doesn't seem to support it, it could be a reason for the TCP 443 connection attempts showing up (the AnyConnect client uses SSL VPN, which in turn uses both TCP (command channel) and UDP (data channel) for its communication).
ASKER
Should I also disable basic threat detection in the firewall, as every time the ASA denies TCP access we experience internet drops in our internal LAN?
ASKER
No, our users don't connect to the ASA through VPN.
I ran the "deny any to external interface of the ASA" command on ports 80 and 443, but it's still the same; still having internet drops.
ASKER
I ran the show asp command, in case this helps in getting to a solution.
Result of the command: "show asp drop"
Frame drop:
Invalid encapsulation (invalid-encap) 7
No valid adjacency (no-adjacency) 18937
Flow is denied by configured rule (acl-drop) 64921
Invalid SPI (np-sp-invalid-spi) 1125
First TCP packet not SYN (tcp-not-syn) 82906
TCP failed 3 way handshake (tcp-3whs-failed) 278
TCP RST/FIN out of order (tcp-rstfin-ooo) 117
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 55
TCP RST/SYN in window (tcp-rst-syn-in-win) 25
TCP packet failed PAWS test (tcp-paws-fail) 27
IPSEC tunnel is down (ipsec-tun-down) 136
Slowpath security checks failed (sp-security-failed) 1
DNS Inspect id not matched (inspect-dns-id-not-matched) 10
Interface is down (interface-down) 10
Dropped pending packets in a closed socket (np-socket-closed) 391
Last clearing: Never
Flow drop:
Tunnel being brought up or torn down (tunnel-pending) 20
Inspection failure (inspect-fail) 12
Last clearing: Never
I really didn't think those commands would stop the drops since it was already blocking that traffic.
What model of ASA is this?
Can you provide the results of running "sho ver | inc Inside Hosts" without the quotes?
Just was reviewing the Cisco alerts today and came across this:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asa
May have nothing to do with the issue but thought I would let you know anyway.
ASKER
Hi pony10us, we have ASA version 8.0(5). Please find below the results of the command you requested.
Result of the command: "sho ver | inc Inside Hosts"
Inside Hosts : Unlimited
I also did a clear xlate.
Instead of clear xlate try clear conn
ASKER
What does the clear conn command do? Can I do it during business hours without affecting internet?
Also, I unchecked the option "send reset reply for denied outside TCP packets" (under TCP Options).
I would wait until after hours. You can do a show conn to see the connections anytime.
clear conn
To clear a specific connection or multiple connections, use the clear conn command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.
Usage Guidelines
When the security appliance creates a pinhole to allow secondary connections, this is shown as an incomplete conn by the show conn command. To clear this incomplete conn use the clear conn command.
Examples
The following example shows all connections, and then clears the management connection between 10.10.10.108:4168 and 10.0.8.112:22:
hostname# show conn all
TCP mgmt 10.10.10.108:4168 NP Identity Ifc 10.0.8.112:22, idle 0:00:00, bytes 3084, flags UOB
hostname# clear conn address 10.10.10.108 port 4168 address 10.0.8.112 port 22
ASKER
The disconnects have stopped now all of a sudden. I didn't make any more changes and it seems stable. I don't know what fixed the issue.
ASKER CERTIFIED SOLUTION
Another option is to create an ACL rule denying the specific traffic. However, the ASA will report dropping those packets in log messages at the Warning level (level 4), so you may want to rate limit that.
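Putting the certified solution into concrete ASA CLI form, as an added example that is not from this thread or from Cisco's documentation: it writes the deny rules the thread discussed (TCP/80 and TCP/443 aimed at the ASA's own outside address) with per-rule logging throttled, then rate-limits the 710003 message itself, and finishes with the verification commands. The interface name "outside", the address 203.0.113.10 and the ACL name OUTSIDE_IN are placeholders; substitute the ACL that is already bound to your outside interface rather than creating a second one, because only one inbound ACL can be applied per interface. One caveat worth knowing when judging results: on the ASA, interface ACLs govern through-the-box traffic, while connection attempts to the appliance's own interface IP are what 710003 reports, so the rate-limit line is the part that actually reduces the log volume; the ACL hit counts and the "show asp drop" deltas tell you which path the packets are taking.

```cisco
! Added example, not configuration from the thread. Placeholders:
!   outside interface = outside, ASA outside IP = 203.0.113.10, ACL name = OUTSIDE_IN

hostname# configure terminal

! 1. Deny inbound TCP/443 and TCP/80 to the ASA's own outside address.
!    "log warnings interval 300" logs each match at level 4 (warnings) and
!    suppresses repeats of the same flow for 300 seconds.
hostname(config)# access-list OUTSIDE_IN extended deny tcp any host 203.0.113.10 eq 443 log warnings interval 300
hostname(config)# access-list OUTSIDE_IN extended deny tcp any host 203.0.113.10 eq 80 log warnings interval 300
! ... existing permit lines for any published services follow the deny lines ...
hostname(config)# access-group OUTSIDE_IN in interface outside

! 2. Throttle message 710003 ("TCP access denied by ACL") to 1 occurrence
!    per 10 seconds so the local buffer and the syslog collector are not swamped.
hostname(config)# logging rate-limit 1 10 message 710003

! 3. The CLI equivalent of the ASDM checkbox the asker cleared
!    ("send reset reply for denied outside TCP packets").
hostname(config)# no service resetoutside
hostname(config)# end

! 4. Verify. Hit counts show whether the ACL lines are matching; the ASP drop
!    counters are cumulative since "Last clearing", so clear them first and
!    read them again after a few minutes to get a meaningful delta.
hostname# show access-list OUTSIDE_IN
hostname# clear asp drop
hostname# show asp drop
```

If the 710003 messages continue at the same rate after step 1 while the ACL hit counts stay at zero, the traffic is not being evaluated by the interface ACL, and the logging rate-limit in step 2 (or "no logging message 710003" to silence it entirely) is the control to rely on. Run "clear conn" outside business hours, as advised above, since it tears down established connections.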