Cisco ASA 5505 configuration....I am in way over my head.

SpaceHulk

Senior member
Mar 26, 2002
Based on a vendor recommendation I purchased 2 Cisco ASA 5505 VPN routers. I understand these are pretty nice units, but I can't get them up and running properly. I have the VPN tunnel between the two of them running OK, but some of the PCs in the office here have internet dropouts, and I have come to find out the ASA is denying network traffic due to "peer limit exceeded".

Can someone help me get these configured properly? I would greatly appreciate your help.

Here is the current configuration:

: Saved
:
ASA Version 7.2(2)
!
hostname **changed to protect the innocent***
domain-name **changed to protect the innocent***
enable password bzgAeg1Nad7ClYSm encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ddns update hostname **changed to protect the innocent***
dhcp client update dns
ip address 192.168.16.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address **changed to protect the innocent*** 255.255.255.0
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.16.10
domain-name familyfreshpackwi
access-list outside_20_cryptomap extended permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list VPN extended permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 **changed to protect the innocent*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address VPN
crypto map outside_map 20 set peer **changed to protect the innocent***
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group **changed to protect the innocent*** type ipsec-l2l
tunnel-group **changed to protect the innocent***ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2
dhcpd domain **changed to protect the innocent***
dhcpd update dns both
!
dhcpd address 192.168.16.2-192.168.16.33 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd domain **changed to protect the innocent*** interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5aeee1ac0a40632276a1adc2a2197217
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

 

dphantom

Diamond Member
Jan 14, 2005
Just to verify you have enough VPN licenses available?

SSL VPN Licenses
Beginning with Version 7.2(1), the ASA 5550 supports a license level of 5000 users. The complete SSL VPN feature functionality offered by the security appliance is included in this single SSL VPN license. No per-feature licenses are required. This SSL VPN license has a one-time fee and lasts for the lifetime of the security appliance. Upon installation of Version 7.2(1), two simultaneous SSL VPN user sessions are included for evaluation.

 

SpaceHulk

Senior member
Mar 26, 2002
I believe it came with 10 licenses as per: http://www.cisco.com/en/US/pro...t0900aecd802930c5.html and you can upgrade to 25, I believe.


But I only have the two units set up with one VPN tunnel. There are 2 workstations on the remote end using the tunnel, but that should be it. Nobody in the home office has need of the VPN, but they are somehow filling up the peer slots, and then when an eleventh person tries to go on-line they get denied and the log says "peer license exceeded".

How come the local workstations are somehow using up VPN licenses? The only way I've been able to stay alive is by running a "clear xlate" command when someone in the office says their internet and mail isn't working.

btw, thanks for your help.
 

Cooky

Golden Member
Apr 2, 2002
Do a show version and post the output.
What was the part number you ordered? ASA5505-BUN-K9?
You may be hitting the user count limit, not the VPN.
Most people get the 10-user license, which is sufficient for a small branch office, but as soon as the 11th user hits the firewall, you're over the limit.
 

dphantom

Diamond Member
Jan 14, 2005
Originally posted by: SpaceHulk
I believe it came with 10 licenses as per: http://www.cisco.com/en/US/pro...t0900aecd802930c5.html and you can upgrade to 25, I believe.


But I only have the two units set up with one VPN tunnel. There are 2 workstations on the remote end using the tunnel, but that should be it. Nobody in the home office has need of the VPN, but they are somehow filling up the peer slots, and then when an eleventh person tries to go on-line they get denied and the log says "peer license exceeded".

How come the local workstations are somehow using up VPN licenses? The only way I've been able to stay alive is by running a "clear xlate" command when someone in the office says their internet and mail isn't working.

btw, thanks for your help.

With that information, I agree with Cooky. Look to the user license.
 

SpaceHulk

Senior member
Mar 26, 2002
Here is the ASA info:

Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"
***Changed**** up 20 hours 40 mins
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001b.5485.d88b, irq 11
1: Ext: Ethernet0/0 : address is 001b.5485.d883, irq 255
2: Ext: Ethernet0/1 : address is 001b.5485.d884, irq 255
3: Ext: Ethernet0/2 : address is 001b.5485.d885, irq 255
4: Ext: Ethernet0/3 : address is 001b.5485.d886, irq 255
5: Ext: Ethernet0/4 : address is 001b.5485.d887, irq 255
6: Ext: Ethernet0/5 : address is 001b.5485.d888, irq 255
7: Ext: Ethernet0/6 : address is 001b.5485.d889, irq 255
8: Ext: Ethernet0/7 : address is 001b.5485.d88a, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
Serial Number: JMX1115Z0B5
Running Activation Key: 0xce0a7e49 0x78d86409 0x5c818190 0xb4ccc830 0x060b3fb3
Configuration register is 0x1

It is an ASA5505-BUN-K9. Am I completely wrong in thinking that the 10-user limit was for VPN only? I didn't think this router would offer less functionality than the $40 D-Link I had. We upgraded to this for VPN purposes.

OK, so on the remote side I have 2 workstations. Locally I have 2 servers running Business 2003 and 8 workstations, so that is still not greater than ten locally. There are other IP devices on the network: we have one small NAS device, a network printer, a networked door security appliance, and a couple of wireless routers acting as access points.

So even with 10 PCs that could need outside access, I still get the license exceeded message.
 

Cooky

Golden Member
Apr 2, 2002
The ASA firewall offers more granularity and reliability (uptime) than a $40 D-Link.
Unfortunately with Cisco (and any other big-name brand), you're paying a premium and are restricted by the licensing.
We generally use unrestricted licenses simply because of the size.

Pull unnecessary hosts off the network so that you have only 10 (or even 9), and see if you'll still get that error.