Cisco ASA 5505 configuration....I am in way over my head.

Discussion in 'Networking' started by SpaceHulk, Jul 19, 2007.

  1. SpaceHulk

    SpaceHulk Senior member

    Joined:
    Mar 26, 2002
    Messages:
    818
    Likes Received:
    0
    Based on a vendor recommendation I purchased 2 Cisco ASA 5505 VPN routers. I understand these are pretty nice units, but I can't get them up and running properly. I have the VPN tunnel between the two of them running OK, but some of the PCs in the office here have internet dropouts, and I've come to find out the ASA is denying network traffic due to "peer limit exceeded".

    Can someone help me get these configured properly? I would greatly appreciate your help.

    Here is the current configuration:

    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname **changed to protect the innocent***
    domain-name **changed to protect the innocent***
    enable password bzgAeg1Nad7ClYSm encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ddns update hostname **changed to protect the innocent***
    dhcp client update dns
    ip address 192.168.16.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address **changed to protect the innocent*** 255.255.255.0
    !
    interface Vlan3
    shutdown
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 192.168.16.10
    domain-name familyfreshpackwi
    access-list outside_20_cryptomap extended permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list VPN extended permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 **changed to protect the innocent*** 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.16.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection tcpmss 1300
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 match address VPN
    crypto map outside_map 20 set peer **changed to protect the innocent***
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 20
    tunnel-group **changed to protect the innocent*** type ipsec-l2l
    tunnel-group **changed to protect the innocent***ipsec-attributes
    pre-shared-key *
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 4.2.2.2
    dhcpd domain **changed to protect the innocent***
    dhcpd update dns both
    !
    dhcpd address 192.168.16.2-192.168.16.33 inside
    dhcpd dns 4.2.2.2 interface inside
    dhcpd domain **changed to protect the innocent*** interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:5aeee1ac0a40632276a1adc2a2197217
    : end

     
  2. dphantom

    dphantom Diamond Member

    Joined:
    Jan 14, 2005
    Messages:
    3,754
    Likes Received:
    0
    Just to verify you have enough VPN licenses available?

    SSL VPN Licenses
    Beginning with Version 7.2(1), the ASA 5550 supports a license level of 5000 users. The complete SSL VPN feature functionality offered by the security appliance is included in this single SSL VPN license. No per-feature licenses are required. This SSL VPN license has a one-time fee and lasts for the lifetime of the security appliance. Upon installation of Version 7.2(1), two simultaneous SSL VPN user sessions are included for evaluation.

     
  3. SpaceHulk

    SpaceHulk Senior member

    Joined:
    Mar 26, 2002
    Messages:
    818
    Likes Received:
    0
    I believe it came with 10 licenses as per: http://www.cisco.com/en/US/pro...t0900aecd802930c5.html and you can upgrade to 25, I believe.


    But I only have the two units set up with one VPN tunnel. There are 2 workstations on the remote end using the tunnel, but that should be it. Nobody in the home office has need of the VPN, but they are somehow filling up the peer slots, and then when an eleventh person tries to go on-line they get denied and the log says "peer license exceeded".

    How come the local workstations are somehow using up VPN licenses? The only way I've been able to stay alive is by running a "clear xlate" command when someone in the office says their internet and mail isn't working.

    btw, thanks for your help.
     
  4. Cooky

    Cooky Golden Member

    Joined:
    Apr 2, 2002
    Messages:
    1,407
    Likes Received:
    0
    Do a show version and post the output.
    What was the part number you ordered? ASA5505-BUN-K9?
    You may be hitting the user count limit, not the VPN.
    Most people get 10-user license, which is sufficient for small branch office, but as soon as the 11th user hits the firewall, you're over the limit.
     
  5. dphantom

    dphantom Diamond Member

    Joined:
    Jan 14, 2005
    Messages:
    3,754
    Likes Received:
    0
    With that information, I agree with Cooky. Look to the user license.
     
  6. SpaceHulk

    SpaceHulk Senior member

    Joined:
    Mar 26, 2002
    Messages:
    818
    Likes Received:
    0
    Here is the ASA info:

    Cisco Adaptive Security Appliance Software Version 7.2(2)
    Device Manager Version 5.2(2)
    Compiled on Wed 22-Nov-06 14:16 by builders
    System image file is "disk0:/asa722-k8.bin"
    Config file at boot was "startup-config"
    ***Changed**** up 20 hours 40 mins
    Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
    Boot microcode : CNlite-MC-Boot-Cisco-1.2
    SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
    IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
    0: Int: Internal-Data0/0 : address is 001b.5485.d88b, irq 11
    1: Ext: Ethernet0/0 : address is 001b.5485.d883, irq 255
    2: Ext: Ethernet0/1 : address is 001b.5485.d884, irq 255
    3: Ext: Ethernet0/2 : address is 001b.5485.d885, irq 255
    4: Ext: Ethernet0/3 : address is 001b.5485.d886, irq 255
    5: Ext: Ethernet0/4 : address is 001b.5485.d887, irq 255
    6: Ext: Ethernet0/5 : address is 001b.5485.d888, irq 255
    7: Ext: Ethernet0/6 : address is 001b.5485.d889, irq 255
    8: Ext: Ethernet0/7 : address is 001b.5485.d88a, irq 255
    9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
    10: Int: Not used : irq 255
    11: Int: Not used : irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 3, DMZ Restricted
    Inside Hosts : 10
    Failover : Disabled
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : 10
    WebVPN Peers : 2
    Dual ISPs : Disabled
    VLAN Trunk Ports : 0
    This platform has a Base license.
    Serial Number: JMX1115Z0B5
    Running Activation Key: 0xce0a7e49 0x78d86409 0x5c818190 0xb4ccc830 0x060b3fb3
    Configuration register is 0x1

    It is an ASA5505-BUN-K9. Am I completely wrong in thinking that the 10 user limit was for VPN only? I didn't think this router would offer less functionality than the $40 D-Link I had. We upgraded to this for VPN purposes.

    OK, so on the remote side, I have 2 workstations. Locally I have 2 servers running business 2003 and 8 workstations. So that is still not greater than ten locally. There are other IP devices on the network. We have one small NAS device, a network printer, a networked door security appliance, and a couple of wireless routers acting as access points.

    So even with 10 PC's that could need outside access, I still get the license exceeded message.
     
  7. Cooky

    Cooky Golden Member

    Joined:
    Apr 2, 2002
    Messages:
    1,407
    Likes Received:
    0
    The ASA firewall offers more granularity and reliability (uptime) than a $40 DLink.
    Unfortunately w/ Cisco (and any other big name brands), you're paying premium and are restricted by the licensing.
    We generally use unrestricted licenses simply because of the size.

    Pull unnecessary hosts off the network so that you have only 10 (or even 9), and see if you still get that error.
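An added check (not from the thread or from Cisco) that reads the "Licensed features" block from the show version output posted in post 6, compares the Inside Hosts limit against a constructed device inventory taken from that post, and sizes the DHCP pool from the posted configuration; the inventory counts and the helper names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the "Licensed features" block from the show version
# output in post 6 (ASA5505-BUN-K9 with the Base license).
SHOW_VERSION_LICENSE = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
"""

# Constructed inventory of the home-office LAN as described in post 6. Every
# device that sends traffic through the ASA counts against "Inside Hosts",
# not only VPN users, so printers, NAS boxes and door controllers count too.
INSIDE_DEVICES = {
    "server": 2, "workstation": 8, "nas": 1, "printer": 1,
    "door-controller": 1, "wireless-ap": 2,
}

def parse_license(text):
    """Return {feature: value} for every 'Name : value' line in the block."""
    feats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9 /-]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            feats[m.group(1)] = m.group(2)
    return feats

def license_int(feats, name):
    """Leading integer of a licensed feature, e.g. 'Inside Hosts' -> 10."""
    m = re.match(r"\d+", feats.get(name, ""))
    return int(m.group()) if m else None

def check_host_limit(feats, inventory):
    """Compare the licensed Inside Hosts count with the device inventory."""
    limit = license_int(feats, "Inside Hosts")
    total = sum(inventory.values())
    return {"limit": limit, "inside_hosts": total,
            "over_limit": limit is not None and total > limit}

def dhcp_pool_size(config_line):
    """Number of leases in a 'dhcpd address lo-hi ifname' line."""
    lo, hi = re.search(r"dhcpd address (\S+)-(\S+)", config_line).groups()
    return int(ipaddress.IPv4Address(hi)) - int(ipaddress.IPv4Address(lo)) + 1
```

With the posted numbers the inventory comes to 15 devices against a 10-host license, and the DHCP pool 192.168.16.2-192.168.16.33 can hand out 32 leases, so the firewall will start refusing hosts long before the pool is exhausted.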
     