ASA 5510 8.4 Simple Configuration Issue

Good Afternoon,
   Ok, so let me start out by saying that I am by no means an expert with an ASA/ASDM but what I am trying to accomplish seems pretty straight forward and I feel like I am missing something easy!
----Internet----
     eth0
     1.2.3.250 = VPN termination point (This is tested and functioning properly with 10.200.1.2 as the remoteip)
     eth1
     10.200.1.1 Interface Address
     Host IP
     10.200.1.2
Issues:
The IPSEC SA is established however I cannot reach the 10.200.1.2 host
The 10.200.1.2 host cannot ping the 1.2.3.250 interface nor do i see any hits on the policy log (10.200.1.2 any ip permit)
I understand both routes are directly connected but it seems like the public and private interfaces cannot communicate
Objectives:
1. Configure the ASA so that the VPN terminating can access the 10.200.1.2 host.
2. Configure the ASA so that the 10.200.1.2 host can reach the Internet.
Is there a sample configuration I could look at of someone accomplishing a similar task?

Hello Jon,
1) Add the fixup protocol icmp command so ICMP packets can be inspected statefully,
2) You cannot ping a far end interface as this is a security breach so from an inside user you will not be able to ping the DMZ or Outside interface of your own asa but you should be able to ping any other host behind that other interface,
Regards,
Rate all the helpful posts
Julio

Similar Messages

  • ASA 5510 Remote Access iOS devices issue

    I'm having a weird issue that just cropped up in the last week or so. Previously, ipads and iphones were working fine on our IPSec VPN, but now they don't work at all.
    The iOS device throws one of two errors:
    1. "Negotiation with the VPN server failed." (asks for user and pass first, then gives this error after about 30 seconds)
    2. "The VPN server did not repond." (might just be intermittnet 3G network I'm testing over)                  
    If the error is #1, the ASA says this:
    tacacs+ and aaa debug:
    user: testuser
    Tacacs packet sent
    Sending TACACS Start message. Session id: 11763, seq no:1
    Received TACACS packet. Session id:1263956303  seq no:2
    tacp_procpkt_authen: GETPASS
    mk_pkt - type: 0x1, session_id: 11763
    mkpkt_continue - response: ***
    Tacacs packet sent
    Sending TACACS Continue message. Session id: 11763, seq no:3
    Received TACACS packet. Session id:1263956303  seq no:4
    tacp_procpkt_authen: PASS
    TACACS Session finished. Session id: 11763, seq no: 3
    crypto isakmp debug (Negotiation with the VPN server failed.):
    Jun 11 15:09:57 [IKEv1]: IP = 174.232.18.200, IKE_DECODE RECEIVED Message (msgid=ad46fa43) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, processing hash payload
    Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, processing delete
    Jun 11 15:09:57 [IKEv1]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, Connection terminated for peer testuser.  Reason: Peer
    Terminate  Remote Proxy N/A, Local Proxy N/A
    Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, IKE SA AM:b19cbbe4 terminating:  flags 0x0941c801,
    refcnt 0, tuncnt 0
    Same error with a different debugging level and another tunnel group:
    Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, User (testuser) authenticated.
    Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, Assigned private IP address 10.1.50.175 to remote user
    Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, Forcing iPhone to host mask. <--is this forcing the mask to 255.255.255.255 because the iphone requires that?
    If the error is #2, the ASA says this:
    Jun 11 15:13:18 [IKEv1]: IP = 174.232.18.200, Connection landed on tunnel_group MobileDevices
    I've changed a lot of settings, but I haven't gotten anywhere. I've tried different tunnel groups and connection profiles. This setup works fine on a Windows computer with the Cisco VPN Client (5.0.07). ASA is running 8.2(5), split tunnel, no pfs, group name and psk, tried with and without peer ID validation, NAT-T (udp 500, 4500).
    Any ideas? Thanks in advance.

    Solved.
    Static Nat is solution.
    I have created rule as follows:
    nat (inside,outside) source static 192.168.1.0_24  2.2.2.2 destination static 172.16.1.0_24 172.16.1.0_24 no-proxy-arp

  • ASA 5510 context base configuration in HA Mode with two different subnet

    Hi
    Please someone help me to configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
    IP Details are below.....:
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
    interface Ethernet0/1
    no nameif
    security-level 0
    no ip address
    interface Ethernet0/1.101
    description INSIDE1
    vlan 101
    nameif INSIDE1
    security-level 90
    ip address 172.22.0.2 255.255.255.0 standby 172.22.0.3
    interface Ethernet0/1.102
    description INSIDE2
    vlan 102
    nameif INSIDE2
    security-level 80
    ip address 172.22.1.2 255.255.255.0 standby 172.22.1.3
    interface Ethernet0/3
    description LAN Failover Interface
    failover
    failover lan unit primary
    failover lan interface FAILOVER Ethernet0/3
    failover replication http
    failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

    Hi Sanjeev,
    If it is a context based configuration  that you are doing then, you would need to configure context on the ASA first, you can refer to this document for it:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • ASA 5510 vpn question

    Hi all,
    I have 1 ISP link terminated on ASA 5510. Can i configure both easy vpn and site to site vpn on that interface ?

    Hi,
    Do you mean that you would use the ASA5510 as a Easy VPN Server (where clients would connect to) and also build L2L VPN connections from the ASA5510 to other sites?
    If that is what you mean then I think that should be possible.
    - Jouni

  • ASA 5510 ignoring configured acl entry?

    Greetings,
      I'm configuring up aa ASA-5510, and I have several interfaces, some of which include:
    interface Ethernet0/0.200
    vlan 200
    nameif SITECORP
    security-level 90
    ip address 10.1.4.1 255.255.254.0
    interface Ethernet0/0.207
    vlan 207    
    nameif SITESERVER
    security-level 90
    ip address 10.1.7.1 255.255.255.128
    interface Ethernet0/1.311
    vlan 311
    nameif MOD1BMS
    security-level 100
    ip address 10.1.144.1 255.255.252.0
    I have the following access-lists configured and applied:
    access-list SITECORP_access_in extended permit ip any any
    access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
    access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
    fw# show run object-group
    object-group network SITECORP
    network-object 10.1.4.0 255.255.254.0
    object-group network MOD1BMS
    network-object 10.1.144.0 255.255.252.0
    object-group network SITESERVER
    network-object 10.1.7.0 255.255.255.128
    fw# show run nat-control
    no nat-control
    packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group SITECORP_access_in in interface SITECORP
    access-list SITECORP_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd5641ec8, priority=12, domain=permit, deny=false
            hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd544e8c8, priority=110, domain=permit, deny=true
    hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0
    This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
    Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
    Regards,
      Phil

    Hello Phil,
    That is correct no matter what ACE (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection would not be allowed (Asa/Pix speaking)
    But you do not have to change the Security level, of course that is one work-around but again the solution is :
    -     same-security-traffic permit inter-interface
    Please mark the question as answered for future queries regarding the same issue unless you have any other question, I would be more than glad to help.
    Regards,
    Julio

  • Looking for Recommendation for Redundant or Backup ISP configuration: ASA 5510

    Good Day,
    Currently I have two ASA 5510's version 8.2(5) with the security plus license in my environment. These are configured to failover with the SAME ISP in the event of hardware failure. We are currently trying to introduce ISP backup configuration. I've already engaged ISP's for services, However, I was wonder what this configuration may entail additionally. Can anyone advise on a best practice/configuration  in this regard?
    I am trying to achieve high availability for services provided by another company location. Looking forward to any assistance that can be provided.
    Thanks much.

    Cisco has a whitepaper on setting this up. It's a bit dated but mostly applicable.
    With an HA pair of ASAs, we typically setup a switch (or stack for higher availability) between the HA pair and upstream routers. Other than that, the whitepaper is followed.
    The only significant issue is whether you have any incoming services exposed via public IP and don't have you own provider-independent address block. In that case, you need to account for how those services will be reachable in the event that your are using the address of your secondary provider. This usually involves some DNS changes or other such work.
    Some people offload the whole setup to an external device like a FatPipe Warp appliance.

  • Configuring ASA 5510

    I have turned on the aaa command authorization without applying adequate privileges to the user. I can now login through that user but the ASA 5510 displays an error :ASA5510# show run
    ERROR: % Invalid input detected at '^' marker.
    ERROR: Command authorization failed .need your help to resolvr this issue
    Posted by WebUser Mugisha Vianney

    Can I access both the FW and IPS through the dedicated management port via SSH and ASDM/IDM?
    Sorta, you can ssh to the ASA and from there establish a backplane connection to the module.
    Can I assign the management port an external IP address and to establish  a L2L VPN tunnel for remote management and tunnel syslog and IPS logs  through it?
    Would I be able to route Syslog and IPS event through the Management port to a remote event collector?
    Yes, but you can't do the IPS part though.
    The IPS is an independant unit and will use its own management interface to send logs, the only way you can do this is to log into the ASA, then into the IPS and get the logs you are looking for.
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1198794
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1214750
    Cabling clarification: internal switch connected to the ASA's management interface and to the IPS' management interface.
    This is ok, if you want the units to communicate make sure they are part of the same vlan.

  • How to configure QOS on certain IP in the Cisco ASA 5510

    Hi,
    I am need to configure QOS on certain IP in the Cisco ASA 5510. Assume the IP's are 10.0.1.5 , 10.0.1.6 , 10.0.1.7. Here i have to configure 512 KBPS for 10.0.1.5 and 2 MBPS for 10.0.1.6 and 10.0.1.7
    Can this done on a ASA 5510 series? if yes can you help me how ?
    Regards,
    Venkat

    Yes you can do it.You can match the ip addresses in an access-list, put in a class-map and the class-map in a policy map that will do policing.
    Good examples for what you want to do are here https://supportforums.cisco.com/docs/DOC-1230
    I hope it helps.
    PK

  • How to configure CISCO ASA 5510 for internal remote desktop ?

    Helo,I have a client that want to install new ASA (5510) in their network.
    and then I did some experiment to implement it. the topology is like this :
    --------configuration---------
    2800 router :
    interface FastEthernet0/0
    ip address 172.16.1.1 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.11.3 255.255.255.0
    duplex auto
    speed auto
    ip route 192.168.12.0 255.255.255.0 172.16.1.2
    1841 router :
    interface FastEthernet0/0
    ip address 172.16.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.12.1 255.255.255.0
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    ASA 5510 :
    : Saved
    : Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
    ASA Version 8.2(1)
    hostname ciscoasa
    enable password **** encrypted
    passwd ***** encrypted
    names
    name 192.168.12.0 Branch
    dns-guard
    interface Ethernet0/0
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.11.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
    access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
    access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
    tcp-map mssmap
      synack-data allow
      invalid-ack allow
      seq-past-window allow
      urgent-flag allow
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    asdm location Branch 255.255.255.0 inside
    no asdm history enable
    arp timeout 14400
    static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
    static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    route inside Branch 255.255.255.0 172.16.1.1 1
    timeout xlate 3:00:00
    timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ***** password ***** encrypted
    class-map mymap
    match access-list inside_access_in
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    policy-map myPolicy
    class mymap
      set connection advanced-options mssmap
    service-policy global_policy global
    service-policy myPolicy interface inside
    prompt hostname context
    Cryptochecksum:a605d94f29924e5267644dd0f4476145
    : end
    I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those host.
    then I use wireshark to capture packet in my computer and it says that TCP ACKed Lost Segment.
    "1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
    "1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
    I can guarantee that both computers are remote desktop enabled and all firewall have been disabled.
    please help, any suggest would be great .
    thanks .
    sincerley yours
    -IAN WIJAYA-

    ear Ian_benderaz,
    Thank god i am not alone on this ,
    Me too having the exact same problem , i can ping to the host ,but no remote desktop .
    Somebody please help me on this , how enable remote desktop on asa 5505 
    Thanks 

  • DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

    Hi Guys,
    I'm in a mess, I have  Cisco 877-K9 router which sits behind an ASA 5510 FW.
    The Design :
    Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
    ||
    ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
    ||
    Switch
    ||
    LAN
    Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa.
    I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not  able to ping any LAN IP at Spoke site nor am I able to ping my LAN from  any Spoke site.
    I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
    Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
    Thanks,
    Aj.

    Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
    All the troubleshooting was done before posting the problem, and to clearify the things, Please find below the results.
    1) what RProtocol r u using?
    a) It's OSPF
    2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
    a) I did the "show ip route" and bothe the HUB and Spokes get their routes defined
        (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I coudln't get routes advertised on spokes)
        (I changed to "redistribute static subnests" and I was able to get Hub routes advertised")
    3) are your tunnels config correctly? try show crypto ipsec sa
    a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
    4) on your hub'spoke do a debug ip icmp
    a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
    I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
    Additional to the info above, Please also note :
    I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
    So I guess I'm stuck on the point that My Cisco HUB is unable to talk to  my LAN, If I can get the HUB to talk to the internal LAN, I would be  able to ping clients on LAN from any Spoke or clients behind Spokes.
    From HUB router I'm able to ping clients behind Spokes.
    Does that give any Ideas ?
    Thanks in Advance.
    Aj.

  • ASA 5510 anti spam module issue need help

    hi all,
    i have ASA5510 my E0 interface is having public ip and E1 is having 192.168.1.0/24 network and my DMZ E2 is 172.16.2.0/24 network.
    my management interface ip address is 10.10.10.1 and ive put 10.10.10.5 for SSM module. but im not receiving the updates from net bcoz there is no connection to the internet from 10.10.10.0/24 network.
    how can i do that, and ASA 5510 has got 4 ports E0,E1,E2,E3 but i can see that port E3 is activated if i chk the sh run there is no port E3.
    now my issue is i would like to allow 10.10.10.0/24 to access internet to update the module.
    pls help, i will rate all the posts.
    Regards
    Binoy.

    Try these links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f70.html#wp1051819
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

  • How to configure ASA 5510 V9.1(5) to send Netflow packets to Netflow Analyser 8.0

    Hi guys,
    I've configured my ASA 5510 Version 9.1(5) to send flow to Netflow Analyser. I think I've done it correctly but what happened is that I can see the ASA in netflow and netflow packets are receiving and increasing every time I refresh the page but there are no traffic as you can see in the attachment file. Also how can I figure out which ifindex is which interface to rename it? 
    BTW, my netflow version is 8.0 and below is the netflow config:
    access-list NETFLOWMONITOREDTRAFFIC extended permit ip any any
    flow-export destination INSIDE A.B.C.D 9996
    flow-export template timeout-rate 1
    flow-export delay flow-create 60
    flow-export active refresh-interval 2
    class-map NETFLOW
     match access-list NETFLOWMONITOREDTRAFFIC
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect ip-options 
      inspect netbios 
      inspect rsh 
      inspect rtsp 
      inspect skinny  
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect sip  
      inspect xdmcp 
      inspect icmp 
      inspect icmp error 
     class NETFLOW
      flow-export event-type all destination A.B.C.D
     class class-default
      flow-export event-type all destination A.B.C.D
    Hope someone can help me here.
    Cheers,
    Joe

    I did find a workaround by keeping a connection open for communication between the client and server. However, I wish I did not have to do this. Ideally, I would like to be able to establish connections to the server only when needed and have the client JRE remember what certificate the user selected.
    Browsers have this feature based on a user session. (i.e. once a user offers up a certificate to a server, the browser will not ask the user which certificate to send for the duration of the session to a given server).

  • ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet

    Hi,
    I experiencing an issue in setting up an ACL on my ASA 5510 to permit access only to the Nat subnet from inside to the outside interface. This firewall is setup for the DR solution in the production network. I am applying following acl in the inbound direction on the inside interface.
    permit ip any "Nat_subnet"
    After appliying this acl to inside interface I observed that I can ping to the destinations in NAT'ed subnet but unable to ssh to the servers. Following is the summary of my configuration. I would appreciate if someone please advice to resolve this issue.
    Regards,
    Muds
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.135.249 255.255.255.248 standby 192.168.135.250
    object-group network d1-dr-nat_nets
    network-object 192.168.128.0 255.255.248.0
    object network 10.210.14.0_Net
    nat (outside,inside) static 192.168.128.0_Net
    object network 10.210.16.0_Net
    nat (outside,inside) static 192.168.129.0_Net
    object network 10.210.80.0_Net
    nat (outside,inside) static 192.168.130.0_Net
    object network 10.210.84.0_Net
    nat (outside,inside) static 192.168.131.0_Net
    object network 10.210.86.0_Net
    nat (outside,inside) static 192.168.132.0_Net
    object network 10.210.88.0_Net
    nat (outside,inside) static 192.168.133.0_Net !
    object network 10.210.14.0_Net
    nat (outside,inside) static 192.168.128.0_Net
    object network 10.210.16.0_Net
    nat (outside,inside) static 192.168.129.0_Net
    object network 10.210.80.0_Net
    nat (outside,inside) static 192.168.130.0_Net
    object network 10.210.84.0_Net
    nat (outside,inside) static 192.168.131.0_Net
    object network 10.210.86.0_Net
    nat (outside,inside) static 192.168.132.0_Net
    object network 10.210.88.0_Net
    nat (outside,inside) static 192.168.133.0_Net
    access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets
    access-group prod_lan-in in interface inside

    Hi,
    As I mentioned even though you NAT the address from outside to inside you will have to use the REAL IP ADDRESSES in the access-list statements
    Your hosts on inside will still be connecting to the NAT IP address of the hosts on outside BUT the ASA needs the ACL statements with the NATed hosts original IP addresses
    Let me give an simple example
    object network STATIC
    host 10.10.10.10
    nat (outside,inside) static 192.168.10.10
    access-list INSIDE-IN permit ip any host 10.10.10.10
    or
    access-list INSIDE-IN permit ip any object STATIC
    - Jouni

  • Connecting ASA 5510s to a DSL modem with a static IP range

    I have DSL service with AT&T and I have a Motorola 3360 modem.  We also have a /28 network of static IPs from AT&T.  When I login using PPPoE on the modem it gets x.x.x.190 as it's address.  Our range is 177-190.  I have two ASA 5510s in an active/passive failover configuration with the Ethernet port of the modem and one interface of each of the ASAs on a dumb layer 2 switch. 
    I want to setup this DSL connection as a backup to our main Internet connection.  I cannot figure out what setting on the DSL modem to use to make this happen.  I know I cannot use PPPoE in a failover setting so I can't have the modem in bridged mode.  There is some mode where it passes the 190 address to the connected device and when I plug in a PC directly to the modem and set it for DHCP it does get 190 as it's address.  So do I configure the ASA interface as 190 with one of the other addresses as it's standby?  What do I set my route on the ASA to for use of this connection?  Can I then make use of these other static addresses when plugging other devices into the layer 2 switch?

    Thanks for your prompt response.  From your information, your network near the firewalls looks like this:
    Your cable modem connects to your provider without any intervention from your equipment, and you are free to assign IP addresses from your assigned block.  The cable ISP knows to route traffic to your block down to the layer 2 segment attached to the cable mode. 
    As you described, the Motorola 3360 DSL modem is an odd fish.  I do not have personal experience with that device,  but from internet searches that appears to be a model AT&T bundles with small business DSL service.  The 3360 appears to have three modes:
    --router mode where it uses a single public IP on the WAN side and issues IP addresses in the 192.168.1.x range on the LAN side.  The modem performs the PPPoE function in this mode.
    --hybrid mode where it gets a single public IP on the WAN side and then passes that through to one device connected on the LAN side.  The modem performs the PPPoE function in this mode.
    --bridge mode.  A device on the LAN side must perform the PPPoE function.
    Various links I found indicate folks with static IP address assignments from their ISP (usually AT&T) have difficulty getting those static IP addresses to work with the Motorol 3360 except in bridge mode.
    To your original question, I'm guessing you match the configuration you performed on the cable modem side and use two of your static IPs for the ASA's.  Howver, it's unclear if the additional IP addresses will work with 3360's odd behavior.  If you have internet-exposed hosts (as shown in my simple drawing), try assigning some of the DSL static IPs to those hosts and test communications both ways -- host-->internet, internet-->host.  If possible, test two hosts at the same time to verify the 3360 can handle multiple public IPs at the same time (one posting I found claimed it could only handle one public IP address at a time).

  • Unable to see interface on ASA 5510 Firewall

    Hi All,
    I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
    Below is the output.
    ciscoasa# sh int ip br
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                x.x.x.x           YES CONFIG up                    up
    Ethernet0/1                x.x.x.x           YES CONFIG up                    up
    Ethernet0/2                unassigned      YES unset  administratively down down
    Internal-Control0/0        127.0.1.1       YES unset  up                    up
    Internal-Data0/0           unassigned      YES unset  up                    up
    Management0/0              192.168.1.1     YES CONFIG up                    up
    Please suggest what could be the reason.
    Regards
    Pankaj

    Hi Ramraj,
    Even i have the base license for my ASA 5510 which is showing all the 4 interfaces in sh ver. I don't think so license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
    Its not showing up in sh ver . As Karsten said he might be running on old IOS version.
    fy-a# sh ver
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 6.4(5)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fy-a up 1 day 1 hour
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
    0: Ext: Ethernet0/0         : address is 2c54.2d0c.8f1a, irq 9
    1: Ext: Ethernet0/1         : address is 2c54.2d0c.8f1b, irq 9
    2: Ext: Ethernet0/2         : address is 2c54.2d0c.8f1c, irq 9
    3: Ext: Ethernet0/3         : address is 2c54.2d0c.8f1d, irq 9
    4: Ext: Management0/0       : address is 2c54.2d0c.8f1e, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 50             perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Disabled       perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 0              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has a Base license.
    Serial Number: JMX1AXXXXX
    Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    fy-a#
    Ramraj please do correct me if am wrong.
    Please do rate if the given information helps.
    By
    Karthik

Maybe you are looking for

  • Print Preview with in the browsers

    Is it possible that we view the pdf Print with in the browsers instead of a seprate file. If yes how?

  • Outputting quiz results to E-mail / Excel

    Hi everyone, I am a multimedia computing student currently on placement at an organisation. I am designing an e-learning package at the moment and am fairly new to Captivate. I have designed a package which consists of 6 question slides. I have set t

  • Alternate to this(joins)

    SELECT ISNULL(LastMember.DimMemberId, -1) AS PrevMemberId ,ISNULL(Member.DimMemberId, -1) AS DimMemberId ,ISNULL(LASTMembership.DimMembershipId, -1) AS PrevMembershipId ,ISNULL(CurrentMembership.DimMembershipId, -1) AS DimMembershipId ,ISNULL(MemberA

  • Kindly Help Me in This Servlet...

    the error is.. Can not issue data manipulation statements with executeQuery(). i cant.. update my database and also i cant delelete.. what wrong in this servlet.. import java.sql.*; import javax.servlet.*; import javax.servlet.http.*; public class Se

  • On an iMac why can't you delete an email without opening it?

    Why can't I delete an email without opening it first? Is this not a security risk as I have always been advised that, if I don't know who the email is from, I should delete it so as to avoid opening any suspect attachments that open immediately. This