ASA 5510 9.1.x ACL/NAT issues
Forgoing some security concern have you tried "permit ip" instead?
Good afternoon.
I'm hoping one of you spiceheads might be able to help a fellow out. We upgraded our 5510 from 8.2 to 9.1 and now none of our NAT'd public servers are working.
we cleared out every thing and did step by step to create the new NAT connection and even though the ACL shows any4 for the private IP address, we are getting access denied.
access-list outside_access_1 extended permit tcp any4 host 10.201.0.130
We have the same config and IOS version running on our 5505 and don't have any issues.
Thoughts?
This topic first appeared in the Spiceworks Community
Similar Messages
-
ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP
Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is. My guess right now is that it has something to do with dynamic PAT.
Essentially, I have a block of 5 static public IP's. I have 1 assigned to the interface and am using another for email/webmail. I have no problems accessing the internet, receving emails, etc... The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT. I would really appreciate if anyone could help shed some light as to why this is happening for me. I always thought a static nat should take precidence in the order of things.
Recap:
IP 1 -- 10.10.10.78 is assigned to outside interface. Dynamic PAT for all network objects to use this address when going out.
IP 2 -- 10.10.10.74 is assgned through static nat to email server. Email server should respond to and send out using this IP address.
Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.
Thanks in advance for anyone that reads this and can lend a hand.
- Justin
Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):
ASA Version 8.4(3)
hostname MYHOSTNAME
domain-name MYDOMAIN.COM
enable password msTsgJ6BvY68//T7 encrypted
passwd msTsgJ6BvY68//T7 encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.78 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name MYDOMAIN.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)
access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any object Email eq smtp
access-list outside_access_in extended permit tcp any object Webmail eq www
access-list outside_access_in extended permit tcp any object WebmailSecure eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MYDOMAIN protocol kerberos
aaa-server MYDOMAIN (inside) host 192.168.2.8
kerberos-realm MYDOMAIN.COM
aaa-server MYDOMAIN (inside) host 192.168.2.9
kerberos-realm MYDOMAIN.COM
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (inside) host 192.168.2.8
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
aaa-server MY-LDAP (inside) host 192.168.2.9
ldap-base-dn DC=MYDOMAIN,DC=com
ldap-group-base-dn DC=MYDOMAIN,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=MYHOSTNAME
ip-address 10.10.10.78
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e633854f
30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105
0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133
355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609
2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886
f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43
4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4
aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810
f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88
0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65
78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02
03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3
0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300
02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd
d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298
e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c
5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2
781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.8 source inside prefer
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2 ssl-client
group-lock value VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
group-policy GroupPolicy-VPN-LAPTOP internal
group-policy GroupPolicy-VPN-LAPTOP attributes
wins-server value 192.168.2.8 192.168.2.9
dns-server value 192.168.2.8 192.168.2.9
vpn-filter value VPN_Split_Tunnel_List
vpn-tunnel-protocol ikev2
group-lock value VPN-LAPTOP
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_Tunnel_List
default-domain value MYDOMAIN.COM
webvpn
anyconnect profiles value VPN_client_profile type user
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group MYDOMAIN
default-group-policy GroupPolicy_VPN
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN-LAPTOP type remote-access
tunnel-group VPN-LAPTOP general-attributes
authentication-server-group MY-LDAP
default-group-policy GroupPolicy-VPN-LAPTOP
dhcp-server 192.168.2.8
dhcp-server 192.168.2.9
dhcp-server 192.168.2.10
tunnel-group VPN-LAPTOP webvpn-attributes
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:951faceacf912d432fc228ecfcdffd3fHi ,
As per you config :
object network obj_any
nat (inside,outside) dynamic interface
object network Email
nat (inside,outside) static 10.10.10.74 service tcp smtp smtp
object network Webmail
nat (inside,outside) static 10.10.10.74 service tcp www www
object network WebmailSecure
nat (inside,outside) static 10.10.10.74 service tcp https https
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.2.0 255.255.255.0
object network Email
host 192.168.2.7
object network Webmail
host 192.168.2.16
object network WebmailSecure
host 192.168.2.16
The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.
Are you saying that this is not happening ?
Dan -
ASA 5505 version 9.1(4) NAT issue
Hi,
I am using ASA 5505 version 9.1(4) and using dynamic NAT command to NAT(PAT) inside subnet 192.168.3.0/24 with outside interface 192.168.100.2/24
But unable to ping from inside host to internet or router interface 192.168.100.1 . Please suggest the show running is mentioned below.
Following is the logical diagram
192.168.100.1/24 192.168.100.2/24 192.168.3.1
Internet(ISP) ------------------->------------------ Router------------------------->(e0/0) ASA 5505 (9.1) eth0/4 ----- ---------- Host (192.168.3.22)
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ciscoasa(config)# object network Generic_All_Network
ciscoasa(config-network-object)# sub
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
ciscoasa(config-network-object)# ex
ciscoasa(config)# nat (inside,outside) source dynamic Generic_All_Network inte$
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# wr
Building configuration...
Cryptochecksum: fe5175c6 25dfd45a 117bd6e3 867486db
3211 bytes copied in 1.120 secs (3211 bytes/sec)
[OK]
ciscoasa(config)# sh run
: Saved
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
ftp mode passive
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
access-list inbound extended permit ip any any
access-list inbound extended permit icmp any4 any4
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source dynamic Generic_All_Network interface
object network inside_hosts
nat (inside,outside) dynamic interface
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:fe5175c625dfd45a117bd6e3867486db
: endyep I have already removed nat (inside,outside) source dynamic Generic_All_Network interface
Following is the latest show-running
ciscoasa(config)# sh run
: Saved
ASA Version 9.1(4)
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0
ftp mode passive
object network inside_hosts
subnet 192.168.3.0 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit icmp any4 any4
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list capi extended permit ip host 192.168.3.22 host 192.168.100.1
access-list capi extended permit ip host 192.168.100.1 host 192.168.3.22
access-list capo extended permit ip host 192.168.100.2 any
access-list capo extended permit ip any host 192.168.100.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
object network inside_hosts
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:b5958fd342c81895465887026d1423b3
: end -
ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet
Hi,
I experiencing an issue in setting up an ACL on my ASA 5510 to permit access only to the Nat subnet from inside to the outside interface. This firewall is setup for the DR solution in the production network. I am applying following acl in the inbound direction on the inside interface.
permit ip any "Nat_subnet"
After appliying this acl to inside interface I observed that I can ping to the destinations in NAT'ed subnet but unable to ssh to the servers. Following is the summary of my configuration. I would appreciate if someone please advice to resolve this issue.
Regards,
Muds
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.135.249 255.255.255.248 standby 192.168.135.250
object-group network d1-dr-nat_nets
network-object 192.168.128.0 255.255.248.0
object network 10.210.14.0_Net
nat (outside,inside) static 192.168.128.0_Net
object network 10.210.16.0_Net
nat (outside,inside) static 192.168.129.0_Net
object network 10.210.80.0_Net
nat (outside,inside) static 192.168.130.0_Net
object network 10.210.84.0_Net
nat (outside,inside) static 192.168.131.0_Net
object network 10.210.86.0_Net
nat (outside,inside) static 192.168.132.0_Net
object network 10.210.88.0_Net
nat (outside,inside) static 192.168.133.0_Net !
object network 10.210.14.0_Net
nat (outside,inside) static 192.168.128.0_Net
object network 10.210.16.0_Net
nat (outside,inside) static 192.168.129.0_Net
object network 10.210.80.0_Net
nat (outside,inside) static 192.168.130.0_Net
object network 10.210.84.0_Net
nat (outside,inside) static 192.168.131.0_Net
object network 10.210.86.0_Net
nat (outside,inside) static 192.168.132.0_Net
object network 10.210.88.0_Net
nat (outside,inside) static 192.168.133.0_Net
access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets
access-group prod_lan-in in interface insideHi,
As I mentioned even though you NAT the address from outside to inside you will have to use the REAL IP ADDRESSES in the access-list statements
Your hosts on inside will still be connecting to the NAT IP address of the hosts on outside BUT the ASA needs the ACL statements with the NATed hosts original IP addresses
Let me give an simple example
object network STATIC
host 10.10.10.10
nat (outside,inside) static 192.168.10.10
access-list INSIDE-IN permit ip any host 10.10.10.10
or
access-list INSIDE-IN permit ip any object STATIC
- Jouni -
ASA 5510 NAT with IOS 9.1
Hi All,
Hoping someone can clear this up for me.
I am trying to setup a ASA 5510 with IOS 9.1 and having NAT issues.
The ASA is connected inside the LAN to separate a second LAN.
Internal (10.0.0.0/24) --> DG RTR (10.0.0.254) FE0/0--> FE0/1 (61.0.0.1/24) --> ASA outside (61.0.0.2/24) --> ASA Inside (192.168.1.0//24)
I keep getting Asymetric NAT rules matched for forward and reverse path flows when going from Internal to ASA Inside LAN
I fear it is my lack of understanding, when you have a router you can go between different LANs/subnets but with the ASA does it always NAT whatever happens?
If I statically NAT a device on the ASA Inside LAN I can get to the device via the 61.0.0.0 address and if I add what I believe to be an exemption rule to keep the translated packet the same as long as I specify something like Internal LAN to ASA Inside specific device it works but not if I do Internal LAN to ASA Inside LAN.
Hope that makes sense and someone can give me a clue to where I am going wrong with the setup / understanding.
If there are any good docs that might explain it would be appreciated as everything I have read so far has not given me an clarity.
Many thanksHi,
Just to clarify, are we talking about a situation the ASA is simply connected to an internal network (even though it might use public IP addresses)? Also, do you want to perform any NAT on this ASA or is there some separate firewall sitting at the edge of your network handling the external connectivity?
If the above things are true then you could simply leave your ASA NAT configuration totally blank and the ASA would not do any NAT to the traffic. This naturally would require that you make sure that routing for subnet 192.168.1.0/24 is handled on all the routers/devices on the network as this subnet would be directly visible with its original addresses (since we would leave the ASA NAT configuration blank). I manage a couple of environments where the customer has a internal ASA separating certain section of the LAN network and they dont have any NAT configurations.
The problems you mention in the post are probably due to Dynamic PAT configuration which means that your LAN can access the other parts of the Internal network but no connection is possible from the Internal network to this separate LAN behind the ASA. The reason there is that the connection from Internal LAN to the separate LAN wont match any NAT configuration but the return traffic (reverse check that the ASA does) will match the Dynamic PAT and that is why the traffic is dropped.
Static NAT done to the hosts behind the ASA will naturally help since there wont be any problems with the translation in that case in either direction.
You could take a look at a NAT Document I wrote way back in 2013. Though it wont really answer your specific questions here but perhaps it might be of help at some point
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps :)
- Jouni -
ASA 5510 ignoring configured acl entry?
Greetings,
I'm configuring up aa ASA-5510, and I have several interfaces, some of which include:
interface Ethernet0/0.200
vlan 200
nameif SITECORP
security-level 90
ip address 10.1.4.1 255.255.254.0
interface Ethernet0/0.207
vlan 207
nameif SITESERVER
security-level 90
ip address 10.1.7.1 255.255.255.128
interface Ethernet0/1.311
vlan 311
nameif MOD1BMS
security-level 100
ip address 10.1.144.1 255.255.252.0
I have the following access-lists configured and applied:
access-list SITECORP_access_in extended permit ip any any
access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
fw# show run object-group
object-group network SITECORP
network-object 10.1.4.0 255.255.254.0
object-group network MOD1BMS
network-object 10.1.144.0 255.255.252.0
object-group network SITESERVER
network-object 10.1.7.0 255.255.255.128
fw# show run nat-control
no nat-control
packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
<snip>
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group SITECORP_access_in in interface SITECORP
access-list SITECORP_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5641ec8, priority=12, domain=permit, deny=false
hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
<snip>
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd544e8c8, priority=110, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
Regards,
PhilHello Phil,
That is correct no matter what ACE (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection would not be allowed (Asa/Pix speaking)
But you do not have to change the Security level, of course that is one work-around but again the solution is :
- same-security-traffic permit inter-interface
Please mark the question as answered for future queries regarding the same issue unless you have any other question, I would be more than glad to help.
Regards,
Julio -
Dynamic PAT and Static NAT issue ASA 5515
Hi All,
Recently we migrated our network to ASA 5515, since we had configured nat pool overload on our existing router the users are able to translated their ip's outside. Right now my issue was when I use the existing NAT configured to our router into firewall, it seems that the translation was not successful actually I used Dynamic NAT. When I use the Dynamic PAT(Hide) all users are able to translated to the said public IP's. I know that PAT is Port address translation but when I use static nat for specific server. The Static NAT was not able to translated. Can anyone explain if there's any conflict whit PAT to Static NAT? I appriciate their response. Thanks!
- BhalHi,
I would have to guess that you Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as Section 2 rule which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configured for Static NAT and Default PAT I would do in the following way
object network STATIC
host
nat (inside,outside) static dns
object-group network DEFAULT-PAT-SOURCE
network-object
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni -
ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working
I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enableHi,
I can't see any problems right away in the configuration.
I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don'd mind the source address of 1.1.1.1. Its just an address that is located behind "outside" interface according to the ASA routing table. (As the configurations 1.1.1.0/28 is not actually configured on the ASA)
Share the exact "packet-tracer" command used (wihtout the public IP, notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there is no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni -
Hi,
I've got a Problem with the ACL's on a ASA 5510 Cluster:
the connected Client cannot resolve DNS; the Log says:
%ASA-session-5-106100: access-list ACL-INSIDE denied udp inside/172.27.xxx.1(53) -> outside/192.168.xxx.8(59893) hit-cnt 1 first hit [0x932a8f72, 0x0]
(this must be the Return-Paket of the DNS-Query)
where 172.27.xxx.1 is the DNS-Server in the Inside-Network, and 192.168.xxx.8 is the virtual address.
I've got an Access-List which permits the virtual address "ip" to the DNS-Server.
The same Configuration on the Test-Machine (no Cluster) works!
(It's a active/standby single Context failover Config)
Could the Problem be caused by the Cluster?
Thank you
Karlrou-ara27-rz-12/act/pri# sh run access-group
access-group ACL-INSIDE in interface inside
access-group inside_access_out out interface inside
access-group ACL-OUTSIDE in interface outside
rou-ara27-rz-12/act/pri# show access-
rou-ara27-rz-12/act/pri# show access-list ACL-INSIDE
access-list ACL-INSIDE; 11 elements; name hash: 0xfb5f17a8
access-list ACL-INSIDE line 1 extended permit icmp any any object-group ICMP-HARMLOS (hitcnt=0) 0x1a753992
access-list ACL-INSIDE line 1 extended permit icmp any any echo (hitcnt=0) 0xc4ed471c
access-list ACL-INSIDE line 1 extended permit icmp any any echo-reply (hitcnt=0) 0xd14f0043
access-list ACL-INSIDE line 1 extended permit icmp any any unreachable (hitcnt=0) 0x92b03f68
access-list ACL-INSIDE line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xaa821c16
access-list ACL-INSIDE line 2 extended permit ip object VPN-NET object-group DM_INLINE_NETWORK_3 log debugging interval 300 0x658c9759
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 172.27.0.0 255.255.0.0 log debugging interval 300 (hitcnt=0) 0xc31eaf76
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ1$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x34d68ea6
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ2$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x7df14a53
access-list ACL-INSIDE line 2 extended permit ip 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x1aa12e0c
access-list ACL-INSIDE line 3 extended permit esp object VPN-NET object DMZ_III log debugging interval 300 (hitcnt=0) 0x2d7346ad
access-list ACL-INSIDE line 3 extended permit esp 192.168.xxx.0 255.255.255.0 $DMZ3$ 255.255.255.0 log debugging interval 300 (hitcnt=0) 0x2d7346ad
access-list ACL-INSIDE line 4 extended deny icmp any any log informational interval 300 (hitcnt=0) 0x2bcd80f1
access-list ACL-INSIDE line 5 remark CleanUp Rule with raised log level
access-list ACL-INSIDE line 6 extended deny ip any any log notifications interval 300 (hitcnt=0) 0x932a8f72
rou-ara27-rz-12/act/pri# -
ASA 5510 anti spam module issue need help
hi all,
i have ASA5510 my E0 interface is having public ip and E1 is having 192.168.1.0/24 network and my DMZ E2 is 172.16.2.0/24 network.
my management interface ip address is 10.10.10.1 and ive put 10.10.10.5 for SSM module. but im not receiving the updates from net bcoz there is no connection to the internet from 10.10.10.0/24 network.
how can i do that, and ASA 5510 has got 4 ports E0,E1,E2,E3 but i can see that port E3 is activated if i chk the sh run there is no port E3.
now my issue is i would like to allow 10.10.10.0/24 to access internet to update the module.
pls help, i will rate all the posts.
Regards
Binoy.Try these links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080636f70.html#wp1051819
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml -
ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traffic
Hi all,
Some might know that I have been dealing with an issue where I cannot seem to get forwarded packets to reach their destinations behind an ASA 5510 that has a Cisco 2811 connected directly behind it.
Some examples that work.
I can SSH into the ASA.
I can SSH to the Cisco Routers behind the ASA.
I cannot reach items beind the Cisco Routers.
My Configuration is this (I am sure I included a bunch of info I didn't need to, but I am hoping it'll help!):
I have a static Ip assigned to my Ouside Interface Ethernet 0/1
It has an IP address of 199.195.xxx.xxx
I am trying to learn how to shape network traffic (this is all new to me) via the ASA and the Routers to specific devices.
The Inside Interface on the ASA is 10.10.1.1 255.255.255.252
The Outside Interface on the 2811 is 10.10.1.2 255.255.255.252
I can ping the router from the ASA. I can SSH through the ASA to the router.
BUT I CANNOT ACCESS DEVICES BEHIND THE ROUTER.
So, I wanted to BAM that statement above because I just don't kjnow where the issue is. Is the issue on the router or the ASA, my guess is, the router, but I just don't know.
Here are my configs, helpfully someone can help.
ASA errors on the ASDM when I try and hit resources; specifically a web device behind the ASA and the 2811. It's Ip address 192.168.1.5 it's listening on port 80.Static IP, not assigned via DHCP.
6
Feb 14 2014
19:38:56
98.22.121.x
41164
192.168.1.5
80
Built inbound TCP connection 1922859 for Outside:98.22.121.x/41164 (98.22.121.x/41164) to Inside:192.168.1.5/80 (199.195.168.x/8080)
6
Feb 14 2014
19:38:56
10.10.1.2
80
98.22.121.x
41164
Deny TCP (no connection) from 10.10.1.2/80 to 98.22.121.x/41164 flags SYN ACK on interface Inside
ASA5510# sh nat
Auto NAT Policies (Section 2)
1 (DMZ) to (Outside) source static ROUTER-2821 interface service tcp ssh 2222
translate_hits = 1, untranslate_hits = 18
2 (Inside) to (Outside) source static ROUTER-2811 interface service tcp ssh 222
translate_hits = 0, untranslate_hits = 13
3 (VOIP) to (Outside) source static ROUTER-3745 interface service tcp ssh 2223
translate_hits = 0, untranslate_hits = 3
4 (Inside) to (Outside) source static RDP-DC1 interface service tcp 3389 3389
translate_hits = 0, untranslate_hits = 236
5 (Inside) to (Outside) source static WEBCAM-01 interface service tcp www 8080
translate_hits = 0, untranslate_hits = 162
Manual NAT Policies (Section 3)
1 (any) to (Outside) source dynamic PAT-SOURCE interface
translate_hits = 1056862, untranslate_hits = 83506
ASA5510# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list USERS; 1 elements; name hash: 0x50681c1e
access-list USERS line 1 standard permit 10.10.1.0 255.255.255.0 (hitcnt=0) 0xdd6ba495
access-list Outside_access_in; 5 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh (hitcnt=37) 0x5a53778d
access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x host 10.10.1.2 eq ssh (hitcnt=37) 0x5a53778d
access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh (hitcnt=8) 0x9f32bc21
access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x host 10.10.0.2 eq ssh (hitcnt=8) 0x9f32bc21
access-list Outside_access_in line 3 extended permit tcp host 98.22.121.x interface Outside eq https (hitcnt=0) 0x385488b2
access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x object WEBCAM-01 eq www (hitcnt=60) 0xe66674ec
access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x host 192.168.1.5 eq www (hitcnt=60) 0xe66674ec
access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389 (hitcnt=3) 0x02f13f4e
access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x host 192.168.1.2 eq 3389 (hitcnt=3) 0x02f13f4e
access-list dmz-access-vlan1; 1 elements; name hash: 0xc3450860
access-list dmz-access-vlan1 line 1 extended permit ip 128.162.1.0 255.255.255.0 any (hitcnt=0) 0x429fedf1
access-list dmz-access; 3 elements; name hash: 0xf53f5801
access-list dmz-access line 1 remark Permit all traffic to DC1
access-list dmz-access line 2 extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2 (hitcnt=0) 0xd2dced0a
access-list dmz-access line 3 remark Permit only DNS traffic to DNS server
access-list dmz-access line 4 extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain (hitcnt=0) 0xbb21093e
access-list dmz-access line 5 remark Permit ICMP to all devices in DC
access-list dmz-access line 6 extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x71269ef7
CISCO-2811#show access-lists
Standard IP access list 1
10 permit any (1581021 matches)
CISCO-2811#show translate
CISCO-2811#show route
CISCO-2811#show route-map
CISCO-2811#show host
CISCO-2811#show hosts
Default domain is maladomini.int
Name/address lookup uses domain service
Name servers are 192.168.1.2, 199.195.168.4, 205.171.2.65, 205.171.3.65, 8.8.8.8
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
api.mixpanel.com None (temp, OK) 2 IP 198.23.64.21
198.23.64.22
198.23.64.18
198.23.64.19
198.23.64.20
ASA5510:
ASA5510# sh run all
: Saved
ASA Version 9.1(4)
command-alias exec h help
command-alias exec lo logout
command-alias exec p ping
command-alias exec s show
terminal width 80
hostname ASA5510
domain-name maladomini.int
enable password x encrypted
no fips enable
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
passwd x encrypted
names
dns-guard
lacp system-priority 32768
interface Ethernet0/0
description LAN Interface
speed auto
duplex auto
no flowcontrol send on
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
delay 10
interface Ethernet0/1
description WAN Interface
speed auto
duplex auto
no flowcontrol send on
nameif Outside
security-level 0
ip address 199.195.168.xxx 255.255.255.240
delay 10
interface Ethernet0/2
description DMZ
speed auto
duplex auto
no flowcontrol send on
nameif DMZ
security-level 100
ip address 10.10.0.1 255.255.255.252
delay 10
interface Ethernet0/3
description VOIP
speed auto
duplex auto
no flowcontrol send on
nameif VOIP
security-level 100
ip address 10.10.2.1 255.255.255.252
delay 10
interface Management0/0
speed auto
duplex auto
management-only
shutdown
nameif management
security-level 0
no ip address
delay 10
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[\r\n\t ]+[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[\r\n\t ]+[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"
checkheaps check-interval 60
checkheaps validate-checksum 60
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone UTC 0
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name maladomini.int
same-security-traffic permit inter-interface
object service ah pre-defined
service ah
description This is a pre-defined object
object service eigrp pre-defined
service eigrp
description This is a pre-defined object
object service esp pre-defined
service esp
description This is a pre-defined object
object service gre pre-defined
service gre
description This is a pre-defined object
object service icmp pre-defined
service icmp
description This is a pre-defined object
object service icmp6 pre-defined
service icmp6
description This is a pre-defined object
object service igmp pre-defined
service igmp
description This is a pre-defined object
object service igrp pre-defined
service igrp
description This is a pre-defined object
object service ip pre-defined
service ip
description This is a pre-defined object
object service ipinip pre-defined
service ipinip
description This is a pre-defined object
object service ipsec pre-defined
service esp
description This is a pre-defined object
object service nos pre-defined
service nos
description This is a pre-defined object
object service ospf pre-defined
service ospf
description This is a pre-defined object
object service pcp pre-defined
service pcp
description This is a pre-defined object
object service pim pre-defined
service pim
description This is a pre-defined object
object service pptp pre-defined
service gre
description This is a pre-defined object
object service snp pre-defined
service snp
description This is a pre-defined object
object service tcp pre-defined
service tcp
description This is a pre-defined object
object service udp pre-defined
service udp
description This is a pre-defined object
object service tcp-aol pre-defined
service tcp destination eq aol
description This is a pre-defined object
object service tcp-bgp pre-defined
service tcp destination eq bgp
description This is a pre-defined object
object service tcp-chargen pre-defined
service tcp destination eq chargen
description This is a pre-defined object
object service tcp-cifs pre-defined
service tcp destination eq cifs
description This is a pre-defined object
object service tcp-citrix-ica pre-defined
service tcp destination eq citrix-ica
description This is a pre-defined object
object service tcp-ctiqbe pre-defined
service tcp destination eq ctiqbe
description This is a pre-defined object
object service tcp-daytime pre-defined
service tcp destination eq daytime
description This is a pre-defined object
object service tcp-discard pre-defined
service tcp destination eq discard
description This is a pre-defined object
object service tcp-domain pre-defined
service tcp destination eq domain
description This is a pre-defined object
object service tcp-echo pre-defined
service tcp destination eq echo
description This is a pre-defined object
object service tcp-exec pre-defined
service tcp destination eq exec
description This is a pre-defined object
object service tcp-finger pre-defined
service tcp destination eq finger
description This is a pre-defined object
object service tcp-ftp pre-defined
service tcp destination eq ftp
description This is a pre-defined object
object service tcp-ftp-data pre-defined
service tcp destination eq ftp-data
description This is a pre-defined object
object service tcp-gopher pre-defined
service tcp destination eq gopher
description This is a pre-defined object
object service tcp-ident pre-defined
service tcp destination eq ident
description This is a pre-defined object
object service tcp-imap4 pre-defined
service tcp destination eq imap4
description This is a pre-defined object
object service tcp-irc pre-defined
service tcp destination eq irc
description This is a pre-defined object
object service tcp-hostname pre-defined
service tcp destination eq hostname
description This is a pre-defined object
object service tcp-kerberos pre-defined
service tcp destination eq kerberos
description This is a pre-defined object
object service tcp-klogin pre-defined
service tcp destination eq klogin
description This is a pre-defined object
object service tcp-kshell pre-defined
service tcp destination eq kshell
description This is a pre-defined object
object service tcp-ldap pre-defined
service tcp destination eq ldap
description This is a pre-defined object
object service tcp-ldaps pre-defined
service tcp destination eq ldaps
description This is a pre-defined object
object service tcp-login pre-defined
service tcp destination eq login
description This is a pre-defined object
object service tcp-lotusnotes pre-defined
service tcp destination eq lotusnotes
description This is a pre-defined object
object service tcp-nfs pre-defined
service tcp destination eq nfs
description This is a pre-defined object
object service tcp-netbios-ssn pre-defined
service tcp destination eq netbios-ssn
description This is a pre-defined object
object service tcp-whois pre-defined
service tcp destination eq whois
description This is a pre-defined object
object service tcp-nntp pre-defined
service tcp destination eq nntp
description This is a pre-defined object
object service tcp-pcanywhere-data pre-defined
service tcp destination eq pcanywhere-data
description This is a pre-defined object
object service tcp-pim-auto-rp pre-defined
service tcp destination eq pim-auto-rp
description This is a pre-defined object
object service tcp-pop2 pre-defined
service tcp destination eq pop2
description This is a pre-defined object
object service tcp-pop3 pre-defined
service tcp destination eq pop3
description This is a pre-defined object
object service tcp-pptp pre-defined
service tcp destination eq pptp
description This is a pre-defined object
object service tcp-lpd pre-defined
service tcp destination eq lpd
description This is a pre-defined object
object service tcp-rsh pre-defined
service tcp destination eq rsh
description This is a pre-defined object
object service tcp-rtsp pre-defined
service tcp destination eq rtsp
description This is a pre-defined object
object service tcp-sip pre-defined
service tcp destination eq sip
description This is a pre-defined object
object service tcp-smtp pre-defined
service tcp destination eq smtp
description This is a pre-defined object
object service tcp-ssh pre-defined
service tcp destination eq ssh
description This is a pre-defined object
object service tcp-sunrpc pre-defined
service tcp destination eq sunrpc
description This is a pre-defined object
object service tcp-tacacs pre-defined
service tcp destination eq tacacs
description This is a pre-defined object
object service tcp-talk pre-defined
service tcp destination eq talk
description This is a pre-defined object
object service tcp-telnet pre-defined
service tcp destination eq telnet
description This is a pre-defined object
object service tcp-uucp pre-defined
service tcp destination eq uucp
description This is a pre-defined object
object service tcp-www pre-defined
service tcp destination eq www
description This is a pre-defined object
object service tcp-http pre-defined
service tcp destination eq www
description This is a pre-defined object
object service tcp-https pre-defined
service tcp destination eq https
description This is a pre-defined object
object service tcp-cmd pre-defined
service tcp destination eq rsh
description This is a pre-defined object
object service tcp-sqlnet pre-defined
service tcp destination eq sqlnet
description This is a pre-defined object
object service tcp-h323 pre-defined
service tcp destination eq h323
description This is a pre-defined object
object service tcp-udp-cifs pre-defined
service tcp-udp destination eq cifs
description This is a pre-defined object
object service tcp-udp-discard pre-defined
service tcp-udp destination eq discard
description This is a pre-defined object
object service tcp-udp-domain pre-defined
service tcp-udp destination eq domain
description This is a pre-defined object
object service tcp-udp-echo pre-defined
service tcp-udp destination eq echo
description This is a pre-defined object
object service tcp-udp-kerberos pre-defined
service tcp-udp destination eq kerberos
description This is a pre-defined object
object service tcp-udp-nfs pre-defined
service tcp-udp destination eq nfs
description This is a pre-defined object
object service tcp-udp-pim-auto-rp pre-defined
service tcp-udp destination eq pim-auto-rp
description This is a pre-defined object
object service tcp-udp-sip pre-defined
service tcp-udp destination eq sip
description This is a pre-defined object
object service tcp-udp-sunrpc pre-defined
service tcp-udp destination eq sunrpc
description This is a pre-defined object
object service tcp-udp-tacacs pre-defined
service tcp-udp destination eq tacacs
description This is a pre-defined object
object service tcp-udp-www pre-defined
service tcp-udp destination eq www
description This is a pre-defined object
object service tcp-udp-http pre-defined
service tcp-udp destination eq www
description This is a pre-defined object
object service tcp-udp-talk pre-defined
service tcp-udp destination eq talk
description This is a pre-defined object
object service udp-biff pre-defined
service udp destination eq biff
description This is a pre-defined object
object service udp-bootpc pre-defined
service udp destination eq bootpc
description This is a pre-defined object
object service udp-bootps pre-defined
service udp destination eq bootps
description This is a pre-defined object
object service udp-cifs pre-defined
service udp destination eq cifs
description This is a pre-defined object
object service udp-discard pre-defined
service udp destination eq discard
description This is a pre-defined object
object service udp-domain pre-defined
service udp destination eq domain
description This is a pre-defined object
object service udp-dnsix pre-defined
service udp destination eq dnsix
description This is a pre-defined object
object service udp-echo pre-defined
service udp destination eq echo
description This is a pre-defined object
object service udp-www pre-defined
service udp destination eq www
description This is a pre-defined object
object service udp-http pre-defined
service udp destination eq www
description This is a pre-defined object
object service udp-nameserver pre-defined
service udp destination eq nameserver
description This is a pre-defined object
object service udp-kerberos pre-defined
service udp destination eq kerberos
description This is a pre-defined object
object service udp-mobile-ip pre-defined
service udp destination eq mobile-ip
description This is a pre-defined object
object service udp-nfs pre-defined
service udp destination eq nfs
description This is a pre-defined object
object service udp-netbios-ns pre-defined
service udp destination eq netbios-ns
description This is a pre-defined object
object service udp-netbios-dgm pre-defined
service udp destination eq netbios-dgm
description This is a pre-defined object
object service udp-ntp pre-defined
service udp destination eq ntp
description This is a pre-defined object
object service udp-pcanywhere-status pre-defined
service udp destination eq pcanywhere-status
description This is a pre-defined object
object service udp-pim-auto-rp pre-defined
service udp destination eq pim-auto-rp
description This is a pre-defined object
object service udp-radius pre-defined
service udp destination eq radius
description This is a pre-defined object
object service udp-radius-acct pre-defined
service udp destination eq radius-acct
description This is a pre-defined object
object service udp-rip pre-defined
service udp destination eq rip
description This is a pre-defined object
object service udp-secureid-udp pre-defined
service udp destination eq secureid-udp
description This is a pre-defined object
object service udp-sip pre-defined
service udp destination eq sip
description This is a pre-defined object
object service udp-snmp pre-defined
service udp destination eq snmp
description This is a pre-defined object
object service udp-snmptrap pre-defined
service udp destination eq snmptrap
description This is a pre-defined object
object service udp-sunrpc pre-defined
service udp destination eq sunrpc
description This is a pre-defined object
object service udp-syslog pre-defined
service udp destination eq syslog
description This is a pre-defined object
object service udp-tacacs pre-defined
service udp destination eq tacacs
description This is a pre-defined object
object service udp-talk pre-defined
service udp destination eq talk
description This is a pre-defined object
object service udp-tftp pre-defined
service udp destination eq tftp
description This is a pre-defined object
object service udp-time pre-defined
service udp destination eq time
description This is a pre-defined object
object service udp-who pre-defined
service udp destination eq who
description This is a pre-defined object
object service udp-xdmcp pre-defined
service udp destination eq xdmcp
description This is a pre-defined object
object service udp-isakmp pre-defined
service udp destination eq isakmp
description This is a pre-defined object
object service icmp6-unreachable pre-defined
service icmp6 unreachable
description This is a pre-defined object
object service icmp6-packet-too-big pre-defined
service icmp6 packet-too-big
description This is a pre-defined object
object service icmp6-time-exceeded pre-defined
service icmp6 time-exceeded
description This is a pre-defined object
object service icmp6-parameter-problem pre-defined
service icmp6 parameter-problem
description This is a pre-defined object
object service icmp6-echo pre-defined
service icmp6 echo
description This is a pre-defined object
object service icmp6-echo-reply pre-defined
service icmp6 echo-reply
description This is a pre-defined object
object service icmp6-membership-query pre-defined
service icmp6 membership-query
description This is a pre-defined object
object service icmp6-membership-report pre-defined
service icmp6 membership-report
description This is a pre-defined object
object service icmp6-membership-reduction pre-defined
service icmp6 membership-reduction
description This is a pre-defined object
object service icmp6-router-renumbering pre-defined
service icmp6 router-renumbering
description This is a pre-defined object
object service icmp6-router-solicitation pre-defined
service icmp6 router-solicitation
description This is a pre-defined object
object service icmp6-router-advertisement pre-defined
service icmp6 router-advertisement
description This is a pre-defined object
object service icmp6-neighbor-solicitation pre-defined
service icmp6 neighbor-solicitation
description This is a pre-defined object
object service icmp6-neighbor-advertisement pre-defined
service icmp6 neighbor-advertisement
description This is a pre-defined object
object service icmp6-neighbor-redirect pre-defined
service icmp6 neighbor-redirect
description This is a pre-defined object
object service icmp-echo pre-defined
service icmp echo
description This is a pre-defined object
object service icmp-echo-reply pre-defined
service icmp echo-reply
description This is a pre-defined object
object service icmp-unreachable pre-defined
service icmp unreachable
description This is a pre-defined object
object service icmp-source-quench pre-defined
service icmp source-quench
description This is a pre-defined object
object service icmp-redirect pre-defined
service icmp redirect
description This is a pre-defined object
object service icmp-alternate-address pre-defined
service icmp alternate-address
description This is a pre-defined object
object service icmp-router-advertisement pre-defined
service icmp router-advertisement
description This is a pre-defined object
object service icmp-router-solicitation pre-defined
service icmp router-solicitation
description This is a pre-defined object
object service icmp-time-exceeded pre-defined
service icmp time-exceeded
description This is a pre-defined object
object service icmp-parameter-problem pre-defined
service icmp parameter-problem
description This is a pre-defined object
object service icmp-timestamp-request pre-defined
service icmp timestamp-request
description This is a pre-defined object
object service icmp-timestamp-reply pre-defined
service icmp timestamp-reply
description This is a pre-defined object
object service icmp-information-request pre-defined
service icmp information-request
description This is a pre-defined object
object service icmp-information-reply pre-defined
service icmp information-reply
description This is a pre-defined object
object service icmp-mask-request pre-defined
service icmp mask-request
description This is a pre-defined object
object service icmp-mask-reply pre-defined
service icmp mask-reply
description This is a pre-defined object
object service icmp-traceroute pre-defined
service icmp traceroute
description This is a pre-defined object
object service icmp-conversion-error pre-defined
service icmp conversion-error
description This is a pre-defined object
object service icmp-mobile-redirect pre-defined
service icmp mobile-redirect
description This is a pre-defined object
object network ROUTER-2811
host 10.10.1.2
object network ROUTER-2821
host 10.10.0.2
object network WEBCAM-01
host 192.168.1.5
object network DNS-SERVER
host 192.168.1.2
object network ROUTER-3745
host 10.10.2.2
object network RDP-DC1
host 192.168.1.2
object-group network PAT-SOURCE
network-object 10.10.1.0 255.255.255.252
network-object 10.10.0.0 255.255.255.252
network-object 10.10.2.0 255.255.255.252
network-object 192.168.0.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 128.162.1.0 255.255.255.0
network-object 128.162.10.0 255.255.255.0
network-object 128.162.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 98.22.121.x
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object gre
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.121.x interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.121.x object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 4096
logging asdm-buffer-size 100
logging asdm informational
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 747001
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 1 message 313009
logging rate-limit 100 1 message 750003
logging rate-limit 100 1 message 750002
logging rate-limit 100 1 message 750004
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405003
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 60 message 199020
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 429007
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
flow-export template timeout-rate 30
flow-export active refresh-interval 1
mtu Inside 1500
mtu Outside 1500
mtu management 1500
mtu DMZ 1500
mtu VOIP 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
object network RDP-DC1
nat (Inside,Outside) static interface service tcp 3389 3389
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
access-group Outside_access_in in interface Outside
ipv6 dhcprelay timeout 60
router rip
network 10.0.0.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action continue
no cts server-group
no cts sxp enable
no cts sxp default
no cts sxp default source-ip
cts sxp reconciliation period 120
cts sxp retry period 120
user-identity enable
user-identity domain LOCAL
user-identity default-domain LOCAL
user-identity action mac-address-mismatch remove-user-ip
user-identity inactive-user-timer minutes 60
user-identity poll-import-user-group-timer hours 8
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 30 retry-times 5
no user-identity user-not-found enable
aaa authentication ssh console LOCAL
http server enable 443
http 0.0.0.0 0.0.0.0 Inside
http 98.22.121.x 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
no snmp-server enable traps memory-threshold
no snmp-server enable traps interface-threshold
no snmp-server enable traps remote-access session-threshold-exceeded
no snmp-server enable traps connection-limit-reached
no snmp-server enable traps cpu threshold rising
no snmp-server enable traps ikev2 start stop
no snmp-server enable traps nat packet-discard
snmp-server enable
snmp-server listen-port 161
fragment size 200 Inside
fragment chain 24 Inside
fragment timeout 5 Inside
no fragment reassembly full Inside
fragment size 200 Outside
fragment chain 24 Outside
fragment timeout 5 Outside
no fragment reassembly full Outside
fragment size 200 management
fragment chain 24 management
fragment timeout 5 management
no fragment reassembly full management
fragment size 200 DMZ
fragment chain 24 DMZ
fragment timeout 5 DMZ
no fragment reassembly full DMZ
fragment size 200 VOIP
fragment chain 24 VOIP
fragment timeout 5 VOIP
no fragment reassembly full VOIP
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp Inside
no sysopt noproxyarp Outside
no sysopt noproxyarp management
no sysopt noproxyarp DMZ
no sysopt noproxyarp VOIP
service password-recovery
no crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 64
crypto ipsec security-association pmtu-aging infinite
crypto ipsec fragmentation before-encryption Inside
crypto ipsec fragmentation before-encryption Outside
crypto ipsec fragmentation before-encryption management
crypto ipsec fragmentation before-encryption DMZ
crypto ipsec fragmentation before-encryption VOIP
crypto ipsec df-bit copy-df Inside
crypto ipsec df-bit copy-df Outside
crypto ipsec df-bit copy-df management
crypto ipsec df-bit copy-df DMZ
crypto ipsec df-bit copy-df VOIP
crypto ca trustpool policy
revocation-check none
crl cache-time 60
crl enforcenextupdate
crypto isakmp identity auto
crypto isakmp nat-traversal 20
crypto ikev2 cookie-challenge 50
crypto ikev2 limit max-in-negotiation-sa 100
no crypto ikev2 limit max-sa
crypto ikev2 redirect during-auth
crypto ikev1 limit max-in-negotiation-sa 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.121.x 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
ipv6-vpn-addr-assign aaa
ipv6-vpn-addr-assign local reuse-delay 0
no vpn-sessiondb max-other-vpn-limit
no vpn-sessiondb max-anyconnect-premium-or-essentials-limit
no remote-access threshold
l2tp tunnel hello 60
tls-proxy maximum-session 100
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 24.56.178.140 source Outside prefer
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl certificate-authentication fca-timeout 2
webvpn
memory-size percent 50
port 443
dtls port 443
character-encoding none
no http-proxy
no https-proxy
default-idle-timeout 1800
portal-access-rule none
no csd enable
no anyconnect enable
no tunnel-group-list enable
no tunnel-group-preference group-url
rewrite order 65535 enable resource-mask *
no internal-password
no onscreen-keyboard
no default-language
no smart-tunnel notification-icon
no keepout
cache
no disable
max-object-size 1000
min-object-size 0
no cache-static-content enable
lmfactor 20
expiry-time 1
no auto-signon
no error-recovery disable
no ssl-server-check
no mus password
mus host mus.cisco.com
no hostscan data-limit
: # show import webvpn customization
: Template
: DfltCustomization
: # show import webvpn url-list
: Template
: # show import webvpn translation-table
: Translation Tables' Templates:
: PortForwarder
: banners
: customization
: url-list
: webvpn
: Translation Tables:
: fr PortForwarder
: fr customization
: fr webvpn
: ja PortForwarder
: ja customization
: ja webvpn
: ru PortForwarder
: ru customization
: ru webvpn
: # show import webvpn mst-translation
: No MS translation tables defined
: # show import webvpn webcontent
: No custom webcontent is loaded
: # show import webvpn AnyConnect-customization
: No OEM resources defined
: # show import webvpn plug-in
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn none
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
msie-proxy lockdown enable
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
scep-forwarding-url none
client-firewall none
client-access-rule none
webvpn
url-list none
filter none
homepage none
html-content-filter none
port-forward name Application Access
port-forward disable
http-proxy disable
sso-server none
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface private none
anyconnect firewall-rule client-interface public none
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles none
anyconnect ask none
customization none
keep-alive-ignore 4
http-comp gzip
download-max-size 2147483647
upload-max-size 2147483647
post-max-size 2147483647
user-storage none
storage-objects value cookies,credentials
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
unix-auth-uid 65534
unix-auth-gid 65534
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
smart-tunnel auto-signon disable
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
smart-tunnel tunnel-policy tunnelall
always-on-vpn profile-setting
password-policy minimum-length 3
password-policy minimum-changes 0
password-policy minimum-lowercase 0
password-policy minimum-uppercase 0
password-policy minimum-numeric 0
password-policy minimum-special 0
password-policy lifetime 0
no password-policy authenticate-enable
quota management-session 0
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultRAGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultRAGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
class-map type inspect http match-all _default_gator
match request header user-agent regex _default_gator
class-map type inspect http match-all _default_msn-messenger
match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
match request args regex _default_gnu-http-tunnel_arg
match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
match request header host regex _default_firethru-tunnel_1
match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map class-default
match any
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all _default_GoToMyPC-tunnel
match request args regex _default_GoToMyPC-tunnel
match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
match request header host regex _default_httport-tunnel
policy-map type inspect rtsp _default_rtsp_map
description Default RTSP policymap
parameters
policy-map type inspect ipv6 _default_ipv6_map
description Default IPV6 policy-map
parameters
verify-header type
verify-header order
match header routing-type range 0 255
drop log
policy-map type inspect h323 _default_h323_map
description Default H.323 policymap
parameters
no rtp-conformance
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no message-length maximum server
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
policy-map type inspect esmtp _default_esmtp_map
description Default ESMTP policy-map
parameters
mask-banner
no mail-relay
no special-character
no allow-tls
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
log
match header line length gt 998
drop-connection log
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match ehlo-reply-parameter others
mask
policy-map type inspect ip-options _default_ip_options_map
description Default IP-OPTIONS policy-map
parameters
router-alert action allow
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225 _default_h323_map
inspect h323 ras _default_h323_map
inspect rsh
inspect rtsp
inspect esmtp _default_esmtp_map
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options _default_ip_options_map
inspect icmp
inspect icmp error
inspect pptp
class class-default
policy-map type inspect sip _default_sip_map
description Default SIP policymap
parameters
im
no ip-address-privacy
traffic-non-sip
no rtp-conformance
policy-map type inspect dns _default_dns_map
description Default DNS policy-map
parameters
no message-length maximum client
no message-leI ran those commands while I had the nat off on the router and here are the results. note, i didn't make any changes to the ASA as you only said to remove the router RIP which I did and reloaded and no change.
As long as the statements ip nat outside on the Fastethernet 0/0 is off and the ip nat inside is off on the vlan and the overload statement is taken out, I cannot hit the internet.
CISCO-2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-2811(config)#int
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/1.3
CISCO-2811(config-subif)#no ip nat inside
CISCO-2811(config-subif)#exit
CISCO-2811(config)#inter
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/0
CISCO-2811(config-if)#no ip nat outside
CISCO-2811(config-if)#exit
CISCO-2811(config)#$nside source list 1 interface FastEthernet0/0 overload
Dynamic mapping in use, do you want to delete all entries? [no]: y
CISCO-2811(config)#exit
CISCO-2811#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.1.1 202 c47d.4f3b.8ea6 ARPA FastEthernet0/0
Internet 10.10.1.2 - 0019.55a7.2ae8 ARPA FastEthernet0/0
Internet 172.16.10.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.1
Internet 172.16.10.3 238 0011.5c73.28c1 ARPA FastEthernet0/1.1
Internet 172.16.10.50 72 cc2d.8c78.065a ARPA FastEthernet0/1.1
Internet 172.16.20.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.2
Internet 172.16.20.3 196 0011.5c73.28c2 ARPA FastEthernet0/1.2
Internet 192.168.1.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.3
Internet 192.168.1.2 0 0024.e864.01a8 ARPA FastEthernet0/1.3
Internet 192.168.1.3 155 0011.5c73.28c0 ARPA FastEthernet0/1.3
Internet 192.168.1.5 61 4802.2a4c.1c74 ARPA FastEthernet0/1.3
Internet 192.168.1.20 0 5cf9.dd52.5fa9 ARPA FastEthernet0/1.3
Internet 192.168.1.50 0 308c.fb47.f2d9 ARPA FastEthernet0/1.3
Internet 192.168.1.51 1 ec35.8677.4057 ARPA FastEthernet0/1.3
Internet 192.168.1.52 1 b418.d136.ef72 ARPA FastEthernet0/1.3
Internet 192.168.1.53 1 8853.9572.e113 ARPA FastEthernet0/1.3
Internet 192.168.1.54 12 0009.b044.9f23 ARPA FastEthernet0/1.3
Internet 192.168.1.55 0 f47b.5e9a.7ae5 ARPA FastEthernet0/1.3
Internet 192.168.1.149 0 001e.4fc5.a199 ARPA FastEthernet0/1.3
Internet 192.168.1.174 0 b8ac.6fff.af83 ARPA FastEthernet0/1.3
CISCO-2811#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.1.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.1.0/30 is directly connected, FastEthernet0/0
L 10.10.1.2/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.10.0/24 is directly connected, FastEthernet0/1.1
L 172.16.10.1/32 is directly connected, FastEthernet0/1.1
C 172.16.20.0/24 is directly connected, FastEthernet0/1.2
L 172.16.20.1/32 is directly connected, FastEthernet0/1.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/1.3
L 192.168.1.1/32 is directly connected, FastEthernet0/1.3
ASA
ASA5510# sh arp
Inside 10.10.1.2 0019.55a7.2ae8 12342
Outside 199.195.168.113 000c.4243.581a 2
Outside 199.195.168.116 e05f.b947.116b 2436
Outside 199.195.168.120 0017.c58a.1123 9192
DMZ 10.10.0.2 0025.849f.63e0 3192
VOIP 10.10.2.2 000d.bcdc.fc40 7754
ASA5510# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 199.195.168.113 to network 0.0.0.0
S 172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S 172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S 128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
S 128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
S 128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
C 199.195.168.112 255.255.255.240 is directly connected, Outside
C 10.10.0.0 255.255.255.252 is directly connected, DMZ
C 10.10.1.0 255.255.255.252 is directly connected, Inside
S 192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 199.195.168.113, Outside
ASA5510# show xlate
35 in use, 784 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ:10.10.0.2 22-22 to Outside:199.195.168.x 2222-2222
flags sr idle 481:54:14 timeout 0:00:00
TCP PAT from Inside:10.10.1.2 22-22 to Outside:199.195.168.x 222-222
flags sr idle 51:06:46 timeout 0:00:00
TCP PAT from VOIP:10.10.2.2 22-22 to Outside:199.195.168.x 2223-2223
flags sr idle 687:32:27 timeout 0:00:00
TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.168.x 3389-3389
flags sr idle 457:17:01 timeout 0:00:00
TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.168.x 8080-8080
flags sr idle 52:18:58 timeout 0:00:00
NAT from Outside:0.0.0.0/0 to any:0.0.0.0/0
flags sIT idle 353:10:21 timeout 0:00:00
UDP PAT from any:10.10.1.2/52581 to Outside:199.195.168.x/52581 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from any:10.10.1.2/55389 to Outside:199.195.168.x/55389 flags ri idle 0:00:03 timeout 0:00:30
UDP PAT from any:10.10.1.2/51936 to Outside:199.195.168.x/51936 flags ri idle 0:00:04 timeout 0:00:30
UDP PAT from any:10.10.1.2/51345 to Outside:199.195.168.x/51345 flags ri idle 0:00:09 timeout 0:00:30
UDP PAT from any:10.10.1.2/55985 to Outside:199.195.168.x/55985 flags ri idle 0:00:18 timeout 0:00:30
UDP PAT from any:10.10.1.2/49368 to Outside:199.195.168.x/49368 flags ri idle 0:00:22 timeout 0:00:30
UDP PAT from any:10.10.1.2/52441 to Outside:199.195.168.x/52441 flags ri idle 0:00:23 timeout 0:00:30
TCP PAT from any:10.10.1.2/57908 to Outside:199.195.168.x/57908 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57907 to Outside:199.195.168.x/57907 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57906 to Outside:199.195.168.x/57906 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57896 to Outside:199.195.168.x/57896 flags ri idle 0:09:09 timeout 0:00:30
TCP PAT from any:10.10.1.2/57879 to Outside:199.195.168.x/57879 flags ri idle 0:10:23 timeout 0:00:30
TCP PAT from any:10.10.1.2/49441 to Outside:199.195.168.x/49441 flags ri idle 0:20:52 timeout 0:00:30
TCP PAT from any:10.10.1.2/57868 to Outside:199.195.168.x/57868 flags ri idle 0:25:28 timeout 0:00:30
TCP PAT from any:10.10.1.2/60519 to Outside:199.195.168.x/60519 flags ri idle 0:44:11 timeout 0:00:30
TCP PAT from any:10.10.1.2/60491 to Outside:199.195.168.x/60491 flags ri idle 0:44:20 timeout 0:00:30
TCP PAT from any:10.10.1.2/60484 to Outside:199.195.168.x/60484 flags ri idle 0:44:35 timeout 0:00:30
TCP PAT from any:10.10.1.2/60480 to Outside:199.195.168.x/60480 flags ri idle 0:44:51 timeout 0:00:30
TCP PAT from any:10.10.1.2/53851 to Outside:199.195.168.x/53851 flags ri idle 0:54:14 timeout 0:00:30
TCP PAT from any:10.10.1.2/57812 to Outside:199.195.168.x/57812 flags ri idle 0:58:30 timeout 0:00:30
TCP PAT from any:10.10.1.2/57810 to Outside:199.195.168.x/57810 flags ri idle 0:58:32 timeout 0:00:30
TCP PAT from any:10.10.1.2/53847 to Outside:199.195.168.x/53847 flags ri idle 1:00:18 timeout 0:00:30
TCP PAT from any:10.10.1.2/57808 to Outside:199.195.168.x/57808 flags ri idle 1:07:58 timeout 0:00:30
TCP PAT from any:10.10.1.2/60406 to Outside:199.195.168.x/60406 flags ri idle 1:42:13 timeout 0:00:30
TCP PAT from any:10.10.1.2/49259 to Outside:199.195.168.x/49259 flags ri idle 7:39:44 timeout 0:00:30
TCP PAT from any:10.10.1.2/49191 to Outside:199.195.168.x/49191 flags ri idle 7:42:39 timeout 0:00:30
TCP PAT from any:10.10.1.2/55951 to Outside:199.195.168.x/55951 flags ri idle 23:11:40 timeout 0:00:30
TCP PAT from any:10.10.1.2/55944 to Outside:199.195.168.x/55944 flags ri idle 23:15:19 timeout 0:00:30
TCP PAT from any:10.10.1.2/55942 to Outside:199.195.168.x/55942 flags ri idle 23:15:24 timeout 0:00:30
ASA5510# sh conn all
149 in use, 815 most used
TCP Outside 74.125.193.108:993 Inside 10.10.1.2:57879, idle 0:12:37, bytes 6398, flags UIO
TCP Outside 174.35.24.74:80 Inside 192.168.1.20:53879, idle 0:00:01, bytes 0, flags saA
TCP Outside 174.35.24.74:80 Inside 192.168.1.20:53878, idle 0:00:01, bytes 0, flags saA
TCP Outside 17.149.36.177:5223 Inside 10.10.1.2:60480, idle 0:16:53, bytes 4539, flags UIO
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53877, idle 0:00:02, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53876, idle 0:00:02, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53875, idle 0:00:05, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53874, idle 0:00:05, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53872, idle 0:00:11, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53871, idle 0:00:11, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53868, idle 0:00:08, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53867, idle 0:00:08, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53860, idle 0:00:17, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53859, idle 0:00:17, bytes 0, flags saA
TCP Outside 17.172.233.95:5223 Inside 10.10.1.2:49191, idle 0:18:48, bytes 7384, flags UIO
TCP Outside 17.178.100.43:443 Inside 10.10.1.2:57810, idle 0:56:21, bytes 5797, flags UFIO
TCP Outside 23.206.216.93:80 Inside 10.10.1.2:53847, idle 0:54:15, bytes 2683, flags UFIO
TCP Outside 143.127.93.90:80 Inside 10.10.1.2:49259, idle 0:12:20, bytes 13315, flags UIO
TCP Outside 74.125.225.53:443 Inside 192.168.1.20:53864, idle 0:00:11, bytes 0, flags saA
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49204, idle 0:00:04, bytes 67, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:50122, idle 0:00:07, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63275, idle 0:00:08, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63306, idle 0:00:18, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65059, idle 0:00:22, bytes 46, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64681, idle 0:00:30, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64661, idle 0:00:30, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.20:55618, idle 0:00:32, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65056, idle 0:00:33, bytes 48, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:59433, idle 0:00:41, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.20:52178, idle 0:00:42, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:61414, idle 0:00:43, bytes 34, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65438, idle 0:00:44, bytes 44, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63686, idle 0:00:44, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65416, idle 0:00:45, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:53047, idle 0:00:47, bytes 32, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:62213, idle 0:00:46, bytes 74, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:52347, idle 0:00:46, bytes 92, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:58069, idle 0:00:46, bytes 64, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:50753, idle 0:00:46, bytes 74, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65381, idle 0:00:50, bytes 50, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65082, idle 0:00:50, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64038, idle 0:00:50, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49309, idle 0:00:51, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64034, idle 0:00:51, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49197, idle 0:00:51, bytes 50, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64728, idle 0:00:51, bytes 49, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64309, idle 0:00:51, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63289, idle 0:00:51, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64174, idle 0:00:52, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:39286, idle 0:01:09, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63726, idle 0:01:09, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65482, idle 0:01:12, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65091, idle 0:01:13, bytes 61, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64976, idle 0:01:13, bytes 57, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63749, idle 0:00:51, bytes 103, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64043, idle 0:01:14, bytes 52, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64267, idle 0:01:24, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64467, idle 0:01:26, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65504, idle 0:01:26, bytes 46, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:38946, idle 0:01:35, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63701, idle 0:01:38, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63879, idle 0:01:46, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:58516, idle 0:01:49, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63227, idle 0:01:51, bytes 62, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:65446, idle 0:01:53, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49166, idle 0:01:55, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:56680, idle 0:02:01, bytes 33, flags -
UDP Outside 192.55.83.30:53 Inside 192.168.1.2:65073, idle 0:00:44, bytes 50, flags -
TCP Outside 74.125.193.109:993 Inside 10.10.1.2:57808, idle 0:39:33, bytes 6392, flags UFIO
TCP Outside 74.125.225.54:443 Inside 192.168.1.20:53863, idle 0:00:13, bytes 0, flags saA
TCP Outside 143.127.93.89:80 Inside 10.10.1.2:60519, idle 0:46:30, bytes 346, flags UO
TCP Outside 74.125.225.32:443 Inside 192.168.1.20:53881, idle 0:00:01, bytes 0, flags saA
TCP Outside 74.125.225.32:443 Inside 192.168.1.20:53880, idle 0:00:01, bytes 0, flags saA
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:60627, idle 0:00:39, bytes 78, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:52088, idle 0:00:39, bytes 86, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:50533, idle 0:00:39, bytes 76, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:63347, idle 0:00:39, bytes 80, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:62213, idle 0:00:40, bytes 37, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:52347, idle 0:00:40, bytes 46, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:58069, idle 0:00:40, bytes 32, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:50753, idle 0:00:40, bytes 37, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.174:50791, idle 0:01:25, bytes 35, flags -
TCP Outside 74.125.225.46:443 Inside 192.168.1.20:53870, idle 0:00:08, bytes 0, flags saA
TCP Outside 17.173.255.101:443 Inside 10.10.1.2:53851, idle 0:56:33, bytes 58, flags UfIO
TCP Outside 64.4.23.147:33033 Inside 10.10.1.2:55944, idle 0:44:45, bytes 558164, flags UFIO
TCP Outside 74.125.225.35:443 Inside 192.168.1.20:53869, idle 0:00:09, bytes 0, flags saA
UDP Outside 64.4.23.175:33033 Inside 192.168.1.174:26511, idle 0:01:17, bytes 28, flags -
UDP Outside 192.54.112.30:53 Inside 192.168.1.2:65380, idle 0:00:44, bytes 49, flags -
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57908, idle 0:10:47, bytes 7895, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57907, idle 0:10:49, bytes 20323, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57906, idle 0:10:47, bytes 6539, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57868, idle 0:27:44, bytes 6395, flags UIO
TCP Outside 91.190.218.59:443 Inside 10.10.1.2:55942, idle 0:41:39, bytes 2727, flags UFIO
TCP Outside 17.172.233.123:5223 Inside 10.10.1.2:49441, idle 0:23:10, bytes 4409, flags UIO
TCP Outside 74.125.225.41:443 Inside 192.168.1.20:53862, idle 0:00:16, bytes 0, flags saA
TCP Outside 74.125.225.41:443 Inside 192.168.1.20:53861, idle 0:00:16, bytes 0, flags saA
TCP Outside 143.127.93.115:80 Inside 10.10.1.2:60406, idle 0:42:59, bytes 970, flags UFIO
TCP Outside 143.127.93.118:80 Inside 10.10.1.2:60484, idle 0:46:54, bytes 328, flags UO
TCP Outside 17.172.233.98:5223 Inside 10.10.1.2:57896, idle 0:11:28, bytes 5081, flags UIO
UDP Outside 111.221.74.16:33033 Inside 192.168.1.174:26511, idle 0:01:18, bytes 31, flags -
TCP Outside 17.149.36.103:5223 Inside 192.168.1.174:60729, idle 0:00:04, bytes 0, flags saA
UDP Outside 192.5.6.30:53 Inside 192.168.1.2:65317, idle 0:00:44, bytes 51, flags -
UDP Outside 192.12.94.30:53 Inside 192.168.1.2:65356, idle 0:00:44, bytes 54, flags -
TCP Outside 17.149.36.180:5223 Inside 10.10.1.2:55951, idle 0:46:08, bytes 14059, flags UFIO
UDP Outside 111.221.74.28:33033 Inside 192.168.1.174:26511, idle 0:01:20, bytes 33, flags -
TCP Outside 63.235.20.160:80 Inside 192.168.1.20:53873, idle 0:00:08, bytes 0, flags saA
TCP Outside 50.19.127.112:443 Inside 192.168.1.50:60678, idle 0:00:00, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60728, idle 0:00:14, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60727, idle 0:00:15, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60726, idle 0:00:15, bytes 0, flags saA
TCP Outside 65.55.122.234:443 Inside 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA
TCP Outside 65.55.122.234:2492 Inside 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA
UDP Outside 157.55.56.170:33033 Inside 192.168.1.174:26511, idle 0:01:21, bytes 37, flags -
TCP Outside 74.125.230.207:443 Inside 192.168.1.20:53866, idle 0:00:11, bytes 0, flags saA
TCP Outside 74.125.230.207:443 Inside 192.168.1.20:53865, idle 0:00:11, bytes 0, flags saA
UDP Outside 111.221.74.18:33033 Inside 192.168.1.174:26511, idle 0:01:17, bytes 29, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:55546, idle 0:00:06, bytes 46, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:60277, idle 0:00:06, bytes 46, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:55618, idle 0:00:34, bytes 43, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:60627, idle 0:00:36, bytes 78, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:52088, idle 0:00:36, bytes 86, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:50533, idle 0:00:36, bytes 76, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:63347, idle 0:00:36, bytes 80, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:56958, idle 0:01:24, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:51360, idle 0:01:26, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.174:50791, idle 0:01:27, bytes 35, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:54134, idle 0:01:46, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.174:58516, idle 0:01:50, bytes 51, flags -
TCP Outside 23.207.7.46:80 Inside 192.168.1.55:59350, idle 0:00:02, bytes 0, flags saA
TCP Outside 23.207.7.46:80 Inside 192.168.1.55:59349, idle 0:00:16, bytes 0, flags saA
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:50122, idle 0:00:09, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:48088, idle 0:00:42, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:62213, idle 0:00:45, bytes 74, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:52347, idle 0:00:45, bytes 92, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:58069, idle 0:00:45, bytes 64, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:50753, idle 0:00:45, bytes 74, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:61414, idle 0:00:47, bytes 34, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:54481, idle 0:01:08, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:40285, idle 0:01:34, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:65446, idle 0:01:55, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:46155, idle 0:02:00, bytes 33, flags -
UDP Outside 66.104.81.70:5070 Inside 192.168.1.174:57609, idle 0:00:11, bytes 46, flags -
UDP Outside 64.4.23.156:33033 Inside 192.168.1.174:26511, idle 0:01:14, bytes 38, flags -
TCP Outside 65.54.167.15:12350 Inside 10.10.1.2:60491, idle 0:11:02, bytes 1405, flags UIO
TCP Outside 17.172.192.35:443 Inside 10.10.1.2:57812, idle 0:56:11, bytes 6116, flags UFIO
UDP Outside 157.55.56.176:33033 Inside 192.168.1.174:26511, idle 0:01:16, bytes 32, flags -
TCP Inside 192.168.1.20:53667 NP Identity Ifc 10.10.1.1:22, idle 0:00:00, bytes 37555, flags UOB
TCP Inside 10.10.1.2:53431 NP Identity Ifc 10.10.1.1:22, idle 0:09:03, bytes 20739, flags UOB
Ran on the ASA while overload statements were down on the router:
ASA5510# packet-tracer input Inside tcp 192.168.1.100 12345 8.8.8.8 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1988699, packet dispatched to next module
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
Had to put these back in to get to the internet:
CISCO-2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-2811(config)#inter
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/0
CISCO-2811(config-if)#ip nat
CISCO-2811(config-if)#ip nat Outside
CISCO-2811(config-if)#exit
CISCO-2811(config)#in
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/1.3
CISCO-2811(config-subif)#ip nat inside
CISCO-2811(config-subif)#exit
CISCO-2811(config)#$de source list 1 interface FastEthernet0/0 overload
CISCO-2811(config)#
Screenshot of ASDM: -
Access from Inside to Outside ASA 5510 ver 9.1
Hi All,
I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 Router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions. 9.1(4) and 7.1. I believe the problem is in the Objects, ACL and getting those together, but I don't know much about the ASA and I don't know how the post 8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.
Here is my ASA Config and I will post some of the 2811 Router config as well, though I am not sure thati s where the issue lies, but at this point, I haven't a clue. Both are up to date for the newest versions of the respective IOS.
I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.
Thank you for the help!
ASA5510(config)# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.100 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
CISCO 2811:
Current configuration : 2601 bytes
! Last configuration change at 07:24:32 UTC Fri Jan 3 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RouterDeMitch
boot-start-marker
boot system flash
boot-end-marker
! card type command needed for slot/vwic-slot 0/0
no aaa new-model
dot11 syslog
ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 172.16.20.1 172.16.20.49
ip dhcp pool Mitchs_Network
network 192.168.1.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 192.168.1.1
ip dhcp pool VLAN10
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
ip dhcp pool VLAN20
network 172.16.20.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 172.16.20.1
no ip domain lookup
ip name-server 199.195.168.4
ip name-server 205.171.2.65
ip name-server 205.171.3.65
ip name-server 8.8.8.8
multilink bundle-name authenticated
crypto pki token default removal timeout 0
redundancy
interface FastEthernet0/0
description CONNECTION TO INSIDE INT. OF ASA
ip address 10.10.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
interface FastEthernet0/1.3
description Trunk Interface VLAN 1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
interface Dialer0
no ip address
router rip
version 2
network 172.16.0.0
network 192.168.1.0
network 199.195.168.0
no auto-summary
ip default-gateway 10.10.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
access-list 1 permit any
dialer-list 1 protocol ip permit
control-plane
line con 0
exec-timeout 0 0
password encrypted
login
line aux 0
line vty 0 4
exec-timeout 0 0
transport input all
scheduler allocate 20000 1000
endI made those changes, but still no internet. I did not add this statement nat (inside,outside) after-auto source dynamic any interface I went with the more granular.
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd liqhNWIOSfzvir2g encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.123 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
object-group network PAT-SOURCE
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.10.1.0 255.255.255.252
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
Message was edited by: Mitchell Tuckness -
ASA 5510 Not able to route traffic between 2 LAN interfaces
Hi everybody,
I need help to enable traffic between two physical ports on my Cisco ASA 5510. I created access rules and NAT but traffic doe not go from accounting interface to Inside. I am able to access internet from both interfaces. Can someone pin point me in the right direction since I am not an expert in Cisco but has to finish this by the end of the week.
Thank you,
Sigor
Here is my configuration:
ASA Version 8.2(2)
hostname Cisco
domain-name xxx.com
names
interface Ethernet0/0
description Outside
nameif Outside
security-level 0
ip address 101.101.101.101 255.255.240.0
interface Ethernet0/1
description Inside Network
nameif Inside
security-level 90
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
description Accounting
nameif Accounting
security-level 100
ip address 20.0.1.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone EST -5
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name xxx.com
same-security-traffic permit inter-interface
object-group service Port-10000 tcp
port-object eq 10000
object-group service Port-8080 tcp
port-object eq 8080
object-group service Port-8011 tcp
port-object eq 8011
object-group service DM_INLINE_TCP_1 tcp
group-object Port-8080
port-object eq www
group-object Port-8011
object-group service DM_INLINE_TCP_2 tcp
group-object Port-10000
port-object eq https
port-object eq www
object-group service rdp tcp
port-object eq 3389
object-group service DM_INLINE_TCP_3 tcp
group-object rdp
port-object eq ftp
object-group service DM_INLINE_TCP_4 tcp
group-object Port-10000
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
group-object Port-8011
group-object Port-8080
port-object eq www
object-group service DM_INLINE_TCP_6 tcp
group-object Port-10000
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
group-object rdp
port-object eq ftp
access-list Outside_access_in extended permit tcp any host 101.101.101.104 object-group DM_INLINE_TCP_5
access-list Outside_access_in extended permit tcp any host 101.101.101.102 object-group DM_INLINE_TCP_6
access-list Outside_access_in extended permit tcp any host 101.101.101.103 object-group DM_INLINE_TCP_7
access-list Outside_access_in extended permit tcp any host 101.101.101.106 eq smtp
access-list Outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list CiscoIPsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Accounting 1500
mtu management 1500
ip local pool IPSecDHCP 192.168.80.100-192.168.80.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Accounting) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 101.101.101.104 www 192.168.10.14 www netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.104 8011 192.168.10.14 8011 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.104 8080 192.168.10.14 8080 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 10000 192.168.10.3 10000 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 https 192.168.10.3 https netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 www 192.168.10.3 www netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.103 ftp 192.168.10.17 ftp netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.103 3389 192.168.10.32 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.106 smtp 192.168.10.23 smtp netmask 255.255.255.255
static (Inside,Accounting) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Accounting in interface Accounting
route Outside 0.0.0.0 0.0.0.0 101.101.101.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 Inside
http 20.0.1.0 255.255.255.0 Accounting
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 32608000
crypto ipsec security-association replay disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256
-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 89.216.17.35
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 20.0.1.100-20.0.1.200 Accounting
dhcpd dns 192.168.10.19 8.8.8.8 interface Accounting
dhcpd lease 306800 interface Accounting
dhcpd domain abtscs.com interface Accounting
dhcpd enable Accounting
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy CiscoIPsec internal
group-policy CiscoIPsec attributes
dns-server value 192.168.10.30 192.168.10.19
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CiscoIPsec_splitTunnelAcl
default-domain value xxx.com
vpn-group-policy CiscoIPsec
tunnel-group 198.226.20.35 type ipsec-l2l
tunnel-group 198.226.20.35 ipsec-attributes
pre-shared-key *****
tunnel-group CiscoIPsec type remote-access
tunnel-group CiscoIPsec general-attributes
address-pool IPSecDHCP
default-group-policy CiscoIPsec
tunnel-group CiscoIPsec ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
Cryptochecksum:2a7c97a7a22397908ef83ca6f0065919
: endWithout diving too deep into your config, I noticed a couple of things:
interface Ethernet0/1
description Inside Network
nameif Inside
security-level 90
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
description Accounting
nameif Accounting
security-level 100
ip address 20.0.1.1 255.255.255.0
On an ASA, higher security level interfaces are always allowed, by default, to lower security levels, but not the other way around. So, if you want to keep this config, you would need an acl on the Inside interface to allow traffic to go from level 90 to 100:
access-list Inside permit ip any any
access-group Inside in interface Inside
The acl will permit the traffic into either interface (outside or Accounting). As long as you have your other rules set up correctly, this should resolve your issue...
HTH,
John -
Internet Access from Inside to Outside ASA 5510 ver 9.1
Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
I get errors like this when I try Packet Tracer:
(nat-xlate-failed) NAT failed
(acl-drop) Flow is denied by configured rule
Version Information:
Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(5)
Compiled on Thu 05-Dec-13 19:37 by builders
System image file is "disk0:/asa914-k8.bin"
Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
Thank You!
Config:
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
domain-name
inside.int
enable password <redacted> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <redacted> encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.199.199.123 255.255.255.240
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.199.199.4
domain-name
inside.int
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
access-group INSIDE-IN in interface Inside
access-group OUTSIDE-IN in interface Outside
router rip
network 10.0.0.0
network 199.199.199.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username <redacted> password <redacted> encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:
<redacted>
: end
SH NAT:
ASA5510# sh nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic inside-net interface
translate_hits = 0, untranslate_hits = 0
SH RUN NAT:
ASA5510# sh run nat
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
SH RUN OBJECT:
ASA5510(config)# sh run object
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
Hi all,Hello everyone, I need some help before my head explodes. IddddddddHello Mitchell,
First of all how are you testing this:
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
Take in consideration that the netmask is /30
The Twice NAT is good, ACLs are good.
do the following and provide us the result
packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
And provide us the result!
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
Note: Check my website, there is a video about this that might help you.
http://laguiadelnetworking.com -
Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!
Hi,
I have an ASA 5510 with the configuration below. I have configure the ASA as remote access vpn server with cisco vpn client, my problem now is I can connect but I can't ping.
Config
ciscoasa# sh run
: Saved
ASA Version 8.0(3)
hostname ciscoasa
enable password 5QB4svsHoIHxXpF/ encrypted
names
name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
name xxx.xxx.xxx.xxx Mail_Server
name xxx.xxx.xxx.xxx IncomingIP
name xxx.xxx.xxx.xxx SAP
name xxx.xxx.xxx.xxx WebServer
name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
name 192.168.2.2 isa_server_outside
interface Ethernet0/0
nameif outside
security-level 0
ip address IncomingIP 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.253 255.255.255.0
management-only
passwd 123
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group service TCP_8081 tcp
port-object eq 8081
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq ftp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
port-object eq 3200
port-object eq 3300
port-object eq 3600
port-object eq 3299
port-object eq 3390
port-object eq 50000
port-object eq 3396
port-object eq 3397
port-object eq 3398
port-object eq imap4
port-object eq 587
port-object eq 993
port-object eq 8000
port-object eq 8443
port-object eq telnet
port-object eq 3901
group-object TCP_8081
port-object eq 1433
port-object eq 3391
port-object eq 3399
port-object eq 8080
port-object eq 3128
port-object eq 3900
port-object eq 3902
port-object eq 7777
port-object eq 3392
port-object eq 3393
port-object eq 3394
port-object eq 3395
port-object eq 92
port-object eq 91
port-object eq 3206
port-object eq 8001
port-object eq 8181
port-object eq 7778
port-object eq 8180
port-object eq 22222
port-object eq 11001
port-object eq 11002
port-object eq 1555
port-object eq 2223
port-object eq 2224
object-group service RDP tcp
port-object eq 3389
object-group service 3901 tcp
description 3901
port-object eq 3901
object-group service 50000 tcp
description 50000
port-object eq 50000
object-group service Enable_Transparent_Tunneling_UDP udp
port-object eq 4500
access-list inside_access_in remark connection to SAP
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in remark VPN Outgoing - PPTP
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in remark VPN Outgoing - GRE
access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
access-list inside_access_in remark VPN - GRE
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark VPN Outgoing - IKE Client
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in remark Outoing Ports
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ah any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-list VPN standard permit 192.168.2.0 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 Mail_Server netmask 255.0.0.0
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
static (inside,outside) 192.168.2.0 access-list corp_vpn
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain domain.local interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
tftp-server management 192.168.1.123 /
group-policy mypolicy internal
group-policy mypolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
username vpdn password 123
username vpdn attributes
vpn-group-policy mypolicy
service-type remote-access
tunnel-group mypolicy type remote-access
tunnel-group mypolicy general-attributes
address-pool POOL
default-group-policy mypolicy
tunnel-group mypolicy ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.Here is the output:
ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 139
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 140
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Maybe you are looking for
-
Deleting an object in the background
Looking on the internet it seems I should use a tool called content aware to remove this object; however, I am unable to find that tool in Photoshop Elements 10. How do I remove an object from a picture in this program?
-
Adobe Photoshop Album Starter Edition 3.2 with AOL desktop (AOL 10)
I have fully patched XP SP2 AOL 10 as default email client Adobe Photoshop Album Starter Edition 3.2, registered and unlocked. When setting pref for email client within Adobe PSE, AOL is not listed as an email option. I have reinstalled Adobe Photosh
-
Regarding kernel upgrade in ECC 6.0
Hi, We want to perform a kernel upgrade for our ECC 6.0 system landscape. Currently we are on kernel 133 and the present kernel level is 179 in service market place. In our landscape,we have 7 dialog instances along with the central instance.If I upg
-
Spiceworks logins - how do they work
Ok, so I've got a spiceworks login id. I can get to the community forums, get into my spiceworks program (running on server A), etc. One of our techs setup just the helpdesk on server B. He invited me to join with the same spiceworks id (ie. my ema
-
ODBC 8.1.6.2 availability?
Is there anywhere to get the schedule for release / posting of ODBC driver updates? When using ODBC 8 driver through a DB Link I get an ORA-2041 which is anticipated to be fixed in 8.1.6.2. TIA, JOhn D.