ASA Firewall Upgrade from 8.2, 8.4 to 9.0

Dear All,
We have five firewalls with the following details:
First Firewall
Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
Second Firewall
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)
My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?
Third Firewall
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
Fourth Firewall
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
Fifth Firewall:
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)
My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?
Please help. I am doing the upgrade remotely using the ASDM and I don't want to do any upgrade that could result in a loss of connectivity.
Best regards

Hi Basel,
Honestly, I wouldn't suggest a direct upgrade from 8.2 to 9.0. This is a *major* upgrade. The recommended path to reach 9.0 would be from 8.2-->8.4-->9.0
Here are the release notes for 9.0:
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp690047
Per above document:
If you are upgrading from a pre-8.3 release, see also the Cisco ASA 5500 Migration Guide to Version 8.3 and Later
for important information about migrating your configuration.
Once you are on 8.3/8.4 (I would suggest 8.4, as a lot of issues were fixed post-8.3, which was a huge transition from 8.2), the upgrade to 9.0 is fairly simple.
The major part is the upgrade from 8.2 to 8.4, as the configuration changes and a few things can be broken as a result. I would highly recommend that you check these docs before attempting an upgrade, and also do it within a maintenance window so as to correct things in case they break:
The following doc talks about 8.3 but it is applicable to a direct upgrade to 8.4 as well:
https://supportforums.cisco.com/docs/DOC-12690
Release notes for 8.4:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
Sourav

Similar Messages

  • Testing a Firewall upgrade from PIX 7.0.2 to ASA 8.4.5

    I have upgraded from PIX 7.0.2, to ASA 8.4.5, and had some issues regarding the NAMES list, setup NETWORK-OBJECTS to get the HOSTS in the access-list added to the ASA.
    The PIX script contained no NAT, only access-list, and when the script was copied onto the ASA, it was taken successfully.
    I was wondering what methods are available to test the script I have compiled on the ASA, prior to switching from the PIX onto the ASA? What processes are normal to confirm the firewall is operational and the rulesets working? Any ideas / tools / commands would be welcome.

    There are changes in the NAT syntax & Object Grouping. Also on VPN configurations...
    You need to make sure that certain things are taken care of in the new ASA, which runs the 8.4 version.
    I have attached a reference for NAT changes pre and post 8.3, which might be helpful for you.
    Using the packet-tracer command you can check that the NAT rules are working and the ACL is working fine.
    packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/p.html#wp1878788
    Hope this helps....
    Regards
    Karthik

  • ASA 5520 upgrade from 8.4.6 to 9.1.2

    Dear All,
    I have an ASA 5520 in Active/Standby failover configuration. I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on the Cisco site.
    Below is the process:
    Upgrade an Active/Standby Failover Configuration
    Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
    Download the new software to both units, and specify the new image to load with the boot system command.
    Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
    Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
    active#failover reload-standby
    When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
    active#no failover active
    Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
    Reload the former active unit (now the new standby unit) by entering the reload command:
    newstandby#reload
    When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
    newstandby#failover active
    This completes the process of upgrading an Active/Standby Failover pair.
    Also, after the upgrade are there any changes required after the IOS migration (i.e. are there any changes in the command line between 8.4.6 and 9.1.2)?
    It is mentioned on the Cisco site that
    Major Release
    —You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

    Hi Tushar,
    The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions; it's just that in access-rules from 9.1 you have to use any4 instead of any for IPv4 and any6 for IPv6. During conversion it will get converted automatically.
    Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
    http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
    - Prateek Verma
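    The procedure quoted in the question above hinges on reading show failover before each step (the note says to verify that the standby unit is in the Standby Ready state). The following Python script is an added example, not part of the original thread and not a Cisco tool: it parses a constructed, abbreviated show failover output (the interface names, versions and timestamps are hypothetical) and reports whether each step of the zero-downtime procedure may be issued from the unit that produced the output, refusing "no failover active" while the peer is not Standby Ready or still runs the same image.

```python
import re

# Constructed sample of `show failover` output, reduced to the lines this
# check reads; the real command prints considerably more (hypothetical values).
SAMPLE_OUTPUT = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Version: Ours 8.4(6), Mate 9.1(2)
Last Failover at: 10:12:33 UTC Jun 3 2013
        This host: Primary - Active
                Active time: 3456 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s+\S+\s+-\s+(.+?)\s*$")
VERSION_RE = re.compile(r"^Version:\s+Ours\s+(\S+),\s+Mate\s+(\S+)")


def parse_failover(output):
    """Pull out the fields the zero-downtime procedure depends on."""
    info = {"enabled": None, "this": None, "other": None, "ours": None, "mate": None}
    for raw in output.splitlines():
        line = raw.strip()
        if line in ("Failover On", "Failover Off"):
            info["enabled"] = line == "Failover On"
            continue
        m = HOST_RE.match(line)
        if m:
            info[m.group(1).lower()] = m.group(2)   # "this" / "other" -> state string
            continue
        m = VERSION_RE.match(line)
        if m:
            info["ours"], info["mate"] = m.group(1), m.group(2)
    return info


# Required (this host state, peer state) before each command of the procedure.
STEP_PRECONDITIONS = {
    "failover reload-standby": ("Active", "Standby Ready"),
    "no failover active":      ("Active", "Standby Ready"),
    "failover active":         ("Standby Ready", "Active"),
}


def gate(output, step):
    """Return (ok, reason): may `step` be issued on the unit that printed `output`?"""
    if step not in STEP_PRECONDITIONS:
        return False, f"unknown step '{step}'"
    info = parse_failover(output)
    if not info["enabled"]:
        return False, "failover is not enabled on this unit"
    want_this, want_other = STEP_PRECONDITIONS[step]
    if info["this"] != want_this:
        return False, f"this host is '{info['this']}', expected '{want_this}'"
    if info["other"] != want_other:
        return False, f"peer is '{info['other']}', expected '{want_other}'"
    # Failing over onto a peer that still runs the old image defeats the purpose.
    if step == "no failover active" and info["ours"] == info["mate"]:
        return False, "peer still runs the same image; reload it first"
    return True, "ok"


if __name__ == "__main__":
    for step in STEP_PRECONDITIONS:
        print(f"{step:25s} -> {gate(SAMPLE_OUTPUT, step)}")
```

    In the sample the peer has already been reloaded onto the new image, so the script clears "no failover active" but refuses "failover active", which has to be issued from the unit that is currently Standby Ready.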

  • ASA 5520 Upgrade From 8.2 to 9.1

    To All Pro's Out There,
    I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
    In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and, if needed, use it in production (in conjunction with the existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together a smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don'ts and can provide me some options toward getting the best result: minimum downtime and a smooth upgrade.
    I appreciate all the help in advance.

    Hi,
    My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they aren't really optimal.
    In your case it seems that you have a much better situation than most people, who don't have the chance to use a test device to test out the setup before actually putting it in production.
    What you can basically do is
    Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
    You can use the "packet-tracer" command to test whether the correct NAT rules are still hit after the conversion.
    So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware, which has basically let me configure everything ready and just switch devices for the customer. So far everything has gone really well and there have been only 1-2 mistakes in NAT configurations because of mistyping some IP address or interface name, which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most were from an FWSM Security Context to an ASA Security Context).
    If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
    If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
    https://supportforums.cisco.com/docs/DOC-31116
    My personal approach when starting to convert NAT configurations for the upgrade is
    Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
    Divide NAT configurations based on type   
    Dynamic NAT/PAT
    Static NAT
    Static PAT
    NAT0
    All Policy Dynamic/Static NAT/PAT
    Learn the basic configuration format for each type of NAT configuration
    Start by converting the easiest NAT configurations   
    Dynamic NAT/PAT
    Static NAT/PAT
    Next convert the NAT0 configurations
    And finally go through the Policy NAT/PAT configurations
    Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases, since the NAT IP address is not used anymore. In the most common scenarios this basically only involves modifying the "outside" interface's ACL, but depending on whether the customer has some other links to external resources, it's highly likely that the same type of ACL changes are required on those interfaces also.
    The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
    One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
    For example
    static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    In the new software you can pretty much leave all of these out. If you don't need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
    Naturally you can also use these forums to ask for help with NAT configuration conversions. Even though it's a very common topic, I don't personally mind helping out with those.
    So to summarize
    Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
    Learn the new NAT configuration format
    Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
    Personally, if I was looking at the same kind of upgrade (which I will probably be looking at again soon) I would do the following
    Convert the configurations manually
    Lab/test the configurations on a test ASA
    During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
    Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
    Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
    Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
    Will add more later if anything comes to mind, as it's getting quite late here
    Hope this helps
    - Jouni
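    Jouni's post describes converting the pre-8.3 static/nat/global statements into the 8.3+ object NAT format, starting with the easiest categories, and singles out identity NAT lines such as static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 as ones that can simply be left out. The Python script below is an added example; it is not Jouni's tool and not the ASA's own migration code. It converts the two simplest categories he lists first (static NAT for hosts and subnets, and nat/global dynamic NAT or PAT), drops identity statics with a review note, and hands everything else (static PAT, nat 0 access-list, policy NAT) back for manual conversion. The sample 8.2 configuration, the obj-/pool- object naming and the interface names are constructed.

```python
import re

# Constructed pre-8.3 sample, not from the original post (RFC 5737 addresses).
LEGACY_CONFIG = """\
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.0 10.2.0.0 netmask 255.255.255.0
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
nat (inside) 0 access-list NONAT
"""

STATIC_RE = re.compile(r"^static \(([^,]+),([^)]+)\) (\S+) (\S+) netmask (\S+)$")
NAT_RE = re.compile(r"^nat \(([^)]+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \(([^)]+)\) (\d+) (\S+)$")


def network_object(addr, mask):
    """Return (name, lines) for an 8.3+ network object; the obj- naming is our choice."""
    name = f"obj-{addr}"
    body = f" host {addr}" if mask == "255.255.255.255" else f" subnet {addr} {mask}"
    return name, [f"object network {name}", body]


def convert(config):
    """Convert the simple NAT categories; return (new_config_lines, review_notes)."""
    out, notes = [], []
    pools = {}      # nat id -> (mapped interface, 'interface' | address | range)
    dynamics = []   # (real interface, nat id, real address, real mask)
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := GLOBAL_RE.match(line):
            pools[m.group(2)] = (m.group(1), m.group(3))
        elif m := NAT_RE.match(line):
            dynamics.append(m.groups())
        elif m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            if mapped == real:
                # Identity NAT between local interfaces: not needed in 8.3+ when no NAT is wanted.
                notes.append(f"identity NAT dropped (not needed in 8.3+): {line}")
                continue
            if mask == "255.255.255.255":
                target = mapped                     # a mapped host may be given inline
            else:
                target, mapped_obj = network_object(mapped, mask)
                out += mapped_obj                   # subnet-to-subnet needs a mapped object
            _name, obj = network_object(real, mask)
            out += obj + [f" nat ({real_ifc},{mapped_ifc}) static {target}"]
        else:
            notes.append(f"not handled, convert by hand: {line}")
    for real_ifc, nat_id, addr, mask in dynamics:
        if addr == "access-list" or nat_id == "0":
            notes.append(f"nat 0 / policy NAT, convert by hand: nat ({real_ifc}) {nat_id} {addr} {mask}")
            continue
        if nat_id not in pools:
            notes.append(f"nat id {nat_id} on {real_ifc} has no matching global statement")
            continue
        mapped_ifc, mapped = pools[nat_id]
        if "-" in mapped:                           # global address pool -> range object
            lo, hi = mapped.split("-")
            out += [f"object network pool-{nat_id}", f" range {lo} {hi}"]
            mapped = f"pool-{nat_id}"
        _name, obj = network_object(addr, mask)
        out += obj + [f" nat ({real_ifc},{mapped_ifc}) dynamic {mapped}"]
    return out, notes


if __name__ == "__main__":
    lines, notes = convert(LEGACY_CONFIG)
    print("\n".join(lines))
    print("\n".join("! REVIEW: " + n for n in notes))
```

    The generated lines are a starting point only: as the post says, the result still has to be confirmed with packet-tracer on the test ASA, and the review notes list every statement that needs a person to decide how it maps onto the new format.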

  • ASA firmware upgrade from console - tftp error

    Have an asa 5510, trying to upgrade the firmware via console.
    I have a tftp program installed on my PC but get an error running the command, any idea what I'm doing wrong?                  
    asa# copy tftp flash
    Address or name of remote host [142.xx.xx.xx]?  ------------> IP of my PC
    Source filename [asa912-k8.bin]?
    Destination filename [asa912-k8.bin]?
    Accessing tftp://142.xx.xx.xx/asa912-k8.bin...
    %Error opening tftp://142.xx.xx.xx/asa912-k8.bin (No such device)

    Hi,
    You really can't upload files through the console connection. It's not a network connection.
    Your PC might have an IP address configured, but that would be configured on its network interface card, which has nothing to do with the console cable connection.
    So you will have to configure one of the ASA's network interfaces with an IP address and other basic settings. Then you need to configure the PC's network interface card settings to match the IP address/subnet configured on the ASA. Then you will have a connection between the ASA and the PC and should be able to load the software to the ASA.
    For example
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    no shutdown
    and then configure the PC with IP address 10.10.10.100 and mask 255.255.255.0, for example, and then load the software from the PC's IP address of 10.10.10.100.
    - Jouni

  • After upgrading from ASA 8.2 to 9.1(2) not able to get web site

    Dears,
    ASA Version has been upgraded from 8.2 to 9.1(2). Since then, website is not accessible from outside.
    Diagnosis:
    Many web sites are deployed behind the ASA. When anyone accesses website from outside, the following error is reported: The page cannot be displayed. No issues have been reported with any other websites.
    In the ASA, two different public subnets are in use in order to allow accessing the website from the public domain. No issues have been reported so far with the first subnet. The website is mapped to a public address in the second subnet. When the website is mapped to an IP address in the working subnet, the website is accessible from outside. As a workaround, this is applied and the website is up and running.
    As the website is working fine with the second subnet, NAT and ACL configuration is fine. We have turned on logging in the ASDM, but no traffic was observed on the ASA for the non-working subnet. On the other hand, the traffic was noticed on the ASDM for the working subnet.
    The working subnet is XX.YY.XX.X
    Non working subnet is XX.YY.YY.X
    The outside interface ip is XX.YY.XX.X (Working Subnet)
    Tried to assign one IP address from the non-working subnet to a PC and connected it to the switch; it's pinging from outside.

    Hi
    Have you tried using packet tracer?

  • ASA multiple mode upgrade from 8.2.5 to 8.4.5 to 9.0.3

    I'm doing an ASA code upgrade with contexts from 8.2.5 to 8.4.5 to 9.0.3 and I'm concerned about the NAT syntax with the new code. Should this automatically change to the new syntax on all contexts, or do I have to do it manually? Anyone there with that experience, please advise. Thanks.
    Please reply to [email protected]
    Thanks.              

    Hello,
    I am actually working on a project right now really similar to yours.
    When are you planning to perform the Upgrade???
    As per Cisco documentation the Upgrade should be done from the system context!
    Migration will happen automatically:
    I created a post about it
    http://www.laguiadelnetworking.com/asa-8-3-upgrade-new-features-known-issues-best-practicesetc/
    Enjoy
    Rate all of the helpful posts!!!
    Regards,
    Jcarvaja
    Follow me on http://laguiadelnetworking.com

  • ASA 5585 IOS upgradation from 8.2(5) to 9.0(2)

    Hi,
    I am getting the below warning messages when I am doing the IOS upgrade of an ASA5585. The current version of IOS is 8.2(5) and the converted version is 9.0(2). I would like to know whether I can ignore the warnings and move on with the new version or need to do any manual changes in the configuration.
    This is my internet firewall which has DMZ  as well.
    WARNING: MIGRATION: ACE converted to real IP/port values based on
    dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing policy NAT ACL
    Thanks
    Soumya
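    The MIGRATION warning in Soumya's message says the converted ACEs need to be checked. One way to do that check systematically, as an added example that is not part of the thread and not a Cisco tool: parse the extended ACEs of the pre- and post-migration configurations, group them by ACL, action, protocol and source, and report which destinations the migration added, which vanished, which added destinations are wider than anything the original rule allowed (a host rule expanded to a whole real subnet), and which ACEs still point at a mapped address that the migration has rewritten to real addresses elsewhere. The sample ACLs below are constructed in the shape of the listing in the thread, using RFC 5737 documentation addresses; the parser handles any/any4, host and network/mask operands only.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed before/after ACLs (not the original post's data), RFC 5737 addresses.
OLD_ACL = """\
access-list outside extended permit udp host 198.51.100.25 host 203.0.113.163
access-list outside extended permit esp host 198.51.100.25 host 203.0.113.163
access-list outside extended permit ip any host 203.0.113.163
"""
NEW_ACL = """\
access-list outside extended permit udp host 198.51.100.25 host 10.239.23.56
access-list outside extended permit udp host 198.51.100.25 host 10.239.23.72
access-list outside extended permit udp host 198.51.100.25 10.239.24.0 255.255.255.0
access-list outside extended permit ip any4 host 203.0.113.163
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")


def parse_addr(tokens):
    """Consume one ASA address spec (any/any4 | host X | NET MASK); return (network, rest)."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_aces(config):
    """Return (acl, action, proto, src, dst) per extended ACE; skip what we cannot parse."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        try:
            src, rest = parse_addr(rest.split())
            dst, _ports = parse_addr(rest)     # trailing port operators are ignored here
        except (ValueError, IndexError):
            continue                           # object/object-group operands: out of scope
        aces.append((acl, action, proto, src, dst))
    return aces


def group_dsts(aces):
    """Map (acl, action, proto, src) -> set of destination networks."""
    groups = defaultdict(set)
    for acl, action, proto, src, dst in aces:
        groups[(acl, action, proto, src)].add(dst)
    return groups


def review_migration(old_cfg, new_cfg):
    """Compare pre- and post-migration ACEs and return findings for human review."""
    old, new = group_dsts(parse_aces(old_cfg)), group_dsts(parse_aces(new_cfg))
    report = {"added": [], "removed": [], "broadened": [], "still_mapped": []}
    replaced = set()   # mapped destinations the migration rewrote to real addresses
    for key in sorted(set(old) | set(new), key=str):
        before, after = old.get(key, set()), new.get(key, set())
        label = "{} {} {} {}".format(*key)
        added = sorted(after - before, key=str)
        removed = sorted(before - after, key=str)
        report["added"] += [f"{label} -> {d}" for d in added]
        report["removed"] += [f"{label} -> {d}" for d in removed]
        if added and removed:
            replaced.update(removed)
        if before:
            narrowest = max(d.prefixlen for d in before)
            # A rule that permitted one mapped host now permitting a whole real subnet.
            report["broadened"] += [f"{label} -> {d}" for d in added if d.prefixlen < narrowest]
    for acl, action, proto, src, dst in parse_aces(new_cfg):
        if dst in replaced:   # still references the old mapped address
            report["still_mapped"].append(f"{acl} {action} {proto} {src} -> {dst}")
    return report


if __name__ == "__main__":
    for kind, items in review_migration(OLD_ACL, NEW_ACL).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("  " + item)
```

    On the sample, the udp rule toward one mapped host becomes three rules toward real addresses, one of them a /24, which is exactly the kind of widening the warning asks you to confirm against the original policy NAT ACL; the esp rule has no counterpart after migration, and the "ip any" rule still names the mapped address and needs the same rewrite to the real destination.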

    Hi ,
    Sorry, I forgot to mention that we have upgraded from 8.2 -> 8.4.6 -> 9.0(2).
    We have multiple warning messages like the one below. A huge number of inbound access rules have been created in the new version and we are worried whether this will create a security loophole.
    WARNING: MIGRATION: ACE converted to real IP/port values based on
    dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing policy NAT ACL
    216.163.252.25
    8.2(5)
    access-list outside extended permit udp host 216.163.252.25 host 203.99.194.163
    access-list outside extended permit esp host 216.163.252.25 host 203.99.194.163
    access-list Metlife-VPN extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.237.164.0 255.255.254.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.237.241.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.230.107.128 255.255.255.224 host 216.163.252.25
    access-list inside1 extended permit udp 10.237.164.0 255.255.254.0 host 216.163.252.25
    access-list inside1 extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list inside1 extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit ip host 10.239.23.177 host 216.163.252.25
    access-list outside extended permit ip any host 203.99.194.163
    9.0(2)
    object network obj-216.163.252.25
    host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.237.164.0 255.255.254.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.237.241.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.230.107.128 255.255.255.224 host 216.163.252.25
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.56
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.72
    access-list outside extended permit udp host 216.163.252.25 10.239.24.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.15
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.94
    access-list outside extended permit udp host 216.163.252.25 host 10.239.24.138
    access-list outside extended permit udp host 216.163.252.25 10.239.23.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.101
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.208
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.20
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.78
    access-list outside extended permit udp host 216.163.252.25 10.239.48.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.73
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.204
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.178
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.187
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.28
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.144
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.105
    access-list outside extended permit udp host 216.163.252.25 10.237.23.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.179
    access-list outside extended permit udp host 216.163.252.25 10.237.164.0 255.255.254.0
    access-list outside extended permit udp host 216.163.252.25 10.239.50.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.46
    access-list outside extended permit udp host 216.163.252.25 host 10.237.165.120
    access-list outside extended permit udp host 216.163.252.25 10.239.50.0 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.11
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.142
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.12
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.45
    access-list outside extended permit udp host 216.163.252.25 host 10.237.173.12
    access-list outside extended permit udp host 216.163.252.25 host 10.237.164.72
    access-list outside extended permit udp host 216.163.252.25 host 10.237.173.13
    access-list outside extended permit udp host 216.163.252.25 host 10.239.20.145
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.23
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.128
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.146
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.137
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.144
    access-list outside extended permit udp host 216.163.252.25 10.230.144.64 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.229.32.0 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.242.50.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.153
    access-list outside extended permit udp host 216.163.252.25 host 10.242.50.68
    access-list outside extended permit udp host 216.163.252.25 host 10.232.8.176
    access-list outside extended permit udp host 216.163.252.25 10.242.0.128 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.198
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.199
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.201
    access-list outside extended permit udp host 216.163.252.25 10.230.107.192 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.202
    access-list outside extended permit udp host 216.163.252.25 10.237.226.0 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.242.146.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.197
    access-list outside extended permit udp host 216.163.252.25 host 10.229.59.109
    access-list outside extended permit udp host 216.163.252.25 10.242.97.128 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 10.242.36.64 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.237.241.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.14
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.68
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.94
    access-list outside extended permit udp host 216.163.252.25 host 10.237.173.15
    access-list outside extended permit udp host 216.163.252.25 10.242.212.0 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.242.51.128 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 10.242.210.192 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 host 10.242.146.18
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.168
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.31
    access-list outside extended permit udp host 216.163.252.25 host 10.242.195.204
    access-list outside extended permit udp host 216.163.252.25 10.242.195.192 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.230.241.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 10.230.103.128 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.144
    access-list outside extended permit udp host 216.163.252.25 10.230.107.128 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.211.202.224 255.255.255.240
    access-list outside extended permit udp host 216.163.252.25 host 10.211.211.221
    access-list outside extended permit udp host 216.163.252.25 host 10.229.34.43
    access-list outside extended permit udp host 216.163.252.25 host 10.229.34.49
    access-list outside extended permit udp host 216.163.252.25 host 10.232.38.160
    access-list outside extended permit udp host 216.163.252.25 host 10.232.130.93
    access-list outside extended permit udp host 216.163.252.25 host 10.233.38.151
    access-list outside extended permit udp host 216.163.252.25 host 10.236.147.50
    access-list outside extended permit udp host 216.163.252.25 host 10.236.147.71
    access-list outside extended permit udp host 216.163.252.25 host 10.236.147.83
    access-list outside extended permit udp host 216.163.252.25 host 10.236.180.4
    access-list outside extended permit udp host 216.163.252.25 host 10.237.9.83
    access-list outside extended permit udp host 216.163.252.25 host 10.237.9.93
    access-list outside extended permit udp host 216.163.252.25 host 10.237.77.39
    access-list outside extended permit udp host 216.163.252.25 host 10.237.77.74
    access-list outside extended permit udp host 216.163.252.25 host 10.237.77.76
    access-list outside extended permit udp host 216.163.252.25 host 10.237.173.8
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.24
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.183
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.13
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.71
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.108
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.109
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.120
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.170
    access-list outside extended permit udp host 216.163.252.25 host 10.239.24.26
    access-list outside extended permit udp host 216.163.252.25 host 10.239.24.158
    access-list outside extended permit udp host 216.163.252.25 host 10.239.24.222
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.20
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.34
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.41
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.42
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.52
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.60
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.64
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.73
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.81
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.82
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.90
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.114
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.141
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.151
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.155
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.205
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.224
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.233
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.238
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.239
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.251
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.26
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.52
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.57
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.72
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.90
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.93
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.107
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.161
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.171
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.184
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.185
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.196
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.208
    access-list outside extended permit udp host 216.163.252.25 host 10.239.38.17
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.34
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.68
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.72
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.78
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.143
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.10
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.15
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.31
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.35
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.52
    access-list outside extended permit udp host 216.163.252.25 host 10.239.60.100
    access-list outside extended permit udp host 216.163.252.25 host 10.239.67.18
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.17
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.23
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.34
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.42
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.53
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.75
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.76
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.77
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.114
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.117
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.118
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.120
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.136
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.143
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.15
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.17
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.35
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.48
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.90
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.116
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.140
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.168
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.183
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.26
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.53
    access-list outside extended permit udp host 216.163.252.25 host 10.242.11.29
    access-list outside extended permit udp host 216.163.252.25 host 10.242.11.31
    access-list outside extended permit udp host 216.163.252.25 host 10.242.11.80
    access-list outside extended permit udp host 216.163.252.25 host 10.242.11.81
    access-list outside extended permit udp host 216.163.252.25 host 10.242.22.133
    access-list outside extended permit udp host 216.163.252.25 host 10.242.22.134
    access-list outside extended permit udp host 216.163.252.25 host 10.242.22.154
    access-list outside extended permit udp host 216.163.252.25 host 10.242.36.76
    access-list outside extended permit udp host 216.163.252.25 host 10.242.36.79
    access-list outside extended permit udp host 216.163.252.25 host 10.242.36.118
    access-list outside extended permit udp host 216.163.252.25 host 10.242.146.29
    access-list outside extended permit udp host 216.163.252.25 host 10.242.158.227
    access-list outside extended permit udp host 216.163.252.25 host 10.242.195.197
    access-list outside extended permit udp host 216.163.252.25 host 207.41.226.145
    access-list outside extended permit udp host 216.163.252.25 10.233.38.144 255.255.255.248
    access-list outside extended permit udp host 216.163.252.25 10.230.132.160 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.230.134.0 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.242.68.160 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.233.38.150 255.255.255.222
    access-list outside extended permit udp host 216.163.252.25 10.229.144.0 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.236.84.64 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.237.84.128 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.239.47.192 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.242.90.64 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.230.137.128 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 10.239.56.0 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 10.237.22.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.56
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.72
    access-list outside extended permit esp host 216.163.252.25 10.239.24.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.15
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.94
    access-list outside extended permit esp host 216.163.252.25 host 10.239.24.138
    access-list outside extended permit esp host 216.163.252.25 10.239.23.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.101
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.208
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.20
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.78
    access-list outside extended permit esp host 216.163.252.25 10.239.48.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.73
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.204
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.178
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.187
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.28
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.144
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.105
    access-list outside extended permit esp host 216.163.252.25 10.237.23.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.179
    access-list outside extended permit esp host 216.163.252.25 10.237.164.0 255.255.254.0
    access-list outside extended permit esp host 216.163.252.25 10.239.50.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.46
    access-list outside extended permit esp host 216.163.252.25 host 10.237.165.120
    access-list outside extended permit esp host 216.163.252.25 10.239.50.0 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.11
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.142
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.12
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.45
    access-list outside extended permit esp host 216.163.252.25 host 10.237.173.12
    access-list outside extended permit esp host 216.163.252.25 host 10.237.164.72
    access-list outside extended permit esp host 216.163.252.25 host 10.237.173.13
    access-list outside extended permit esp host 216.163.252.25 host 10.239.20.145
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.23
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.128
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.146
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.137
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.144
    access-list outside extended permit esp host 216.163.252.25 10.230.144.64 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.229.32.0 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.242.50.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.153
    access-list outside extended permit esp host 216.163.252.25 host 10.242.50.68
    access-list outside extended permit esp host 216.163.252.25 host 10.232.8.176
    access-list outside extended permit esp host 216.163.252.25 10.242.0.128 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.198
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.199
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.201
    access-list outside extended permit esp host 216.163.252.25 10.230.107.192 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.202
    access-list outside extended permit esp host 216.163.252.25 10.237.226.0 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.242.146.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.197
    access-list outside extended permit esp host 216.163.252.25 host 10.229.59.109
    access-list outside extended permit esp host 216.163.252.25 10.242.97.128 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 10.242.36.64 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.237.241.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.14
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.68
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.94
    access-list outside extended permit esp host 216.163.252.25 host 10.237.173.15
    access-list outside extended permit esp host 216.163.252.25 10.242.212.0 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.242.51.128 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 10.242.210.192 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 host 10.242.146.18
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.168
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.31
    access-list outside extended permit esp host 216.163.252.25 host 10.242.195.204
    access-list outside extended permit esp host 216.163.252.25 10.242.195.192 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.230.241.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 10.230.103.128 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.144
    access-list outside extended permit esp host 216.163.252.25 10.230.107.128 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.211.202.224 255.255.255.240
    access-list outside extended permit esp host 216.163.252.25 host 10.211.211.221
    access-list outside extended permit esp host 216.163.252.25 host 10.229.34.43
    access-list outside extended permit esp host 216.163.252.25 host 10.229.34.49
    access-list outside extended permit esp host 216.163.252.25 host 10.232.38.160
    access-list outside extended permit esp host 216.163.252.25 host 10.232.130.93
    access-list outside extended permit esp host 216.163.252.25 host 10.233.38.151
    access-list outside extended permit esp host 216.163.252.25 host 10.236.147.50
    access-list outside extended permit esp host 216.163.252.25 host 10.236.147.71
    access-list outside extended permit esp host 216.163.252.25 host 10.236.147.83
    access-list outside extended permit esp host 216.163.252.25 host 10.236.180.4
    access-list outside extended permit esp host 216.163.252.25 host 10.237.9.83
    access-list outside extended permit esp host 216.163.252.25 host 10.237.9.93
    access-list outside extended permit esp host 216.163.252.25 host 10.237.77.39
    access-list outside extended permit esp host 216.163.252.25 host 10.237.77.74
    access-list outside extended permit esp host 216.163.252.25 host 10.237.77.76
    access-list outside extended permit esp host 216.163.252.25 host 10.237.173.8
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.24
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.183
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.13
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.71
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.108
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.109
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.120
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.170
    access-list outside extended permit esp host 216.163.252.25 host 10.239.24.26
    access-list outside extended permit esp host 216.163.252.25 host 10.239.24.158
    access-list outside extended permit esp host 216.163.252.25 host 10.239.24.222
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.20
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.34
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.41
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.42
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.52
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.60
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.64
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.73
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.81
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.82
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.90
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.114
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.141
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.151
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.155
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.205
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.224
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.233
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.238
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.239
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.251
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.26
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.52
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.57
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.72
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.90
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.93
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.107
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.161
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.171
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.184
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.185
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.196
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.208
    access-list outside extended permit esp host 216.163.252.25 host 10.239.38.17
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.34
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.68
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.72
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.78
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.143
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.10
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.15
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.31
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.35
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.52
    access-list outside extended permit esp host 216.163.252.25 host 10.239.60.100
    access-list outside extended permit esp host 216.163.252.25 host 10.239.67.18
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.17
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.23
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.34
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.42
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.53
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.75
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.76
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.77
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.114
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.117
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.118
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.120
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.136
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.143
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.15
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.17
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.35
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.48
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.90
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.116
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.140
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.168
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.183
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.26
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.53
    access-list outside extended permit esp host 216.163.252.25 host 10.242.11.29
    access-list outside extended permit esp host 216.163.252.25 host 10.242.11.31
    access-list outside extended permit esp host 216.163.252.25 host 10.242.11.80
    access-list outside extended permit esp host 216.163.252.25 host 10.242.11.81
    access-list outside extended permit esp host 216.163.252.25 host 10.242.22.133
    access-list outside extended permit esp host 216.163.252.25 host 10.242.22.134
    access-list outside extended permit esp host 216.163.252.25 host 10.242.22.154
    access-list outside extended permit esp host 216.163.252.25 host 10.242.36.76
    access-list outside extended permit esp host 216.163.252.25 host 10.242.36.79
    access-list outside extended permit esp host 216.163.252.25 host 10.242.36.118
    access-list outside extended permit esp host 216.163.252.25 host 10.242.146.29
    access-list outside extended permit esp host 216.163.252.25 host 10.242.158.227
    access-list outside extended permit esp host 216.163.252.25 host 10.242.195.197
    access-list outside extended permit esp host 216.163.252.25 host 207.41.226.145
    access-list outside extended permit esp host 216.163.252.25 10.233.38.144 255.255.255.248
    access-list outside extended permit esp host 216.163.252.25 10.230.132.160 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.230.134.0 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.242.68.160 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.233.38.150 255.255.255.222
    access-list outside extended permit esp host 216.163.252.25 10.229.144.0 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.236.84.64 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.237.84.128 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.239.47.192 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.242.90.64 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.230.137.128 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 10.239.56.0 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 10.237.22.0 255.255.255.0
    access-list inside1 extended permit udp 10.237.164.0 255.255.254.0 host 216.163.252.25
    access-list inside1 extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list inside1 extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit ip host 10.239.23.177 host 216.163.252.25
    nat (inside,outside) source dynamic obj-10.239.48.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.237.164.0-01 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.229.32.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.242.146.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.237.241.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.230.107.128 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
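
    Added example, not part of the post above: a short Python audit for ACLs of the shape pasted above. It assumes ASA extended ACEs whose endpoints are `host A.B.C.D`, `any` or address-plus-netmask, and first-match semantics; `object-group` entries are reported as unparsed rather than evaluated, and port qualifiers are ignored. The sample input is a constructed excerpt of lines copied from the config above. It flags masks that are not a contiguous run of 1 bits (the 255.255.255.222 on the 10.233.38.150 entries is not a valid netmask) and entries that an earlier entry in the same ACL already fully covers, so they can never match: the per-host esp permits sitting under a permit for the whole /24, the /26 under the /24, and the inside1 `permit esp` for a subnet that the preceding `permit ip` for the same subnet already allows.

```python
"""Audit Cisco ASA extended ACEs: flag non-contiguous masks and entries that an
earlier ACE in the same ACL fully covers (first match wins, so they never hit)."""
import ipaddress
import re
from typing import List, NamedTuple, Tuple

# Constructed excerpt: eight ACEs copied from the config above, including the
# 255.255.255.222 mask that appears in it. Any ACL of this shape can be fed in.
SAMPLE_ACL = """\
access-list outside extended permit esp host 216.163.252.25 10.239.48.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.239.48.105
access-list outside extended permit esp host 216.163.252.25 10.239.50.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 10.239.50.0 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.15
access-list outside extended permit esp host 216.163.252.25 10.233.38.150 255.255.255.222
access-list inside1 extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
access-list inside1 extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+)$"
)

class ACE(NamedTuple):
    line_no: int
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def mask_is_contiguous(mask: str) -> bool:
    """A netmask must be one left-aligned run of 1 bits; 255.255.255.222 is not."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    return m == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF

def _endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ACE endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if not mask_is_contiguous(mask):
        raise ValueError(f"non-contiguous mask {mask} on {addr}")
    # strict=False: tolerate host bits set in the address and clear them
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), i + 2

def parse_acl(text: str) -> Tuple[List[ACE], List[Tuple[int, str]]]:
    """Return parsed ACEs plus (line_no, reason) for lines this parser cannot handle."""
    aces, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            errors.append((line_no, "not an extended ACE"))
            continue
        tokens = m["rest"].split()
        try:
            src, i = _endpoint(tokens, 0)
            dst, _ = _endpoint(tokens, i)  # trailing 'eq ...' port qualifiers are ignored
        except (ValueError, IndexError) as exc:  # object-group ACEs also land here
            errors.append((line_no, f"unsupported endpoint syntax ({exc})"))
            continue
        aces.append(ACE(line_no, m["acl"], m["action"], m["proto"], src, dst))
    return aces, errors

def covers(outer: ACE, inner: ACE) -> bool:
    """True if every packet matching `inner` also matches `outer` (ports ignored)."""
    return (
        outer.acl == inner.acl
        and outer.proto in ("ip", inner.proto)
        and outer.src.supernet_of(inner.src)
        and outer.dst.supernet_of(inner.dst)
    )

def dead_entries(aces: List[ACE]) -> List[Tuple[int, int]]:
    """(line_no, covering_line_no) for ACEs an earlier ACE in the same ACL fully covers."""
    dead = []
    for j, ace in enumerate(aces):
        for earlier in aces[:j]:
            if covers(earlier, ace):
                dead.append((ace.line_no, earlier.line_no))
                break
    return dead

def audit(text: str) -> dict:
    aces, errors = parse_acl(text)
    return {"aces": len(aces), "errors": errors, "dead": dead_entries(aces)}

if __name__ == "__main__":
    report = audit(SAMPLE_ACL)
    print(f"parsed {report['aces']} ACEs")
    for line_no, reason in report["errors"]:
        print(f"line {line_no}: {reason}")
    for line_no, by in report["dead"]:
        print(f"line {line_no}: never matches, fully covered by line {by}")
```

Feed it the real ACL with `python audit.py < running-config` after swapping `SAMPLE_ACL` for `sys.stdin.read()`; a covering entry reported for a `deny` means the later line is shadowed, for a `permit` it is simply redundant and can be deleted before the migration, which keeps the NAT and ACL review that follows a lot shorter.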

  • Upgrading from PIX to ASA 5512X

    Hi everyone,
    We are in the middle of upgrading from two PIXs to some new ASA5512Xs. To give you some background on the situation, we are upgrading these since the PIXs are fairly old. We had one extra that we had to use since one PIX has failed already. The guy that implemented the PIXs originally was learning how to do so as he went, so there is a lot of needless config in the PIX, at least from what I can tell. Another guy that works with me has done some configuration on the new ASAs and has done the majority of it so far. Today we went to install the new ASAs and switch everything over hoping it would work, but that didn't happen. It seems that there is something wrong with our NAT and ACLs somewhere along the lines. The way our network is laid out is that we have two school campuses with a site-to-site VPN; one is 172.17.0.0/16 and the other is 172.18.0.0/16. We also have a remote-access VPN on both ASAs. When we connected the new ASAs up and brought up the interfaces, nothing on the inside could ping the internet nor the other side. The VPN showed active on the ASAs and each ASA could ping the other's outside interface, but that was it. I have posted the configs below. If anyone could help out I would GREATLY appreciate it! Thank you in advance!
    ASA1:
    : Saved
    : Written by enable_15 at 04:26:18.240 CDT Tue Mar 12 2013
    ASA Version 8.6(1)2
    hostname dallasroadASA
    enable password **** encrypted
    passwd **** encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 70.x.x.x 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 172.18.1.1 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 172.18.2.21
    name-server 172.18.2.20
    object network WS_VLAN2
    subnet 172.17.2.0 255.255.255.0
    object network WS_VLAN3
    subnet 172.17.3.0 255.255.255.0
    object network WS_VLAN4
    subnet 172.17.4.0 255.255.255.0
    object network WS_VLAN5
    subnet 172.17.5.0 255.255.255.0
    object network WS_VLAN6
    subnet 172.17.6.0 255.255.255.0
    object network WS_VLAN7
    subnet 172.17.7.0 255.255.255.0
    object network WS_VLAN8
    subnet 172.17.8.0 255.255.255.0
    object network WS_VLAN9
    subnet 172.17.9.0 255.255.255.0
    object network WS_VLAN10
    subnet 172.17.10.0 255.255.255.0
    object network WS_VLAN11
    subnet 172.17.11.0 255.255.255.0
    object network WS_VLAN12
    subnet 172.17.12.0 255.255.255.0
    object network WS_VLAN13
    subnet 172.17.13.0 255.255.255.0
    object network WS_VLAN14
    subnet 172.17.14.0 255.255.255.0
    object network WS_VLAN15
    subnet 172.17.15.0 255.255.255.0
    object network WS_VLAN16
    subnet 172.17.16.0 255.255.255.0
    object network DR_VLAN2
    subnet 172.18.2.0 255.255.255.0
    object network DR_VLAN3
    subnet 172.18.3.0 255.255.255.0
    object network DR_VLAN4
    subnet 172.18.4.0 255.255.255.0
    object network DR_VLAN5
    subnet 172.18.5.0 255.255.255.0
    object network DR_VLAN6
    subnet 172.18.6.0 255.255.255.0
    object network DR_VLAN7
    subnet 172.18.7.0 255.255.255.0
    object network DR_VLAN8
    subnet 172.18.8.0 255.255.255.0
    object network DR_VLAN9
    subnet 172.18.9.0 255.255.255.0
    object network DR_VLAN10
    subnet 172.18.10.0 255.255.255.0
    object network DR_CORE_SW
    host 172.18.2.1
    object network dallasdns02_internal
    host 172.18.2.21
    object network faithdallas03_internal
    host 172.18.2.20
    object network dns_external
    host 70.x.x.x
    object network WorthStreet
    subnet 172.17.0.0 255.255.0.0
    object network DallasRoad
    subnet 172.18.0.0 255.255.0.0
    object-group network DALLAS_VLANS
    network-object object DR_VLAN10
    network-object object DR_VLAN2
    network-object object DR_VLAN3
    network-object object DR_VLAN4
    network-object object DR_VLAN5
    network-object object DR_VLAN6
    network-object object DR_VLAN7
    network-object object DR_VLAN8
    network-object object DR_VLAN9
    object-group network WORTH_VLANS
    network-object object WS_VLAN10
    network-object object WS_VLAN11
    network-object object WS_VLAN12
    network-object object WS_VLAN13
    network-object object WS_VLAN14
    network-object object WS_VLAN15
    network-object object WS_VLAN16
    network-object object WS_VLAN2
    network-object object WS_VLAN3
    network-object object WS_VLAN4
    network-object object WS_VLAN5
    network-object object WS_VLAN6
    network-object object WS_VLAN7
    network-object object WS_VLAN8
    network-object object WS_VLAN9
    object-group network dallasitnetwork
    network-object host 172.18.2.20
    network-object host 172.18.2.40
    object-group protocol tcpudp
    protocol-object udp
    protocol-object tcp
    object-group network dallasroaddns
    network-object host 172.18.2.20
    network-object host 172.18.2.21
    object-group service tcpservices tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq ssh
    object-group network remotevpnnetwork
    network-object 172.18.50.0 255.255.255.0
    access-list L2LAccesslist extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
    access-list NONAT extended permit ip any 172.18.50.0 255.255.255.0
    access-list inside_inbound_access extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
    access-list inside_inbound_access extended permit ip object-group dallasitnetwork any
    access-list inside_inbound_access extended permit object-group tcpudp object-group dallasroaddns any eq domain
    access-list inside_inbound_access extended permit ip host 172.18.4.10 any
    access-list inside_inbound_access extended deny object-group tcpudp any any eq domain
    access-list inside_inbound_access extended deny tcp any any eq smtp
    access-list inside_inbound_access extended permit ip any any
    access-list outside_inbound_access extended permit tcp any host 70.x.x.x object-group tcpservices
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnaddresspool 172.18.50.0-172.18.50.255
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static dallasdns02_internal dns_external
    nat (inside,outside) source static faithdallas03_internal dns_external
    nat (inside,outside) source dynamic any interface
    nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
    nat (inside,outside) source static DallasRoad DallasRoad destination static WorthStreet WorthStreet
    access-group outside_inbound_access in interface outside
    access-group inside_inbound_access in interface inside
    route outside 0.0.0.0 0.0.0.0 70.x.x.x 1
    route inside 172.18.0.0 255.255.0.0 172.18.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    ldap attribute-map CISCOMAP
      map-name  VPNALLOW IETF-Radius-Class
      map-value VPNALLOW FALSE NOACESS
      map-value VPNALLOW TRUE ALLOWACCESS
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 172.17.2.28
    server-port 389
    ldap-base-dn DC=campus,DC=fcschool,DC=org
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password ****
    ldap-login-dn CN=fcsadmin,CN=Users,DC=campus,DC=fcschool,DC=org
    server-type microsoft
    ldap-attribute-map CISCOMAP
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 172.17.11.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
    crypto map outside_map 10 match address L2LAccesslist
    crypto map outside_map 10 set peer 71.x.x.x
    crypto map outside_map 10 set ikev1 transform-set myset
    crypto map outside_map 10 set reverse-route
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 172.18.0.0 255.255.0.0 inside
    ssh 172.17.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    vpn-tunnel-protocol ikev1
    group-policy DfltGrpPolicy attributes
    dns-server value 172.18.2.20
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    password-storage enable
    group-policy DallasRoad internal
    group-policy DallasRoad attributes
    dns-server value 172.18.2.20 172.18.2.21
    password-storage enable
    default-domain value campus.fcschool.org
    group-policy ALLOWACCESS internal
    group-policy ALLOWACCESS attributes
    banner value Now connected to the FCS Network
    vpn-tunnel-protocol ikev1
    username iwerkadmin password **** encrypted privilege 15
    tunnel-group remoteaccessvpn type remote-access
    tunnel-group remoteaccessvpn general-attributes
    address-pool vpnaddresspool
    authentication-server-group LDAP
    tunnel-group 71.x.x.x type ipsec-l2l
    tunnel-group 71.x.x.x ipsec-attributes
    ikev1 pre-shared-key ****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:fd69fbd7a2cb0a6a125308dd85302198
    : end
    ASA2:
    : Saved
    : Written by enable_15 at 09:27:47.579 UTC Tue Mar 12 2013
    ASA Version 8.6(1)2
    hostname worthstreetASA
    enable password **** encrypted
    passwd **** encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 71.x.x.x 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 172.17.1.1 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa861-2-smp-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 172.17.2.23
    name-server 172.17.2.28
    object network mail_external
    host 71.x.x.x
    object network mail_internal
    host 172.17.2.57
    object network faweb_external
    host 71.x.x.x
    object network netclassroom_external
    host 71.x.x.x
    object network blackbaud_external
    host 71.x.x.x
    object network netclassroom_internal
    host 172.17.2.41
    object network nagios
    host 208.x.x.x
    object network DallasRoad_ASA
    host 70.x.x.x
    object network WS_VLAN2
    subnet 172.17.2.0 255.255.255.0
    object network WS_VLAN3
    subnet 172.17.3.0 255.255.255.0
    object network WS_VLAN4
    subnet 172.17.4.0 255.255.255.0
    object network WS_VLAN5
    subnet 172.17.5.0 255.255.255.0
    object network WS_VLAN6
    subnet 172.17.6.0 255.255.255.0
    object network WS_VLAN7
    subnet 172.17.7.0 255.255.255.0
    object network WS_VLAN8
    subnet 172.17.8.0 255.255.255.0
    object network WS_VLAN9
    subnet 172.17.9.0 255.255.255.0
    object network WS_VLAN10
    subnet 172.17.10.0 255.255.255.0
    object network WS_VLAN11
    subnet 172.17.11.0 255.255.255.0
    object network WS_VLAN12
    subnet 172.17.12.0 255.255.255.0
    object network WS_VLAN13
    subnet 172.17.13.0 255.255.255.0
    object network WS_VLAN14
    subnet 172.17.14.0 255.255.255.0
    object network WS_VLAN15
    subnet 172.17.15.0 255.255.255.0
    object network WS_VLAN16
    subnet 172.17.16.0 255.255.255.0
    object network DR_VLAN2
    subnet 172.18.2.0 255.255.255.0
    object network DR_VLAN3
    subnet 172.18.3.0 255.255.255.0
    object network DR_VLAN4
    subnet 172.18.4.0 255.255.255.0
    object network DR_VLAN5
    subnet 172.18.5.0 255.255.255.0
    object network DR_VLAN6
    subnet 172.18.6.0 255.255.255.0
    object network DR_VLAN7
    subnet 172.18.7.0 255.255.255.0
    object network DR_VLAN8
    subnet 172.18.8.0 255.255.255.0
    object network DR_VLAN9
    subnet 172.18.9.0 255.255.255.0
    object network DR_VLAN10
    subnet 172.18.10.0 255.255.255.0
    object network WS_CORE_SW
    host 172.17.2.1
    object network blackbaud_internal
    host 172.17.2.26
    object network spiceworks_internal
    host 172.17.2.15
    object network faweb_internal
    host 172.17.2.31
    object network spiceworks_external
    host 71.x.x.x
    object network WorthStreet
    subnet 172.17.0.0 255.255.0.0
    object network DallasRoad
    subnet 172.18.0.0 255.255.0.0
    object network remotevpnnetwork
    subnet 172.17.50.0 255.255.255.0
    object-group icmp-type echo_svc_group
    icmp-object echo
    icmp-object echo-reply
    object-group service mail.fcshool.org_svc_group
    service-object icmp
    service-object icmp echo
    service-object icmp echo-reply
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object tcp destination eq imap4
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group service nagios_svc_group tcp
    port-object eq 12489
    object-group service http_s_svc_group tcp
    port-object eq www
    port-object eq https
    object-group network DALLAS_VLANS
    network-object object DR_VLAN10
    network-object object DR_VLAN2
    network-object object DR_VLAN3
    network-object object DR_VLAN4
    network-object object DR_VLAN5
    network-object object DR_VLAN6
    network-object object DR_VLAN7
    network-object object DR_VLAN8
    network-object object DR_VLAN9
    object-group network WORTH_VLANS
    network-object object WS_VLAN10
    network-object object WS_VLAN11
    network-object object WS_VLAN12
    network-object object WS_VLAN13
    network-object object WS_VLAN14
    network-object object WS_VLAN15
    network-object object WS_VLAN16
    network-object object WS_VLAN2
    network-object object WS_VLAN3
    network-object object WS_VLAN4
    network-object object WS_VLAN5
    network-object object WS_VLAN6
    network-object object WS_VLAN7
    network-object object WS_VLAN8
    network-object object WS_VLAN9
    object-group network MailServers
    network-object host 172.17.2.57
    network-object host 172.17.2.58
    network-object host 172.17.2.17
    object-group protocol DM_INLINE_PROTOCOL
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    object-group network DNS_Servers
    network-object host 172.17.2.23
    network-object host 172.17.2.28
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list outside_access_in extended permit object-group mail.fcshool.org_svc_group any object mail_internal
    access-list outside_access_in extended permit tcp object nagios object mail_internal object-group nagios_svc_group
    access-list outside_access_in extended permit tcp any object faweb_external object-group http_s_svc_group
    access-list outside_access_in extended permit tcp any object netclassroom_external object-group http_s_svc_group
    access-list outside_access_in extended permit tcp any object blackbaud_external eq https
    access-list outside_access_in extended permit tcp any object spiceworks_external object-group http_s_svc_group
    access-list L2LAccesslist extended permit ip 172.17.0.0 255.255.0.0 172.18.0.0 255.255.0.0
    access-list inside_inbound extended permit object-group TCPUDP object-group DNS_Servers any eq domain
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL host 172.17.15.10 any inactive
    access-list inside_access_in extended permit tcp object-group MailServers any eq smtp
    access-list inside_access_in extended permit tcp host 172.17.14.10 any eq smtp
    access-list inside_access_in extended deny object-group TCPUDP any any eq domain
    access-list inside_access_in extended deny tcp any any eq smtp
    access-list inside_access_in extended permit ip any any
    access-list vpn_access extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnaddresspool 172.17.50.1-172.17.50.255
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static mail_internal mail_external
    nat (inside,outside) source static netclassroom_internal netclassroom_external
    nat (inside,outside) source static faweb_internal faweb_external
    nat (inside,outside) source static spiceworks_internal interface
    nat (inside,outside) source static blackbaud_internal blackbaud_external
    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static WorthStreet WorthStreet destination static DallasRoad DallasRoad
    nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
    route inside 172.17.0.0 255.255.0.0 172.17.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    ldap attribute-map CISCOMAP
      map-name  VPNALLOW IETF-Radius-Class
      map-value VPNALLOW FALSE NOACESS
      map-value VPNALLOW TRUE ALLOWACCESS
    dynamic-access-policy-record DfltAccessPolicy
    network-acl vpn_access
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 172.17.2.28
    ldap-base-dn DC=campus,DC=fcschool,DC=org
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password ****
    ldap-login-dn CN=VPN Admin,CN=Users,DC=campus,DC=fcschool,DC=org
    server-type microsoft
    ldap-attribute-map CISCOMAP
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 172.17.0.0 255.255.0.0 inside
    http 172.18.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
    crypto map outside_map 10 match address L2LAccesslist
    crypto map outside_map 10 set peer 70.x.x.x
    crypto map outside_map 10 set ikev1 transform-set myset
    crypto map outside_map 10 set reverse-route
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    telnet 172.17.0.0 255.255.0.0 inside
    telnet 172.18.0.0 255.255.0.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 172.17.0.0 255.255.0.0 inside
    ssh 172.18.0.0 255.255.0.0 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access management
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1
    webvpn
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    vpn-tunnel-protocol ikev1
    group-policy ALLOWACCESS internal
    group-policy ALLOWACCESS attributes
    banner value Now connected to the FCS Network
    vpn-tunnel-protocol ikev1
    username iwerkadmin password **** encrypted privilege 15
    tunnel-group 70.x.x.x type ipsec-l2l
    tunnel-group 70.x.x.x ipsec-attributes
    ikev1 pre-shared-key ****
    tunnel-group remoteaccessvpn type remote-access
    tunnel-group remoteaccessvpn general-attributes
    address-pool vpnaddresspool
    authentication-server-group LDAP
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:b599ba0f719f39b213e7f01fe55588ac
    : end

    Hi Derrick,
    I just did the same for a customer; replaced a failover cluster of 2 PIX515s with 5512Xs. The NAT change is major with ASA version 8.3 and later...
    Here's what you need: a manual NAT rule, called twice NAT (policy NAT or NONAT is the old terminology), for the VPNs to work. Also add the no-proxy-arp keyword:
    nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS VPN_NETWORKS VPN_NETWORKS no-proxy-arp
    nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS RA_VPN_NETWORKS RA_VPN_NETWORKS no-proxy-arp
    Then the dynamic PAT for Internet access (after the twice NATs for the VPNs); it could be a manual NAT like you did, or, preferably, an object NAT.
    You did:
    nat (inside,outside) source dynamic any interface
    It would also work with object NAT:
    object network INSIDE_NETWORKS
    subnet ...
    nat (inside,outside) dynamic interface
    Same on the other side (except the networks are reversed, since the inside network is now what the other side refers to as the VPN network and vice versa).
    If you don't put the no-proxy-arp, your NAT configuration will cause network issues.
    Also, to be able to pass pings through the ASA, add the following:
    policy-map global_policy
    class inspection_default
      inspect icmp
    The ASA will do some basic inspection of the ICMP protocol with that config, e.g. it will make sure there is one echo-reply for each echo-request...
    Hope that helps,
    Patrick
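    As an added illustration (not code from this thread or from Cisco), the following Python models the top-down, first-match evaluation of manual NAT section 1 that the reply relies on, using the WorthStreet, DallasRoad and remotevpnnetwork objects and the L2LAccesslist from the posted worthstreetASA config. It assumes 71.0.2.1 as a stand-in for the masked outside interface address and 203.0.113.5 as a constructed Internet destination, ignores interface (inside/outside) matching, and places the remote-access identity rule in the shape the reply recommends (inside networks to the VPN pool) beside the pool-to-pool rule in the post.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Tuple

# Placeholder for the masked 71.x.x.x outside interface address of worthstreetASA.
OUTSIDE_IF = ip_address("71.0.2.1")
ANY = ip_network("0.0.0.0/0")

# Networks taken from the posted config (objects WorthStreet, DallasRoad, remotevpnnetwork).
WORTH = ip_network("172.17.0.0/16")
DALLAS = ip_network("172.18.0.0/16")
RA_POOL = ip_network("172.17.50.0/24")


@dataclass(frozen=True)
class NatRule:
    """One 'nat (inside,outside) source ...' line of manual NAT section 1.

    identity=True models 'source static X X destination static Y Y' (twice NAT,
    the NONAT of pre-8.3); identity=False models 'source dynamic any interface'.
    """
    name: str
    src: IPv4Network
    dst: IPv4Network
    identity: bool


def translate(rules: List[NatRule], src: IPv4Address, dst: IPv4Address) -> Tuple[str, IPv4Address]:
    """Walk the section top-down; the first rule whose source and destination
    both match decides the translation.  Returns (rule name, translated source)."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.name, (src if rule.identity else OUTSIDE_IF)
    return "no-match", src


def matches_crypto_acl(src: IPv4Address, dst: IPv4Address) -> bool:
    """L2LAccesslist from the post.  The crypto map is checked against the
    post-NAT addresses, so a PATed source never enters the tunnel."""
    return src in WORTH and dst in DALLAS


# Rules as they appear in the posted worthstreetASA config, in that order.
PAT = NatRule("dynamic PAT to interface", ANY, ANY, identity=False)
L2L_NONAT = NatRule("WorthStreet/DallasRoad identity", WORTH, DALLAS, identity=True)
RA_NONAT_POSTED = NatRule("remotevpnnetwork identity (as posted)", RA_POOL, RA_POOL, identity=True)
# The remote-access identity rule in the shape the reply recommends: inside
# networks to the VPN pool, not pool to pool.
RA_NONAT_REPLY = NatRule("inside to RA pool identity (per reply)", WORTH, RA_POOL, identity=True)

POSTED_ORDER = [PAT, L2L_NONAT, RA_NONAT_POSTED]   # the catch-all PAT shadows every rule below it
FIXED_ORDER = [L2L_NONAT, RA_NONAT_REPLY, PAT]     # twice NAT rules first, PAT last


def vpn_path(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str, bool]:
    """Returns (rule hit, translated source, whether the packet can enter the L2L tunnel)."""
    s, d = ip_address(src), ip_address(dst)
    name, xlated = translate(rules, s, d)
    return name, str(xlated), matches_crypto_acl(xlated, d)


if __name__ == "__main__":
    # 172.17.2.57 is mail_internal and 172.18.2.20 the Dallas DNS server from the posted configs.
    for label, order in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "mail server -> Dallas DNS:", vpn_path(order, "172.17.2.57", "172.18.2.20"))
        print(label, "mail server -> RA client: ", vpn_path(order, "172.17.2.57", "172.17.50.10"))
        print(label, "mail server -> Internet:  ", vpn_path(order, "172.17.2.57", "203.0.113.5"))
```

    In the posted order the site-to-site traffic is PATed to the outside address and never matches the crypto ACL; moving the identity rules above the PAT, as the reply says, leaves it untranslated so the tunnel is used.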

  • Cisco ASA Upgrade from 7.0(8) to 8.2(1)

    Hi, I need to upgrade my 5510 ASA from 7.0(8) to 8.2(1). (Please note it's a different query from my last thread.)
    What I found online is that I will have to do this upgrade in sequence, that is
    7.0.x -> 7.2.x -> 8.0.x -> 8.2.1
    Is that correct?
    Or will I go to 7.1.x first? Like this:
    7.0.x -> 7.1.x -> 7.2.x -> 8.0.x -> 8.1.x -> 8.2.1
    Please guide. Also, I am assuming a reboot is required after every upgrade, right?

    OK, I found something in another Cisco document. That is what I thought:
    "To ensure that your configuration updates correctly, you must upgrade to each major release in turn. Therefore, to upgrade from Version 7.0 to Version 8.2, first upgrade from 7.0 to 7.1, then from 7.1 to 7.2, and finally from Version 7.2 to Version 8.2 (8.1 was only available on the ASA 5580)."

  • Upgrading from SSM-10 to ASA 5525x

    We are upgrading from an ASA 5510 with a SSM-10 module to the 5525x ips.  Can we simply copy the config from the SSM-10 to the 5525x?

    Please refer to the document below for the details regarding the catalog conversions.
    http://helpx.adobe.com/photoshop-elements/kb/common-catalog-issues-upgrade-elements.html

  • Why is implicit deny missing from outside int incoming access rules after upgrade from 8.25 to 9.1?

    I have just noticed that after the upgrade of the image and ASDM to 911 and 711, the implicit deny ACL is missing from the outside interface. Is this deliberate or a poor upgrade? I am upgrading from 8.25 normally; it depends what the reseller sends me.
    Should this be happening, or am I upgrading in too large a jump?
    thanks,
    david

    Hi,
    I would really like to see some screen capture / output of the thing you are referring to.
    I imagine that you are perhaps referring to something related to ASDM? I don't personally use ASDM at all for ASA configurations, so I am not up to date on the possible problems it might have or changes made to its interface.
    I am not sure if you have an ACL attached to the "outside" interface? If so, then I think the ASDM should show the Implicit Deny at the end, while this won't show on the CLI side at all.
    I did just check my own ASA at home, which is running 9.0(2) and ASDM 7.1(2) at the moment, and it doesn't show an Implicit Deny for my LAN or WAN interface ACLs.
    Though the basic ACL operation is still in effect: if it's not allowed in the ACL, then it's blocked by the Implicit Deny. This can be confirmed with a "packet-tracer" test on your firewall also.
    - Jouni

  • How Can i Use two Different Public IP Addresses no my DMZ with ASA Firewall.

    How To Using Two Different Public IP Address on My DMZ with ASA 5520
    Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
    Hi everyone out there.
    Can anyone please help me regarding this situation, for which I am looking for a solution?
    My old range of public IP addresses is used up, I mean the 41.x.x.0 range.
    So now I still need to have in my DMZ another two servers that will bring some new services.
    Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
    So, as I said, my old range of public IP addresses is used up, and we asked the ISP to give us some additional public
    IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range 197.216.1.24/29.
    So my question is, in the real world (on the equipment), how can I use two different public IP addresses on the same DMZ
    on a Cisco ASA 5520 v8?
    What should my configuration look like?
    I was told about implementing static NAT with sub-interfaces on both the router and the ASA interface.
    Can someone please give me some help with a practical config sample? I can also be reached at [email protected]
    Attached is my network diagram for a better understanding.
    I thank everybody in advance.
    Jorge

    Hi,
    So, looking at your picture, you have the original public IP address range configured on the OUTSIDE, and it's used for NAT for different servers behind the ASA firewall.
    Now you have gotten a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? Do you want to configure the public IP addresses directly on the servers, or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
    To get the routing working, naturally the only thing needed between your Router and Firewall would be a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could be handled with either Static Routing or Dynamic Routing.
    So you don't really need to change the interface configuration between the Router and ASA at all. You just need a Static route pointing the new public IP addresses towards the ASA outside IP address.
    Now, when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall? This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range, AND then configure the LAN devices correspondingly to the method chosen on the firewall.
    Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses? This would only require you to start configuring Static NAT for the new servers between the inside/dmz and outside interfaces of the ASA. The format would be no different from the previous NAT configuration, other than the different IP addresses of course.
    Of the above ways:
    The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configuration/changes on the ASA. In this case, though, you might run into the problem with DNS (to which I refer above), as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address, and therefore connections from the LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards the LAN also).
    Hopefully the above was helpful. Naturally, ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
    I'm currently at Cisco Live! 2013 London, so in the "worst case" I might be able to answer on the weekend at the earliest.
    - Jouni

  • ASA firewall wont ping remote site

    We have a remote office which I can ping while at the main office, but when I am connected to the VPN from the office or home, I can't ping the remote office.
    The VPN gives me an IP of 10.21.18.x
    The remote site's IP is: 172.29.x.x
    I have the access-list information for the ASA firewall and router below.
    Below is the multilayer switch:
    OFFICE-CORE-01#show ip access-lists
    Extended IP access list verizon-INTERNET-TRAFFIC
        10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
        20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
        30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
        40 permit ip 10.23.20.0 0.0.0.255 any
        50 permit ip 10.23.21.0 0.0.0.255 any
        60 permit ip 10.23.22.0 0.0.0.255 any
        70 permit ip 10.23.23.0 0.0.0.255 any
        80 permit ip 10.23.24.0 0.0.0.255 any
        90 permit ip 10.23.25.0 0.0.0.255 any
        100 permit ip 10.23.26.0 0.0.0.255 any
    Extended IP access list PAETEC-INTERNET-TRAFFIC
        10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
        20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
        30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
        40 permit ip 10.23.20.0 0.0.0.255 any
        50 permit ip 10.23.21.0 0.0.0.255 any
        60 permit ip 10.23.22.0 0.0.0.255 any
        70 permit ip 10.23.23.0 0.0.0.255 any
        80 permit ip 10.23.24.0 0.0.0.255 any
        90 permit ip 10.23.25.0 0.0.0.255 any
        100 permit ip 10.23.26.0 0.0.0.255 any
    Extended IP access list system-cpp-all-routers-on-subnet
        10 permit ip any host 224.0.0.2
    Extended IP access list system-cpp-all-systems-on-subnet
        10 permit ip any host 224.0.0.1
    Extended IP access list system-cpp-dhcp-cs
        10 permit udp any eq bootpc any eq bootps
    Extended IP access list system-cpp-dhcp-sc
        10 permit udp any eq bootps any eq bootpc
    Extended IP access list system-cpp-dhcp-ss
        10 permit udp any eq bootps any eq bootps
    Extended IP access list system-cpp-energywise-disc
        10 permit udp any eq any eq 0
    Extended IP access list system-cpp-hsrpv2
        10 permit udp any host 224.0.0.102
    Extended IP access list system-cpp-igmp
        10 permit igmp any 224.0.0.0 31.255.255.255
    Extended IP access list system-cpp-ip-mcast-linklocal
        10 permit ip any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-ospf
        10 permit ospf any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-pim
        10 permit pim any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-ripv2
        10 permit ip any host 224.0.0.9
    ----------------------------------ASA ACCESS-LIST is below the brief version-------
    access-list CompanyName-vpn-maint_splitTunnelAcl line 10 standard permit 172.29.0.0 255.255.0.0 (hitcnt=0) 0x52bc4d4c
    -----------------------below is the ASA routes-----------------------
    Gateway of last resort is 53.138.58.129 to network 0.0.0.0
    S    192.168.10.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    C    172.17.21.0 255.255.255.0 is directly connected, dmz_tier2
    S    172.16.142.0 255.255.254.0 [1/0] via 53.138.58.129, outside
    C    172.16.21.0 255.255.255.0 is directly connected, dmz_tier1
    C    172.19.21.0 255.255.255.0 is directly connected, dmz_tier4
    S    172.23.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
    S    172.25.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.25.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.24.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    172.26.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.26.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
    S    172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.28.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.28.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    192.168.20.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.11.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.13.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.10.21.1 255.255.255.255 [1/0] via 10.21.0.1, inside
    S    10.10.21.2 255.255.255.255 [1/0] via 10.21.0.1, inside
    S    10.22.0.0 255.255.0.0 [1/0] via 53.138.58.129, outside
    S    10.23.3.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.23.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.10.21.10 255.255.255.255 [1/0] via 10.21.0.1, inside
    C    10.21.0.0 255.255.255.0 is directly connected, inside
    S    10.22.3.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    10.10.41.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    C    53.138.58.128 255.255.255.128 is directly connected, outside
    S    192.168.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
    S    0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
    ------------------------------------below is the router's routes----------
    Gateway of last resort is 10.21.0.11 to network 0.0.0.0
         205.232.16.0/32 is subnetted, 1 subnets
    S       205.232.16.25 [1/0] via 10.21.0.11
         62.0.0.0/32 is subnetted, 1 subnets
    S       62.100.0.146 [1/0] via 10.21.0.12
         178.78.0.0/32 is subnetted, 1 subnets
    S       178.78.147.193 [1/0] via 10.21.0.12
    C    192.168.10.0/24 is directly connected, Vlan29
         172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
    S       172.16.141.0/24 [1/0] via 10.21.0.11
    S       172.16.142.0/23 [1/0] via 10.21.0.11
    S       172.16.40.1/32 [1/0] via 10.21.2.12
    S       172.16.40.10/32 [1/0] via 10.21.2.12
    S       172.16.21.0/24 [1/0] via 10.21.0.11
         172.19.0.0/24 is subnetted, 1 subnets
    S       172.19.21.0 [1/0] via 10.21.0.11
         172.18.0.0/24 is subnetted, 1 subnets
    S       172.18.21.0 [1/0] via 10.21.0.12
         172.23.0.0/24 is subnetted, 3 subnets
    S       172.23.186.0 [1/0] via 10.21.0.6
    S       172.23.184.0 [1/0] via 10.21.0.6
    S       172.23.181.0 [1/0] via 10.21.0.6
    S    172.25.0.0/16 [1/0] via 10.21.0.11
         172.24.0.0/24 is subnetted, 3 subnets
    C       172.24.181.0 is directly connected, Vlan31
    C       172.24.186.0 is directly connected, Vlan32
    C       172.24.187.0 is directly connected, Vlan33
    S    172.26.0.0/16 [1/0] via 10.21.0.11
         172.29.0.0/24 is subnetted, 3 subnets
    S       172.29.181.0 [1/0] via 10.21.0.6
    S       172.29.184.0 [1/0] via 10.21.0.6
    S       172.29.190.0 [1/0] via 10.21.0.6
    S    172.28.0.0/16 [1/0] via 10.21.0.11
    C    192.168.20.0/24 is directly connected, Vlan30
         10.0.0.0/8 is variably subnetted, 35 subnets, 4 masks
    S       10.11.0.0/16 [1/0] via 10.21.0.6
    C       10.21.28.0/24 is directly connected, Vlan28
    C       10.21.26.0/24 is directly connected, Vlan26
    C       10.21.25.0/24 is directly connected, Vlan25
    S       10.12.0.0/16 [1/0] via 10.21.0.6
    C       10.21.24.0/24 is directly connected, Vlan24
    S       10.13.0.0/16 [1/0] via 10.21.0.6
    C       10.21.23.0/24 is directly connected, Vlan23
    C       10.21.22.0/24 is directly connected, Vlan22
    C       10.21.21.0/24 is directly connected, Vlan21
    C       10.21.20.0/24 is directly connected, Vlan20
    C       10.21.19.0/24 is directly connected, Vlan19
    S       10.21.18.0/24 [1/0] via 10.21.0.12
    S       10.21.17.0/24 [1/0] via 10.21.0.11
    C       10.21.16.0/24 is directly connected, Vlan16
    C       10.21.15.0/24 is directly connected, Vlan15
    C       10.21.14.0/24 is directly connected, Vlan14
    C       10.21.13.0/24 is directly connected, Vlan13
    C       10.21.12.0/24 is directly connected, Vlan12
    C       10.21.11.0/24 is directly connected, Vlan11
    C       10.10.21.1/32 is directly connected, Loopback0
    S       10.31.0.0/16 [1/0] via 10.21.0.6
    D       10.10.21.2/32 [90/130816] via 10.21.252.10, 7w0d, Vlan999
    C       10.21.5.0/24 is directly connected, Vlan5
    C       10.21.4.0/24 is directly connected, Vlan4
    S       10.22.0.0/16 [1/0] via 10.21.0.11
    C       10.21.3.0/24 is directly connected, Vlan3
    C       10.21.2.0/24 is directly connected, Vlan2
    C       10.23.2.0/24 is directly connected, Vlan900
    S       10.22.3.0/24 [1/0] via 10.21.0.11
    C       10.21.0.0/24 is directly connected, Vlan1000
    S       10.41.0.0/16 [1/0] via 10.21.0.11
    S       10.10.41.0/24 [1/0] via 10.21.0.11
    S       10.51.0.0/16 [1/0] via 10.21.0.6
    C       10.21.252.8/30 is directly connected, Vlan999
         62.0.0.0/32 is subnetted, 1 subnets
    S       62.138.58.129 [1/0] via 10.21.0.11
    S    192.168.2.0/24 [1/0] via 10.21.0.12
    S*   0.0.0.0/0 [1/0] via 10.21.0.11

    We have a remote office which I can ping while at the main office, but when I am connected to the VPN from the office or from home, I can't ping the remote office.
    The VPN gives me an IP of 10.21.18.x
    The remote site's IP is: 172.29.x.x
    I have the access-list information for the ASA firewall and router below:
    Below is the multilayer:
    OFFICE-CORE-01#show ip access-lists
    Extended IP access list verizon-INTERNET-TRAFFIC
        10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
        20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
        30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
        40 permit ip 10.23.20.0 0.0.0.255 any
        50 permit ip 10.23.21.0 0.0.0.255 any
        60 permit ip 10.23.22.0 0.0.0.255 any
        70 permit ip 10.23.23.0 0.0.0.255 any
        80 permit ip 10.23.24.0 0.0.0.255 any
        90 permit ip 10.23.25.0 0.0.0.255 any
        100 permit ip 10.23.26.0 0.0.0.255 any
    Extended IP access list PAETEC-INTERNET-TRAFFIC
        10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
        20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
        30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
        40 permit ip 10.23.20.0 0.0.0.255 any
        50 permit ip 10.23.21.0 0.0.0.255 any
        60 permit ip 10.23.22.0 0.0.0.255 any
        70 permit ip 10.23.23.0 0.0.0.255 any
        80 permit ip 10.23.24.0 0.0.0.255 any
        90 permit ip 10.23.25.0 0.0.0.255 any
        100 permit ip 10.23.26.0 0.0.0.255 any
    Extended IP access list system-cpp-all-routers-on-subnet
        10 permit ip any host 224.0.0.2
    Extended IP access list system-cpp-all-systems-on-subnet
        10 permit ip any host 224.0.0.1
    Extended IP access list system-cpp-dhcp-cs
        10 permit udp any eq bootpc any eq bootps
    Extended IP access list system-cpp-dhcp-sc
        10 permit udp any eq bootps any eq bootpc
    Extended IP access list system-cpp-dhcp-ss
        10 permit udp any eq bootps any eq bootps
    Extended IP access list system-cpp-energywise-disc
        10 permit udp any eq any eq 0
    Extended IP access list system-cpp-hsrpv2
        10 permit udp any host 224.0.0.102
    Extended IP access list system-cpp-igmp
        10 permit igmp any 224.0.0.0 31.255.255.255
    Extended IP access list system-cpp-ip-mcast-linklocal
        10 permit ip any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-ospf
        10 permit ospf any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-pim
        10 permit pim any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-ripv2
        10 permit ip any host 224.0.0.9
    ----------------------------------ASA ACCESS-LIST is below the brief version-------
    access-list CompanyName-vpn-maint_splitTunnelAcl line 10 standard permit 172.29.0.0 255.255.0.0 (hitcnt=0) 0x52bc4d4c
    -----------------------below is the ASA routes-----------------------
    Gateway of last resort is 53.138.58.129 to network 0.0.0.0
    S    192.168.10.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    C    172.17.21.0 255.255.255.0 is directly connected, dmz_tier2
    S    172.16.142.0 255.255.254.0 [1/0] via 53.138.58.129, outside
    C    172.16.21.0 255.255.255.0 is directly connected, dmz_tier1
    C    172.19.21.0 255.255.255.0 is directly connected, dmz_tier4
    S    172.23.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
    S    172.25.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.25.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.24.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    172.26.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.26.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
    S    172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.28.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.28.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    192.168.20.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.11.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.13.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.10.21.1 255.255.255.255 [1/0] via 10.21.0.1, inside
    S    10.10.21.2 255.255.255.255 [1/0] via 10.21.0.1, inside
    S    10.22.0.0 255.255.0.0 [1/0] via 53.138.58.129, outside
    S    10.23.3.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.23.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.10.21.10 255.255.255.255 [1/0] via 10.21.0.1, inside
    C    10.21.0.0 255.255.255.0 is directly connected, inside
    S    10.22.3.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    10.10.41.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    C    53.138.58.128 255.255.255.128 is directly connected, outside
    S    192.168.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
    S    0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
    ------------------------------------below is the router's routes----------
    Gateway of last resort is 10.21.0.11 to network 0.0.0.0
         205.232.16.0/32 is subnetted, 1 subnets
    S       205.232.16.25 [1/0] via 10.21.0.11
         62.0.0.0/32 is subnetted, 1 subnets
    S       62.100.0.146 [1/0] via 10.21.0.12
         178.78.0.0/32 is subnetted, 1 subnets
    S       178.78.147.193 [1/0] via 10.21.0.12
    C    192.168.10.0/24 is directly connected, Vlan29
         172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
    S       172.16.141.0/24 [1/0] via 10.21.0.11
    S       172.16.142.0/23 [1/0] via 10.21.0.11
    S       172.16.40.1/32 [1/0] via 10.21.2.12
    S       172.16.40.10/32 [1/0] via 10.21.2.12
    S       172.16.21.0/24 [1/0] via 10.21.0.11
         172.19.0.0/24 is subnetted, 1 subnets
    S       172.19.21.0 [1/0] via 10.21.0.11
         172.18.0.0/24 is subnetted, 1 subnets
    S       172.18.21.0 [1/0] via 10.21.0.12
         172.23.0.0/24 is subnetted, 3 subnets
    S       172.23.186.0 [1/0] via 10.21.0.6
    S       172.23.184.0 [1/0] via 10.21.0.6
    S       172.23.181.0 [1/0] via 10.21.0.6
    S    172.25.0.0/16 [1/0] via 10.21.0.11
         172.24.0.0/24 is subnetted, 3 subnets
    C       172.24.181.0 is directly connected, Vlan31
    C       172.24.186.0 is directly connected, Vlan32
    C       172.24.187.0 is directly connected, Vlan33
    S    172.26.0.0/16 [1/0] via 10.21.0.11
         172.29.0.0/24 is subnetted, 3 subnets
    S       172.29.181.0 [1/0] via 10.21.0.6
    S       172.29.184.0 [1/0] via 10.21.0.6
    S       172.29.190.0 [1/0] via 10.21.0.6
    S    172.28.0.0/16 [1/0] via 10.21.0.11
    C    192.168.20.0/24 is directly connected, Vlan30
         10.0.0.0/8 is variably subnetted, 35 subnets, 4 masks
    S       10.11.0.0/16 [1/0] via 10.21.0.6
    C       10.21.28.0/24 is directly connected, Vlan28
    C       10.21.26.0/24 is directly connected, Vlan26
    C       10.21.25.0/24 is directly connected, Vlan25
    S       10.12.0.0/16 [1/0] via 10.21.0.6
    C       10.21.24.0/24 is directly connected, Vlan24
    S       10.13.0.0/16 [1/0] via 10.21.0.6
    C       10.21.23.0/24 is directly connected, Vlan23
    C       10.21.22.0/24 is directly connected, Vlan22
    C       10.21.21.0/24 is directly connected, Vlan21
    C       10.21.20.0/24 is directly connected, Vlan20
    C       10.21.19.0/24 is directly connected, Vlan19
    S       10.21.18.0/24 [1/0] via 10.21.0.12
    S       10.21.17.0/24 [1/0] via 10.21.0.11
    C       10.21.16.0/24 is directly connected, Vlan16
    C       10.21.15.0/24 is directly connected, Vlan15
    C       10.21.14.0/24 is directly connected, Vlan14
    C       10.21.13.0/24 is directly connected, Vlan13
    C       10.21.12.0/24 is directly connected, Vlan12
    C       10.21.11.0/24 is directly connected, Vlan11
    C       10.10.21.1/32 is directly connected, Loopback0
    S       10.31.0.0/16 [1/0] via 10.21.0.6
    D       10.10.21.2/32 [90/130816] via 10.21.252.10, 7w0d, Vlan999
    C       10.21.5.0/24 is directly connected, Vlan5
    C       10.21.4.0/24 is directly connected, Vlan4
    S       10.22.0.0/16 [1/0] via 10.21.0.11
    C       10.21.3.0/24 is directly connected, Vlan3
    C       10.21.2.0/24 is directly connected, Vlan2
    C       10.23.2.0/24 is directly connected, Vlan900
    S       10.22.3.0/24 [1/0] via 10.21.0.11
    C       10.21.0.0/24 is directly connected, Vlan1000
    S       10.41.0.0/16 [1/0] via 10.21.0.11
    S       10.10.41.0/24 [1/0] via 10.21.0.11
    S       10.51.0.0/16 [1/0] via 10.21.0.6
    C       10.21.252.8/30 is directly connected, Vlan999
         62.0.0.0/32 is subnetted, 1 subnets
    S       62.138.58.129 [1/0] via 10.21.0.11
    S    192.168.2.0/24 [1/0] via 10.21.0.12
    S*   0.0.0.0/0 [1/0] via 10.21.0.11
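One way to check which route the ASA picks for the remote-site prefixes quoted above, as an added example that is not from the post or from Cisco: it parses ASA `show route` lines into objects, does a longest-prefix lookup (modelling the ASA rule that a `tunneled` default route is only consulted for traffic that arrived over a VPN tunnel), and flags static routes whose next hop does not sit on a subnet directly connected to the route's exit interface. The route lines are a constructed subset of the ones quoted in the post; the function and class names are my own.

```python
"""Longest-prefix lookup over ASA 'show route' text, plus a next-hop sanity check.

Added example: the parsing and lookup logic here is a simplified model of ASA
routing written for illustration, not Cisco code or the poster's own tooling.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the ASA route lines quoted in the post above.
ASA_ROUTES = """\
S    172.23.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S    172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S    172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S    10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
C    10.21.0.0 255.255.255.0 is directly connected, inside
C    53.138.58.128 255.255.255.128 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
S    0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
"""

# Matches both "[AD/metric] via <nexthop>, <iface>" and "is directly connected, <iface>",
# with an optional trailing "tunneled" keyword.
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[^,\s]+),|is directly connected,)\s+"
    r"(?P<iface>\S+)(?P<tunneled>\s+tunneled)?\s*$"
)


@dataclass(frozen=True)
class Route:
    code: str
    network: ipaddress.IPv4Network
    admin_distance: int
    next_hop: Optional[ipaddress.IPv4Address]  # None for connected routes
    interface: str
    tunneled: bool


def parse_routes(text: str) -> List[Route]:
    """Turn 'show route' output into Route objects; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # e.g. "Gateway of last resort is ..." headers
        network = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
        connected = m["nh"] is None
        routes.append(Route(
            code=m["code"],
            network=network,
            admin_distance=0 if connected else int(m["ad"]),
            next_hop=None if connected else ipaddress.IPv4Address(m["nh"]),
            interface=m["iface"],
            tunneled=m["tunneled"] is not None,
        ))
    return routes


def lookup(routes: List[Route], dst: str, from_tunnel: bool = False) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes prefer lowest admin distance.

    Simplified ASA rule (assumption documented here): a 'tunneled' route is only
    eligible for traffic that arrived through a VPN tunnel, where it wins over the
    ordinary default route.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if from_tunnel:
        candidates.sort(key=lambda r: (-r.network.prefixlen, not r.tunneled, r.admin_distance))
    else:
        candidates = [r for r in candidates if not r.tunneled]
        candidates.sort(key=lambda r: (-r.network.prefixlen, r.admin_distance))
    return candidates[0] if candidates else None


def next_hop_is_reachable(route: Route, routes: List[Route]) -> bool:
    """A static route is only usable when its next hop lies in a subnet that is
    directly connected on the same interface the route points out of."""
    if route.next_hop is None:
        return True
    return any(
        r.next_hop is None and r.interface == route.interface and route.next_hop in r.network
        for r in routes
    )


def find_misdirected_static_routes(routes: List[Route]) -> List[Route]:
    """Static routes whose next hop is not on their exit interface's connected subnet."""
    return [r for r in routes if not next_hop_is_reachable(r, routes)]


if __name__ == "__main__":
    table = parse_routes(ASA_ROUTES)
    for dst in ("172.29.181.5", "172.29.184.7", "172.29.190.3"):
        r = lookup(table, dst, from_tunnel=True)
        print(f"{dst}: {r.network} via {r.next_hop} on {r.interface}")
    for r in find_misdirected_static_routes(table):
        print(f"next hop {r.next_hop} for {r.network} is not on any '{r.interface}' subnet")
```

Run against the sample, the lookup shows that the three 172.29.x.x /24s in the split-tunnel range resolve to three different exits (an `outside` static via 10.21.0.1, an `outside` static via the ISP gateway, and the tunneled default via `inside`), and the reachability check flags the two statics that point out `outside` with a next hop that only exists on the `inside` subnet; comparing that with the router's own `172.29.0.0` routes is the natural next step.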

  • Remote Desktop Connection stops working after upgrade from 10.5.8 to 10.6.1

    I too could not connect to a W2K3 server with RDC 2.0.1 after upgrading from Mac OS X 10.5.8 to 10.6/10.6.1. I have another Mac which is on 10.5.8 and connects fine with the same version of RDC 2.0.1, as do other PCs with Terminal Services clients.
    There is no change on the server side. I have uninstalled and reinstalled RDC 2.0.1 several times and it did not resolve the issue. To rule out firewall/network, I tested with another remote desktop application called CoRD (for Mac) on the same laptop running SL 10.6.1 and it connected to the same W2K3 server fine.
    One thing that is worth mentioning (in my case): when it does not connect, RDC totally quits (not running anymore; not minimized, no "cannot connect" error message, no little dot on the Dock for RDC, nothing) right after I put the credentials in. When looking at the log entries that are related to RDC in the Console application, I see the following.
    On the 10.6.1 machine with RDC 2.0.1 (non-working):
    9/22/09 1:17:16 PM [0x0-0x3a03a].com.microsoft.rdc[468] objc[468]: Class NLAssertionHandler is implemented in both /Applications/Remote Desktop Connection.app/Contents/MacOS/../Frameworks/Netlib.framework/Versions/12/Netlib and /Applications/Remote Desktop Connection.app/Contents/MacOS/../Frameworks/RDCPAL.framework/Versions/12/RDCPAL . One of the two will be used. Which one is undefined.
    On the 10.5.8 machine with RDC 2.0.1 (working), I see the following entries
    9/22/09 1:13:23 PM [0x0-0x24f24f].com.microsoft.rdc[5502] objc[5502]: Class NLAssertionHandler is implemented in both /Applications/Remote Desktop Connection.app/Contents/MacOS/../Frameworks/Netlib.framework/Versions/12/Netlib and /Applications/Remote Desktop Connection.app/Contents/MacOS/../Frameworks/RDCPAL.framework/Versions/12/RDCPAL . Using implementation from /Applications/Remote Desktop Connection.app/Contents/MacOS/../Frameworks/RDCPAL.framework/Versions/12/RDCPAL .
    9/22/09 1:13:39 PM Remote Desktop Connection[5502] * _NSAutoreleaseNoPool(): Object 0x16a25c20 of class NSCFArray autoreleased with no pool in place - just leaking
    Stack: (0x9277af4f 0x92687432 0x93062bf5 0x926ce0fb 0x9723dff5 0x9268d52c 0x92fd447a 0x92fd4753 0x92fd4a48 0x930375da 0x530bac 0x4831a2 0x483750 0x483c0b 0x47a811 0x4796ac 0x485dad 0x47d475 0x5099dc 0x574c70 0x4ade03 0x4ae65d 0x4ae6f7 0x4ac8dd 0x53260c 0x534187 0x4ae76a 0x4ae7d0 0x4ae88e 0x493925 0x4ae13d 0x533b1a 0x53da6c 0x94a48057 0x934b3155 0x934b3012)
    Any help would be appreciated

    Doing some more troubleshooting after my post above, as I saw a couple of entries referencing Stop Light keep popping up in the log of the Console. I removed Stoplight and Cocoa Gesture (for good measure) and RDC 2.0.1 started working. I think it is Stop Light which causes RDC to stop working, but I don't have the time right now to put Cocoa Gesture back to confirm that. I might if I have the time, or post here if you have Stop Light installed as well and removing it resolved the RDC issue for you.
